// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT.

package kms

import (
	"fmt"
	"time"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/awsutil"
	"github.com/aws/aws-sdk-go/aws/request"
	"github.com/aws/aws-sdk-go/private/protocol"
	"github.com/aws/aws-sdk-go/private/protocol/jsonrpc"
)

const opCancelKeyDeletion = "CancelKeyDeletion"

// CancelKeyDeletionRequest builds the "aws/request.Request" for the
// CancelKeyDeletion operation without sending it. The returned "output" value
// is populated from the service response only after the request's "Send"
// method returns without error; it is not valid before then.
//
// A nil input is replaced with an empty CancelKeyDeletionInput.
//
// Use this form when you want to inject custom logic or configuration into
// the SDK's request lifecycle, such as custom headers or retry logic. See
// CancelKeyDeletion for more information on the API call and error handling.
//
//    // Example sending a request using the CancelKeyDeletionRequest method.
//    req, resp := client.CancelKeyDeletionRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CancelKeyDeletion
func (c *KMS) CancelKeyDeletionRequest(input *CancelKeyDeletionInput) (req *request.Request, output *CancelKeyDeletionOutput) {
	if input == nil {
		input = new(CancelKeyDeletionInput)
	}
	output = new(CancelKeyDeletionOutput)

	req = c.newRequest(&request.Operation{
		Name:       opCancelKeyDeletion,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	return req, output
}

// CancelKeyDeletion API operation for AWS Key Management Service.
//
// Cancels the deletion of a customer master key (CMK). When this operation
// succeeds, the key state of the CMK is Disabled. To enable the CMK, use EnableKey.
// You cannot perform this operation on a CMK in a different AWS account.
//
// For more information about scheduling and canceling deletion of a CMK, see
// Deleting Customer Master Keys (https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html)
// in the AWS Key Management Service Developer Guide.
//
// The CMK that you use for this operation must be in a compatible key state.
// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
// in the AWS Key Management Service Developer Guide.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation CancelKeyDeletion for usage and error information.
//
// Returned Error Codes:
//   * ErrCodeNotFoundException "NotFoundException"
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * ErrCodeInvalidArnException "InvalidArnException"
//   The request was rejected because a specified ARN, or an ARN in a key policy,
//   is not valid.
//
//   * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * ErrCodeInternalException "KMSInternalException"
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * ErrCodeInvalidStateException "KMSInvalidStateException"
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CancelKeyDeletion
func (c *KMS) CancelKeyDeletion(input *CancelKeyDeletionInput) (*CancelKeyDeletionOutput, error) {
	// Success leaves the CMK in the Disabled state (see the doc comment above);
	// the key is not re-enabled by this call, EnableKey does that.
	r, resp := c.CancelKeyDeletionRequest(input)
	err := r.Send()
	return resp, err
}

// CancelKeyDeletionWithContext behaves like CancelKeyDeletion and additionally
// accepts a context and request options.
//
// See CancelKeyDeletion for details on how to use this API operation.
//
// The context must be non-nil and is used for request cancellation; a nil
// context causes a panic. In the future the SDK may create sub-contexts for
// http.Requests. See https://golang.org/pkg/context/ for more information on
// using Contexts.
func (c *KMS) CancelKeyDeletionWithContext(ctx aws.Context, input *CancelKeyDeletionInput, opts ...request.Option) (*CancelKeyDeletionOutput, error) {
	r, resp := c.CancelKeyDeletionRequest(input)
	// The context is attached first, then the caller's options, then the send.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opConnectCustomKeyStore = "ConnectCustomKeyStore"

// ConnectCustomKeyStoreRequest generates a "aws/request.Request" representing the
// client's request for the ConnectCustomKeyStore operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See ConnectCustomKeyStore for more information on using the ConnectCustomKeyStore
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the ConnectCustomKeyStoreRequest method.
//    req, resp := client.ConnectCustomKeyStoreRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ConnectCustomKeyStore
func (c *KMS) ConnectCustomKeyStoreRequest(input *ConnectCustomKeyStoreInput) (req *request.Request, output *ConnectCustomKeyStoreOutput) {
	if input == nil {
		input = new(ConnectCustomKeyStoreInput)
	}
	output = new(ConnectCustomKeyStoreOutput)

	req = c.newRequest(&request.Operation{
		Name:       opConnectCustomKeyStore,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	// The JSON-RPC unmarshal handler is replaced with the discard-body handler,
	// so the response body is not decoded into output for this operation.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}

// ConnectCustomKeyStore API operation for AWS Key Management Service.
//
// Connects or reconnects a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
// to its associated AWS CloudHSM cluster.
//
// The custom key store must be connected before you can create customer master
// keys (CMKs) in the key store or use the CMKs it contains. You can disconnect
// and reconnect a custom key store at any time.
//
// To connect a custom key store, its associated AWS CloudHSM cluster must have
// at least one active HSM. To get the number of active HSMs in a cluster, use
// the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
// operation. To add HSMs to the cluster, use the CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html)
// operation.
//
// The connection process can take an extended amount of time to complete; up
// to 20 minutes. This operation starts the connection process, but it does
// not wait for it to complete. When it succeeds, this operation quickly returns
// an HTTP 200 response and a JSON object with no properties. However, this
// response does not indicate that the custom key store is connected. To get
// the connection state of the custom key store, use the DescribeCustomKeyStores
// operation.
//
// During the connection process, AWS KMS finds the AWS CloudHSM cluster that
// is associated with the custom key store, creates the connection infrastructure,
// connects to the cluster, logs into the AWS CloudHSM client as the kmsuser
// crypto user (https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser)
// (CU), and rotates its password.
//
// The ConnectCustomKeyStore operation might fail for various reasons. To find
// the reason, use the DescribeCustomKeyStores operation and see the ConnectionErrorCode
// in the response. For help interpreting the ConnectionErrorCode, see CustomKeyStoresListEntry.
//
// To fix the failure, use the DisconnectCustomKeyStore operation to disconnect
// the custom key store, correct the error, use the UpdateCustomKeyStore operation
// if necessary, and then use ConnectCustomKeyStore again.
//
// If you are having trouble connecting or disconnecting a custom key store,
// see Troubleshooting a Custom Key Store (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html)
// in the AWS Key Management Service Developer Guide.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation ConnectCustomKeyStore for usage and error information.
//
// Returned Error Codes:
//   * ErrCodeCloudHsmClusterNotActiveException "CloudHsmClusterNotActiveException"
//   The request was rejected because the AWS CloudHSM cluster that is associated
//   with the custom key store is not active. Initialize and activate the cluster
//   and try the command again. For detailed instructions, see Getting Started
//   (https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html)
//   in the AWS CloudHSM User Guide.
//
//   * ErrCodeCustomKeyStoreInvalidStateException "CustomKeyStoreInvalidStateException"
//   The request was rejected because of the ConnectionState of the custom key
//   store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores
//   operation.
//
//   This exception is thrown under the following conditions:
//
//      * You requested the CreateKey or GenerateRandom operation in a custom
//      key store that is not connected. These operations are valid only when
//      the custom key store ConnectionState is CONNECTED.
//
//      * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation
//      on a custom key store that is not disconnected. This operation is valid
//      only when the custom key store ConnectionState is DISCONNECTED.
//
//      * You requested the ConnectCustomKeyStore operation on a custom key store
//      with a ConnectionState of DISCONNECTING or FAILED. This operation is valid
//      for all other ConnectionState values.
//
//   * ErrCodeCustomKeyStoreNotFoundException "CustomKeyStoreNotFoundException"
//   The request was rejected because AWS KMS cannot find a custom key store with
//   the specified key store name or ID.
//
//   * ErrCodeInternalException "KMSInternalException"
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * ErrCodeCloudHsmClusterInvalidConfigurationException "CloudHsmClusterInvalidConfigurationException"
//   The request was rejected because the associated AWS CloudHSM cluster did
//   not meet the configuration requirements for a custom key store.
//
//      * The cluster must be configured with private subnets in at least two
//      different Availability Zones in the Region.
//
//      * The security group for the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html)
//      (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound
//      rules that allow TCP traffic on ports 2223-2225. The Source in the inbound
//      rules and the Destination in the outbound rules must match the security
//      group ID. These rules are set by default when you create the cluster.
//      Do not delete or change them. To get information about a particular security
//      group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html)
//      operation.
//
//      * The cluster must contain at least as many HSMs as the operation requires.
//      To add HSMs, use the AWS CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html)
//      operation. For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey
//      operations, the AWS CloudHSM cluster must have at least two active HSMs,
//      each in a different Availability Zone. For the ConnectCustomKeyStore operation,
//      the AWS CloudHSM must contain at least one active HSM.
//
//   For information about the requirements for an AWS CloudHSM cluster that is
//   associated with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore)
//   in the AWS Key Management Service Developer Guide. For information about
//   creating a private subnet for an AWS CloudHSM cluster, see Create a Private
//   Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html)
//   in the AWS CloudHSM User Guide. For information about cluster security groups,
//   see Configure a Default Security Group (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html)
//   in the AWS CloudHSM User Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ConnectCustomKeyStore
func (c *KMS) ConnectCustomKeyStore(input *ConnectCustomKeyStoreInput) (*ConnectCustomKeyStoreOutput, error) {
	// A nil error here means the connection process was started, not that the
	// key store is connected (see the doc comment above); the connection state
	// is read back with DescribeCustomKeyStores.
	r, resp := c.ConnectCustomKeyStoreRequest(input)
	err := r.Send()
	return resp, err
}

// ConnectCustomKeyStoreWithContext behaves like ConnectCustomKeyStore and
// additionally accepts a context and request options.
//
// See ConnectCustomKeyStore for details on how to use this API operation.
//
// The context must be non-nil and is used for request cancellation; a nil
// context causes a panic. In the future the SDK may create sub-contexts for
// http.Requests. See https://golang.org/pkg/context/ for more information on
// using Contexts.
func (c *KMS) ConnectCustomKeyStoreWithContext(ctx aws.Context, input *ConnectCustomKeyStoreInput, opts ...request.Option) (*ConnectCustomKeyStoreOutput, error) {
	r, resp := c.ConnectCustomKeyStoreRequest(input)
	// The context is attached first, then the caller's options, then the send.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opCreateAlias = "CreateAlias"

// CreateAliasRequest builds the "aws/request.Request" for the CreateAlias
// operation without sending it. The returned "output" value is not valid
// until the request's "Send" method returns without error.
//
// A nil input is replaced with an empty CreateAliasInput.
//
// Use this form when you want to inject custom logic or configuration into
// the SDK's request lifecycle, such as custom headers or retry logic. See
// CreateAlias for more information on the API call and error handling.
//
//    // Example sending a request using the CreateAliasRequest method.
//    req, resp := client.CreateAliasRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateAlias
func (c *KMS) CreateAliasRequest(input *CreateAliasInput) (req *request.Request, output *CreateAliasOutput) {
	if input == nil {
		input = new(CreateAliasInput)
	}
	output = new(CreateAliasOutput)

	req = c.newRequest(&request.Operation{
		Name:       opCreateAlias,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	// The JSON-RPC unmarshal handler is replaced with the discard-body handler,
	// so the response body is not decoded into output for this operation.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}

// CreateAlias API operation for AWS Key Management Service.
//
// Creates a display name for a customer managed customer master key (CMK).
// You can use an alias to identify a CMK in cryptographic operations, such
// as Encrypt and GenerateDataKey. You can change the CMK associated with the
// alias at any time.
//
// Aliases are easier to remember than key IDs.
// They can also help to simplify
// your applications. For example, if you use an alias in your code, you can
// change the CMK your code uses by associating a given alias with a different
// CMK.
//
// To run the same code in multiple AWS regions, use an alias in your code,
// such as alias/ApplicationKey. Then, in each AWS Region, create an alias/ApplicationKey
// alias that is associated with a CMK in that Region. When you run your code,
// it uses the alias/ApplicationKey CMK for that AWS Region without any Region-specific
// code.
//
// This operation does not return a response. To get the alias that you created,
// use the ListAliases operation.
//
// To use aliases successfully, be aware of the following information.
//
//    * Each alias points to only one CMK at a time, although a single CMK can
//    have multiple aliases. The alias and its associated CMK must be in the
//    same AWS account and Region.
//
//    * You can associate an alias with any customer managed CMK in the same
//    AWS account and Region. However, you do not have permission to associate
//    an alias with an AWS managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk)
//    or an AWS owned CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk).
//
//    * To change the CMK associated with an alias, use the UpdateAlias operation.
//    The current CMK and the new CMK must be the same type (both symmetric
//    or both asymmetric) and they must have the same key usage (ENCRYPT_DECRYPT
//    or SIGN_VERIFY). This restriction prevents cryptographic errors in code
//    that uses aliases.
//
//    * The alias name must begin with alias/ followed by a name, such as alias/ExampleAlias.
//    It can contain only alphanumeric characters, forward slashes (/), underscores
//    (_), and dashes (-). The alias name cannot begin with alias/aws/. The
//    alias/aws/ prefix is reserved for AWS managed CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk).
//
//    * The alias name must be unique within an AWS Region. However, you can
//    use the same alias name in multiple Regions of the same AWS account. Each
//    instance of the alias is associated with a CMK in its Region.
//
//    * After you create an alias, you cannot change its alias name. However,
//    you can use the DeleteAlias operation to delete the alias and then create
//    a new alias with the desired name.
//
//    * You can use an alias name or alias ARN to identify a CMK in AWS KMS
//    cryptographic operations and in the DescribeKey operation. However, you
//    cannot use alias names or alias ARNs in API operations that manage CMKs,
//    such as DisableKey or GetKeyPolicy. For information about the valid CMK
//    identifiers for each AWS KMS API operation, see the descriptions of the
//    KeyId parameter in the API operation documentation.
//
// Because an alias is not a property of a CMK, you can delete and change the
// aliases of a CMK without affecting the CMK. Also, aliases do not appear in
// the response from the DescribeKey operation. To get the aliases and alias
// ARNs of CMKs in each AWS account and Region, use the ListAliases operation.
//
// The CMK that you use for this operation must be in a compatible key state.
// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
// in the AWS Key Management Service Developer Guide.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation CreateAlias for usage and error information.
//
// Returned Error Codes:
//   * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * ErrCodeAlreadyExistsException "AlreadyExistsException"
//   The request was rejected because it attempted to create a resource that already
//   exists.
//
//   * ErrCodeNotFoundException "NotFoundException"
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * ErrCodeInvalidAliasNameException "InvalidAliasNameException"
//   The request was rejected because the specified alias name is not valid.
//
//   * ErrCodeInternalException "KMSInternalException"
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * ErrCodeLimitExceededException "LimitExceededException"
//   The request was rejected because a limit was exceeded. For more information,
//   see Limits (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html)
//   in the AWS Key Management Service Developer Guide.
//
//   * ErrCodeInvalidStateException "KMSInvalidStateException"
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateAlias
func (c *KMS) CreateAlias(input *CreateAliasInput) (*CreateAliasOutput, error) {
	// The operation returns no response data (see the doc comment above); the
	// alias is read back with ListAliases.
	// NOTE(review): code that names a CMK by alias uses whichever CMK the alias
	// points to, so permission to create and update aliases determines the key
	// that code ends up using; confirm alias permissions are scoped with that
	// in mind.
	r, resp := c.CreateAliasRequest(input)
	err := r.Send()
	return resp, err
}

// CreateAliasWithContext behaves like CreateAlias and additionally accepts a
// context and request options.
//
// See CreateAlias for details on how to use this API operation.
//
// The context must be non-nil and is used for request cancellation; a nil
// context causes a panic. In the future the SDK may create sub-contexts for
// http.Requests. See https://golang.org/pkg/context/ for more information on
// using Contexts.
func (c *KMS) CreateAliasWithContext(ctx aws.Context, input *CreateAliasInput, opts ...request.Option) (*CreateAliasOutput, error) {
	r, resp := c.CreateAliasRequest(input)
	// The context is attached first, then the caller's options, then the send.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opCreateCustomKeyStore = "CreateCustomKeyStore"

// CreateCustomKeyStoreRequest generates a "aws/request.Request" representing the
// client's request for the CreateCustomKeyStore operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See CreateCustomKeyStore for more information on using the CreateCustomKeyStore
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the CreateCustomKeyStoreRequest method.
496// req, resp := client.CreateCustomKeyStoreRequest(params) 497// 498// err := req.Send() 499// if err == nil { // resp is now filled 500// fmt.Println(resp) 501// } 502// 503// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateCustomKeyStore 504func (c *KMS) CreateCustomKeyStoreRequest(input *CreateCustomKeyStoreInput) (req *request.Request, output *CreateCustomKeyStoreOutput) { 505 op := &request.Operation{ 506 Name: opCreateCustomKeyStore, 507 HTTPMethod: "POST", 508 HTTPPath: "/", 509 } 510 511 if input == nil { 512 input = &CreateCustomKeyStoreInput{} 513 } 514 515 output = &CreateCustomKeyStoreOutput{} 516 req = c.newRequest(op, input, output) 517 return 518} 519 520// CreateCustomKeyStore API operation for AWS Key Management Service. 521// 522// Creates a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) 523// that is associated with an AWS CloudHSM cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/clusters.html) 524// that you own and manage. 525// 526// This operation is part of the Custom Key Store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) 527// feature in AWS KMS, which combines the convenience and extensive integration 528// of AWS KMS with the isolation and control of a single-tenant key store. 529// 530// Before you create the custom key store, you must assemble the required elements, 531// including an AWS CloudHSM cluster that fulfills the requirements for a custom 532// key store. For details about the required elements, see Assemble the Prerequisites 533// (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) 534// in the AWS Key Management Service Developer Guide. 535// 536// When the operation completes successfully, it returns the ID of the new custom 537// key store. 
Before you can use your new custom key store, you need to use 538// the ConnectCustomKeyStore operation to connect the new key store to its AWS 539// CloudHSM cluster. Even if you are not going to use your custom key store 540// immediately, you might want to connect it to verify that all settings are 541// correct and then disconnect it until you are ready to use it. 542// 543// For help with failures, see Troubleshooting a Custom Key Store (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html) 544// in the AWS Key Management Service Developer Guide. 545// 546// Returns awserr.Error for service API and SDK errors. Use runtime type assertions 547// with awserr.Error's Code and Message methods to get detailed information about 548// the error. 549// 550// See the AWS API reference guide for AWS Key Management Service's 551// API operation CreateCustomKeyStore for usage and error information. 552// 553// Returned Error Codes: 554// * ErrCodeCloudHsmClusterInUseException "CloudHsmClusterInUseException" 555// The request was rejected because the specified AWS CloudHSM cluster is already 556// associated with a custom key store or it shares a backup history with a cluster 557// that is associated with a custom key store. Each custom key store must be 558// associated with a different AWS CloudHSM cluster. 559// 560// Clusters that share a backup history have the same cluster certificate. To 561// view the cluster certificate of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) 562// operation. 563// 564// * ErrCodeCustomKeyStoreNameInUseException "CustomKeyStoreNameInUseException" 565// The request was rejected because the specified custom key store name is already 566// assigned to another custom key store in the account. Try again with a custom 567// key store name that is unique in the account. 
568// 569// * ErrCodeCloudHsmClusterNotFoundException "CloudHsmClusterNotFoundException" 570// The request was rejected because AWS KMS cannot find the AWS CloudHSM cluster 571// with the specified cluster ID. Retry the request with a different cluster 572// ID. 573// 574// * ErrCodeInternalException "KMSInternalException" 575// The request was rejected because an internal exception occurred. The request 576// can be retried. 577// 578// * ErrCodeCloudHsmClusterNotActiveException "CloudHsmClusterNotActiveException" 579// The request was rejected because the AWS CloudHSM cluster that is associated 580// with the custom key store is not active. Initialize and activate the cluster 581// and try the command again. For detailed instructions, see Getting Started 582// (https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html) 583// in the AWS CloudHSM User Guide. 584// 585// * ErrCodeIncorrectTrustAnchorException "IncorrectTrustAnchorException" 586// The request was rejected because the trust anchor certificate in the request 587// is not the trust anchor certificate for the specified AWS CloudHSM cluster. 588// 589// When you initialize the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr), 590// you create the trust anchor certificate and save it in the customerCA.crt 591// file. 592// 593// * ErrCodeCloudHsmClusterInvalidConfigurationException "CloudHsmClusterInvalidConfigurationException" 594// The request was rejected because the associated AWS CloudHSM cluster did 595// not meet the configuration requirements for a custom key store. 596// 597// * The cluster must be configured with private subnets in at least two 598// different Availability Zones in the Region. 
599// 600// * The security group for the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) 601// (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound 602// rules that allow TCP traffic on ports 2223-2225. The Source in the inbound 603// rules and the Destination in the outbound rules must match the security 604// group ID. These rules are set by default when you create the cluster. 605// Do not delete or change them. To get information about a particular security 606// group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html) 607// operation. 608// 609// * The cluster must contain at least as many HSMs as the operation requires. 610// To add HSMs, use the AWS CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html) 611// operation. For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey 612// operations, the AWS CloudHSM cluster must have at least two active HSMs, 613// each in a different Availability Zone. For the ConnectCustomKeyStore operation, 614// the AWS CloudHSM must contain at least one active HSM. 615// 616// For information about the requirements for an AWS CloudHSM cluster that is 617// associated with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) 618// in the AWS Key Management Service Developer Guide. For information about 619// creating a private subnet for an AWS CloudHSM cluster, see Create a Private 620// Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html) 621// in the AWS CloudHSM User Guide. For information about cluster security groups, 622// see Configure a Default Security Group (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) 623// in the AWS CloudHSM User Guide . 
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateCustomKeyStore
func (c *KMS) CreateCustomKeyStore(input *CreateCustomKeyStoreInput) (*CreateCustomKeyStoreOutput, error) {
	r, resp := c.CreateCustomKeyStoreRequest(input)
	// resp is handed back even when Send fails; treat it as valid only when
	// the returned error is nil.
	err := r.Send()
	return resp, err
}

// CreateCustomKeyStoreWithContext is the same as CreateCustomKeyStore with the addition of
// the ability to pass a context and additional request options.
//
// See CreateCustomKeyStore for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) CreateCustomKeyStoreWithContext(ctx aws.Context, input *CreateCustomKeyStoreInput, opts ...request.Option) (*CreateCustomKeyStoreOutput, error) {
	r, resp := c.CreateCustomKeyStoreRequest(input)
	// The context is attached first, then the caller's request options.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opCreateGrant = "CreateGrant"

// CreateGrantRequest generates a "aws/request.Request" representing the
// client's request for the CreateGrant operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See CreateGrant for more information on using the CreateGrant
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the CreateGrantRequest method.
//    req, resp := client.CreateGrantRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateGrant
func (c *KMS) CreateGrantRequest(input *CreateGrantInput) (req *request.Request, output *CreateGrantOutput) {
	// A nil input is replaced with an empty parameter struct before the
	// request is built.
	if input == nil {
		input = new(CreateGrantInput)
	}
	output = new(CreateGrantOutput)

	operation := &request.Operation{
		Name:       opCreateGrant,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}
	req = c.newRequest(operation, input, output)
	return req, output
}

// CreateGrant API operation for AWS Key Management Service.
//
// Adds a grant to a customer master key (CMK). The grant allows the grantee
// principal to use the CMK when the conditions specified in the grant are met.
// When setting permissions, grants are an alternative to key policies.
//
// To create a grant that allows a cryptographic operation only when the request
// includes a particular encryption context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context),
// use the Constraints parameter. For details, see GrantConstraints.
//
// You can create grants on symmetric and asymmetric CMKs. However, if the grant
// allows an operation that the CMK does not support, CreateGrant fails with
// a ValidationException.
//
//    * Grants for symmetric CMKs cannot allow operations that are not supported
//    for symmetric CMKs, including Sign, Verify, and GetPublicKey. (There are
//    limited exceptions to this rule for legacy operations, but you should
//    not create a grant for an operation that AWS KMS does not support.)
707// 708// * Grants for asymmetric CMKs cannot allow operations that are not supported 709// for asymmetric CMKs, including operations that generate data keys (https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey) 710// or data key pairs (https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyPair), 711// or operations related to automatic key rotation (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html), 712// imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html), 713// or CMKs in custom key stores (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html). 714// 715// * Grants for asymmetric CMKs with a KeyUsage of ENCRYPT_DECRYPT cannot 716// allow the Sign or Verify operations. Grants for asymmetric CMKs with a 717// KeyUsage of SIGN_VERIFY cannot allow the Encrypt or Decrypt operations. 718// 719// * Grants for asymmetric CMKs cannot include an encryption context grant 720// constraint. An encryption context is not supported on asymmetric CMKs. 721// 722// For information about symmetric and asymmetric CMKs, see Using Symmetric 723// and Asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) 724// in the AWS Key Management Service Developer Guide. 725// 726// To perform this operation on a CMK in a different AWS account, specify the 727// key ARN in the value of the KeyId parameter. For more information about grants, 728// see Grants (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) 729// in the AWS Key Management Service Developer Guide . 730// 731// The CMK that you use for this operation must be in a compatible key state. 732// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 733// in the AWS Key Management Service Developer Guide. 
734// 735// Returns awserr.Error for service API and SDK errors. Use runtime type assertions 736// with awserr.Error's Code and Message methods to get detailed information about 737// the error. 738// 739// See the AWS API reference guide for AWS Key Management Service's 740// API operation CreateGrant for usage and error information. 741// 742// Returned Error Codes: 743// * ErrCodeNotFoundException "NotFoundException" 744// The request was rejected because the specified entity or resource could not 745// be found. 746// 747// * ErrCodeDisabledException "DisabledException" 748// The request was rejected because the specified CMK is not enabled. 749// 750// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" 751// The system timed out while trying to fulfill the request. The request can 752// be retried. 753// 754// * ErrCodeInvalidArnException "InvalidArnException" 755// The request was rejected because a specified ARN, or an ARN in a key policy, 756// is not valid. 757// 758// * ErrCodeInternalException "KMSInternalException" 759// The request was rejected because an internal exception occurred. The request 760// can be retried. 761// 762// * ErrCodeInvalidGrantTokenException "InvalidGrantTokenException" 763// The request was rejected because the specified grant token is not valid. 764// 765// * ErrCodeLimitExceededException "LimitExceededException" 766// The request was rejected because a limit was exceeded. For more information, 767// see Limits (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html) 768// in the AWS Key Management Service Developer Guide. 769// 770// * ErrCodeInvalidStateException "KMSInvalidStateException" 771// The request was rejected because the state of the specified resource is not 772// valid for this request. 
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateGrant
func (c *KMS) CreateGrant(input *CreateGrantInput) (*CreateGrantOutput, error) {
	r, resp := c.CreateGrantRequest(input)
	// NOTE(review): a grant lets the grantee principal use the CMK; the
	// operation's documentation points to the Constraints parameter for
	// narrowing it to a particular encryption context.
	err := r.Send()
	return resp, err
}

// CreateGrantWithContext is the same as CreateGrant with the addition of
// the ability to pass a context and additional request options.
//
// See CreateGrant for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) CreateGrantWithContext(ctx aws.Context, input *CreateGrantInput, opts ...request.Option) (*CreateGrantOutput, error) {
	r, resp := c.CreateGrantRequest(input)
	// The context is attached first, then the caller's request options.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opCreateKey = "CreateKey"

// CreateKeyRequest generates a "aws/request.Request" representing the
// client's request for the CreateKey operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See CreateKey for more information on using the CreateKey
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle.
// Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the CreateKeyRequest method.
//    req, resp := client.CreateKeyRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKey
func (c *KMS) CreateKeyRequest(input *CreateKeyInput) (req *request.Request, output *CreateKeyOutput) {
	// A nil input is replaced with an empty parameter struct before the
	// request is built.
	if input == nil {
		input = new(CreateKeyInput)
	}
	output = new(CreateKeyOutput)

	operation := &request.Operation{
		Name:       opCreateKey,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}
	req = c.newRequest(operation, input, output)
	return req, output
}

// CreateKey API operation for AWS Key Management Service.
//
// Creates a unique customer managed customer master key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master-keys)
// (CMK) in your AWS account and Region. You cannot use this operation to create
// a CMK in a different AWS account.
//
// You can use the CreateKey operation to create symmetric or asymmetric CMKs.
//
//    * Symmetric CMKs contain a 256-bit symmetric key that never leaves AWS
//    KMS unencrypted. To use the CMK, you must call AWS KMS. You can use a
//    symmetric CMK to encrypt and decrypt small amounts of data, but they are
//    typically used to generate data keys (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-keys)
//    or data key pairs. For details, see GenerateDataKey and GenerateDataKeyPair.
//
//    * Asymmetric CMKs can contain an RSA key pair or an Elliptic Curve (ECC)
//    key pair. The private key in an asymmetric CMK never leaves AWS KMS unencrypted.
//    However, you can use the GetPublicKey operation to download the public
//    key so it can be used outside of AWS KMS.
CMKs with RSA key pairs can 860// be used to encrypt or decrypt data or sign and verify messages (but not 861// both). CMKs with ECC key pairs can be used only to sign and verify messages. 862// 863// For information about symmetric and asymmetric CMKs, see Using Symmetric 864// and Asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) 865// in the AWS Key Management Service Developer Guide. 866// 867// To create different types of CMKs, use the following guidance: 868// 869// Asymmetric CMKs 870// 871// To create an asymmetric CMK, use the CustomerMasterKeySpec parameter to specify 872// the type of key material in the CMK. Then, use the KeyUsage parameter to 873// determine whether the CMK will be used to encrypt and decrypt or sign and 874// verify. You can't change these properties after the CMK is created. 875// 876// Symmetric CMKs 877// 878// When creating a symmetric CMK, you don't need to specify the CustomerMasterKeySpec 879// or KeyUsage parameters. The default value for CustomerMasterKeySpec, SYMMETRIC_DEFAULT, 880// and the default value for KeyUsage, ENCRYPT_DECRYPT, are the only valid values 881// for symmetric CMKs. 882// 883// Imported Key Material 884// 885// To import your own key material, begin by creating a symmetric CMK with no 886// key material. To do this, use the Origin parameter of CreateKey with a value 887// of EXTERNAL. Next, use GetParametersForImport operation to get a public key 888// and import token, and use the public key to encrypt your key material. Then, 889// use ImportKeyMaterial with your import token to import the key material. 890// For step-by-step instructions, see Importing Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) 891// in the AWS Key Management Service Developer Guide . You cannot import the 892// key material into an asymmetric CMK. 
893// 894// Custom Key Stores 895// 896// To create a symmetric CMK in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html), 897// use the CustomKeyStoreId parameter to specify the custom key store. You must 898// also use the Origin parameter with a value of AWS_CLOUDHSM. The AWS CloudHSM 899// cluster that is associated with the custom key store must have at least two 900// active HSMs in different Availability Zones in the AWS Region. 901// 902// You cannot create an asymmetric CMK in a custom key store. For information 903// about custom key stores in AWS KMS see Using Custom Key Stores (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) 904// in the AWS Key Management Service Developer Guide . 905// 906// Returns awserr.Error for service API and SDK errors. Use runtime type assertions 907// with awserr.Error's Code and Message methods to get detailed information about 908// the error. 909// 910// See the AWS API reference guide for AWS Key Management Service's 911// API operation CreateKey for usage and error information. 912// 913// Returned Error Codes: 914// * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocumentException" 915// The request was rejected because the specified policy is not syntactically 916// or semantically correct. 917// 918// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" 919// The system timed out while trying to fulfill the request. The request can 920// be retried. 921// 922// * ErrCodeInvalidArnException "InvalidArnException" 923// The request was rejected because a specified ARN, or an ARN in a key policy, 924// is not valid. 925// 926// * ErrCodeUnsupportedOperationException "UnsupportedOperationException" 927// The request was rejected because a specified parameter is not supported or 928// a specified resource is not valid for this operation. 
929// 930// * ErrCodeInternalException "KMSInternalException" 931// The request was rejected because an internal exception occurred. The request 932// can be retried. 933// 934// * ErrCodeLimitExceededException "LimitExceededException" 935// The request was rejected because a limit was exceeded. For more information, 936// see Limits (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html) 937// in the AWS Key Management Service Developer Guide. 938// 939// * ErrCodeTagException "TagException" 940// The request was rejected because one or more tags are not valid. 941// 942// * ErrCodeCustomKeyStoreNotFoundException "CustomKeyStoreNotFoundException" 943// The request was rejected because AWS KMS cannot find a custom key store with 944// the specified key store name or ID. 945// 946// * ErrCodeCustomKeyStoreInvalidStateException "CustomKeyStoreInvalidStateException" 947// The request was rejected because of the ConnectionState of the custom key 948// store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores 949// operation. 950// 951// This exception is thrown under the following conditions: 952// 953// * You requested the CreateKey or GenerateRandom operation in a custom 954// key store that is not connected. These operations are valid only when 955// the custom key store ConnectionState is CONNECTED. 956// 957// * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation 958// on a custom key store that is not disconnected. This operation is valid 959// only when the custom key store ConnectionState is DISCONNECTED. 960// 961// * You requested the ConnectCustomKeyStore operation on a custom key store 962// with a ConnectionState of DISCONNECTING or FAILED. This operation is valid 963// for all other ConnectionState values. 
964// 965// * ErrCodeCloudHsmClusterInvalidConfigurationException "CloudHsmClusterInvalidConfigurationException" 966// The request was rejected because the associated AWS CloudHSM cluster did 967// not meet the configuration requirements for a custom key store. 968// 969// * The cluster must be configured with private subnets in at least two 970// different Availability Zones in the Region. 971// 972// * The security group for the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) 973// (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound 974// rules that allow TCP traffic on ports 2223-2225. The Source in the inbound 975// rules and the Destination in the outbound rules must match the security 976// group ID. These rules are set by default when you create the cluster. 977// Do not delete or change them. To get information about a particular security 978// group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html) 979// operation. 980// 981// * The cluster must contain at least as many HSMs as the operation requires. 982// To add HSMs, use the AWS CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html) 983// operation. For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey 984// operations, the AWS CloudHSM cluster must have at least two active HSMs, 985// each in a different Availability Zone. For the ConnectCustomKeyStore operation, 986// the AWS CloudHSM must contain at least one active HSM. 987// 988// For information about the requirements for an AWS CloudHSM cluster that is 989// associated with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) 990// in the AWS Key Management Service Developer Guide. 
//   For information about
//   creating a private subnet for an AWS CloudHSM cluster, see Create a Private
//   Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html)
//   in the AWS CloudHSM User Guide. For information about cluster security groups,
//   see Configure a Default Security Group (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html)
//   in the AWS CloudHSM User Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKey
func (c *KMS) CreateKey(input *CreateKeyInput) (*CreateKeyOutput, error) {
	r, resp := c.CreateKeyRequest(input)
	// resp is handed back even when Send fails; treat it as valid only when
	// the returned error is nil.
	err := r.Send()
	return resp, err
}

// CreateKeyWithContext is the same as CreateKey with the addition of
// the ability to pass a context and additional request options.
//
// See CreateKey for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) CreateKeyWithContext(ctx aws.Context, input *CreateKeyInput, opts ...request.Option) (*CreateKeyOutput, error) {
	r, resp := c.CreateKeyRequest(input)
	// The context is attached first, then the caller's request options.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opDecrypt = "Decrypt"

// DecryptRequest generates a "aws/request.Request" representing the
// client's request for the Decrypt operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See Decrypt for more information on using the Decrypt
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the DecryptRequest method.
//    req, resp := client.DecryptRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Decrypt
func (c *KMS) DecryptRequest(input *DecryptInput) (req *request.Request, output *DecryptOutput) {
	// NOTE(review): the doc example prints resp; a Decrypt response
	// presumably carries decrypted data, so production callers should not
	// print or log it. Confirm against DecryptOutput.

	// A nil input is replaced with an empty parameter struct before the
	// request is built.
	if input == nil {
		input = new(DecryptInput)
	}
	output = new(DecryptOutput)

	operation := &request.Operation{
		Name:       opDecrypt,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}
	req = c.newRequest(operation, input, output)
	return req, output
}

// Decrypt API operation for AWS Key Management Service.
//
// Decrypts ciphertext that was encrypted by an AWS KMS customer master key (CMK)
// using any of the following operations:
//
//    * Encrypt
//
//    * GenerateDataKey
//
//    * GenerateDataKeyPair
//
//    * GenerateDataKeyWithoutPlaintext
//
//    * GenerateDataKeyPairWithoutPlaintext
//
// You can use this operation to decrypt ciphertext that was encrypted under
// a symmetric or asymmetric CMK. When the CMK is asymmetric, you must specify
// the CMK and the encryption algorithm that was used to encrypt the ciphertext.
// For information about symmetric and asymmetric CMKs, see Using Symmetric
// and Asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html)
// in the AWS Key Management Service Developer Guide.
1082// 1083// The Decrypt operation also decrypts ciphertext that was encrypted outside 1084// of AWS KMS by the public key in an AWS KMS asymmetric CMK. However, it cannot 1085// decrypt ciphertext produced by other libraries, such as the AWS Encryption 1086// SDK (https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/) 1087// or Amazon S3 client-side encryption (https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html). 1088// These libraries return a ciphertext format that is incompatible with AWS 1089// KMS. 1090// 1091// If the ciphertext was encrypted under a symmetric CMK, you do not need to 1092// specify the CMK or the encryption algorithm. AWS KMS can get this information 1093// from metadata that it adds to the symmetric ciphertext blob. However, if 1094// you prefer, you can specify the KeyId to ensure that a particular CMK is 1095// used to decrypt the ciphertext. If you specify a different CMK than the one 1096// used to encrypt the ciphertext, the Decrypt operation fails. 1097// 1098// Whenever possible, use key policies to give users permission to call the 1099// Decrypt operation on a particular CMK, instead of using IAM policies. Otherwise, 1100// you might create an IAM user policy that gives the user Decrypt permission 1101// on all CMKs. This user could decrypt ciphertext that was encrypted by CMKs 1102// in other accounts if the key policy for the cross-account CMK permits it. 1103// If you must use an IAM policy for Decrypt permissions, limit the user to 1104// particular CMKs or particular trusted accounts. 1105// 1106// The CMK that you use for this operation must be in a compatible key state. 1107// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 1108// in the AWS Key Management Service Developer Guide. 1109// 1110// Returns awserr.Error for service API and SDK errors. 
Use runtime type assertions 1111// with awserr.Error's Code and Message methods to get detailed information about 1112// the error. 1113// 1114// See the AWS API reference guide for AWS Key Management Service's 1115// API operation Decrypt for usage and error information. 1116// 1117// Returned Error Codes: 1118// * ErrCodeNotFoundException "NotFoundException" 1119// The request was rejected because the specified entity or resource could not 1120// be found. 1121// 1122// * ErrCodeDisabledException "DisabledException" 1123// The request was rejected because the specified CMK is not enabled. 1124// 1125// * ErrCodeInvalidCiphertextException "InvalidCiphertextException" 1126// From the Decrypt or ReEncrypt operation, the request was rejected because 1127// the specified ciphertext, or additional authenticated data incorporated into 1128// the ciphertext, such as the encryption context, is corrupted, missing, or 1129// otherwise invalid. 1130// 1131// From the ImportKeyMaterial operation, the request was rejected because AWS 1132// KMS could not decrypt the encrypted (wrapped) key material. 1133// 1134// * ErrCodeKeyUnavailableException "KeyUnavailableException" 1135// The request was rejected because the specified CMK was not available. You 1136// can retry the request. 1137// 1138// * ErrCodeIncorrectKeyException "IncorrectKeyException" 1139// The request was rejected because the specified CMK cannot decrypt the data. 1140// The KeyId in a Decrypt request and the SourceKeyId in a ReEncrypt request 1141// must identify the same CMK that was used to encrypt the ciphertext. 1142// 1143// * ErrCodeInvalidKeyUsageException "InvalidKeyUsageException" 1144// The request was rejected for one of the following reasons: 1145// 1146// * The KeyUsage value of the CMK is incompatible with the API operation. 
//
//      * The encryption algorithm or signing algorithm specified for the operation
//      is incompatible with the type of key material in the CMK (CustomerMasterKeySpec).
//
//   For encrypting, decrypting, re-encrypting, and generating data keys, the
//   KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage
//   must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation.
//
//   To find the encryption or signing algorithms supported for a particular CMK,
//   use the DescribeKey operation.
//
//   * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * ErrCodeInvalidGrantTokenException "InvalidGrantTokenException"
//   The request was rejected because the specified grant token is not valid.
//
//   * ErrCodeInternalException "KMSInternalException"
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * ErrCodeInvalidStateException "KMSInvalidStateException"
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Decrypt
func (c *KMS) Decrypt(input *DecryptInput) (*DecryptOutput, error) {
	r, resp := c.DecryptRequest(input)
	// NOTE(review): on success resp presumably carries the decrypted data;
	// keep it out of logs and error strings. It is returned even when Send
	// fails and is only meaningful when the error is nil.
	err := r.Send()
	return resp, err
}

// DecryptWithContext is the same as Decrypt with the addition of
// the ability to pass a context and additional request options.
//
// See Decrypt for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) DecryptWithContext(ctx aws.Context, input *DecryptInput, opts ...request.Option) (*DecryptOutput, error) {
	r, resp := c.DecryptRequest(input)
	// The context is attached first, then the caller's request options.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	// NOTE(review): on success resp presumably carries the decrypted data;
	// keep it out of logs and error strings.
	err := r.Send()
	return resp, err
}

const opDeleteAlias = "DeleteAlias"

// DeleteAliasRequest generates a "aws/request.Request" representing the
// client's request for the DeleteAlias operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See DeleteAlias for more information on using the DeleteAlias
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the DeleteAliasRequest method.
//    req, resp := client.DeleteAliasRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteAlias
func (c *KMS) DeleteAliasRequest(input *DeleteAliasInput) (req *request.Request, output *DeleteAliasOutput) {
	// A nil input is replaced with an empty parameter struct before the
	// request is built.
	if input == nil {
		input = new(DeleteAliasInput)
	}
	output = new(DeleteAliasOutput)

	operation := &request.Operation{
		Name:       opDeleteAlias,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}
	req = c.newRequest(operation, input, output)
	// The JSON-RPC unmarshal handler is swapped for the discard-body handler,
	// presumably so the response body is dropped rather than decoded into
	// output (inferred from the handler's name).
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}

// DeleteAlias API operation for AWS Key Management Service.
//
// Deletes the specified alias. You cannot perform this operation on an alias
// in a different AWS account.
//
// Because an alias is not a property of a CMK, you can delete and change the
// aliases of a CMK without affecting the CMK. Also, aliases do not appear in
// the response from the DescribeKey operation. To get the aliases of all CMKs,
// use the ListAliases operation.
//
// Each CMK can have multiple aliases. To change the alias of a CMK, use DeleteAlias
// to delete the current alias and CreateAlias to create a new alias. To associate
// an existing alias with a different customer master key (CMK), call UpdateAlias.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation DeleteAlias for usage and error information.
//
// Returned Error Codes:
//   * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * ErrCodeNotFoundException "NotFoundException"
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * ErrCodeInternalException "KMSInternalException"
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * ErrCodeInvalidStateException "KMSInvalidStateException"
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteAlias
func (c *KMS) DeleteAlias(input *DeleteAliasInput) (*DeleteAliasOutput, error) {
	r, resp := c.DeleteAliasRequest(input)
	// resp is handed back even when Send fails; treat it as valid only when
	// the returned error is nil.
	err := r.Send()
	return resp, err
}

// DeleteAliasWithContext is the same as DeleteAlias with the addition of
// the ability to pass a context and additional request options.
//
// See DeleteAlias for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) DeleteAliasWithContext(ctx aws.Context, input *DeleteAliasInput, opts ...request.Option) (*DeleteAliasOutput, error) {
	r, resp := c.DeleteAliasRequest(input)
	// The context drives request cancellation; it is attached before the
	// caller's per-request options are applied.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opDeleteCustomKeyStore = "DeleteCustomKeyStore"

// DeleteCustomKeyStoreRequest generates a "aws/request.Request" representing the
// client's request for the DeleteCustomKeyStore operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See DeleteCustomKeyStore for more information on using the DeleteCustomKeyStore
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the DeleteCustomKeyStoreRequest method.
//    req, resp := client.DeleteCustomKeyStoreRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteCustomKeyStore
func (c *KMS) DeleteCustomKeyStoreRequest(input *DeleteCustomKeyStoreInput) (req *request.Request, output *DeleteCustomKeyStoreOutput) {
	// A nil input is replaced by an empty value so a request can always be built.
	if input == nil {
		input = &DeleteCustomKeyStoreInput{}
	}
	output = &DeleteCustomKeyStoreOutput{}

	// The operation is sent as a POST to the service root path.
	req = c.newRequest(&request.Operation{
		Name:       opDeleteCustomKeyStore,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)

	// Replace the JSON-RPC unmarshal handler with the discard-body handler, so
	// the response body is not decoded into output.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}

// DeleteCustomKeyStore API operation for AWS Key Management Service.
//
// Deletes a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html).
// This operation does not delete the AWS CloudHSM cluster that is associated
// with the custom key store, or affect any users or keys in the cluster.
//
// The custom key store that you delete cannot contain any AWS KMS customer
// master keys (CMKs) (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys).
// Before deleting the key store, verify that you will never need to use any
// of the CMKs in the key store for any cryptographic operations. Then, use
// ScheduleKeyDeletion to delete the AWS KMS customer master keys (CMKs) from
// the key store. When the scheduled waiting period expires, the ScheduleKeyDeletion
// operation deletes the CMKs. Then it makes a best effort to delete the key
// material from the associated cluster.
// However, you might need to manually
// delete the orphaned key material (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key)
// from the cluster and its backups.
//
// After all CMKs are deleted from AWS KMS, use DisconnectCustomKeyStore to
// disconnect the key store from AWS KMS. Then, you can delete the custom key
// store.
//
// Instead of deleting the custom key store, consider using DisconnectCustomKeyStore
// to disconnect it from AWS KMS. While the key store is disconnected, you cannot
// create or use the CMKs in the key store. But, you do not need to delete CMKs
// and you can reconnect a disconnected custom key store at any time.
//
// If the operation succeeds, it returns a JSON object with no properties.
//
// This operation is part of the Custom Key Store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
// in AWS KMS, which combines the convenience and extensive integration
// of AWS KMS with the isolation and control of a single-tenant key store.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation DeleteCustomKeyStore for usage and error information.
//
// Returned Error Codes:
//   * ErrCodeCustomKeyStoreHasCMKsException "CustomKeyStoreHasCMKsException"
//   The request was rejected because the custom key store contains AWS KMS customer
//   master keys (CMKs). After verifying that you do not need to use the CMKs,
//   use the ScheduleKeyDeletion operation to delete the CMKs. After they are
//   deleted, you can delete the custom key store.
//
//   * ErrCodeCustomKeyStoreInvalidStateException "CustomKeyStoreInvalidStateException"
//   The request was rejected because of the ConnectionState of the custom key
//   store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores
//   operation.
//
//   This exception is thrown under the following conditions:
//
//      * You requested the CreateKey or GenerateRandom operation in a custom
//      key store that is not connected. These operations are valid only when
//      the custom key store ConnectionState is CONNECTED.
//
//      * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation
//      on a custom key store that is not disconnected. This operation is valid
//      only when the custom key store ConnectionState is DISCONNECTED.
//
//      * You requested the ConnectCustomKeyStore operation on a custom key store
//      with a ConnectionState of DISCONNECTING or FAILED. This operation is valid
//      for all other ConnectionState values.
//
//   * ErrCodeCustomKeyStoreNotFoundException "CustomKeyStoreNotFoundException"
//   The request was rejected because AWS KMS cannot find a custom key store with
//   the specified key store name or ID.
//
//   * ErrCodeInternalException "KMSInternalException"
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteCustomKeyStore
func (c *KMS) DeleteCustomKeyStore(input *DeleteCustomKeyStoreInput) (*DeleteCustomKeyStoreOutput, error) {
	r, resp := c.DeleteCustomKeyStoreRequest(input)
	// Send performs the call; resp is only valid when the returned error is nil.
	err := r.Send()
	return resp, err
}

// DeleteCustomKeyStoreWithContext is the same as DeleteCustomKeyStore with the addition of
// the ability to pass a context and additional request options.
//
// See DeleteCustomKeyStore for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) DeleteCustomKeyStoreWithContext(ctx aws.Context, input *DeleteCustomKeyStoreInput, opts ...request.Option) (*DeleteCustomKeyStoreOutput, error) {
	r, resp := c.DeleteCustomKeyStoreRequest(input)
	// The context drives request cancellation; it is attached before the
	// caller's per-request options are applied.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opDeleteImportedKeyMaterial = "DeleteImportedKeyMaterial"

// DeleteImportedKeyMaterialRequest generates a "aws/request.Request" representing the
// client's request for the DeleteImportedKeyMaterial operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See DeleteImportedKeyMaterial for more information on using the DeleteImportedKeyMaterial
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the DeleteImportedKeyMaterialRequest method.
//    req, resp := client.DeleteImportedKeyMaterialRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteImportedKeyMaterial
func (c *KMS) DeleteImportedKeyMaterialRequest(input *DeleteImportedKeyMaterialInput) (req *request.Request, output *DeleteImportedKeyMaterialOutput) {
	// A nil input is replaced by an empty value so a request can always be built.
	if input == nil {
		input = &DeleteImportedKeyMaterialInput{}
	}
	output = &DeleteImportedKeyMaterialOutput{}

	// The operation is sent as a POST to the service root path.
	req = c.newRequest(&request.Operation{
		Name:       opDeleteImportedKeyMaterial,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)

	// Replace the JSON-RPC unmarshal handler with the discard-body handler, so
	// the response body is not decoded into output.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}

// DeleteImportedKeyMaterial API operation for AWS Key Management Service.
//
// Deletes key material that you previously imported. This operation makes the
// specified customer master key (CMK) unusable. For more information about
// importing key material into AWS KMS, see Importing Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html)
// in the AWS Key Management Service Developer Guide. You cannot perform this
// operation on a CMK in a different AWS account.
//
// When the specified CMK is in the PendingDeletion state, this operation does
// not change the CMK's state. Otherwise, it changes the CMK's state to PendingImport.
//
// After you delete key material, you can use ImportKeyMaterial to reimport
// the same key material into the CMK.
//
// The CMK that you use for this operation must be in a compatible key state.
// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
// in the AWS Key Management Service Developer Guide.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation DeleteImportedKeyMaterial for usage and error information.
//
// Returned Error Codes:
//   * ErrCodeInvalidArnException "InvalidArnException"
//   The request was rejected because a specified ARN, or an ARN in a key policy,
//   is not valid.
//
//   * ErrCodeUnsupportedOperationException "UnsupportedOperationException"
//   The request was rejected because a specified parameter is not supported or
//   a specified resource is not valid for this operation.
//
//   * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * ErrCodeNotFoundException "NotFoundException"
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * ErrCodeInternalException "KMSInternalException"
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * ErrCodeInvalidStateException "KMSInvalidStateException"
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteImportedKeyMaterial
func (c *KMS) DeleteImportedKeyMaterial(input *DeleteImportedKeyMaterialInput) (*DeleteImportedKeyMaterialOutput, error) {
	// Security note: per the operation's documentation this makes the CMK
	// unusable until the same key material is reimported with
	// ImportKeyMaterial, so a protected copy of that material must exist if
	// data encrypted under the CMK has to stay decryptable.
	r, resp := c.DeleteImportedKeyMaterialRequest(input)
	// Send performs the call; resp is only valid when the returned error is nil.
	err := r.Send()
	return resp, err
}

// DeleteImportedKeyMaterialWithContext is the same as DeleteImportedKeyMaterial with the addition of
// the ability to pass a context and additional request options.
//
// See DeleteImportedKeyMaterial for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) DeleteImportedKeyMaterialWithContext(ctx aws.Context, input *DeleteImportedKeyMaterialInput, opts ...request.Option) (*DeleteImportedKeyMaterialOutput, error) {
	r, resp := c.DeleteImportedKeyMaterialRequest(input)
	// The context drives request cancellation; it is attached before the
	// caller's per-request options are applied.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opDescribeCustomKeyStores = "DescribeCustomKeyStores"

// DescribeCustomKeyStoresRequest generates a "aws/request.Request" representing the
// client's request for the DescribeCustomKeyStores operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See DescribeCustomKeyStores for more information on using the DescribeCustomKeyStores
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the DescribeCustomKeyStoresRequest method.
//    req, resp := client.DescribeCustomKeyStoresRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeCustomKeyStores
func (c *KMS) DescribeCustomKeyStoresRequest(input *DescribeCustomKeyStoresInput) (req *request.Request, output *DescribeCustomKeyStoresOutput) {
	// A nil input is replaced by an empty value so a request can always be built.
	if input == nil {
		input = &DescribeCustomKeyStoresInput{}
	}
	output = &DescribeCustomKeyStoresOutput{}

	// The operation is sent as a POST to the service root path.
	req = c.newRequest(&request.Operation{
		Name:       opDescribeCustomKeyStores,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	return req, output
}

// DescribeCustomKeyStores API operation for AWS Key Management Service.
//
// Gets information about custom key stores (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
// in the account and region.
//
// This operation is part of the Custom Key Store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
// in AWS KMS, which combines the convenience and extensive integration
// of AWS KMS with the isolation and control of a single-tenant key store.
//
// By default, this operation returns information about all custom key stores
// in the account and region. To get only information about a particular custom
// key store, use either the CustomKeyStoreName or CustomKeyStoreId parameter
// (but not both).
//
// To determine whether the custom key store is connected to its AWS CloudHSM
// cluster, use the ConnectionState element in the response. If an attempt to
// connect the custom key store failed, the ConnectionState value is FAILED
// and the ConnectionErrorCode element in the response indicates the cause of
// the failure. For help interpreting the ConnectionErrorCode, see CustomKeyStoresListEntry.
//
// Custom key stores have a DISCONNECTED connection state if the key store has
// never been connected or you use the DisconnectCustomKeyStore operation to
// disconnect it. If your custom key store state is CONNECTED but you are having
// trouble using it, make sure that its associated AWS CloudHSM cluster is active
// and contains the minimum number of HSMs required for the operation, if any.
//
// For help repairing your custom key store, see the Troubleshooting Custom
// Key Stores (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html)
// topic in the AWS Key Management Service Developer Guide.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation DescribeCustomKeyStores for usage and error information.
//
// Returned Error Codes:
//   * ErrCodeCustomKeyStoreNotFoundException "CustomKeyStoreNotFoundException"
//   The request was rejected because AWS KMS cannot find a custom key store with
//   the specified key store name or ID.
//
//   * ErrCodeInternalException "KMSInternalException"
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeCustomKeyStores
func (c *KMS) DescribeCustomKeyStores(input *DescribeCustomKeyStoresInput) (*DescribeCustomKeyStoresOutput, error) {
	r, resp := c.DescribeCustomKeyStoresRequest(input)
	// Send performs the call; resp is only valid when the returned error is nil.
	err := r.Send()
	return resp, err
}

// DescribeCustomKeyStoresWithContext is the same as DescribeCustomKeyStores with the addition of
// the ability to pass a context and additional request options.
//
// See DescribeCustomKeyStores for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) DescribeCustomKeyStoresWithContext(ctx aws.Context, input *DescribeCustomKeyStoresInput, opts ...request.Option) (*DescribeCustomKeyStoresOutput, error) {
	r, resp := c.DescribeCustomKeyStoresRequest(input)
	// The context drives request cancellation; it is attached before the
	// caller's per-request options are applied.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opDescribeKey = "DescribeKey"

// DescribeKeyRequest generates a "aws/request.Request" representing the
// client's request for the DescribeKey operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See DescribeKey for more information on using the DescribeKey
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the DescribeKeyRequest method.
//    req, resp := client.DescribeKeyRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeKey
func (c *KMS) DescribeKeyRequest(input *DescribeKeyInput) (req *request.Request, output *DescribeKeyOutput) {
	// A nil input is replaced by an empty value so a request can always be built.
	if input == nil {
		input = &DescribeKeyInput{}
	}
	output = &DescribeKeyOutput{}

	// The operation is sent as a POST to the service root path.
	req = c.newRequest(&request.Operation{
		Name:       opDescribeKey,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	return req, output
}

// DescribeKey API operation for AWS Key Management Service.
//
// Provides detailed information about a customer master key (CMK). You can
// run DescribeKey on a customer managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk)
// or an AWS managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk).
//
// This detailed information includes the key ARN, creation date (and deletion
// date, if applicable), the key state, and the origin and expiration date (if
// any) of the key material. For CMKs in custom key stores, it includes information
// about the custom key store, such as the key store ID and the AWS CloudHSM
// cluster ID. It includes fields, like KeySpec, that help you distinguish symmetric
// from asymmetric CMKs. It also provides information that is particularly important
// to asymmetric CMKs, such as the key usage (encryption or signing) and the
// encryption algorithms or signing algorithms that the CMK supports.
//
// DescribeKey does not return the following information:
//
//    * Aliases associated with the CMK. To get this information, use ListAliases.
//
//    * Whether automatic key rotation is enabled on the CMK. To get this information,
//    use GetKeyRotationStatus. Also, some key states prevent a CMK from being
//    automatically rotated. For details, see How Automatic Key Rotation Works
//    (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-how-it-works)
//    in AWS Key Management Service Developer Guide.
//
//    * Tags on the CMK. To get this information, use ListResourceTags.
//
//    * Key policies and grants on the CMK. To get this information, use GetKeyPolicy
//    and ListGrants.
//
// If you call the DescribeKey operation on a predefined AWS alias, that is,
// an AWS alias with no key ID, AWS KMS creates an AWS managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys).
// Then, it associates the alias with the new CMK, and returns the KeyId and
// Arn of the new CMK in the response.
//
// To perform this operation on a CMK in a different AWS account, specify the
// key ARN or alias ARN in the value of the KeyId parameter.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation DescribeKey for usage and error information.
//
// Returned Error Codes:
//   * ErrCodeNotFoundException "NotFoundException"
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * ErrCodeInvalidArnException "InvalidArnException"
//   The request was rejected because a specified ARN, or an ARN in a key policy,
//   is not valid.
//
//   * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
//   The system timed out while trying to fulfill the request.
//   The request can be retried.
//
//   * ErrCodeInternalException "KMSInternalException"
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeKey
func (c *KMS) DescribeKey(input *DescribeKeyInput) (*DescribeKeyOutput, error) {
	// Note: per the operation's documentation, calling DescribeKey on a
	// predefined AWS alias that has no key ID makes AWS KMS create an AWS
	// managed CMK, so the call is not purely read-only in that case.
	r, resp := c.DescribeKeyRequest(input)
	// Send performs the call; resp is only valid when the returned error is nil.
	err := r.Send()
	return resp, err
}

// DescribeKeyWithContext is the same as DescribeKey with the addition of
// the ability to pass a context and additional request options.
//
// See DescribeKey for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) DescribeKeyWithContext(ctx aws.Context, input *DescribeKeyInput, opts ...request.Option) (*DescribeKeyOutput, error) {
	r, resp := c.DescribeKeyRequest(input)
	// The context drives request cancellation; it is attached before the
	// caller's per-request options are applied.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opDisableKey = "DisableKey"

// DisableKeyRequest generates a "aws/request.Request" representing the
// client's request for the DisableKey operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See DisableKey for more information on using the DisableKey
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle.
// Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the DisableKeyRequest method.
//    req, resp := client.DisableKeyRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKey
func (c *KMS) DisableKeyRequest(input *DisableKeyInput) (req *request.Request, output *DisableKeyOutput) {
	// A nil input is replaced by an empty value so a request can always be built.
	if input == nil {
		input = &DisableKeyInput{}
	}
	output = &DisableKeyOutput{}

	// The operation is sent as a POST to the service root path.
	req = c.newRequest(&request.Operation{
		Name:       opDisableKey,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)

	// Replace the JSON-RPC unmarshal handler with the discard-body handler, so
	// the response body is not decoded into output.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}

// DisableKey API operation for AWS Key Management Service.
//
// Sets the state of a customer master key (CMK) to disabled, thereby preventing
// its use for cryptographic operations. You cannot perform this operation on
// a CMK in a different AWS account.
//
// For more information about how key state affects the use of a CMK, see How
// Key State Affects the Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
// in the AWS Key Management Service Developer Guide.
//
// The CMK that you use for this operation must be in a compatible key state.
// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
// in the AWS Key Management Service Developer Guide.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation DisableKey for usage and error information.
//
// Returned Error Codes:
//   * ErrCodeNotFoundException "NotFoundException"
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * ErrCodeInvalidArnException "InvalidArnException"
//   The request was rejected because a specified ARN, or an ARN in a key policy,
//   is not valid.
//
//   * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * ErrCodeInternalException "KMSInternalException"
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * ErrCodeInvalidStateException "KMSInvalidStateException"
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKey
func (c *KMS) DisableKey(input *DisableKeyInput) (*DisableKeyOutput, error) {
	// Security note: per the operation's documentation a disabled CMK cannot
	// be used for cryptographic operations, so workloads that depend on it
	// start failing. Unexpected DisableKey calls are worth alerting on in the
	// account's API audit log (AWS CloudTrail).
	r, resp := c.DisableKeyRequest(input)
	// Send performs the call; resp is only valid when the returned error is nil.
	err := r.Send()
	return resp, err
}

// DisableKeyWithContext is the same as DisableKey with the addition of
// the ability to pass a context and additional request options.
//
// See DisableKey for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests.
// See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) DisableKeyWithContext(ctx aws.Context, input *DisableKeyInput, opts ...request.Option) (*DisableKeyOutput, error) {
	r, resp := c.DisableKeyRequest(input)
	// The context drives request cancellation; it is attached before the
	// caller's per-request options are applied.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opDisableKeyRotation = "DisableKeyRotation"

// DisableKeyRotationRequest generates a "aws/request.Request" representing the
// client's request for the DisableKeyRotation operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See DisableKeyRotation for more information on using the DisableKeyRotation
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the DisableKeyRotationRequest method.
//    req, resp := client.DisableKeyRotationRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKeyRotation
func (c *KMS) DisableKeyRotationRequest(input *DisableKeyRotationInput) (req *request.Request, output *DisableKeyRotationOutput) {
	// A nil input is replaced by an empty value so a request can always be built.
	if input == nil {
		input = &DisableKeyRotationInput{}
	}
	output = &DisableKeyRotationOutput{}

	// The operation is sent as a POST to the service root path.
	req = c.newRequest(&request.Operation{
		Name:       opDisableKeyRotation,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)

	// Replace the JSON-RPC unmarshal handler with the discard-body handler, so
	// the response body is not decoded into output.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}

// DisableKeyRotation API operation for AWS Key Management Service.
//
// Disables automatic rotation of the key material (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html)
// for the specified symmetric customer master key (CMK).
//
// You cannot enable automatic rotation of asymmetric CMKs, CMKs with imported
// key material, or CMKs in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html).
// You cannot perform this operation on a CMK in a different AWS account.
//
// The CMK that you use for this operation must be in a compatible key state.
// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
// in the AWS Key Management Service Developer Guide.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
1969// 1970// See the AWS API reference guide for AWS Key Management Service's 1971// API operation DisableKeyRotation for usage and error information. 1972// 1973// Returned Error Codes: 1974// * ErrCodeNotFoundException "NotFoundException" 1975// The request was rejected because the specified entity or resource could not 1976// be found. 1977// 1978// * ErrCodeDisabledException "DisabledException" 1979// The request was rejected because the specified CMK is not enabled. 1980// 1981// * ErrCodeInvalidArnException "InvalidArnException" 1982// The request was rejected because a specified ARN, or an ARN in a key policy, 1983// is not valid. 1984// 1985// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" 1986// The system timed out while trying to fulfill the request. The request can 1987// be retried. 1988// 1989// * ErrCodeInternalException "KMSInternalException" 1990// The request was rejected because an internal exception occurred. The request 1991// can be retried. 1992// 1993// * ErrCodeInvalidStateException "KMSInvalidStateException" 1994// The request was rejected because the state of the specified resource is not 1995// valid for this request. 1996// 1997// For more information about how key state affects the use of a CMK, see How 1998// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 1999// in the AWS Key Management Service Developer Guide . 2000// 2001// * ErrCodeUnsupportedOperationException "UnsupportedOperationException" 2002// The request was rejected because a specified parameter is not supported or 2003// a specified resource is not valid for this operation. 
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKeyRotation
func (c *KMS) DisableKeyRotation(input *DisableKeyRotationInput) (*DisableKeyRotationOutput, error) {
	r, resp := c.DisableKeyRotationRequest(input)
	// Security-relevant change: on success the CMK's key material is no longer
	// rotated automatically. resp is returned even when Send fails, so callers
	// must check err first.
	err := r.Send()
	return resp, err
}

// DisableKeyRotationWithContext behaves like DisableKeyRotation and additionally
// accepts a context and per-request options.
//
// See DisableKeyRotation for details on how to use this API operation.
//
// The context must be non-nil; a nil context causes a panic. It is used for
// request cancellation. In the future the SDK may create sub-contexts for
// http.Requests. See https://golang.org/pkg/context/ for more information on
// using Contexts.
func (c *KMS) DisableKeyRotationWithContext(ctx aws.Context, input *DisableKeyRotationInput, opts ...request.Option) (*DisableKeyRotationOutput, error) {
	r, resp := c.DisableKeyRotationRequest(input)
	// Context and per-request options are attached before the call is sent.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opDisconnectCustomKeyStore = "DisconnectCustomKeyStore"

// DisconnectCustomKeyStoreRequest generates a "aws/request.Request" representing the
// client's request for the DisconnectCustomKeyStore operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See DisconnectCustomKeyStore for more information on using the DisconnectCustomKeyStore
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the DisconnectCustomKeyStoreRequest method.
//    req, resp := client.DisconnectCustomKeyStoreRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisconnectCustomKeyStore
func (c *KMS) DisconnectCustomKeyStoreRequest(input *DisconnectCustomKeyStoreInput) (req *request.Request, output *DisconnectCustomKeyStoreOutput) {
	// A nil input is replaced with an empty DisconnectCustomKeyStoreInput
	// before the request is built.
	if input == nil {
		input = new(DisconnectCustomKeyStoreInput)
	}

	output = new(DisconnectCustomKeyStoreOutput)
	req = c.newRequest(&request.Operation{
		Name:       opDisconnectCustomKeyStore,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)

	// The JSON-RPC unmarshal handler is swapped for the discard-body handler.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}

// DisconnectCustomKeyStore API operation for AWS Key Management Service.
//
// Disconnects the custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
// from its associated AWS CloudHSM cluster. While a custom key store is disconnected,
// you can manage the custom key store and its customer master keys (CMKs),
// but you cannot create or use CMKs in the custom key store. You can reconnect
// the custom key store at any time.
//
// While a custom key store is disconnected, all attempts to create customer
// master keys (CMKs) in the custom key store or to use existing CMKs in cryptographic
// operations will fail. This action can prevent users from storing and accessing
// sensitive data.
//
// To find the connection state of a custom key store, use the DescribeCustomKeyStores
// operation. To reconnect a custom key store, use the ConnectCustomKeyStore
// operation.
//
// If the operation succeeds, it returns a JSON object with no properties.
//
// This operation is part of the Custom Key Store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
// in AWS KMS, which combines the convenience and extensive integration
// of AWS KMS with the isolation and control of a single-tenant key store.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation DisconnectCustomKeyStore for usage and error information.
//
// Returned Error Codes:
//   * ErrCodeCustomKeyStoreInvalidStateException "CustomKeyStoreInvalidStateException"
//   The request was rejected because of the ConnectionState of the custom key
//   store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores
//   operation.
//
//   This exception is thrown under the following conditions:
//
//      * You requested the CreateKey or GenerateRandom operation in a custom
//      key store that is not connected. These operations are valid only when
//      the custom key store ConnectionState is CONNECTED.
//
//      * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation
//      on a custom key store that is not disconnected. This operation is valid
//      only when the custom key store ConnectionState is DISCONNECTED.
//
//      * You requested the ConnectCustomKeyStore operation on a custom key store
//      with a ConnectionState of DISCONNECTING or FAILED. This operation is valid
//      for all other ConnectionState values.
//
//   * ErrCodeCustomKeyStoreNotFoundException "CustomKeyStoreNotFoundException"
//   The request was rejected because AWS KMS cannot find a custom key store with
//   the specified key store name or ID.
//
//   * ErrCodeInternalException "KMSInternalException"
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisconnectCustomKeyStore
func (c *KMS) DisconnectCustomKeyStore(input *DisconnectCustomKeyStoreInput) (*DisconnectCustomKeyStoreOutput, error) {
	r, resp := c.DisconnectCustomKeyStoreRequest(input)
	// Availability impact: while the store is disconnected, creating CMKs in it
	// or using its existing CMKs in cryptographic operations fails. resp is
	// returned even when Send fails, so callers must check err first.
	err := r.Send()
	return resp, err
}

// DisconnectCustomKeyStoreWithContext behaves like DisconnectCustomKeyStore and
// additionally accepts a context and per-request options.
//
// See DisconnectCustomKeyStore for details on how to use this API operation.
//
// The context must be non-nil; a nil context causes a panic. It is used for
// request cancellation. In the future the SDK may create sub-contexts for
// http.Requests. See https://golang.org/pkg/context/ for more information on
// using Contexts.
func (c *KMS) DisconnectCustomKeyStoreWithContext(ctx aws.Context, input *DisconnectCustomKeyStoreInput, opts ...request.Option) (*DisconnectCustomKeyStoreOutput, error) {
	r, resp := c.DisconnectCustomKeyStoreRequest(input)
	// Context and per-request options are attached before the call is sent.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opEnableKey = "EnableKey"

// EnableKeyRequest generates a "aws/request.Request" representing the
// client's request for the EnableKey operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See EnableKey for more information on using the EnableKey
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the EnableKeyRequest method.
//    req, resp := client.EnableKeyRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKey
func (c *KMS) EnableKeyRequest(input *EnableKeyInput) (req *request.Request, output *EnableKeyOutput) {
	// A nil input is replaced with an empty EnableKeyInput before the request
	// is built.
	if input == nil {
		input = new(EnableKeyInput)
	}

	output = new(EnableKeyOutput)
	req = c.newRequest(&request.Operation{
		Name:       opEnableKey,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)

	// The JSON-RPC unmarshal handler is swapped for the discard-body handler.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}

// EnableKey API operation for AWS Key Management Service.
//
// Sets the key state of a customer master key (CMK) to enabled. This allows
// you to use the CMK for cryptographic operations. You cannot perform this
// operation on a CMK in a different AWS account.
//
// The CMK that you use for this operation must be in a compatible key state.
// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
// in the AWS Key Management Service Developer Guide.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
2206// 2207// See the AWS API reference guide for AWS Key Management Service's 2208// API operation EnableKey for usage and error information. 2209// 2210// Returned Error Codes: 2211// * ErrCodeNotFoundException "NotFoundException" 2212// The request was rejected because the specified entity or resource could not 2213// be found. 2214// 2215// * ErrCodeInvalidArnException "InvalidArnException" 2216// The request was rejected because a specified ARN, or an ARN in a key policy, 2217// is not valid. 2218// 2219// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" 2220// The system timed out while trying to fulfill the request. The request can 2221// be retried. 2222// 2223// * ErrCodeInternalException "KMSInternalException" 2224// The request was rejected because an internal exception occurred. The request 2225// can be retried. 2226// 2227// * ErrCodeLimitExceededException "LimitExceededException" 2228// The request was rejected because a limit was exceeded. For more information, 2229// see Limits (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html) 2230// in the AWS Key Management Service Developer Guide. 2231// 2232// * ErrCodeInvalidStateException "KMSInvalidStateException" 2233// The request was rejected because the state of the specified resource is not 2234// valid for this request. 2235// 2236// For more information about how key state affects the use of a CMK, see How 2237// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 2238// in the AWS Key Management Service Developer Guide . 
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKey
func (c *KMS) EnableKey(input *EnableKeyInput) (*EnableKeyOutput, error) {
	r, resp := c.EnableKeyRequest(input)
	// resp is returned even when Send fails, so callers must check err first.
	err := r.Send()
	return resp, err
}

// EnableKeyWithContext behaves like EnableKey and additionally accepts a
// context and per-request options.
//
// See EnableKey for details on how to use this API operation.
//
// The context must be non-nil; a nil context causes a panic. It is used for
// request cancellation. In the future the SDK may create sub-contexts for
// http.Requests. See https://golang.org/pkg/context/ for more information on
// using Contexts.
func (c *KMS) EnableKeyWithContext(ctx aws.Context, input *EnableKeyInput, opts ...request.Option) (*EnableKeyOutput, error) {
	r, resp := c.EnableKeyRequest(input)
	// Context and per-request options are attached before the call is sent.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opEnableKeyRotation = "EnableKeyRotation"

// EnableKeyRotationRequest generates a "aws/request.Request" representing the
// client's request for the EnableKeyRotation operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See EnableKeyRotation for more information on using the EnableKeyRotation
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the EnableKeyRotationRequest method.
//    req, resp := client.EnableKeyRotationRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotation
func (c *KMS) EnableKeyRotationRequest(input *EnableKeyRotationInput) (req *request.Request, output *EnableKeyRotationOutput) {
	// A nil input is replaced with an empty EnableKeyRotationInput before the
	// request is built.
	if input == nil {
		input = new(EnableKeyRotationInput)
	}

	output = new(EnableKeyRotationOutput)
	req = c.newRequest(&request.Operation{
		Name:       opEnableKeyRotation,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)

	// The JSON-RPC unmarshal handler is swapped for the discard-body handler.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}

// EnableKeyRotation API operation for AWS Key Management Service.
//
// Enables automatic rotation of the key material (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html)
// for the specified symmetric customer master key (CMK). You cannot perform
// this operation on a CMK in a different AWS account.
//
// You cannot enable automatic rotation of asymmetric CMKs, CMKs with imported
// key material, or CMKs in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html).
//
// The CMK that you use for this operation must be in a compatible key state.
// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
// in the AWS Key Management Service Developer Guide.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
2321// 2322// See the AWS API reference guide for AWS Key Management Service's 2323// API operation EnableKeyRotation for usage and error information. 2324// 2325// Returned Error Codes: 2326// * ErrCodeNotFoundException "NotFoundException" 2327// The request was rejected because the specified entity or resource could not 2328// be found. 2329// 2330// * ErrCodeDisabledException "DisabledException" 2331// The request was rejected because the specified CMK is not enabled. 2332// 2333// * ErrCodeInvalidArnException "InvalidArnException" 2334// The request was rejected because a specified ARN, or an ARN in a key policy, 2335// is not valid. 2336// 2337// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" 2338// The system timed out while trying to fulfill the request. The request can 2339// be retried. 2340// 2341// * ErrCodeInternalException "KMSInternalException" 2342// The request was rejected because an internal exception occurred. The request 2343// can be retried. 2344// 2345// * ErrCodeInvalidStateException "KMSInvalidStateException" 2346// The request was rejected because the state of the specified resource is not 2347// valid for this request. 2348// 2349// For more information about how key state affects the use of a CMK, see How 2350// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 2351// in the AWS Key Management Service Developer Guide . 2352// 2353// * ErrCodeUnsupportedOperationException "UnsupportedOperationException" 2354// The request was rejected because a specified parameter is not supported or 2355// a specified resource is not valid for this operation. 
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotation
func (c *KMS) EnableKeyRotation(input *EnableKeyRotationInput) (*EnableKeyRotationOutput, error) {
	r, resp := c.EnableKeyRotationRequest(input)
	// resp is returned even when Send fails, so callers must check err first.
	err := r.Send()
	return resp, err
}

// EnableKeyRotationWithContext behaves like EnableKeyRotation and additionally
// accepts a context and per-request options.
//
// See EnableKeyRotation for details on how to use this API operation.
//
// The context must be non-nil; a nil context causes a panic. It is used for
// request cancellation. In the future the SDK may create sub-contexts for
// http.Requests. See https://golang.org/pkg/context/ for more information on
// using Contexts.
func (c *KMS) EnableKeyRotationWithContext(ctx aws.Context, input *EnableKeyRotationInput, opts ...request.Option) (*EnableKeyRotationOutput, error) {
	r, resp := c.EnableKeyRotationRequest(input)
	// Context and per-request options are attached before the call is sent.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opEncrypt = "Encrypt"

// EncryptRequest generates a "aws/request.Request" representing the
// client's request for the Encrypt operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See Encrypt for more information on using the Encrypt
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the EncryptRequest method.
//    req, resp := client.EncryptRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Encrypt
func (c *KMS) EncryptRequest(input *EncryptInput) (req *request.Request, output *EncryptOutput) {
	// A nil input is replaced with an empty EncryptInput before the request is
	// built.
	if input == nil {
		input = new(EncryptInput)
	}

	output = new(EncryptOutput)
	req = c.newRequest(&request.Operation{
		Name:       opEncrypt,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	return req, output
}

// Encrypt API operation for AWS Key Management Service.
//
// Encrypts plaintext into ciphertext by using a customer master key (CMK).
// The Encrypt operation has two primary use cases:
//
//    * You can encrypt small amounts of arbitrary data, such as a personal
//    identifier or database password, or other sensitive information.
//
//    * You can use the Encrypt operation to move encrypted data from one AWS
//    region to another. In the first region, generate a data key and use the
//    plaintext key to encrypt the data. Then, in the new region, call the Encrypt
//    method on the same plaintext data key. Now, you can safely move the encrypted
//    data and encrypted data key to the new region, and decrypt in the new
//    region when necessary.
//
// You don't need to use the Encrypt operation to encrypt a data key. The GenerateDataKey
// and GenerateDataKeyPair operations return a plaintext data key and an encrypted
// copy of that data key.
//
// When you encrypt data, you must specify a symmetric or asymmetric CMK to
// use in the encryption operation. The CMK must have a KeyUsage value of ENCRYPT_DECRYPT.
// To find the KeyUsage of a CMK, use the DescribeKey operation.
2443// 2444// If you use a symmetric CMK, you can use an encryption context to add additional 2445// security to your encryption operation. If you specify an EncryptionContext 2446// when encrypting data, you must specify the same encryption context (a case-sensitive 2447// exact match) when decrypting the data. Otherwise, the request to decrypt 2448// fails with an InvalidCiphertextException. For more information, see Encryption 2449// Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) 2450// in the AWS Key Management Service Developer Guide. 2451// 2452// If you specify an asymmetric CMK, you must also specify the encryption algorithm. 2453// The algorithm must be compatible with the CMK type. 2454// 2455// When you use an asymmetric CMK to encrypt or reencrypt data, be sure to record 2456// the CMK and encryption algorithm that you choose. You will be required to 2457// provide the same CMK and encryption algorithm when you decrypt the data. 2458// If the CMK and algorithm do not match the values used to encrypt the data, 2459// the decrypt operation fails. 2460// 2461// You are not required to supply the CMK ID and encryption algorithm when you 2462// decrypt with symmetric CMKs because AWS KMS stores this information in the 2463// ciphertext blob. AWS KMS cannot store metadata in ciphertext generated with 2464// asymmetric keys. The standard format for asymmetric key ciphertext does not 2465// include configurable fields. 2466// 2467// The maximum size of the data that you can encrypt varies with the type of 2468// CMK and the encryption algorithm that you choose. 
2469// 2470// * Symmetric CMKs SYMMETRIC_DEFAULT: 4096 bytes 2471// 2472// * RSA_2048 RSAES_OAEP_SHA_1: 214 bytes RSAES_OAEP_SHA_256: 190 bytes 2473// 2474// * RSA_3072 RSAES_OAEP_SHA_1: 342 bytes RSAES_OAEP_SHA_256: 318 bytes 2475// 2476// * RSA_4096 RSAES_OAEP_SHA_1: 470 bytes RSAES_OAEP_SHA_256: 446 bytes 2477// 2478// The CMK that you use for this operation must be in a compatible key state. 2479// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 2480// in the AWS Key Management Service Developer Guide. 2481// 2482// To perform this operation on a CMK in a different AWS account, specify the 2483// key ARN or alias ARN in the value of the KeyId parameter. 2484// 2485// Returns awserr.Error for service API and SDK errors. Use runtime type assertions 2486// with awserr.Error's Code and Message methods to get detailed information about 2487// the error. 2488// 2489// See the AWS API reference guide for AWS Key Management Service's 2490// API operation Encrypt for usage and error information. 2491// 2492// Returned Error Codes: 2493// * ErrCodeNotFoundException "NotFoundException" 2494// The request was rejected because the specified entity or resource could not 2495// be found. 2496// 2497// * ErrCodeDisabledException "DisabledException" 2498// The request was rejected because the specified CMK is not enabled. 2499// 2500// * ErrCodeKeyUnavailableException "KeyUnavailableException" 2501// The request was rejected because the specified CMK was not available. You 2502// can retry the request. 2503// 2504// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" 2505// The system timed out while trying to fulfill the request. The request can 2506// be retried. 
//
//   * ErrCodeInvalidKeyUsageException "InvalidKeyUsageException"
//   The request was rejected for one of the following reasons:
//
//      * The KeyUsage value of the CMK is incompatible with the API operation.
//
//      * The encryption algorithm or signing algorithm specified for the operation
//      is incompatible with the type of key material in the CMK (CustomerMasterKeySpec).
//
//   For encrypting, decrypting, re-encrypting, and generating data keys, the
//   KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage
//   must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation.
//
//   To find the encryption or signing algorithms supported for a particular CMK,
//   use the DescribeKey operation.
//
//   * ErrCodeInvalidGrantTokenException "InvalidGrantTokenException"
//   The request was rejected because the specified grant token is not valid.
//
//   * ErrCodeInternalException "KMSInternalException"
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * ErrCodeInvalidStateException "KMSInvalidStateException"
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Encrypt
func (c *KMS) Encrypt(input *EncryptInput) (*EncryptOutput, error) {
	r, resp := c.EncryptRequest(input)
	// resp is returned even when Send fails, so callers must check err before
	// treating it as ciphertext.
	err := r.Send()
	return resp, err
}

// EncryptWithContext is the same as Encrypt with the addition of
// the ability to pass a context and additional request options.
//
// See Encrypt for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) EncryptWithContext(ctx aws.Context, input *EncryptInput, opts ...request.Option) (*EncryptOutput, error) {
	r, resp := c.EncryptRequest(input)
	// Context and per-request options are attached before the call is sent.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	// Callers must check err before relying on resp.
	err := r.Send()
	return resp, err
}

const opGenerateDataKey = "GenerateDataKey"

// GenerateDataKeyRequest generates a "aws/request.Request" representing the
// client's request for the GenerateDataKey operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See GenerateDataKey for more information on using the GenerateDataKey
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the GenerateDataKeyRequest method.
//    req, resp := client.GenerateDataKeyRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKey
func (c *KMS) GenerateDataKeyRequest(input *GenerateDataKeyInput) (req *request.Request, output *GenerateDataKeyOutput) {
	// A nil input is replaced with an empty GenerateDataKeyInput before the
	// request is built.
	if input == nil {
		input = new(GenerateDataKeyInput)
	}

	// After a successful Send, output carries the plaintext data key as well as
	// its encrypted copy; handle it as secret material.
	output = new(GenerateDataKeyOutput)
	req = c.newRequest(&request.Operation{
		Name:       opGenerateDataKey,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	return req, output
}

// GenerateDataKey API operation for AWS Key Management Service.
//
// Generates a unique symmetric data key. This operation returns a plaintext
// copy of the data key and a copy that is encrypted under a customer master
// key (CMK) that you specify. You can use the plaintext key to encrypt your
// data outside of AWS KMS and store the encrypted data key with the encrypted
// data.
//
// GenerateDataKey returns a unique data key for each request. The bytes in
// the key are not related to the caller or CMK that is used to encrypt the
// data key.
//
// To generate a data key, specify the symmetric CMK that will be used to encrypt
// the data key. You cannot use an asymmetric CMK to generate data keys.
//
// You must also specify the length of the data key. Use either the KeySpec
// or NumberOfBytes parameters (but not both). For 128-bit and 256-bit data
// keys, use the KeySpec parameter.
//
// If the operation succeeds, the plaintext copy of the data key is in the Plaintext
// field of the response, and the encrypted copy of the data key in the CiphertextBlob
// field.
//
// To get only an encrypted copy of the data key, use GenerateDataKeyWithoutPlaintext.
2626// To generate an asymmetric data key pair, use the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext 2627// operation. To get a cryptographically secure random byte string, use GenerateRandom. 2628// 2629// You can use the optional encryption context to add additional security to 2630// the encryption operation. If you specify an EncryptionContext, you must specify 2631// the same encryption context (a case-sensitive exact match) when decrypting 2632// the encrypted data key. Otherwise, the request to decrypt fails with an InvalidCiphertextException. 2633// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) 2634// in the AWS Key Management Service Developer Guide. 2635// 2636// The CMK that you use for this operation must be in a compatible key state. 2637// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 2638// in the AWS Key Management Service Developer Guide. 2639// 2640// We recommend that you use the following pattern to encrypt data locally in 2641// your application: 2642// 2643// Use the GenerateDataKey operation to get a data encryption key. 2644// 2645// Use the plaintext data key (returned in the Plaintext field of the response) 2646// to encrypt data locally, then erase the plaintext data key from memory. 2647// 2648// Store the encrypted data key (returned in the CiphertextBlob field of the 2649// response) alongside the locally encrypted data. 2650// 2651// To decrypt data locally: 2652// 2653// Use the Decrypt operation to decrypt the encrypted data key. The operation 2654// returns a plaintext copy of the data key. 2655// 2656// Use the plaintext data key to decrypt data locally, then erase the plaintext 2657// data key from memory. 2658// 2659// Returns awserr.Error for service API and SDK errors. 
Use runtime type assertions 2660// with awserr.Error's Code and Message methods to get detailed information about 2661// the error. 2662// 2663// See the AWS API reference guide for AWS Key Management Service's 2664// API operation GenerateDataKey for usage and error information. 2665// 2666// Returned Error Codes: 2667// * ErrCodeNotFoundException "NotFoundException" 2668// The request was rejected because the specified entity or resource could not 2669// be found. 2670// 2671// * ErrCodeDisabledException "DisabledException" 2672// The request was rejected because the specified CMK is not enabled. 2673// 2674// * ErrCodeKeyUnavailableException "KeyUnavailableException" 2675// The request was rejected because the specified CMK was not available. You 2676// can retry the request. 2677// 2678// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" 2679// The system timed out while trying to fulfill the request. The request can 2680// be retried. 2681// 2682// * ErrCodeInvalidKeyUsageException "InvalidKeyUsageException" 2683// The request was rejected for one of the following reasons: 2684// 2685// * The KeyUsage value of the CMK is incompatible with the API operation. 2686// 2687// * The encryption algorithm or signing algorithm specified for the operation 2688// is incompatible with the type of key material in the CMK (CustomerMasterKeySpec). 2689// 2690// For encrypting, decrypting, re-encrypting, and generating data keys, the 2691// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage 2692// must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation. 2693// 2694// To find the encryption or signing algorithms supported for a particular CMK, 2695// use the DescribeKey operation. 2696// 2697// * ErrCodeInvalidGrantTokenException "InvalidGrantTokenException" 2698// The request was rejected because the specified grant token is not valid. 
//
//   * ErrCodeInternalException "KMSInternalException"
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * ErrCodeInvalidStateException "KMSInvalidStateException"
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKey
func (c *KMS) GenerateDataKey(input *GenerateDataKeyInput) (*GenerateDataKeyOutput, error) {
	r, resp := c.GenerateDataKeyRequest(input)
	// resp is handed back together with whatever Send returns, so callers
	// must check the error before reading any key material from it.
	err := r.Send()
	return resp, err
}

// GenerateDataKeyWithContext is the same as GenerateDataKey with the addition of
// the ability to pass a context and additional request options.
//
// See GenerateDataKey for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) GenerateDataKeyWithContext(ctx aws.Context, input *GenerateDataKeyInput, opts ...request.Option) (*GenerateDataKeyOutput, error) {
	r, resp := c.GenerateDataKeyRequest(input)
	// The context is attached before the per-call options are applied; the
	// request is sent only after both.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opGenerateDataKeyPair = "GenerateDataKeyPair"

// GenerateDataKeyPairRequest generates a "aws/request.Request" representing the
// client's request for the GenerateDataKeyPair operation.
// The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See GenerateDataKeyPair for more information on using the GenerateDataKeyPair
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
//
//
//    // Example sending a request using the GenerateDataKeyPairRequest method.
//    req, resp := client.GenerateDataKeyPairRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// NOTE(review): for this operation resp carries a plaintext private key, so
// printing it as in the example above is only appropriate if the output type's
// string form redacts that field -- confirm before reusing the example in code
// that writes to logs.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPair
func (c *KMS) GenerateDataKeyPairRequest(input *GenerateDataKeyPairInput) (req *request.Request, output *GenerateDataKeyPairOutput) {
	// Substitute an empty input for nil so newRequest never sees a nil
	// parameters struct.
	if input == nil {
		input = &GenerateDataKeyPairInput{}
	}

	operation := &request.Operation{
		Name:       opGenerateDataKeyPair,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}

	// The freshly allocated output is passed to newRequest with the input.
	output = &GenerateDataKeyPairOutput{}
	req = c.newRequest(operation, input, output)
	return req, output
}

// GenerateDataKeyPair API operation for AWS Key Management Service.
//
// Generates a unique asymmetric data key pair. The GenerateDataKeyPair operation
// returns a plaintext public key, a plaintext private key, and a copy of the
// private key that is encrypted under the symmetric CMK you specify. You can
// use the data key pair to perform asymmetric cryptography outside of AWS KMS.
//
// GenerateDataKeyPair returns a unique data key pair for each request.
The 2784// bytes in the keys are not related to the caller or the CMK that is used to 2785// encrypt the private key. 2786// 2787// You can use the public key that GenerateDataKeyPair returns to encrypt data 2788// or verify a signature outside of AWS KMS. Then, store the encrypted private 2789// key with the data. When you are ready to decrypt data or sign a message, 2790// you can use the Decrypt operation to decrypt the encrypted private key. 2791// 2792// To generate a data key pair, you must specify a symmetric customer master 2793// key (CMK) to encrypt the private key in a data key pair. You cannot use an 2794// asymmetric CMK. To get the type of your CMK, use the DescribeKey operation. 2795// 2796// If you are using the data key pair to encrypt data, or for any operation 2797// where you don't immediately need a private key, consider using the GenerateDataKeyPairWithoutPlaintext 2798// operation. GenerateDataKeyPairWithoutPlaintext returns a plaintext public 2799// key and an encrypted private key, but omits the plaintext private key that 2800// you need only to decrypt ciphertext or sign a message. Later, when you need 2801// to decrypt the data or sign a message, use the Decrypt operation to decrypt 2802// the encrypted private key in the data key pair. 2803// 2804// You can use the optional encryption context to add additional security to 2805// the encryption operation. If you specify an EncryptionContext, you must specify 2806// the same encryption context (a case-sensitive exact match) when decrypting 2807// the encrypted data key. Otherwise, the request to decrypt fails with an InvalidCiphertextException. 2808// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) 2809// in the AWS Key Management Service Developer Guide. 2810// 2811// The CMK that you use for this operation must be in a compatible key state. 
2812// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 2813// in the AWS Key Management Service Developer Guide. 2814// 2815// Returns awserr.Error for service API and SDK errors. Use runtime type assertions 2816// with awserr.Error's Code and Message methods to get detailed information about 2817// the error. 2818// 2819// See the AWS API reference guide for AWS Key Management Service's 2820// API operation GenerateDataKeyPair for usage and error information. 2821// 2822// Returned Error Codes: 2823// * ErrCodeNotFoundException "NotFoundException" 2824// The request was rejected because the specified entity or resource could not 2825// be found. 2826// 2827// * ErrCodeDisabledException "DisabledException" 2828// The request was rejected because the specified CMK is not enabled. 2829// 2830// * ErrCodeKeyUnavailableException "KeyUnavailableException" 2831// The request was rejected because the specified CMK was not available. You 2832// can retry the request. 2833// 2834// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" 2835// The system timed out while trying to fulfill the request. The request can 2836// be retried. 2837// 2838// * ErrCodeInvalidKeyUsageException "InvalidKeyUsageException" 2839// The request was rejected for one of the following reasons: 2840// 2841// * The KeyUsage value of the CMK is incompatible with the API operation. 2842// 2843// * The encryption algorithm or signing algorithm specified for the operation 2844// is incompatible with the type of key material in the CMK (CustomerMasterKeySpec). 2845// 2846// For encrypting, decrypting, re-encrypting, and generating data keys, the 2847// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage 2848// must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation. 
//
//   To find the encryption or signing algorithms supported for a particular CMK,
//   use the DescribeKey operation.
//
//   * ErrCodeInvalidGrantTokenException "InvalidGrantTokenException"
//   The request was rejected because the specified grant token is not valid.
//
//   * ErrCodeInternalException "KMSInternalException"
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * ErrCodeInvalidStateException "KMSInvalidStateException"
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPair
func (c *KMS) GenerateDataKeyPair(input *GenerateDataKeyPairInput) (*GenerateDataKeyPairOutput, error) {
	r, resp := c.GenerateDataKeyPairRequest(input)
	// resp is handed back together with whatever Send returns, so callers
	// must check the error before reading any key material from it.
	err := r.Send()
	return resp, err
}

// GenerateDataKeyPairWithContext is the same as GenerateDataKeyPair with the addition of
// the ability to pass a context and additional request options.
//
// See GenerateDataKeyPair for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) GenerateDataKeyPairWithContext(ctx aws.Context, input *GenerateDataKeyPairInput, opts ...request.Option) (*GenerateDataKeyPairOutput, error) {
	r, resp := c.GenerateDataKeyPairRequest(input)
	// The context is attached before the per-call options are applied; the
	// request is sent only after both.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opGenerateDataKeyPairWithoutPlaintext = "GenerateDataKeyPairWithoutPlaintext"

// GenerateDataKeyPairWithoutPlaintextRequest generates a "aws/request.Request" representing the
// client's request for the GenerateDataKeyPairWithoutPlaintext operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See GenerateDataKeyPairWithoutPlaintext for more information on using the GenerateDataKeyPairWithoutPlaintext
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
//
//
//    // Example sending a request using the GenerateDataKeyPairWithoutPlaintextRequest method.
//    req, resp := client.GenerateDataKeyPairWithoutPlaintextRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintext
func (c *KMS) GenerateDataKeyPairWithoutPlaintextRequest(input *GenerateDataKeyPairWithoutPlaintextInput) (req *request.Request, output *GenerateDataKeyPairWithoutPlaintextOutput) {
	// A nil input is swapped for an empty value so newRequest always receives
	// a non-nil parameters struct.
	if input == nil {
		input = &GenerateDataKeyPairWithoutPlaintextInput{}
	}

	// output is allocated here and handed to newRequest together with input.
	output = &GenerateDataKeyPairWithoutPlaintextOutput{}
	req = c.newRequest(&request.Operation{
		Name:       opGenerateDataKeyPairWithoutPlaintext,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	return req, output
}

// GenerateDataKeyPairWithoutPlaintext API operation for AWS Key Management Service.
//
// Generates a unique asymmetric data key pair. The GenerateDataKeyPairWithoutPlaintext
// operation returns a plaintext public key and a copy of the private key that
// is encrypted under the symmetric CMK you specify. Unlike GenerateDataKeyPair,
// this operation does not return a plaintext private key.
//
// To generate a data key pair, you must specify a symmetric customer master
// key (CMK) to encrypt the private key in the data key pair. You cannot use
// an asymmetric CMK. To get the type of your CMK, use the KeySpec field in
// the DescribeKey response.
//
// You can use the public key that GenerateDataKeyPairWithoutPlaintext returns
// to encrypt data or verify a signature outside of AWS KMS. Then, store the
// encrypted private key with the data. When you are ready to decrypt data or
// sign a message, you can use the Decrypt operation to decrypt the encrypted
// private key.
2949// 2950// GenerateDataKeyPairWithoutPlaintext returns a unique data key pair for each 2951// request. The bytes in the key are not related to the caller or CMK that is 2952// used to encrypt the private key. 2953// 2954// You can use the optional encryption context to add additional security to 2955// the encryption operation. If you specify an EncryptionContext, you must specify 2956// the same encryption context (a case-sensitive exact match) when decrypting 2957// the encrypted data key. Otherwise, the request to decrypt fails with an InvalidCiphertextException. 2958// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) 2959// in the AWS Key Management Service Developer Guide. 2960// 2961// The CMK that you use for this operation must be in a compatible key state. 2962// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 2963// in the AWS Key Management Service Developer Guide. 2964// 2965// Returns awserr.Error for service API and SDK errors. Use runtime type assertions 2966// with awserr.Error's Code and Message methods to get detailed information about 2967// the error. 2968// 2969// See the AWS API reference guide for AWS Key Management Service's 2970// API operation GenerateDataKeyPairWithoutPlaintext for usage and error information. 2971// 2972// Returned Error Codes: 2973// * ErrCodeNotFoundException "NotFoundException" 2974// The request was rejected because the specified entity or resource could not 2975// be found. 2976// 2977// * ErrCodeDisabledException "DisabledException" 2978// The request was rejected because the specified CMK is not enabled. 2979// 2980// * ErrCodeKeyUnavailableException "KeyUnavailableException" 2981// The request was rejected because the specified CMK was not available. You 2982// can retry the request. 
2983// 2984// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" 2985// The system timed out while trying to fulfill the request. The request can 2986// be retried. 2987// 2988// * ErrCodeInvalidKeyUsageException "InvalidKeyUsageException" 2989// The request was rejected for one of the following reasons: 2990// 2991// * The KeyUsage value of the CMK is incompatible with the API operation. 2992// 2993// * The encryption algorithm or signing algorithm specified for the operation 2994// is incompatible with the type of key material in the CMK (CustomerMasterKeySpec). 2995// 2996// For encrypting, decrypting, re-encrypting, and generating data keys, the 2997// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage 2998// must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation. 2999// 3000// To find the encryption or signing algorithms supported for a particular CMK, 3001// use the DescribeKey operation. 3002// 3003// * ErrCodeInvalidGrantTokenException "InvalidGrantTokenException" 3004// The request was rejected because the specified grant token is not valid. 3005// 3006// * ErrCodeInternalException "KMSInternalException" 3007// The request was rejected because an internal exception occurred. The request 3008// can be retried. 3009// 3010// * ErrCodeInvalidStateException "KMSInvalidStateException" 3011// The request was rejected because the state of the specified resource is not 3012// valid for this request. 3013// 3014// For more information about how key state affects the use of a CMK, see How 3015// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 3016// in the AWS Key Management Service Developer Guide . 
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintext
func (c *KMS) GenerateDataKeyPairWithoutPlaintext(input *GenerateDataKeyPairWithoutPlaintextInput) (*GenerateDataKeyPairWithoutPlaintextOutput, error) {
	r, resp := c.GenerateDataKeyPairWithoutPlaintextRequest(input)
	// resp is handed back together with whatever Send returns; check the
	// error before using it.
	err := r.Send()
	return resp, err
}

// GenerateDataKeyPairWithoutPlaintextWithContext is the same as GenerateDataKeyPairWithoutPlaintext with the addition of
// the ability to pass a context and additional request options.
//
// See GenerateDataKeyPairWithoutPlaintext for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) GenerateDataKeyPairWithoutPlaintextWithContext(ctx aws.Context, input *GenerateDataKeyPairWithoutPlaintextInput, opts ...request.Option) (*GenerateDataKeyPairWithoutPlaintextOutput, error) {
	r, resp := c.GenerateDataKeyPairWithoutPlaintextRequest(input)
	// The context is attached before the per-call options are applied; the
	// request is sent only after both.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opGenerateDataKeyWithoutPlaintext = "GenerateDataKeyWithoutPlaintext"

// GenerateDataKeyWithoutPlaintextRequest generates a "aws/request.Request" representing the
// client's request for the GenerateDataKeyWithoutPlaintext operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See GenerateDataKeyWithoutPlaintext for more information on using the GenerateDataKeyWithoutPlaintext
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
//
//
//    // Example sending a request using the GenerateDataKeyWithoutPlaintextRequest method.
//    req, resp := client.GenerateDataKeyWithoutPlaintextRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintext
func (c *KMS) GenerateDataKeyWithoutPlaintextRequest(input *GenerateDataKeyWithoutPlaintextInput) (req *request.Request, output *GenerateDataKeyWithoutPlaintextOutput) {
	// Substitute an empty input for nil so newRequest never sees a nil
	// parameters struct.
	if input == nil {
		input = &GenerateDataKeyWithoutPlaintextInput{}
	}

	operation := &request.Operation{
		Name:       opGenerateDataKeyWithoutPlaintext,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}

	// The freshly allocated output is passed to newRequest with the input.
	output = &GenerateDataKeyWithoutPlaintextOutput{}
	req = c.newRequest(operation, input, output)
	return req, output
}

// GenerateDataKeyWithoutPlaintext API operation for AWS Key Management Service.
//
// Generates a unique symmetric data key. This operation returns a data key
// that is encrypted under a customer master key (CMK) that you specify. To
// request an asymmetric data key pair, use the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext
// operations.
//
// GenerateDataKeyWithoutPlaintext is identical to the GenerateDataKey operation
// except that it returns only the encrypted copy of the data key. This operation
// is useful for systems that need to encrypt data at some point, but not immediately.
// When you need to encrypt the data, you call the Decrypt operation on the
// encrypted copy of the key.
//
// It's also useful in distributed systems with different levels of trust. For
// example, you might store encrypted data in containers. One component of your
// system creates new containers and stores an encrypted data key with each
// container. Then, a different component puts the data into the containers.
// That component first decrypts the data key, uses the plaintext data key to
// encrypt data, puts the encrypted data into the container, and then destroys
// the plaintext data key. In this system, the component that creates the containers
// never sees the plaintext data key.
//
// GenerateDataKeyWithoutPlaintext returns a unique data key for each request.
// The bytes in the keys are not related to the caller or CMK that is used to
// encrypt the data key.
//
// To generate a data key, you must specify the symmetric customer master key
// (CMK) that is used to encrypt the data key. You cannot use an asymmetric
// CMK to generate a data key. To get the type of your CMK, use the KeySpec
// field in the DescribeKey response. You must also specify the length of the
// data key using either the KeySpec or NumberOfBytes field (but not both).
// For common key lengths (128-bit and 256-bit symmetric keys), use the KeySpec
// parameter.
//
// If the operation succeeds, you will find the plaintext copy of the data key
// in the Plaintext field of the response, and the encrypted copy of the data
// key in the CiphertextBlob field.
//
// NOTE(review): the paragraph above conflicts with the container example in
// this comment, where the calling component never sees the plaintext data key;
// confirm against GenerateDataKeyWithoutPlaintextOutput before relying on a
// Plaintext field.
//
// You can use the optional encryption context to add additional security to
// the encryption operation. If you specify an EncryptionContext, you must specify
// the same encryption context (a case-sensitive exact match) when decrypting
// the encrypted data key.
Otherwise, the request to decrypt fails with an InvalidCiphertextException. 3124// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) 3125// in the AWS Key Management Service Developer Guide. 3126// 3127// The CMK that you use for this operation must be in a compatible key state. 3128// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 3129// in the AWS Key Management Service Developer Guide. 3130// 3131// Returns awserr.Error for service API and SDK errors. Use runtime type assertions 3132// with awserr.Error's Code and Message methods to get detailed information about 3133// the error. 3134// 3135// See the AWS API reference guide for AWS Key Management Service's 3136// API operation GenerateDataKeyWithoutPlaintext for usage and error information. 3137// 3138// Returned Error Codes: 3139// * ErrCodeNotFoundException "NotFoundException" 3140// The request was rejected because the specified entity or resource could not 3141// be found. 3142// 3143// * ErrCodeDisabledException "DisabledException" 3144// The request was rejected because the specified CMK is not enabled. 3145// 3146// * ErrCodeKeyUnavailableException "KeyUnavailableException" 3147// The request was rejected because the specified CMK was not available. You 3148// can retry the request. 3149// 3150// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" 3151// The system timed out while trying to fulfill the request. The request can 3152// be retried. 3153// 3154// * ErrCodeInvalidKeyUsageException "InvalidKeyUsageException" 3155// The request was rejected for one of the following reasons: 3156// 3157// * The KeyUsage value of the CMK is incompatible with the API operation. 
//
//      * The encryption algorithm or signing algorithm specified for the operation
//      is incompatible with the type of key material in the CMK (CustomerMasterKeySpec).
//
//   For encrypting, decrypting, re-encrypting, and generating data keys, the
//   KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage
//   must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation.
//
//   To find the encryption or signing algorithms supported for a particular CMK,
//   use the DescribeKey operation.
//
//   * ErrCodeInvalidGrantTokenException "InvalidGrantTokenException"
//   The request was rejected because the specified grant token is not valid.
//
//   * ErrCodeInternalException "KMSInternalException"
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * ErrCodeInvalidStateException "KMSInvalidStateException"
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintext
func (c *KMS) GenerateDataKeyWithoutPlaintext(input *GenerateDataKeyWithoutPlaintextInput) (*GenerateDataKeyWithoutPlaintextOutput, error) {
	r, resp := c.GenerateDataKeyWithoutPlaintextRequest(input)
	// resp is handed back together with whatever Send returns; check the
	// error before using it.
	err := r.Send()
	return resp, err
}

// GenerateDataKeyWithoutPlaintextWithContext is the same as GenerateDataKeyWithoutPlaintext with the addition of
// the ability to pass a context and additional request options.
//
// See GenerateDataKeyWithoutPlaintext for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) GenerateDataKeyWithoutPlaintextWithContext(ctx aws.Context, input *GenerateDataKeyWithoutPlaintextInput, opts ...request.Option) (*GenerateDataKeyWithoutPlaintextOutput, error) {
	r, resp := c.GenerateDataKeyWithoutPlaintextRequest(input)
	// The context is attached before the per-call options are applied; the
	// request is sent only after both.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opGenerateRandom = "GenerateRandom"

// GenerateRandomRequest generates a "aws/request.Request" representing the
// client's request for the GenerateRandom operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See GenerateRandom for more information on using the GenerateRandom
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
//
//
//    // Example sending a request using the GenerateRandomRequest method.
//    req, resp := client.GenerateRandomRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandom
func (c *KMS) GenerateRandomRequest(input *GenerateRandomInput) (req *request.Request, output *GenerateRandomOutput) {
	// A nil input is swapped for an empty value so newRequest always receives
	// a non-nil parameters struct.
	if input == nil {
		input = &GenerateRandomInput{}
	}

	// output is allocated here and handed to newRequest together with input.
	output = &GenerateRandomOutput{}
	req = c.newRequest(&request.Operation{
		Name:       opGenerateRandom,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	return req, output
}

// GenerateRandom API operation for AWS Key Management Service.
//
// Returns a random byte string that is cryptographically secure.
//
// By default, the random byte string is generated in AWS KMS. To generate the
// byte string in the AWS CloudHSM cluster that is associated with a custom
// key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html),
// specify the custom key store ID.
//
// For more information about entropy and random number generation, see the
// AWS Key Management Service Cryptographic Details (https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf)
// whitepaper.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation GenerateRandom for usage and error information.
//
// Returned Error Codes:
//   * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * ErrCodeInternalException "KMSInternalException"
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * ErrCodeCustomKeyStoreNotFoundException "CustomKeyStoreNotFoundException"
//   The request was rejected because AWS KMS cannot find a custom key store with
//   the specified key store name or ID.
//
//   * ErrCodeCustomKeyStoreInvalidStateException "CustomKeyStoreInvalidStateException"
//   The request was rejected because of the ConnectionState of the custom key
//   store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores
//   operation.
//
//   This exception is thrown under the following conditions:
//
//      * You requested the CreateKey or GenerateRandom operation in a custom
//      key store that is not connected. These operations are valid only when
//      the custom key store ConnectionState is CONNECTED.
//
//      * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation
//      on a custom key store that is not disconnected. This operation is valid
//      only when the custom key store ConnectionState is DISCONNECTED.
//
//      * You requested the ConnectCustomKeyStore operation on a custom key store
//      with a ConnectionState of DISCONNECTING or FAILED. This operation is valid
//      for all other ConnectionState values.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandom
func (c *KMS) GenerateRandom(input *GenerateRandomInput) (*GenerateRandomOutput, error) {
	r, resp := c.GenerateRandomRequest(input)
	// resp is handed back together with whatever Send returns; check the
	// error before using the returned bytes.
	err := r.Send()
	return resp, err
}

// GenerateRandomWithContext is the same as GenerateRandom with the addition of
// the ability to pass a context and additional request options.
//
// See GenerateRandom for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) GenerateRandomWithContext(ctx aws.Context, input *GenerateRandomInput, opts ...request.Option) (*GenerateRandomOutput, error) {
	r, resp := c.GenerateRandomRequest(input)
	// The context is attached first, then the caller's options are applied.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	// resp is filled in only when Send succeeds; check the error first.
	err := r.Send()
	return resp, err
}

const opGetKeyPolicy = "GetKeyPolicy"

// GetKeyPolicyRequest generates an "aws/request.Request" representing the
// client's request for the GetKeyPolicy operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See GetKeyPolicy for more information on using the GetKeyPolicy
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
//
//
//    // Example sending a request using the GetKeyPolicyRequest method.
//    req, resp := client.GetKeyPolicyRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyPolicy
func (c *KMS) GetKeyPolicyRequest(input *GetKeyPolicyInput) (req *request.Request, output *GetKeyPolicyOutput) {
	// Substitute an empty input for nil so newRequest never receives a nil input.
	if input == nil {
		input = &GetKeyPolicyInput{}
	}
	output = &GetKeyPolicyOutput{}

	// Operation descriptor: a POST to "/" under the GetKeyPolicy operation name.
	operation := request.Operation{
		Name:       opGetKeyPolicy,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}
	req = c.newRequest(&operation, input, output)
	return req, output
}

// GetKeyPolicy API operation for AWS Key Management Service.
//
// Gets a key policy attached to the specified customer master key (CMK). You
// cannot perform this operation on a CMK in a different AWS account.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation GetKeyPolicy for usage and error information.
//
// Returned Error Codes:
//   * ErrCodeNotFoundException "NotFoundException"
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * ErrCodeInvalidArnException "InvalidArnException"
//   The request was rejected because a specified ARN, or an ARN in a key policy,
//   is not valid.
//
//   * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * ErrCodeInternalException "KMSInternalException"
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * ErrCodeInvalidStateException "KMSInvalidStateException"
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyPolicy
func (c *KMS) GetKeyPolicy(input *GetKeyPolicyInput) (*GetKeyPolicyOutput, error) {
	r, resp := c.GetKeyPolicyRequest(input)
	// resp is handed back even when Send fails; it is filled in only on
	// success, so callers must check the error before using it.
	err := r.Send()
	return resp, err
}

// GetKeyPolicyWithContext is the same as GetKeyPolicy with the addition of
// the ability to pass a context and additional request options.
//
// See GetKeyPolicy for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) GetKeyPolicyWithContext(ctx aws.Context, input *GetKeyPolicyInput, opts ...request.Option) (*GetKeyPolicyOutput, error) {
	r, resp := c.GetKeyPolicyRequest(input)
	// The context is attached first, then the caller's options are applied.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	// resp is filled in only when Send succeeds; check the error first.
	err := r.Send()
	return resp, err
}

const opGetKeyRotationStatus = "GetKeyRotationStatus"

// GetKeyRotationStatusRequest generates an "aws/request.Request" representing the
// client's request for the GetKeyRotationStatus operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See GetKeyRotationStatus for more information on using the GetKeyRotationStatus
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
//
//
//    // Example sending a request using the GetKeyRotationStatusRequest method.
//    req, resp := client.GetKeyRotationStatusRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyRotationStatus
func (c *KMS) GetKeyRotationStatusRequest(input *GetKeyRotationStatusInput) (req *request.Request, output *GetKeyRotationStatusOutput) {
	// Substitute an empty input for nil so newRequest never receives a nil input.
	if input == nil {
		input = &GetKeyRotationStatusInput{}
	}
	output = &GetKeyRotationStatusOutput{}

	// Operation descriptor: a POST to "/" under the GetKeyRotationStatus operation name.
	operation := request.Operation{
		Name:       opGetKeyRotationStatus,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}
	req = c.newRequest(&operation, input, output)
	return req, output
}

// GetKeyRotationStatus API operation for AWS Key Management Service.
//
// Gets a Boolean value that indicates whether automatic rotation of the key
// material (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html)
// is enabled for the specified customer master key (CMK).
//
// You cannot enable automatic rotation of asymmetric CMKs, CMKs with imported
// key material, or CMKs in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html).
// The key rotation status for these CMKs is always false.
//
// The CMK that you use for this operation must be in a compatible key state.
// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
// in the AWS Key Management Service Developer Guide.
//
//    * Disabled: The key rotation status does not change when you disable a
//    CMK. However, while the CMK is disabled, AWS KMS does not rotate the backing
//    key.
//
//    * Pending deletion: While a CMK is pending deletion, its key rotation
//    status is false and AWS KMS does not rotate the backing key. If you cancel
//    the deletion, the original key rotation status is restored.
//
// To perform this operation on a CMK in a different AWS account, specify the
// key ARN in the value of the KeyId parameter.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation GetKeyRotationStatus for usage and error information.
//
// Returned Error Codes:
//   * ErrCodeNotFoundException "NotFoundException"
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * ErrCodeInvalidArnException "InvalidArnException"
//   The request was rejected because a specified ARN, or an ARN in a key policy,
//   is not valid.
//
//   * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * ErrCodeInternalException "KMSInternalException"
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * ErrCodeInvalidStateException "KMSInvalidStateException"
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
//   * ErrCodeUnsupportedOperationException "UnsupportedOperationException"
//   The request was rejected because a specified parameter is not supported or
//   a specified resource is not valid for this operation.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyRotationStatus
func (c *KMS) GetKeyRotationStatus(input *GetKeyRotationStatusInput) (*GetKeyRotationStatusOutput, error) {
	r, resp := c.GetKeyRotationStatusRequest(input)
	// resp is handed back even when Send fails; it is filled in only on
	// success, so callers must check the error before using it.
	err := r.Send()
	return resp, err
}

// GetKeyRotationStatusWithContext is the same as GetKeyRotationStatus with the addition of
// the ability to pass a context and additional request options.
//
// See GetKeyRotationStatus for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) GetKeyRotationStatusWithContext(ctx aws.Context, input *GetKeyRotationStatusInput, opts ...request.Option) (*GetKeyRotationStatusOutput, error) {
	r, resp := c.GetKeyRotationStatusRequest(input)
	// The context is attached first, then the caller's options are applied.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	// resp is filled in only when Send succeeds; check the error first.
	err := r.Send()
	return resp, err
}

const opGetParametersForImport = "GetParametersForImport"

// GetParametersForImportRequest generates an "aws/request.Request" representing the
// client's request for the GetParametersForImport operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See GetParametersForImport for more information on using the GetParametersForImport
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
//
//
//    // Example sending a request using the GetParametersForImportRequest method.
//    req, resp := client.GetParametersForImportRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImport
func (c *KMS) GetParametersForImportRequest(input *GetParametersForImportInput) (req *request.Request, output *GetParametersForImportOutput) {
	// Substitute an empty input for nil so newRequest never receives a nil input.
	if input == nil {
		input = &GetParametersForImportInput{}
	}
	output = &GetParametersForImportOutput{}

	// Operation descriptor: a POST to "/" under the GetParametersForImport operation name.
	operation := request.Operation{
		Name:       opGetParametersForImport,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}
	req = c.newRequest(&operation, input, output)
	return req, output
}

// GetParametersForImport API operation for AWS Key Management Service.
//
// Returns the items you need to import key material into a symmetric, customer
// managed customer master key (CMK).
// For more information about importing key
// material into AWS KMS, see Importing Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html)
// in the AWS Key Management Service Developer Guide.
//
// This operation returns a public key and an import token. Use the public key
// to encrypt the symmetric key material. Store the import token to send with
// a subsequent ImportKeyMaterial request.
//
// You must specify the key ID of the symmetric CMK into which you will import
// key material. This CMK's Origin must be EXTERNAL. You must also specify the
// wrapping algorithm and type of wrapping key (public key) that you will use
// to encrypt the key material. You cannot perform this operation on an asymmetric
// CMK or on any CMK in a different AWS account.
//
// To import key material, you must use the public key and import token from
// the same response. These items are valid for 24 hours. The expiration date
// and time appear in the GetParametersForImport response. You cannot use an
// expired token in an ImportKeyMaterial request. If your key and token expire,
// send another GetParametersForImport request.
//
// The CMK that you use for this operation must be in a compatible key state.
// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
// in the AWS Key Management Service Developer Guide.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation GetParametersForImport for usage and error information.
//
// Returned Error Codes:
//   * ErrCodeInvalidArnException "InvalidArnException"
//   The request was rejected because a specified ARN, or an ARN in a key policy,
//   is not valid.
//
//   * ErrCodeUnsupportedOperationException "UnsupportedOperationException"
//   The request was rejected because a specified parameter is not supported or
//   a specified resource is not valid for this operation.
//
//   * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * ErrCodeNotFoundException "NotFoundException"
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * ErrCodeInternalException "KMSInternalException"
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * ErrCodeInvalidStateException "KMSInvalidStateException"
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImport
func (c *KMS) GetParametersForImport(input *GetParametersForImportInput) (*GetParametersForImportOutput, error) {
	r, resp := c.GetParametersForImportRequest(input)
	// resp is handed back even when Send fails; it is filled in only on
	// success, so callers must check the error before using it.
	err := r.Send()
	return resp, err
}

// GetParametersForImportWithContext is the same as GetParametersForImport with the addition of
// the ability to pass a context and additional request options.
//
// See GetParametersForImport for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) GetParametersForImportWithContext(ctx aws.Context, input *GetParametersForImportInput, opts ...request.Option) (*GetParametersForImportOutput, error) {
	r, resp := c.GetParametersForImportRequest(input)
	// The context is attached first, then the caller's options are applied.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	// resp is filled in only when Send succeeds; check the error first.
	err := r.Send()
	return resp, err
}

const opGetPublicKey = "GetPublicKey"

// GetPublicKeyRequest generates an "aws/request.Request" representing the
// client's request for the GetPublicKey operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See GetPublicKey for more information on using the GetPublicKey
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
//
//
//    // Example sending a request using the GetPublicKeyRequest method.
//    req, resp := client.GetPublicKeyRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKey
func (c *KMS) GetPublicKeyRequest(input *GetPublicKeyInput) (req *request.Request, output *GetPublicKeyOutput) {
	// Substitute an empty input for nil so newRequest never receives a nil input.
	if input == nil {
		input = &GetPublicKeyInput{}
	}
	output = &GetPublicKeyOutput{}

	// Operation descriptor: a POST to "/" under the GetPublicKey operation name.
	operation := request.Operation{
		Name:       opGetPublicKey,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}
	req = c.newRequest(&operation, input, output)
	return req, output
}

// GetPublicKey API operation for AWS Key Management Service.
//
// Returns the public key of an asymmetric CMK. Unlike the private key of an
// asymmetric CMK, which never leaves AWS KMS unencrypted, callers with kms:GetPublicKey
// permission can download the public key of an asymmetric CMK. You can share
// the public key to allow others to encrypt messages and verify signatures
// outside of AWS KMS. For information about symmetric and asymmetric CMKs,
// see Using Symmetric and Asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html)
// in the AWS Key Management Service Developer Guide.
//
// You do not need to download the public key. Instead, you can use the public
// key within AWS KMS by calling the Encrypt, ReEncrypt, or Verify operations
// with the identifier of an asymmetric CMK. When you use the public key within
// AWS KMS, you benefit from the authentication, authorization, and logging
// that are part of every AWS KMS operation. You also reduce the risk of encrypting
// data that cannot be decrypted. These features are not effective outside of
// AWS KMS.
// For details, see Special Considerations for Downloading Public Keys
// (https://docs.aws.amazon.com/kms/latest/developerguide/download-public-key.html#download-public-key-considerations).
//
// To help you use the public key safely outside of AWS KMS, GetPublicKey returns
// important information about the public key in the response, including:
//
//    * CustomerMasterKeySpec (https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-CustomerMasterKeySpec):
//    The type of key material in the public key, such as RSA_4096 or ECC_NIST_P521.
//
//    * KeyUsage (https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-KeyUsage):
//    Whether the key is used for encryption or signing.
//
//    * EncryptionAlgorithms (https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-EncryptionAlgorithms)
//    or SigningAlgorithms (https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-SigningAlgorithms):
//    A list of the encryption algorithms or the signing algorithms for the
//    key.
//
// Although AWS KMS cannot enforce these restrictions on external operations,
// it is crucial that you use this information to prevent the public key from
// being used improperly. For example, you can prevent a public signing key
// from being used to encrypt data, or prevent a public key from being used with
// an encryption algorithm that is not supported by AWS KMS. You can also avoid
// errors, such as using the wrong signing algorithm in a verification operation.
//
// The CMK that you use for this operation must be in a compatible key state.
// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
// in the AWS Key Management Service Developer Guide.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation GetPublicKey for usage and error information.
//
// Returned Error Codes:
//   * ErrCodeNotFoundException "NotFoundException"
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * ErrCodeDisabledException "DisabledException"
//   The request was rejected because the specified CMK is not enabled.
//
//   * ErrCodeKeyUnavailableException "KeyUnavailableException"
//   The request was rejected because the specified CMK was not available. You
//   can retry the request.
//
//   * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * ErrCodeUnsupportedOperationException "UnsupportedOperationException"
//   The request was rejected because a specified parameter is not supported or
//   a specified resource is not valid for this operation.
//
//   * ErrCodeInvalidArnException "InvalidArnException"
//   The request was rejected because a specified ARN, or an ARN in a key policy,
//   is not valid.
//
//   * ErrCodeInvalidGrantTokenException "InvalidGrantTokenException"
//   The request was rejected because the specified grant token is not valid.
//
//   * ErrCodeInvalidKeyUsageException "InvalidKeyUsageException"
//   The request was rejected for one of the following reasons:
//
//      * The KeyUsage value of the CMK is incompatible with the API operation.
//
//      * The encryption algorithm or signing algorithm specified for the operation
//      is incompatible with the type of key material in the CMK (CustomerMasterKeySpec).
//
//   For encrypting, decrypting, re-encrypting, and generating data keys, the
//   KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage
//   must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation.
//
//   To find the encryption or signing algorithms supported for a particular CMK,
//   use the DescribeKey operation.
//
//   * ErrCodeInternalException "KMSInternalException"
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * ErrCodeInvalidStateException "KMSInvalidStateException"
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKey
func (c *KMS) GetPublicKey(input *GetPublicKeyInput) (*GetPublicKeyOutput, error) {
	r, resp := c.GetPublicKeyRequest(input)
	// resp is handed back even when Send fails; it is filled in only on
	// success, so callers must check the error before using it.
	err := r.Send()
	return resp, err
}

// GetPublicKeyWithContext is the same as GetPublicKey with the addition of
// the ability to pass a context and additional request options.
//
// See GetPublicKey for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation.
// If the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) GetPublicKeyWithContext(ctx aws.Context, input *GetPublicKeyInput, opts ...request.Option) (*GetPublicKeyOutput, error) {
	r, resp := c.GetPublicKeyRequest(input)
	// The context is attached first, then the caller's options are applied.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	// resp is filled in only when Send succeeds; check the error first.
	err := r.Send()
	return resp, err
}

const opImportKeyMaterial = "ImportKeyMaterial"

// ImportKeyMaterialRequest generates an "aws/request.Request" representing the
// client's request for the ImportKeyMaterial operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See ImportKeyMaterial for more information on using the ImportKeyMaterial
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
//
//
//    // Example sending a request using the ImportKeyMaterialRequest method.
//    req, resp := client.ImportKeyMaterialRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ImportKeyMaterial
func (c *KMS) ImportKeyMaterialRequest(input *ImportKeyMaterialInput) (req *request.Request, output *ImportKeyMaterialOutput) {
	// Substitute an empty input for nil so newRequest never receives a nil input.
	if input == nil {
		input = &ImportKeyMaterialInput{}
	}
	output = &ImportKeyMaterialOutput{}

	// Operation descriptor: a POST to "/" under the ImportKeyMaterial operation name.
	operation := request.Operation{
		Name:       opImportKeyMaterial,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}
	req = c.newRequest(&operation, input, output)

	// The JSON-RPC unmarshal handler is swapped for the discard-body handler,
	// so the response body is not decoded into output.
	// NOTE(review): presumably because this operation returns no response
	// fields — confirm against ImportKeyMaterialOutput.
	unmarshalers := &req.Handlers.Unmarshal
	unmarshalers.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}

// ImportKeyMaterial API operation for AWS Key Management Service.
//
// Imports key material into an existing symmetric AWS KMS customer master key
// (CMK) that was created without key material. After you successfully import
// key material into a CMK, you can reimport the same key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material)
// into that CMK, but you cannot import different key material.
//
// You cannot perform this operation on an asymmetric CMK or on any CMK in a
// different AWS account. For more information about creating CMKs with no key
// material and then importing key material, see Importing Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html)
// in the AWS Key Management Service Developer Guide.
//
// Before using this operation, call GetParametersForImport. Its response includes
// a public key and an import token. Use the public key to encrypt the key material.
// Then, submit the import token from the same GetParametersForImport response.
//
// When calling this operation, you must specify the following values:
//
//    * The key ID or key ARN of a CMK with no key material. Its Origin must
//    be EXTERNAL. To create a CMK with no key material, call CreateKey and
//    set the value of its Origin parameter to EXTERNAL. To get the Origin of
//    a CMK, call DescribeKey.
//
//    * The encrypted key material. To get the public key to encrypt the key
//    material, call GetParametersForImport.
//
//    * The import token that GetParametersForImport returned. You must use
//    a public key and token from the same GetParametersForImport response.
//
//    * Whether the key material expires and if so, when. If you set an expiration
//    date, AWS KMS deletes the key material from the CMK on the specified date,
//    and the CMK becomes unusable. To use the CMK again, you must reimport
//    the same key material. The only way to change an expiration date is by
//    reimporting the same key material and specifying a new expiration date.
//
// When this operation is successful, the key state of the CMK changes from
// PendingImport to Enabled, and you can use the CMK.
//
// If this operation fails, use the exception to help determine the problem.
// If the error is related to the key material, the import token, or wrapping
// key, use GetParametersForImport to get a new public key and import token
// for the CMK and repeat the import procedure. For help, see How To Import
// Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#importing-keys-overview)
// in the AWS Key Management Service Developer Guide.
//
// The CMK that you use for this operation must be in a compatible key state.
// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
// in the AWS Key Management Service Developer Guide.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation ImportKeyMaterial for usage and error information.
//
// Returned Error Codes:
//   * ErrCodeInvalidArnException "InvalidArnException"
//   The request was rejected because a specified ARN, or an ARN in a key policy,
//   is not valid.
//
//   * ErrCodeUnsupportedOperationException "UnsupportedOperationException"
//   The request was rejected because a specified parameter is not supported or
//   a specified resource is not valid for this operation.
//
//   * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * ErrCodeNotFoundException "NotFoundException"
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * ErrCodeInternalException "KMSInternalException"
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * ErrCodeInvalidStateException "KMSInvalidStateException"
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
//   * ErrCodeInvalidCiphertextException "InvalidCiphertextException"
//   From the Decrypt or ReEncrypt operation, the request was rejected because
//   the specified ciphertext, or additional authenticated data incorporated into
//   the ciphertext, such as the encryption context, is corrupted, missing, or
//   otherwise invalid.
//
//   From the ImportKeyMaterial operation, the request was rejected because AWS
//   KMS could not decrypt the encrypted (wrapped) key material.
//
//   * ErrCodeIncorrectKeyMaterialException "IncorrectKeyMaterialException"
//   The request was rejected because the key material in the request is expired,
//   invalid, or is not the same key material that was previously imported into
//   this customer master key (CMK).
//
//   * ErrCodeExpiredImportTokenException "ExpiredImportTokenException"
//   The request was rejected because the specified import token is expired. Use
//   GetParametersForImport to get a new import token and public key, use the
//   new public key to encrypt the key material, and then try the request again.
//
//   * ErrCodeInvalidImportTokenException "InvalidImportTokenException"
//   The request was rejected because the provided import token is invalid or
//   is associated with a different customer master key (CMK).
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ImportKeyMaterial
func (c *KMS) ImportKeyMaterial(input *ImportKeyMaterialInput) (*ImportKeyMaterialOutput, error) {
	r, resp := c.ImportKeyMaterialRequest(input)

	// The output value is returned alongside whatever Send reports, so the
	// error must be checked before the output is used.
	err := r.Send()
	return resp, err
}

// ImportKeyMaterialWithContext is the same as ImportKeyMaterial with the addition of
// the ability to pass a context and additional request options.
//
// See ImportKeyMaterial for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation.
// If the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) ImportKeyMaterialWithContext(ctx aws.Context, input *ImportKeyMaterialInput, opts ...request.Option) (*ImportKeyMaterialOutput, error) {
	r, resp := c.ImportKeyMaterialRequest(input)

	// ctx drives cancellation of the request; a context with a deadline keeps
	// a stalled call from blocking the caller. Options run after the context
	// has been attached.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)

	// The output value is returned alongside any error; check the error first.
	err := r.Send()
	return resp, err
}

const opListAliases = "ListAliases"

// ListAliasesRequest generates a "aws/request.Request" representing the
// client's request for the ListAliases operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See ListAliases for more information on using the ListAliases
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the ListAliasesRequest method.
//    req, resp := client.ListAliasesRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListAliases
func (c *KMS) ListAliasesRequest(input *ListAliasesInput) (req *request.Request, output *ListAliasesOutput) {
	// A nil input is replaced by an empty one so the request always carries
	// a parameter struct.
	if input == nil {
		input = &ListAliasesInput{}
	}
	output = &ListAliasesOutput{}

	// Pagination metadata: Marker in, NextMarker out, Truncated signals that
	// more pages exist.
	pager := &request.Paginator{
		InputTokens:     []string{"Marker"},
		OutputTokens:    []string{"NextMarker"},
		LimitToken:      "Limit",
		TruncationToken: "Truncated",
	}
	op := &request.Operation{
		Name:       opListAliases,
		HTTPMethod: "POST",
		HTTPPath:   "/",
		Paginator:  pager,
	}

	return c.newRequest(op, input, output), output
}

// ListAliases API operation for AWS Key Management Service.
//
// Gets a list of aliases in the caller's AWS account and region. You cannot
// list aliases in other accounts. For more information about aliases, see CreateAlias.
//
// By default, the ListAliases command returns all aliases in the account and
// region. To get only the aliases that point to a particular customer master
// key (CMK), use the KeyId parameter.
//
// The ListAliases response can include aliases that you created and associated
// with your customer managed CMKs, and aliases that AWS created and associated
// with AWS managed CMKs in your account. You can recognize AWS aliases because
// their names have the format aws/<service-name>, such as aws/dynamodb.
//
// The response might also include aliases that have no TargetKeyId field. These
// are predefined aliases that AWS has created but has not yet associated with
// a CMK.
// Aliases that AWS creates in your account, including predefined aliases,
// do not count against your AWS KMS aliases limit (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html#aliases-limit).
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation ListAliases for usage and error information.
//
// Returned Error Codes:
//   * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * ErrCodeInvalidMarkerException "InvalidMarkerException"
//   The request was rejected because the marker that specifies where pagination
//   should next begin is not valid.
//
//   * ErrCodeInternalException "KMSInternalException"
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * ErrCodeInvalidArnException "InvalidArnException"
//   The request was rejected because a specified ARN, or an ARN in a key policy,
//   is not valid.
//
//   * ErrCodeNotFoundException "NotFoundException"
//   The request was rejected because the specified entity or resource could not
//   be found.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListAliases
func (c *KMS) ListAliases(input *ListAliasesInput) (*ListAliasesOutput, error) {
	r, resp := c.ListAliasesRequest(input)

	// This sends a single request, i.e. one page. ListAliasesRequest registers
	// a Marker/NextMarker paginator, so a complete inventory of aliases needs
	// ListAliasesPages or a manual marker loop.
	// resp is non-nil even when Send fails; check the error before reading it.
	err := r.Send()
	return resp, err
}

// ListAliasesWithContext is the same as ListAliases with the addition of
// the ability to pass a context and additional request options.
//
// See ListAliases for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) ListAliasesWithContext(ctx aws.Context, input *ListAliasesInput, opts ...request.Option) (*ListAliasesOutput, error) {
	r, resp := c.ListAliasesRequest(input)

	// ctx drives cancellation; options run after the context is attached.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)

	// One page only; resp is non-nil even on failure, so check the error.
	err := r.Send()
	return resp, err
}

// ListAliasesPages iterates over the pages of a ListAliases operation,
// calling the "fn" function with the response data for each page. To stop
// iterating, return false from the fn function.
//
// See ListAliases method for more information on how to use this operation.
//
// Note: This operation can generate multiple requests to a service.
//
//    // Example iterating over at most 3 pages of a ListAliases operation.
//    pageNum := 0
//    err := client.ListAliasesPages(params,
//        func(page *kms.ListAliasesOutput, lastPage bool) bool {
//            pageNum++
//            fmt.Println(page)
//            return pageNum <= 3
//        })
//
func (c *KMS) ListAliasesPages(input *ListAliasesInput, fn func(*ListAliasesOutput, bool) bool) error {
	// Runs under the SDK's background context, so nothing on this path
	// cancels the walk; use ListAliasesPagesWithContext to bound it.
	ctx := aws.BackgroundContext()
	return c.ListAliasesPagesWithContext(ctx, input, fn)
}

// ListAliasesPagesWithContext same as ListAliasesPages except
// it takes a Context and allows setting request options on the pages.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) ListAliasesPagesWithContext(ctx aws.Context, input *ListAliasesInput, fn func(*ListAliasesOutput, bool) bool, opts ...request.Option) error {
	// Builds the request for each page. Every call works on its own shallow
	// copy of input, so the caller's struct is not the one handed to the
	// request.
	newPageRequest := func() (*request.Request, error) {
		var inCpy *ListAliasesInput
		if input != nil {
			tmp := *input
			inCpy = &tmp
		}
		// The discarded second result is the output pointer, not an error.
		req, _ := c.ListAliasesRequest(inCpy)
		req.SetContext(ctx)
		req.ApplyOptions(opts...)
		return req, nil
	}

	p := request.Pagination{NewRequest: newPageRequest}

	for p.Next() {
		// Panics if the page is not a *ListAliasesOutput.
		page := p.Page().(*ListAliasesOutput)
		if !fn(page, !p.HasNextPage()) {
			break
		}
	}

	// NOTE(review): a non-nil error, or fn returning false, means the walk
	// stopped early; callers building an inventory should not treat the pages
	// seen so far as the full list.
	return p.Err()
}

const opListGrants = "ListGrants"

// ListGrantsRequest generates a "aws/request.Request" representing the
// client's request for the ListGrants operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See ListGrants for more information on using the ListGrants
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the ListGrantsRequest method.
//    req, resp := client.ListGrantsRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListGrants
func (c *KMS) ListGrantsRequest(input *ListGrantsInput) (req *request.Request, output *ListGrantsResponse) {
	// A nil input is replaced by an empty one so the request always carries
	// a parameter struct.
	if input == nil {
		input = &ListGrantsInput{}
	}
	output = &ListGrantsResponse{}

	// Pagination metadata: Marker in, NextMarker out, Truncated signals that
	// more pages exist.
	pager := &request.Paginator{
		InputTokens:     []string{"Marker"},
		OutputTokens:    []string{"NextMarker"},
		LimitToken:      "Limit",
		TruncationToken: "Truncated",
	}
	op := &request.Operation{
		Name:       opListGrants,
		HTTPMethod: "POST",
		HTTPPath:   "/",
		Paginator:  pager,
	}

	return c.newRequest(op, input, output), output
}

// ListGrants API operation for AWS Key Management Service.
//
// Gets a list of all grants for the specified customer master key (CMK).
//
// To perform this operation on a CMK in a different AWS account, specify the
// key ARN in the value of the KeyId parameter.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation ListGrants for usage and error information.
//
// Returned Error Codes:
//   * ErrCodeNotFoundException "NotFoundException"
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * ErrCodeInvalidMarkerException "InvalidMarkerException"
//   The request was rejected because the marker that specifies where pagination
//   should next begin is not valid.
//
//   * ErrCodeInvalidArnException "InvalidArnException"
//   The request was rejected because a specified ARN, or an ARN in a key policy,
//   is not valid.
//
//   * ErrCodeInternalException "KMSInternalException"
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * ErrCodeInvalidStateException "KMSInvalidStateException"
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListGrants
func (c *KMS) ListGrants(input *ListGrantsInput) (*ListGrantsResponse, error) {
	r, resp := c.ListGrantsRequest(input)

	// This sends a single request, i.e. one page. ListGrantsRequest registers
	// a Marker/NextMarker paginator, so an access review that must see every
	// grant on the key needs ListGrantsPages or a manual marker loop.
	// resp is non-nil even when Send fails; check the error before reading it.
	err := r.Send()
	return resp, err
}

// ListGrantsWithContext is the same as ListGrants with the addition of
// the ability to pass a context and additional request options.
//
// See ListGrants for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) ListGrantsWithContext(ctx aws.Context, input *ListGrantsInput, opts ...request.Option) (*ListGrantsResponse, error) {
	r, resp := c.ListGrantsRequest(input)

	// ctx drives cancellation; options run after the context is attached.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)

	// One page only; resp is non-nil even on failure, so check the error.
	err := r.Send()
	return resp, err
}

// ListGrantsPages iterates over the pages of a ListGrants operation,
// calling the "fn" function with the response data for each page. To stop
// iterating, return false from the fn function.
//
// See ListGrants method for more information on how to use this operation.
//
// Note: This operation can generate multiple requests to a service.
//
//    // Example iterating over at most 3 pages of a ListGrants operation.
//    pageNum := 0
//    err := client.ListGrantsPages(params,
//        func(page *kms.ListGrantsResponse, lastPage bool) bool {
//            pageNum++
//            fmt.Println(page)
//            return pageNum <= 3
//        })
//
func (c *KMS) ListGrantsPages(input *ListGrantsInput, fn func(*ListGrantsResponse, bool) bool) error {
	// Runs under the SDK's background context, so nothing on this path
	// cancels the walk; use ListGrantsPagesWithContext to bound it.
	ctx := aws.BackgroundContext()
	return c.ListGrantsPagesWithContext(ctx, input, fn)
}

// ListGrantsPagesWithContext same as ListGrantsPages except
// it takes a Context and allows setting request options on the pages.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) ListGrantsPagesWithContext(ctx aws.Context, input *ListGrantsInput, fn func(*ListGrantsResponse, bool) bool, opts ...request.Option) error {
	// Builds the request for each page. Every call works on its own shallow
	// copy of input, so the caller's struct is not the one handed to the
	// request.
	newPageRequest := func() (*request.Request, error) {
		var inCpy *ListGrantsInput
		if input != nil {
			tmp := *input
			inCpy = &tmp
		}
		// The discarded second result is the output pointer, not an error.
		req, _ := c.ListGrantsRequest(inCpy)
		req.SetContext(ctx)
		req.ApplyOptions(opts...)
		return req, nil
	}

	p := request.Pagination{NewRequest: newPageRequest}

	for p.Next() {
		// Panics if the page is not a *ListGrantsResponse.
		page := p.Page().(*ListGrantsResponse)
		if !fn(page, !p.HasNextPage()) {
			break
		}
	}

	// NOTE(review): a non-nil error, or fn returning false, means the walk
	// stopped early; a grant audit should not treat the pages seen so far as
	// the full set of grants.
	return p.Err()
}

const opListKeyPolicies = "ListKeyPolicies"

// ListKeyPoliciesRequest generates a "aws/request.Request" representing the
// client's request for the ListKeyPolicies operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See ListKeyPolicies for more information on using the ListKeyPolicies
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the ListKeyPoliciesRequest method.
//    req, resp := client.ListKeyPoliciesRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyPolicies
func (c *KMS) ListKeyPoliciesRequest(input *ListKeyPoliciesInput) (req *request.Request, output *ListKeyPoliciesOutput) {
	// A nil input is replaced by an empty one so the request always carries
	// a parameter struct.
	if input == nil {
		input = &ListKeyPoliciesInput{}
	}
	output = &ListKeyPoliciesOutput{}

	// Pagination metadata: Marker in, NextMarker out, Truncated signals that
	// more pages exist.
	pager := &request.Paginator{
		InputTokens:     []string{"Marker"},
		OutputTokens:    []string{"NextMarker"},
		LimitToken:      "Limit",
		TruncationToken: "Truncated",
	}
	op := &request.Operation{
		Name:       opListKeyPolicies,
		HTTPMethod: "POST",
		HTTPPath:   "/",
		Paginator:  pager,
	}

	return c.newRequest(op, input, output), output
}

// ListKeyPolicies API operation for AWS Key Management Service.
//
// Gets the names of the key policies that are attached to a customer master
// key (CMK). This operation is designed to get policy names that you can use
// in a GetKeyPolicy operation. However, the only valid policy name is default.
// You cannot perform this operation on a CMK in a different AWS account.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation ListKeyPolicies for usage and error information.
//
// Returned Error Codes:
//   * ErrCodeNotFoundException "NotFoundException"
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * ErrCodeInvalidArnException "InvalidArnException"
//   The request was rejected because a specified ARN, or an ARN in a key policy,
//   is not valid.
//
//   * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * ErrCodeInternalException "KMSInternalException"
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * ErrCodeInvalidStateException "KMSInvalidStateException"
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyPolicies
func (c *KMS) ListKeyPolicies(input *ListKeyPoliciesInput) (*ListKeyPoliciesOutput, error) {
	r, resp := c.ListKeyPoliciesRequest(input)

	// This sends a single request, i.e. one page; ListKeyPoliciesRequest
	// registers a Marker/NextMarker paginator for walking further pages.
	// resp is non-nil even when Send fails; check the error before reading it.
	err := r.Send()
	return resp, err
}

// ListKeyPoliciesWithContext is the same as ListKeyPolicies with the addition of
// the ability to pass a context and additional request options.
//
// See ListKeyPolicies for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) ListKeyPoliciesWithContext(ctx aws.Context, input *ListKeyPoliciesInput, opts ...request.Option) (*ListKeyPoliciesOutput, error) {
	r, resp := c.ListKeyPoliciesRequest(input)

	// ctx drives cancellation; options run after the context is attached.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)

	// One page only; resp is non-nil even on failure, so check the error.
	err := r.Send()
	return resp, err
}

// ListKeyPoliciesPages iterates over the pages of a ListKeyPolicies operation,
// calling the "fn" function with the response data for each page. To stop
// iterating, return false from the fn function.
//
// See ListKeyPolicies method for more information on how to use this operation.
//
// Note: This operation can generate multiple requests to a service.
//
//    // Example iterating over at most 3 pages of a ListKeyPolicies operation.
//    pageNum := 0
//    err := client.ListKeyPoliciesPages(params,
//        func(page *kms.ListKeyPoliciesOutput, lastPage bool) bool {
//            pageNum++
//            fmt.Println(page)
//            return pageNum <= 3
//        })
//
func (c *KMS) ListKeyPoliciesPages(input *ListKeyPoliciesInput, fn func(*ListKeyPoliciesOutput, bool) bool) error {
	// Runs under the SDK's background context, so nothing on this path
	// cancels the walk; use ListKeyPoliciesPagesWithContext to bound it.
	ctx := aws.BackgroundContext()
	return c.ListKeyPoliciesPagesWithContext(ctx, input, fn)
}

// ListKeyPoliciesPagesWithContext same as ListKeyPoliciesPages except
// it takes a Context and allows setting request options on the pages.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) ListKeyPoliciesPagesWithContext(ctx aws.Context, input *ListKeyPoliciesInput, fn func(*ListKeyPoliciesOutput, bool) bool, opts ...request.Option) error {
	// Builds the request for each page. Every call works on its own shallow
	// copy of input, so the caller's struct is not the one handed to the
	// request.
	newPageRequest := func() (*request.Request, error) {
		var inCpy *ListKeyPoliciesInput
		if input != nil {
			tmp := *input
			inCpy = &tmp
		}
		// The discarded second result is the output pointer, not an error.
		req, _ := c.ListKeyPoliciesRequest(inCpy)
		req.SetContext(ctx)
		req.ApplyOptions(opts...)
		return req, nil
	}

	p := request.Pagination{NewRequest: newPageRequest}

	for p.Next() {
		// Panics if the page is not a *ListKeyPoliciesOutput.
		page := p.Page().(*ListKeyPoliciesOutput)
		if !fn(page, !p.HasNextPage()) {
			break
		}
	}

	// A non-nil error, or fn returning false, means the walk stopped early.
	return p.Err()
}

const opListKeys = "ListKeys"

// ListKeysRequest generates a "aws/request.Request" representing the
// client's request for the ListKeys operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See ListKeys for more information on using the ListKeys
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the ListKeysRequest method.
//    req, resp := client.ListKeysRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeys
func (c *KMS) ListKeysRequest(input *ListKeysInput) (req *request.Request, output *ListKeysOutput) {
	// A nil input is replaced by an empty one so the request always carries
	// a parameter struct.
	if input == nil {
		input = &ListKeysInput{}
	}
	output = &ListKeysOutput{}

	// Pagination metadata: Marker in, NextMarker out, Truncated signals that
	// more pages exist.
	pager := &request.Paginator{
		InputTokens:     []string{"Marker"},
		OutputTokens:    []string{"NextMarker"},
		LimitToken:      "Limit",
		TruncationToken: "Truncated",
	}
	op := &request.Operation{
		Name:       opListKeys,
		HTTPMethod: "POST",
		HTTPPath:   "/",
		Paginator:  pager,
	}

	return c.newRequest(op, input, output), output
}

// ListKeys API operation for AWS Key Management Service.
//
// Gets a list of all customer master keys (CMKs) in the caller's AWS account
// and Region.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation ListKeys for usage and error information.
//
// Returned Error Codes:
//   * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * ErrCodeInternalException "KMSInternalException"
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * ErrCodeInvalidMarkerException "InvalidMarkerException"
//   The request was rejected because the marker that specifies where pagination
//   should next begin is not valid.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeys
func (c *KMS) ListKeys(input *ListKeysInput) (*ListKeysOutput, error) {
	r, resp := c.ListKeysRequest(input)

	// This sends a single request, i.e. one page. ListKeysRequest registers a
	// Marker/NextMarker paginator, so a complete key inventory needs
	// ListKeysPages or a manual marker loop.
	// resp is non-nil even when Send fails; check the error before reading it.
	err := r.Send()
	return resp, err
}

// ListKeysWithContext is the same as ListKeys with the addition of
// the ability to pass a context and additional request options.
//
// See ListKeys for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) ListKeysWithContext(ctx aws.Context, input *ListKeysInput, opts ...request.Option) (*ListKeysOutput, error) {
	r, resp := c.ListKeysRequest(input)

	// ctx drives cancellation; options run after the context is attached.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)

	// One page only; resp is non-nil even on failure, so check the error.
	err := r.Send()
	return resp, err
}

// ListKeysPages iterates over the pages of a ListKeys operation,
// calling the "fn" function with the response data for each page. To stop
// iterating, return false from the fn function.
//
// See ListKeys method for more information on how to use this operation.
//
// Note: This operation can generate multiple requests to a service.
//
//    // Example iterating over at most 3 pages of a ListKeys operation.
//    pageNum := 0
//    err := client.ListKeysPages(params,
//        func(page *kms.ListKeysOutput, lastPage bool) bool {
//            pageNum++
//            fmt.Println(page)
//            return pageNum <= 3
//        })
//
func (c *KMS) ListKeysPages(input *ListKeysInput, fn func(*ListKeysOutput, bool) bool) error {
	// Runs under the SDK's background context, so nothing on this path
	// cancels the walk; use ListKeysPagesWithContext to bound it.
	ctx := aws.BackgroundContext()
	return c.ListKeysPagesWithContext(ctx, input, fn)
}

// ListKeysPagesWithContext same as ListKeysPages except
// it takes a Context and allows setting request options on the pages.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) ListKeysPagesWithContext(ctx aws.Context, input *ListKeysInput, fn func(*ListKeysOutput, bool) bool, opts ...request.Option) error {
	// Builds the request for each page. Every call works on its own shallow
	// copy of input, so the caller's struct is not the one handed to the
	// request.
	newPageRequest := func() (*request.Request, error) {
		var inCpy *ListKeysInput
		if input != nil {
			tmp := *input
			inCpy = &tmp
		}
		// The discarded second result is the output pointer, not an error.
		req, _ := c.ListKeysRequest(inCpy)
		req.SetContext(ctx)
		req.ApplyOptions(opts...)
		return req, nil
	}

	p := request.Pagination{NewRequest: newPageRequest}

	for p.Next() {
		// Panics if the page is not a *ListKeysOutput.
		page := p.Page().(*ListKeysOutput)
		if !fn(page, !p.HasNextPage()) {
			break
		}
	}

	// NOTE(review): a non-nil error, or fn returning false, means the walk
	// stopped early; a key inventory should not treat the pages seen so far
	// as the full list.
	return p.Err()
}

const opListResourceTags = "ListResourceTags"

// ListResourceTagsRequest generates a "aws/request.Request" representing the
// client's request for the ListResourceTags operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See ListResourceTags for more information on using the ListResourceTags
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the ListResourceTagsRequest method.
//    req, resp := client.ListResourceTagsRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListResourceTags
func (c *KMS) ListResourceTagsRequest(input *ListResourceTagsInput) (req *request.Request, output *ListResourceTagsOutput) {
	// A nil input is replaced by an empty one so the request always carries
	// a parameter struct.
	if input == nil {
		input = &ListResourceTagsInput{}
	}
	output = &ListResourceTagsOutput{}

	// NOTE(review): unlike the other List* operations in this file, no
	// Paginator is registered here, although ListResourceTags lists
	// InvalidMarkerException among its errors; presumably callers have to
	// follow the marker themselves. Confirm against the input/output types.
	op := &request.Operation{
		Name:       opListResourceTags,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}

	return c.newRequest(op, input, output), output
}

// ListResourceTags API operation for AWS Key Management Service.
//
// Returns a list of all tags for the specified customer master key (CMK).
//
// You cannot perform this operation on a CMK in a different AWS account.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation ListResourceTags for usage and error information.
//
// Returned Error Codes:
//   * ErrCodeInternalException "KMSInternalException"
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * ErrCodeNotFoundException "NotFoundException"
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * ErrCodeInvalidArnException "InvalidArnException"
//   The request was rejected because a specified ARN, or an ARN in a key policy,
//   is not valid.
//
//   * ErrCodeInvalidMarkerException "InvalidMarkerException"
//   The request was rejected because the marker that specifies where pagination
//   should next begin is not valid.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListResourceTags
func (c *KMS) ListResourceTags(input *ListResourceTagsInput) (*ListResourceTagsOutput, error) {
	r, resp := c.ListResourceTagsRequest(input)

	// NOTE(review): a single request is sent and ListResourceTagsRequest
	// registers no Paginator; InvalidMarkerException above suggests the
	// result can still be paged, so code that relies on seeing every tag
	// should confirm how truncation is reported and loop accordingly.
	// resp is non-nil even when Send fails; check the error before reading it.
	err := r.Send()
	return resp, err
}

// ListResourceTagsWithContext is the same as ListResourceTags with the addition of
// the ability to pass a context and additional request options.
//
// See ListResourceTags for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) ListResourceTagsWithContext(ctx aws.Context, input *ListResourceTagsInput, opts ...request.Option) (*ListResourceTagsOutput, error) {
	req, out := c.ListResourceTagsRequest(input)
	// The context is attached first, then the per-request options, then the call is sent.
	req.SetContext(ctx)
	req.ApplyOptions(opts...)
	err := req.Send()
	return out, err
}

const opListRetirableGrants = "ListRetirableGrants"

// ListRetirableGrantsRequest generates a "aws/request.Request" representing the
// client's request for the ListRetirableGrants operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See ListRetirableGrants for more information on using the ListRetirableGrants
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
//
//
//    // Example sending a request using the ListRetirableGrantsRequest method.
//    req, resp := client.ListRetirableGrantsRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListRetirableGrants
func (c *KMS) ListRetirableGrantsRequest(input *ListRetirableGrantsInput) (req *request.Request, output *ListGrantsResponse) {
	// A nil input is replaced by an empty one before the request is built.
	if input == nil {
		input = &ListRetirableGrantsInput{}
	}

	output = &ListGrantsResponse{}
	req = c.newRequest(&request.Operation{
		Name:       opListRetirableGrants,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	return req, output
}

// ListRetirableGrants API operation for AWS Key Management Service.
//
// Returns a list of all grants for which the grant's RetiringPrincipal matches
// the one specified.
//
// A typical use is to list all grants that you are able to retire. To retire
// a grant, use RetireGrant.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation ListRetirableGrants for usage and error information.
//
// Returned Error Codes:
//   * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * ErrCodeInvalidMarkerException "InvalidMarkerException"
//   The request was rejected because the marker that specifies where pagination
//   should next begin is not valid.
//
//   * ErrCodeInvalidArnException "InvalidArnException"
//   The request was rejected because a specified ARN, or an ARN in a key policy,
//   is not valid.
//
//   * ErrCodeNotFoundException "NotFoundException"
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * ErrCodeInternalException "KMSInternalException"
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListRetirableGrants
func (c *KMS) ListRetirableGrants(input *ListRetirableGrantsInput) (*ListGrantsResponse, error) {
	// Build the request, send it, and return the output value the request fills in.
	req, out := c.ListRetirableGrantsRequest(input)
	err := req.Send()
	return out, err
}

// ListRetirableGrantsWithContext is the same as ListRetirableGrants with the addition of
// the ability to pass a context and additional request options.
//
// See ListRetirableGrants for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) ListRetirableGrantsWithContext(ctx aws.Context, input *ListRetirableGrantsInput, opts ...request.Option) (*ListGrantsResponse, error) {
	req, out := c.ListRetirableGrantsRequest(input)
	// The context is attached first, then the per-request options, then the call is sent.
	req.SetContext(ctx)
	req.ApplyOptions(opts...)
	err := req.Send()
	return out, err
}

const opPutKeyPolicy = "PutKeyPolicy"

// PutKeyPolicyRequest generates a "aws/request.Request" representing the
// client's request for the PutKeyPolicy operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See PutKeyPolicy for more information on using the PutKeyPolicy
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
//
//
//    // Example sending a request using the PutKeyPolicyRequest method.
//    req, resp := client.PutKeyPolicyRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/PutKeyPolicy
func (c *KMS) PutKeyPolicyRequest(input *PutKeyPolicyInput) (req *request.Request, output *PutKeyPolicyOutput) {
	// A nil input is replaced by an empty one before the request is built.
	if input == nil {
		input = &PutKeyPolicyInput{}
	}

	output = &PutKeyPolicyOutput{}
	req = c.newRequest(&request.Operation{
		Name:       opPutKeyPolicy,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	// Swap the JSON-RPC unmarshal handler for one that discards the response body.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}

// PutKeyPolicy API operation for AWS Key Management Service.
//
// Attaches a key policy to the specified customer master key (CMK). You cannot
// perform this operation on a CMK in a different AWS account.
//
// For more information about key policies, see Key Policies (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html)
// in the AWS Key Management Service Developer Guide.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation PutKeyPolicy for usage and error information.
//
// Returned Error Codes:
//   * ErrCodeNotFoundException "NotFoundException"
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * ErrCodeInvalidArnException "InvalidArnException"
//   The request was rejected because a specified ARN, or an ARN in a key policy,
//   is not valid.
//
//   * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocumentException"
//   The request was rejected because the specified policy is not syntactically
//   or semantically correct.
//
//   * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * ErrCodeUnsupportedOperationException "UnsupportedOperationException"
//   The request was rejected because a specified parameter is not supported or
//   a specified resource is not valid for this operation.
//
//   * ErrCodeInternalException "KMSInternalException"
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * ErrCodeLimitExceededException "LimitExceededException"
//   The request was rejected because a limit was exceeded. For more information,
//   see Limits (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html)
//   in the AWS Key Management Service Developer Guide.
//
//   * ErrCodeInvalidStateException "KMSInvalidStateException"
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/PutKeyPolicy
func (c *KMS) PutKeyPolicy(input *PutKeyPolicyInput) (*PutKeyPolicyOutput, error) {
	// Build the request, send it, and return the output value created for it.
	req, out := c.PutKeyPolicyRequest(input)
	err := req.Send()
	return out, err
}

// PutKeyPolicyWithContext is the same as PutKeyPolicy with the addition of
// the ability to pass a context and additional request options.
//
// See PutKeyPolicy for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) PutKeyPolicyWithContext(ctx aws.Context, input *PutKeyPolicyInput, opts ...request.Option) (*PutKeyPolicyOutput, error) {
	req, out := c.PutKeyPolicyRequest(input)
	// The context is attached first, then the per-request options, then the call is sent.
	req.SetContext(ctx)
	req.ApplyOptions(opts...)
	err := req.Send()
	return out, err
}

const opReEncrypt = "ReEncrypt"

// ReEncryptRequest generates a "aws/request.Request" representing the
// client's request for the ReEncrypt operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See ReEncrypt for more information on using the ReEncrypt
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
//
//
//    // Example sending a request using the ReEncryptRequest method.
//    req, resp := client.ReEncryptRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncrypt
func (c *KMS) ReEncryptRequest(input *ReEncryptInput) (req *request.Request, output *ReEncryptOutput) {
	// A nil input is replaced by an empty one before the request is built.
	if input == nil {
		input = &ReEncryptInput{}
	}

	output = &ReEncryptOutput{}
	req = c.newRequest(&request.Operation{
		Name:       opReEncrypt,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	return req, output
}

// ReEncrypt API operation for AWS Key Management Service.
//
// Decrypts ciphertext and then reencrypts it entirely within AWS KMS. You can
// use this operation to change the customer master key (CMK) under which data
// is encrypted, such as when you manually rotate (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually)
// a CMK or change the CMK that protects a ciphertext. You can also use it to
// reencrypt ciphertext under the same CMK, such as to change the encryption
// context of a ciphertext.
//
// The ReEncrypt operation can decrypt ciphertext that was encrypted by using
// an AWS KMS CMK in an AWS KMS operation, such as Encrypt or GenerateDataKey.
// It can also decrypt ciphertext that was encrypted by using the public key
// of an asymmetric CMK outside of AWS KMS. However, it cannot decrypt ciphertext
// produced by other libraries, such as the AWS Encryption SDK (https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/)
// or Amazon S3 client-side encryption (https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html).
// These libraries return a ciphertext format that is incompatible with AWS
// KMS.
//
// When you use the ReEncrypt operation, you need to provide information for
// the decrypt operation and the subsequent encrypt operation.
//
//    * If your ciphertext was encrypted under an asymmetric CMK, you must identify
//    the source CMK, that is, the CMK that encrypted the ciphertext. You must
//    also supply the encryption algorithm that was used. This information is
//    required to decrypt the data.
//
//    * It is optional, but you can specify a source CMK even when the ciphertext
//    was encrypted under a symmetric CMK. This ensures that the ciphertext
//    is decrypted only by using a particular CMK. If the CMK that you specify
//    cannot decrypt the ciphertext, the ReEncrypt operation fails.
//
//    * To reencrypt the data, you must specify the destination CMK, that is,
//    the CMK that re-encrypts the data after it is decrypted. You can select
//    a symmetric or asymmetric CMK. If the destination CMK is an asymmetric
//    CMK, you must also provide the encryption algorithm. The algorithm that
//    you choose must be compatible with the CMK. When you use an asymmetric
//    CMK to encrypt or reencrypt data, be sure to record the CMK and encryption
//    algorithm that you choose. You will be required to provide the same CMK
//    and encryption algorithm when you decrypt the data. If the CMK and algorithm
//    do not match the values used to encrypt the data, the decrypt operation
//    fails. You are not required to supply the CMK ID and encryption algorithm
//    when you decrypt with symmetric CMKs because AWS KMS stores this information
//    in the ciphertext blob. AWS KMS cannot store metadata in ciphertext generated
//    with asymmetric keys. The standard format for asymmetric key ciphertext
//    does not include configurable fields.
//
// Unlike other AWS KMS API operations, ReEncrypt callers must have two permissions:
//
//    * kms:ReEncryptFrom permission on the source CMK
//
//    * kms:ReEncryptTo permission on the destination CMK
//
// To permit reencryption from or to a CMK, include the "kms:ReEncrypt*"
// permission in your key policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html).
// This permission is automatically included in the key policy when you use
// the console to create a CMK. But you must include it manually when you create
// a CMK programmatically or when you use the PutKeyPolicy operation to set a key
// policy.
//
// The CMK that you use for this operation must be in a compatible key state.
// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
// in the AWS Key Management Service Developer Guide.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation ReEncrypt for usage and error information.
//
// Returned Error Codes:
//   * ErrCodeNotFoundException "NotFoundException"
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * ErrCodeDisabledException "DisabledException"
//   The request was rejected because the specified CMK is not enabled.
//
//   * ErrCodeInvalidCiphertextException "InvalidCiphertextException"
//   From the Decrypt or ReEncrypt operation, the request was rejected because
//   the specified ciphertext, or additional authenticated data incorporated into
//   the ciphertext, such as the encryption context, is corrupted, missing, or
//   otherwise invalid.
//
//   From the ImportKeyMaterial operation, the request was rejected because AWS
//   KMS could not decrypt the encrypted (wrapped) key material.
//
//   * ErrCodeKeyUnavailableException "KeyUnavailableException"
//   The request was rejected because the specified CMK was not available. You
//   can retry the request.
//
//   * ErrCodeIncorrectKeyException "IncorrectKeyException"
//   The request was rejected because the specified CMK cannot decrypt the data.
//   The KeyId in a Decrypt request and the SourceKeyId in a ReEncrypt request
//   must identify the same CMK that was used to encrypt the ciphertext.
//
//   * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * ErrCodeInvalidKeyUsageException "InvalidKeyUsageException"
//   The request was rejected for one of the following reasons:
//
//      * The KeyUsage value of the CMK is incompatible with the API operation.
//
//      * The encryption algorithm or signing algorithm specified for the operation
//      is incompatible with the type of key material in the CMK (CustomerMasterKeySpec).
//
//   For encrypting, decrypting, re-encrypting, and generating data keys, the
//   KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage
//   must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation.
//
//   To find the encryption or signing algorithms supported for a particular CMK,
//   use the DescribeKey operation.
//
//   * ErrCodeInvalidGrantTokenException "InvalidGrantTokenException"
//   The request was rejected because the specified grant token is not valid.
//
//   * ErrCodeInternalException "KMSInternalException"
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * ErrCodeInvalidStateException "KMSInvalidStateException"
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncrypt
func (c *KMS) ReEncrypt(input *ReEncryptInput) (*ReEncryptOutput, error) {
	// Build the request, send it, and return the output value the request fills in.
	req, out := c.ReEncryptRequest(input)
	err := req.Send()
	return out, err
}

// ReEncryptWithContext is the same as ReEncrypt with the addition of
// the ability to pass a context and additional request options.
//
// See ReEncrypt for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) ReEncryptWithContext(ctx aws.Context, input *ReEncryptInput, opts ...request.Option) (*ReEncryptOutput, error) {
	req, out := c.ReEncryptRequest(input)
	// The context is attached first, then the per-request options, then the call is sent.
	req.SetContext(ctx)
	req.ApplyOptions(opts...)
	err := req.Send()
	return out, err
}

const opRetireGrant = "RetireGrant"

// RetireGrantRequest generates a "aws/request.Request" representing the
// client's request for the RetireGrant operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See RetireGrant for more information on using the RetireGrant
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
//
//
//    // Example sending a request using the RetireGrantRequest method.
//    req, resp := client.RetireGrantRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RetireGrant
func (c *KMS) RetireGrantRequest(input *RetireGrantInput) (req *request.Request, output *RetireGrantOutput) {
	// A nil input is replaced by an empty one before the request is built.
	if input == nil {
		input = &RetireGrantInput{}
	}

	output = &RetireGrantOutput{}
	req = c.newRequest(&request.Operation{
		Name:       opRetireGrant,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	// Swap the JSON-RPC unmarshal handler for one that discards the response body.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}

// RetireGrant API operation for AWS Key Management Service.
//
// Retires a grant. To clean up, you can retire a grant when you're done using
// it. You should revoke a grant when you intend to actively deny operations
// that depend on it. The following are permitted to call this API:
//
//    * The AWS account (root user) under which the grant was created
//
//    * The RetiringPrincipal, if present in the grant
//
//    * The GranteePrincipal, if RetireGrant is an operation specified in the
//    grant
//
// You must identify the grant to retire by its grant token or by a combination
// of the grant ID and the Amazon Resource Name (ARN) of the customer master
// key (CMK). A grant token is a unique variable-length base64-encoded string.
// A grant ID is a 64 character unique identifier of a grant.
// The CreateGrant operation returns both.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation RetireGrant for usage and error information.
//
// Returned Error Codes:
//   * ErrCodeInvalidArnException "InvalidArnException"
//   The request was rejected because a specified ARN, or an ARN in a key policy,
//   is not valid.
//
//   * ErrCodeInvalidGrantTokenException "InvalidGrantTokenException"
//   The request was rejected because the specified grant token is not valid.
//
//   * ErrCodeInvalidGrantIdException "InvalidGrantIdException"
//   The request was rejected because the specified GrantId is not valid.
//
//   * ErrCodeNotFoundException "NotFoundException"
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * ErrCodeInternalException "KMSInternalException"
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * ErrCodeInvalidStateException "KMSInvalidStateException"
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RetireGrant
func (c *KMS) RetireGrant(input *RetireGrantInput) (*RetireGrantOutput, error) {
	// Build the request, send it, and return the output value created for it.
	req, out := c.RetireGrantRequest(input)
	err := req.Send()
	return out, err
}

// RetireGrantWithContext is the same as RetireGrant with the addition of
// the ability to pass a context and additional request options.
//
// See RetireGrant for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) RetireGrantWithContext(ctx aws.Context, input *RetireGrantInput, opts ...request.Option) (*RetireGrantOutput, error) {
	req, out := c.RetireGrantRequest(input)
	// The context is attached first, then the per-request options, then the call is sent.
	req.SetContext(ctx)
	req.ApplyOptions(opts...)
	err := req.Send()
	return out, err
}

const opRevokeGrant = "RevokeGrant"

// RevokeGrantRequest generates a "aws/request.Request" representing the
// client's request for the RevokeGrant operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See RevokeGrant for more information on using the RevokeGrant
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
//
//
//    // Example sending a request using the RevokeGrantRequest method.
//    req, resp := client.RevokeGrantRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RevokeGrant
func (c *KMS) RevokeGrantRequest(input *RevokeGrantInput) (req *request.Request, output *RevokeGrantOutput) {
	// A nil input is replaced by an empty one before the request is built.
	if input == nil {
		input = &RevokeGrantInput{}
	}

	output = &RevokeGrantOutput{}
	req = c.newRequest(&request.Operation{
		Name:       opRevokeGrant,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	// Swap the JSON-RPC unmarshal handler for one that discards the response body.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}

// RevokeGrant API operation for AWS Key Management Service.
//
// Revokes the specified grant for the specified customer master key (CMK).
// You can revoke a grant to actively deny operations that depend on it.
//
// To perform this operation on a CMK in a different AWS account, specify the
// key ARN in the value of the KeyId parameter.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation RevokeGrant for usage and error information.
//
// Returned Error Codes:
//   * ErrCodeNotFoundException "NotFoundException"
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * ErrCodeInvalidArnException "InvalidArnException"
//   The request was rejected because a specified ARN, or an ARN in a key policy,
//   is not valid.
//
//   * ErrCodeInvalidGrantIdException "InvalidGrantIdException"
//   The request was rejected because the specified GrantId is not valid.
//
//   * ErrCodeInternalException "KMSInternalException"
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * ErrCodeInvalidStateException "KMSInvalidStateException"
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RevokeGrant
func (c *KMS) RevokeGrant(input *RevokeGrantInput) (*RevokeGrantOutput, error) {
	// Build the request, send it, and return the output value created for it.
	req, out := c.RevokeGrantRequest(input)
	err := req.Send()
	return out, err
}

// RevokeGrantWithContext is the same as RevokeGrant with the addition of
// the ability to pass a context and additional request options.
//
// See RevokeGrant for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) RevokeGrantWithContext(ctx aws.Context, input *RevokeGrantInput, opts ...request.Option) (*RevokeGrantOutput, error) {
	req, out := c.RevokeGrantRequest(input)
	// The context is attached first, then the per-request options, then the call is sent.
	req.SetContext(ctx)
	req.ApplyOptions(opts...)
	err := req.Send()
	return out, err
}

const opScheduleKeyDeletion = "ScheduleKeyDeletion"

// ScheduleKeyDeletionRequest generates a "aws/request.Request" representing the
// client's request for the ScheduleKeyDeletion operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See ScheduleKeyDeletion for more information on using the ScheduleKeyDeletion
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
//
//
//    // Example sending a request using the ScheduleKeyDeletionRequest method.
//    req, resp := client.ScheduleKeyDeletionRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ScheduleKeyDeletion
func (c *KMS) ScheduleKeyDeletionRequest(input *ScheduleKeyDeletionInput) (req *request.Request, output *ScheduleKeyDeletionOutput) {
	// A nil input is replaced by an empty one before the request is built.
	if input == nil {
		input = &ScheduleKeyDeletionInput{}
	}

	output = &ScheduleKeyDeletionOutput{}
	req = c.newRequest(&request.Operation{
		Name:       opScheduleKeyDeletion,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	return req, output
}

// ScheduleKeyDeletion API operation for AWS Key Management Service.
//
// Schedules the deletion of a customer master key (CMK). You may provide a
// waiting period, specified in days, before deletion occurs. If you do not
// provide a waiting period, the default period of 30 days is used.
When this 5443// operation is successful, the key state of the CMK changes to PendingDeletion. 5444// Before the waiting period ends, you can use CancelKeyDeletion to cancel the 5445// deletion of the CMK. After the waiting period ends, AWS KMS deletes the CMK 5446// and all AWS KMS data associated with it, including all aliases that refer 5447// to it. 5448// 5449// Deleting a CMK is a destructive and potentially dangerous operation. When 5450// a CMK is deleted, all data that was encrypted under the CMK is unrecoverable. 5451// To prevent the use of a CMK without deleting it, use DisableKey. 5452// 5453// If you schedule deletion of a CMK from a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html), 5454// when the waiting period expires, ScheduleKeyDeletion deletes the CMK from 5455// AWS KMS. Then AWS KMS makes a best effort to delete the key material from 5456// the associated AWS CloudHSM cluster. However, you might need to manually 5457// delete the orphaned key material (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key) 5458// from the cluster and its backups. 5459// 5460// You cannot perform this operation on a CMK in a different AWS account. 5461// 5462// For more information about scheduling a CMK for deletion, see Deleting Customer 5463// Master Keys (https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) 5464// in the AWS Key Management Service Developer Guide. 5465// 5466// The CMK that you use for this operation must be in a compatible key state. 5467// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 5468// in the AWS Key Management Service Developer Guide. 5469// 5470// Returns awserr.Error for service API and SDK errors. 
// Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation ScheduleKeyDeletion for usage and error information.
//
// Returned Error Codes:
//   * ErrCodeNotFoundException "NotFoundException"
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * ErrCodeInvalidArnException "InvalidArnException"
//   The request was rejected because a specified ARN, or an ARN in a key policy,
//   is not valid.
//
//   * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * ErrCodeInternalException "KMSInternalException"
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * ErrCodeInvalidStateException "KMSInvalidStateException"
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ScheduleKeyDeletion
func (c *KMS) ScheduleKeyDeletion(input *ScheduleKeyDeletionInput) (*ScheduleKeyDeletionOutput, error) {
	// This wrapper adds no confirmation step of its own: it builds the request
	// and sends it straight away. The operation's documentation describes the
	// deletion as destructive (data encrypted under a deleted CMK is
	// unrecoverable), so any safeguard has to live in the caller.
	r, resp := c.ScheduleKeyDeletionRequest(input)
	err := r.Send()
	return resp, err
}

// ScheduleKeyDeletionWithContext is the same as ScheduleKeyDeletion with the addition of
// the ability to pass a context and additional request options.
//
// See ScheduleKeyDeletion for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) ScheduleKeyDeletionWithContext(ctx aws.Context, input *ScheduleKeyDeletionInput, opts ...request.Option) (*ScheduleKeyDeletionOutput, error) {
	r, resp := c.ScheduleKeyDeletionRequest(input)
	// The context is attached first, the caller's options are applied next,
	// and only then is the request sent.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opSign = "Sign"

// SignRequest generates a "aws/request.Request" representing the
// client's request for the Sign operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See Sign for more information on using the Sign
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the SignRequest method.
//    req, resp := client.SignRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Sign
func (c *KMS) SignRequest(input *SignInput) (req *request.Request, output *SignOutput) {
	// A nil input is replaced with an empty one before it reaches newRequest.
	if input == nil {
		input = &SignInput{}
	}

	output = &SignOutput{}
	// Operation descriptor: a POST to "/" carrying the operation name.
	req = c.newRequest(&request.Operation{
		Name:       opSign,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	return req, output
}

// Sign API operation for AWS Key Management Service.
//
// Creates a digital signature (https://en.wikipedia.org/wiki/Digital_signature)
// for a message or message digest by using the private key in an asymmetric
// CMK. To verify the signature, use the Verify operation, or use the public
// key in the same asymmetric CMK outside of AWS KMS. For information about
// symmetric and asymmetric CMKs, see Using Symmetric and Asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html)
// in the AWS Key Management Service Developer Guide.
//
// Digital signatures are generated and verified by using an asymmetric key pair,
// such as an RSA or ECC pair that is represented by an asymmetric customer
// master key (CMK). The key owner (or an authorized user) uses their private
// key to sign a message. Anyone with the public key can verify that the message
// was signed with that particular private key and that the message hasn't changed
// since it was signed.
//
// To use the Sign operation, provide the following information:
//
//    * Use the KeyId parameter to identify an asymmetric CMK with a KeyUsage
//    value of SIGN_VERIFY. To get the KeyUsage value of a CMK, use the DescribeKey
//    operation. The caller must have kms:Sign permission on the CMK.
5587// 5588// * Use the Message parameter to specify the message or message digest to 5589// sign. You can submit messages of up to 4096 bytes. To sign a larger message, 5590// generate a hash digest of the message, and then provide the hash digest 5591// in the Message parameter. To indicate whether the message is a full message 5592// or a digest, use the MessageType parameter. 5593// 5594// * Choose a signing algorithm that is compatible with the CMK. 5595// 5596// When signing a message, be sure to record the CMK and the signing algorithm. 5597// This information is required to verify the signature. 5598// 5599// To verify the signature that this operation generates, use the Verify operation. 5600// Or use the GetPublicKey operation to download the public key and then use 5601// the public key to verify the signature outside of AWS KMS. 5602// 5603// The CMK that you use for this operation must be in a compatible key state. 5604// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 5605// in the AWS Key Management Service Developer Guide. 5606// 5607// Returns awserr.Error for service API and SDK errors. Use runtime type assertions 5608// with awserr.Error's Code and Message methods to get detailed information about 5609// the error. 5610// 5611// See the AWS API reference guide for AWS Key Management Service's 5612// API operation Sign for usage and error information. 5613// 5614// Returned Error Codes: 5615// * ErrCodeNotFoundException "NotFoundException" 5616// The request was rejected because the specified entity or resource could not 5617// be found. 5618// 5619// * ErrCodeDisabledException "DisabledException" 5620// The request was rejected because the specified CMK is not enabled. 5621// 5622// * ErrCodeKeyUnavailableException "KeyUnavailableException" 5623// The request was rejected because the specified CMK was not available. You 5624// can retry the request. 
//
//   * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * ErrCodeInvalidKeyUsageException "InvalidKeyUsageException"
//   The request was rejected for one of the following reasons:
//
//      * The KeyUsage value of the CMK is incompatible with the API operation.
//
//      * The encryption algorithm or signing algorithm specified for the operation
//      is incompatible with the type of key material in the CMK (CustomerMasterKeySpec).
//
//   For encrypting, decrypting, re-encrypting, and generating data keys, the
//   KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage
//   must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation.
//
//   To find the encryption or signing algorithms supported for a particular CMK,
//   use the DescribeKey operation.
//
//   * ErrCodeInvalidGrantTokenException "InvalidGrantTokenException"
//   The request was rejected because the specified grant token is not valid.
//
//   * ErrCodeInternalException "KMSInternalException"
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * ErrCodeInvalidStateException "KMSInvalidStateException"
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Sign
func (c *KMS) Sign(input *SignInput) (*SignOutput, error) {
	// Build the request, send it, and return the output with Send's error.
	r, resp := c.SignRequest(input)
	err := r.Send()
	return resp, err
}

// SignWithContext behaves like Sign, but additionally accepts a context and
// any number of request options.
//
// See Sign for details on how to use this API operation.
//
// The context is used for request cancellation and must be non-nil; a nil
// context causes a panic. In the future the SDK may create sub-contexts for
// http.Requests. See https://golang.org/pkg/context/ for more information
// on using Contexts.
func (c *KMS) SignWithContext(ctx aws.Context, input *SignInput, opts ...request.Option) (*SignOutput, error) {
	r, resp := c.SignRequest(input)
	// The context is attached first, the caller's options are applied next,
	// and only then is the request sent.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opTagResource = "TagResource"

// TagResourceRequest generates a "aws/request.Request" representing the
// client's request for the TagResource operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See TagResource for more information on using the TagResource
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the TagResourceRequest method.
//    req, resp := client.TagResourceRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/TagResource
func (c *KMS) TagResourceRequest(input *TagResourceInput) (req *request.Request, output *TagResourceOutput) {
	// A nil input is replaced with an empty one before it reaches newRequest.
	if input == nil {
		input = &TagResourceInput{}
	}

	output = &TagResourceOutput{}
	// Operation descriptor: a POST to "/" carrying the operation name.
	req = c.newRequest(&request.Operation{
		Name:       opTagResource,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	// Swap the JSON-RPC unmarshal handler for protocol.UnmarshalDiscardBodyHandler;
	// judging by the handler's name, the response body is discarded rather than
	// decoded into output.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}

// TagResource API operation for AWS Key Management Service.
//
// Adds or edits tags for a customer master key (CMK). You cannot perform this
// operation on a CMK in a different AWS account.
//
// Each tag consists of a tag key and a tag value. Tag keys and tag values are
// both required, but tag values can be empty (null) strings.
//
// You can only use a tag key once for each CMK. If you use the tag key again,
// AWS KMS replaces the current tag value with the specified value.
//
// For information about the rules that apply to tag keys and tag values, see
// User-Defined Tag Restrictions (https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/allocation-tag-restrictions.html)
// in the AWS Billing and Cost Management User Guide.
//
// The CMK that you use for this operation must be in a compatible key state.
// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
// in the AWS Key Management Service Developer Guide.
//
// Returns awserr.Error for service API and SDK errors.
// Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation TagResource for usage and error information.
//
// Returned Error Codes:
//   * ErrCodeInternalException "KMSInternalException"
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * ErrCodeNotFoundException "NotFoundException"
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * ErrCodeInvalidArnException "InvalidArnException"
//   The request was rejected because a specified ARN, or an ARN in a key policy,
//   is not valid.
//
//   * ErrCodeInvalidStateException "KMSInvalidStateException"
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
//   * ErrCodeLimitExceededException "LimitExceededException"
//   The request was rejected because a limit was exceeded. For more information,
//   see Limits (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html)
//   in the AWS Key Management Service Developer Guide.
//
//   * ErrCodeTagException "TagException"
//   The request was rejected because one or more tags are not valid.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/TagResource
func (c *KMS) TagResource(input *TagResourceInput) (*TagResourceOutput, error) {
	// Build the request, send it, and return the output with Send's error.
	r, resp := c.TagResourceRequest(input)
	err := r.Send()
	return resp, err
}

// TagResourceWithContext behaves like TagResource, but additionally accepts a
// context and any number of request options.
//
// See TagResource for details on how to use this API operation.
//
// The context is used for request cancellation and must be non-nil; a nil
// context causes a panic. In the future the SDK may create sub-contexts for
// http.Requests. See https://golang.org/pkg/context/ for more information
// on using Contexts.
func (c *KMS) TagResourceWithContext(ctx aws.Context, input *TagResourceInput, opts ...request.Option) (*TagResourceOutput, error) {
	r, resp := c.TagResourceRequest(input)
	// The context is attached first, the caller's options are applied next,
	// and only then is the request sent.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opUntagResource = "UntagResource"

// UntagResourceRequest generates a "aws/request.Request" representing the
// client's request for the UntagResource operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See UntagResource for more information on using the UntagResource
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the UntagResourceRequest method.
//    req, resp := client.UntagResourceRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UntagResource
func (c *KMS) UntagResourceRequest(input *UntagResourceInput) (req *request.Request, output *UntagResourceOutput) {
	// A nil input is replaced with an empty one before it reaches newRequest.
	if input == nil {
		input = &UntagResourceInput{}
	}

	output = &UntagResourceOutput{}
	// Operation descriptor: a POST to "/" carrying the operation name.
	req = c.newRequest(&request.Operation{
		Name:       opUntagResource,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	// Swap the JSON-RPC unmarshal handler for protocol.UnmarshalDiscardBodyHandler;
	// judging by the handler's name, the response body is discarded rather than
	// decoded into output.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}

// UntagResource API operation for AWS Key Management Service.
//
// Removes the specified tags from the specified customer master key (CMK).
// You cannot perform this operation on a CMK in a different AWS account.
//
// To remove a tag, specify the tag key. To change the tag value of an existing
// tag key, use TagResource.
//
// The CMK that you use for this operation must be in a compatible key state.
// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
// in the AWS Key Management Service Developer Guide.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation UntagResource for usage and error information.
//
// Returned Error Codes:
//   * ErrCodeInternalException "KMSInternalException"
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * ErrCodeNotFoundException "NotFoundException"
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * ErrCodeInvalidArnException "InvalidArnException"
//   The request was rejected because a specified ARN, or an ARN in a key policy,
//   is not valid.
//
//   * ErrCodeInvalidStateException "KMSInvalidStateException"
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
//   * ErrCodeTagException "TagException"
//   The request was rejected because one or more tags are not valid.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UntagResource
func (c *KMS) UntagResource(input *UntagResourceInput) (*UntagResourceOutput, error) {
	// Build the request, send it, and return the output with Send's error.
	r, resp := c.UntagResourceRequest(input)
	err := r.Send()
	return resp, err
}

// UntagResourceWithContext behaves like UntagResource, but additionally
// accepts a context and any number of request options.
//
// See UntagResource for details on how to use this API operation.
//
// The context is used for request cancellation and must be non-nil; a nil
// context causes a panic. In the future the SDK may create sub-contexts for
// http.Requests. See https://golang.org/pkg/context/ for more information
// on using Contexts.
func (c *KMS) UntagResourceWithContext(ctx aws.Context, input *UntagResourceInput, opts ...request.Option) (*UntagResourceOutput, error) {
	r, resp := c.UntagResourceRequest(input)
	// The context is attached first, the caller's options are applied next,
	// and only then is the request sent.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opUpdateAlias = "UpdateAlias"

// UpdateAliasRequest builds, but does not send, the "aws/request.Request"
// for the UpdateAlias operation. The returned "output" value is populated
// with the response once the request completes successfully; it is not valid
// until Send has returned without error.
//
// Call "Send" on the returned Request to make the API call. See UpdateAlias
// for more information on the API call and its error handling.
//
// Use this method to inject custom logic or configuration into the SDK's
// request lifecycle, such as custom headers or retry logic.
//
//    // Example sending a request using the UpdateAliasRequest method.
//    req, resp := client.UpdateAliasRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateAlias
func (c *KMS) UpdateAliasRequest(input *UpdateAliasInput) (req *request.Request, output *UpdateAliasOutput) {
	// A nil input is replaced with an empty one before it reaches newRequest.
	if input == nil {
		input = &UpdateAliasInput{}
	}

	output = &UpdateAliasOutput{}
	// Operation descriptor: a POST to "/" carrying the operation name.
	req = c.newRequest(&request.Operation{
		Name:       opUpdateAlias,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	// Swap the JSON-RPC unmarshal handler for protocol.UnmarshalDiscardBodyHandler;
	// judging by the handler's name, the response body is discarded rather than
	// decoded into output.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}

// UpdateAlias API operation for AWS Key Management Service.
//
// Associates an existing AWS KMS alias with a different customer master key
// (CMK). Each alias is associated with only one CMK at a time, although a CMK
// can have multiple aliases. The alias and the CMK must be in the same AWS
// account and region.
You cannot perform this operation on an alias in a different 5959// AWS account. 5960// 5961// The current and new CMK must be the same type (both symmetric or both asymmetric), 5962// and they must have the same key usage (ENCRYPT_DECRYPT or SIGN_VERIFY). This 5963// restriction prevents errors in code that uses aliases. If you must assign 5964// an alias to a different type of CMK, use DeleteAlias to delete the old alias 5965// and CreateAlias to create a new alias. 5966// 5967// You cannot use UpdateAlias to change an alias name. To change an alias name, 5968// use DeleteAlias to delete the old alias and CreateAlias to create a new alias. 5969// 5970// Because an alias is not a property of a CMK, you can create, update, and 5971// delete the aliases of a CMK without affecting the CMK. Also, aliases do not 5972// appear in the response from the DescribeKey operation. To get the aliases 5973// of all CMKs in the account, use the ListAliases operation. 5974// 5975// The CMK that you use for this operation must be in a compatible key state. 5976// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 5977// in the AWS Key Management Service Developer Guide. 5978// 5979// Returns awserr.Error for service API and SDK errors. Use runtime type assertions 5980// with awserr.Error's Code and Message methods to get detailed information about 5981// the error. 5982// 5983// See the AWS API reference guide for AWS Key Management Service's 5984// API operation UpdateAlias for usage and error information. 5985// 5986// Returned Error Codes: 5987// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" 5988// The system timed out while trying to fulfill the request. The request can 5989// be retried. 5990// 5991// * ErrCodeNotFoundException "NotFoundException" 5992// The request was rejected because the specified entity or resource could not 5993// be found. 
//
//   * ErrCodeInternalException "KMSInternalException"
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * ErrCodeInvalidStateException "KMSInvalidStateException"
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateAlias
func (c *KMS) UpdateAlias(input *UpdateAliasInput) (*UpdateAliasOutput, error) {
	// Build the request, send it, and return the output with Send's error.
	r, resp := c.UpdateAliasRequest(input)
	err := r.Send()
	return resp, err
}

// UpdateAliasWithContext behaves like UpdateAlias, but additionally accepts a
// context and any number of request options.
//
// See UpdateAlias for details on how to use this API operation.
//
// The context is used for request cancellation and must be non-nil; a nil
// context causes a panic. In the future the SDK may create sub-contexts for
// http.Requests. See https://golang.org/pkg/context/ for more information
// on using Contexts.
func (c *KMS) UpdateAliasWithContext(ctx aws.Context, input *UpdateAliasInput, opts ...request.Option) (*UpdateAliasOutput, error) {
	r, resp := c.UpdateAliasRequest(input)
	// The context is attached first, the caller's options are applied next,
	// and only then is the request sent.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opUpdateCustomKeyStore = "UpdateCustomKeyStore"

// UpdateCustomKeyStoreRequest generates a "aws/request.Request" representing the
// client's request for the UpdateCustomKeyStore operation.
// The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See UpdateCustomKeyStore for more information on using the UpdateCustomKeyStore
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the UpdateCustomKeyStoreRequest method.
//    req, resp := client.UpdateCustomKeyStoreRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateCustomKeyStore
func (c *KMS) UpdateCustomKeyStoreRequest(input *UpdateCustomKeyStoreInput) (req *request.Request, output *UpdateCustomKeyStoreOutput) {
	// A nil input is replaced with an empty one before it reaches newRequest.
	if input == nil {
		input = &UpdateCustomKeyStoreInput{}
	}

	output = &UpdateCustomKeyStoreOutput{}
	// Operation descriptor: a POST to "/" carrying the operation name.
	req = c.newRequest(&request.Operation{
		Name:       opUpdateCustomKeyStore,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	// Swap the JSON-RPC unmarshal handler for protocol.UnmarshalDiscardBodyHandler;
	// judging by the handler's name, the response body is discarded rather than
	// decoded into output.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}

// UpdateCustomKeyStore API operation for AWS Key Management Service.
//
// Changes the properties of a custom key store. Use the CustomKeyStoreId parameter
// to identify the custom key store you want to edit. Use the remaining parameters
// to change the properties of the custom key store.
//
// You can only update a custom key store that is disconnected. To disconnect
// the custom key store, use DisconnectCustomKeyStore.
// To reconnect the custom
// key store after the update completes, use ConnectCustomKeyStore. To find
// the connection state of a custom key store, use the DescribeCustomKeyStores
// operation.
//
// Use the parameters of UpdateCustomKeyStore to edit your keystore settings.
//
//    * Use the NewCustomKeyStoreName parameter to change the friendly name
//    of the custom key store to the value that you specify.
//
//    * Use the KeyStorePassword parameter to tell AWS KMS the current password
//    of the kmsuser crypto user (CU) (https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser)
//    in the associated AWS CloudHSM cluster. You can use this parameter to
//    fix connection failures (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-password)
//    that occur when AWS KMS cannot log into the associated cluster because
//    the kmsuser password has changed. This value does not change the password
//    in the AWS CloudHSM cluster.
//
//    * Use the CloudHsmClusterId parameter to associate the custom key store
//    with a different, but related, AWS CloudHSM cluster. You can use this
//    parameter to repair a custom key store if its AWS CloudHSM cluster becomes
//    corrupted or is deleted, or when you need to create or restore a cluster
//    from a backup.
//
// If the operation succeeds, it returns a JSON object with no properties.
//
// This operation is part of the Custom Key Store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
// in AWS KMS, which combines the convenience and extensive integration
// of AWS KMS with the isolation and control of a single-tenant key store.
//
// Returns awserr.Error for service API and SDK errors.
Use runtime type assertions 6110// with awserr.Error's Code and Message methods to get detailed information about 6111// the error. 6112// 6113// See the AWS API reference guide for AWS Key Management Service's 6114// API operation UpdateCustomKeyStore for usage and error information. 6115// 6116// Returned Error Codes: 6117// * ErrCodeCustomKeyStoreNotFoundException "CustomKeyStoreNotFoundException" 6118// The request was rejected because AWS KMS cannot find a custom key store with 6119// the specified key store name or ID. 6120// 6121// * ErrCodeCustomKeyStoreNameInUseException "CustomKeyStoreNameInUseException" 6122// The request was rejected because the specified custom key store name is already 6123// assigned to another custom key store in the account. Try again with a custom 6124// key store name that is unique in the account. 6125// 6126// * ErrCodeCloudHsmClusterNotFoundException "CloudHsmClusterNotFoundException" 6127// The request was rejected because AWS KMS cannot find the AWS CloudHSM cluster 6128// with the specified cluster ID. Retry the request with a different cluster 6129// ID. 6130// 6131// * ErrCodeCloudHsmClusterNotRelatedException "CloudHsmClusterNotRelatedException" 6132// The request was rejected because the specified AWS CloudHSM cluster has a 6133// different cluster certificate than the original cluster. You cannot use the 6134// operation to specify an unrelated cluster. 6135// 6136// Specify a cluster that shares a backup history with the original cluster. 6137// This includes clusters that were created from a backup of the current cluster, 6138// and clusters that were created from the same backup that produced the current 6139// cluster. 6140// 6141// Clusters that share a backup history have the same cluster certificate. To 6142// view the cluster certificate of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) 6143// operation. 
6144// 6145// * ErrCodeCustomKeyStoreInvalidStateException "CustomKeyStoreInvalidStateException" 6146// The request was rejected because of the ConnectionState of the custom key 6147// store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores 6148// operation. 6149// 6150// This exception is thrown under the following conditions: 6151// 6152// * You requested the CreateKey or GenerateRandom operation in a custom 6153// key store that is not connected. These operations are valid only when 6154// the custom key store ConnectionState is CONNECTED. 6155// 6156// * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation 6157// on a custom key store that is not disconnected. This operation is valid 6158// only when the custom key store ConnectionState is DISCONNECTED. 6159// 6160// * You requested the ConnectCustomKeyStore operation on a custom key store 6161// with a ConnectionState of DISCONNECTING or FAILED. This operation is valid 6162// for all other ConnectionState values. 6163// 6164// * ErrCodeInternalException "KMSInternalException" 6165// The request was rejected because an internal exception occurred. The request 6166// can be retried. 6167// 6168// * ErrCodeCloudHsmClusterNotActiveException "CloudHsmClusterNotActiveException" 6169// The request was rejected because the AWS CloudHSM cluster that is associated 6170// with the custom key store is not active. Initialize and activate the cluster 6171// and try the command again. For detailed instructions, see Getting Started 6172// (https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html) 6173// in the AWS CloudHSM User Guide. 6174// 6175// * ErrCodeCloudHsmClusterInvalidConfigurationException "CloudHsmClusterInvalidConfigurationException" 6176// The request was rejected because the associated AWS CloudHSM cluster did 6177// not meet the configuration requirements for a custom key store. 
6178// 6179// * The cluster must be configured with private subnets in at least two 6180// different Availability Zones in the Region. 6181// 6182// * The security group for the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) 6183// (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound 6184// rules that allow TCP traffic on ports 2223-2225. The Source in the inbound 6185// rules and the Destination in the outbound rules must match the security 6186// group ID. These rules are set by default when you create the cluster. 6187// Do not delete or change them. To get information about a particular security 6188// group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html) 6189// operation. 6190// 6191// * The cluster must contain at least as many HSMs as the operation requires. 6192// To add HSMs, use the AWS CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html) 6193// operation. For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey 6194// operations, the AWS CloudHSM cluster must have at least two active HSMs, 6195// each in a different Availability Zone. For the ConnectCustomKeyStore operation, 6196// the AWS CloudHSM must contain at least one active HSM. 6197// 6198// For information about the requirements for an AWS CloudHSM cluster that is 6199// associated with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) 6200// in the AWS Key Management Service Developer Guide. For information about 6201// creating a private subnet for an AWS CloudHSM cluster, see Create a Private 6202// Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html) 6203// in the AWS CloudHSM User Guide. 
For information about cluster security groups, 6204// see Configure a Default Security Group (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) 6205// in the AWS CloudHSM User Guide . 6206// 6207// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateCustomKeyStore 6208func (c *KMS) UpdateCustomKeyStore(input *UpdateCustomKeyStoreInput) (*UpdateCustomKeyStoreOutput, error) { 6209 req, out := c.UpdateCustomKeyStoreRequest(input) 6210 return out, req.Send() 6211} 6212 6213// UpdateCustomKeyStoreWithContext is the same as UpdateCustomKeyStore with the addition of 6214// the ability to pass a context and additional request options. 6215// 6216// See UpdateCustomKeyStore for details on how to use this API operation. 6217// 6218// The context must be non-nil and will be used for request cancellation. If 6219// the context is nil a panic will occur. In the future the SDK may create 6220// sub-contexts for http.Requests. See https://golang.org/pkg/context/ 6221// for more information on using Contexts. 6222func (c *KMS) UpdateCustomKeyStoreWithContext(ctx aws.Context, input *UpdateCustomKeyStoreInput, opts ...request.Option) (*UpdateCustomKeyStoreOutput, error) { 6223 req, out := c.UpdateCustomKeyStoreRequest(input) 6224 req.SetContext(ctx) 6225 req.ApplyOptions(opts...) 6226 return out, req.Send() 6227} 6228 6229const opUpdateKeyDescription = "UpdateKeyDescription" 6230 6231// UpdateKeyDescriptionRequest generates a "aws/request.Request" representing the 6232// client's request for the UpdateKeyDescription operation. The "output" return 6233// value will be populated with the request's response once the request completes 6234// successfully. 6235// 6236// Use "Send" method on the returned Request to send the API call to the service. 6237// the "output" return value is not valid until after Send returns without error. 
//
// See UpdateKeyDescription for more information on using the UpdateKeyDescription
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
//
//
//    // Example sending a request using the UpdateKeyDescriptionRequest method.
//    req, resp := client.UpdateKeyDescriptionRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateKeyDescription
func (c *KMS) UpdateKeyDescriptionRequest(input *UpdateKeyDescriptionInput) (req *request.Request, output *UpdateKeyDescriptionOutput) {
	// A nil input is replaced by an empty structure so the request can still
	// be built.
	if input == nil {
		input = new(UpdateKeyDescriptionInput)
	}
	output = new(UpdateKeyDescriptionOutput)

	operation := &request.Operation{
		Name:       opUpdateKeyDescription,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}
	req = c.newRequest(operation, input, output)

	// The JSON-RPC unmarshal handler is swapped for the discard-body handler,
	// so the response body is not decoded into output. Success is therefore
	// reported only through Send returning a nil error.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}

// UpdateKeyDescription API operation for AWS Key Management Service.
//
// Updates the description of a customer master key (CMK). To see the description
// of a CMK, use DescribeKey.
//
// The description is returned by DescribeKey, so it should hold no secrets
// or other sensitive data.
//
// You cannot perform this operation on a CMK in a different AWS account.
//
// The CMK that you use for this operation must be in a compatible key state.
// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
// in the AWS Key Management Service Developer Guide.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation UpdateKeyDescription for usage and error information.
//
// Returned Error Codes:
//   * ErrCodeNotFoundException "NotFoundException"
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * ErrCodeInvalidArnException "InvalidArnException"
//   The request was rejected because a specified ARN, or an ARN in a key policy,
//   is not valid.
//
//   * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * ErrCodeInternalException "KMSInternalException"
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * ErrCodeInvalidStateException "KMSInvalidStateException"
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateKeyDescription
func (c *KMS) UpdateKeyDescription(input *UpdateKeyDescriptionInput) (*UpdateKeyDescriptionOutput, error) {
	r, result := c.UpdateKeyDescriptionRequest(input)
	err := r.Send()
	return result, err
}

// UpdateKeyDescriptionWithContext is the same as UpdateKeyDescription with the addition of
// the ability to pass a context and additional request options.
//
// See UpdateKeyDescription for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) UpdateKeyDescriptionWithContext(ctx aws.Context, input *UpdateKeyDescriptionInput, opts ...request.Option) (*UpdateKeyDescriptionOutput, error) {
	r, result := c.UpdateKeyDescriptionRequest(input)
	// The context is attached before the caller's options are applied.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return result, err
}

const opVerify = "Verify"

// VerifyRequest generates a "aws/request.Request" representing the
// client's request for the Verify operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See Verify for more information on using the Verify
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the VerifyRequest method.
//    req, resp := client.VerifyRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Verify
func (c *KMS) VerifyRequest(input *VerifyInput) (req *request.Request, output *VerifyOutput) {
	// A nil input is replaced by an empty structure so the request can still
	// be built.
	if input == nil {
		input = new(VerifyInput)
	}
	output = new(VerifyOutput)

	operation := &request.Operation{
		Name:       opVerify,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}
	req = c.newRequest(operation, input, output)
	return req, output
}

// Verify API operation for AWS Key Management Service.
//
// Verifies a digital signature that was generated by the Sign operation.
//
// Verification confirms that an authorized user signed the message with the
// specified CMK and signing algorithm, and the message hasn't changed since
// it was signed. If the signature is verified, the value of the SignatureValid
// field in the response is True. If the signature verification fails, the Verify
// operation fails with a KMSInvalidSignatureException exception.
//
// Callers should accept a signature only when the returned error is nil and
// SignatureValid is true. Any non-nil error, whether KMSInvalidSignatureException
// or a retryable failure such as a timeout, means the signature has not been
// verified, and the output must not be used to make a trust decision.
//
// A digital signature is generated by using the private key in an asymmetric
// CMK. The signature is verified by using the public key in the same asymmetric
// CMK. For information about symmetric and asymmetric CMKs, see Using Symmetric
// and Asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html)
// in the AWS Key Management Service Developer Guide.
//
// To verify a digital signature, you can use the Verify operation. Specify
// the same asymmetric CMK, message, and signing algorithm that were used to
// produce the signature.
//
// You can also verify the digital signature by using the public key of the
// CMK outside of AWS KMS. Use the GetPublicKey operation to download the public
// key in the asymmetric CMK and then use the public key to verify the signature
// outside of AWS KMS. The advantage of using the Verify operation is that it
// is performed within AWS KMS. As a result, it's easy to call, the operation
// is performed within the FIPS boundary, it is logged in AWS CloudTrail, and
// you can use key policy and IAM policy to determine who is authorized to use
// the CMK to verify signatures.
//
// The CMK that you use for this operation must be in a compatible key state.
// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
// in the AWS Key Management Service Developer Guide.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation Verify for usage and error information.
//
// Returned Error Codes:
//   * ErrCodeNotFoundException "NotFoundException"
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * ErrCodeDisabledException "DisabledException"
//   The request was rejected because the specified CMK is not enabled.
//
//   * ErrCodeKeyUnavailableException "KeyUnavailableException"
//   The request was rejected because the specified CMK was not available. You
//   can retry the request.
//
//   * ErrCodeDependencyTimeoutException "DependencyTimeoutException"
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * ErrCodeInvalidKeyUsageException "InvalidKeyUsageException"
//   The request was rejected for one of the following reasons:
//
//      * The KeyUsage value of the CMK is incompatible with the API operation.
//
//      * The encryption algorithm or signing algorithm specified for the operation
//      is incompatible with the type of key material in the CMK (CustomerMasterKeySpec).
//
//   For encrypting, decrypting, re-encrypting, and generating data keys, the
//   KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage
//   must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation.
//
//   To find the encryption or signing algorithms supported for a particular CMK,
//   use the DescribeKey operation.
//
//   * ErrCodeInvalidGrantTokenException "InvalidGrantTokenException"
//   The request was rejected because the specified grant token is not valid.
//
//   * ErrCodeInternalException "KMSInternalException"
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * ErrCodeInvalidStateException "KMSInvalidStateException"
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
//   * ErrCodeKMSInvalidSignatureException "KMSInvalidSignatureException"
//   The request was rejected because the signature verification failed. Signature
//   verification fails when it cannot confirm that the signature was produced by
//   signing the specified message with the specified CMK and signing algorithm.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Verify
func (c *KMS) Verify(input *VerifyInput) (*VerifyOutput, error) {
	r, result := c.VerifyRequest(input)
	err := r.Send()
	return result, err
}

// VerifyWithContext is the same as Verify with the addition of
// the ability to pass a context and additional request options.
//
// See Verify for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) VerifyWithContext(ctx aws.Context, input *VerifyInput, opts ...request.Option) (*VerifyOutput, error) {
	r, result := c.VerifyRequest(input)
	// The context is attached before the caller's options are applied.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return result, err
}

// AliasListEntry contains information about an alias.
type AliasListEntry struct {
	_ struct{} `type:"structure"`

	// String that contains the key ARN.
	// NOTE(review): the field name suggests this holds the alias ARN rather
	// than the key ARN; confirm against the service documentation.
	AliasArn *string `min:"20" type:"string"`

	// String that contains the alias. This value begins with alias/.
	AliasName *string `min:"1" type:"string"`

	// String that contains the key identifier referred to by the alias.
	TargetKeyId *string `min:"1" type:"string"`
}

// String returns the structure rendered by awsutil.Prettify.
func (s AliasListEntry) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s AliasListEntry) GoString() string {
	return s.String()
}

// SetAliasArn stores a pointer to v in the AliasArn field and returns the
// receiver so that setter calls can be chained.
func (s *AliasListEntry) SetAliasArn(v string) *AliasListEntry {
	s.AliasArn = &v
	return s
}

// SetAliasName sets the AliasName field's value.
func (s *AliasListEntry) SetAliasName(v string) *AliasListEntry {
	s.AliasName = &v
	return s
}

// SetTargetKeyId stores a pointer to v in the TargetKeyId field and returns
// the receiver so that setter calls can be chained.
func (s *AliasListEntry) SetTargetKeyId(v string) *AliasListEntry {
	s.TargetKeyId = &v
	return s
}

// CancelKeyDeletionInput is the input structure for the CancelKeyDeletion
// operation.
type CancelKeyDeletionInput struct {
	_ struct{} `type:"structure"`

	// The unique identifier for the customer master key (CMK) for which to cancel
	// deletion.
	//
	// Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`
}

// String returns the structure rendered by awsutil.Prettify.
func (s CancelKeyDeletionInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s CancelKeyDeletionInput) GoString() string {
	return s.String()
}

// Validate checks, on the client side, that KeyId is present and at least
// one byte long. It does not check that the value is a well-formed key ID
// or ARN. It returns a request.ErrInvalidParams listing every failed check,
// or nil when all checks pass.
func (s *CancelKeyDeletionInput) Validate() error {
	problems := request.ErrInvalidParams{Context: "CancelKeyDeletionInput"}

	switch {
	case s.KeyId == nil:
		problems.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		problems.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if problems.Len() == 0 {
		return nil
	}
	return problems
}

// SetKeyId stores a pointer to v in the KeyId field and returns the receiver
// so that setter calls can be chained.
func (s *CancelKeyDeletionInput) SetKeyId(v string) *CancelKeyDeletionInput {
	s.KeyId = &v
	return s
}

// CancelKeyDeletionOutput is the output structure for the CancelKeyDeletion
// operation.
type CancelKeyDeletionOutput struct {
	_ struct{} `type:"structure"`

	// The unique identifier of the master key for which deletion is canceled.
	KeyId *string `min:"1" type:"string"`
}

// String returns the structure rendered by awsutil.Prettify.
func (s CancelKeyDeletionOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s CancelKeyDeletionOutput) GoString() string {
	return s.String()
}

// SetKeyId stores a pointer to v in the KeyId field and returns the receiver
// so that setter calls can be chained.
func (s *CancelKeyDeletionOutput) SetKeyId(v string) *CancelKeyDeletionOutput {
	s.KeyId = &v
	return s
}

// ConnectCustomKeyStoreInput is the input structure for the
// ConnectCustomKeyStore operation.
type ConnectCustomKeyStoreInput struct {
	_ struct{} `type:"structure"`

	// Enter the key store ID of the custom key store that you want to connect.
	// To find the ID of a custom key store, use the DescribeCustomKeyStores operation.
	//
	// CustomKeyStoreId is a required field
	CustomKeyStoreId *string `min:"1" type:"string" required:"true"`
}

// String returns the structure rendered by awsutil.Prettify.
func (s ConnectCustomKeyStoreInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s ConnectCustomKeyStoreInput) GoString() string {
	return s.String()
}

// Validate inspects the fields of the type to determine if they are valid.
func (s *ConnectCustomKeyStoreInput) Validate() error {
	problems := request.ErrInvalidParams{Context: "ConnectCustomKeyStoreInput"}

	// Presence and minimum length only; the ID format is not checked here.
	switch {
	case s.CustomKeyStoreId == nil:
		problems.Add(request.NewErrParamRequired("CustomKeyStoreId"))
	case len(*s.CustomKeyStoreId) < 1:
		problems.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1))
	}

	if problems.Len() == 0 {
		return nil
	}
	return problems
}

// SetCustomKeyStoreId stores a pointer to v in the CustomKeyStoreId field and
// returns the receiver so that setter calls can be chained.
func (s *ConnectCustomKeyStoreInput) SetCustomKeyStoreId(v string) *ConnectCustomKeyStoreInput {
	s.CustomKeyStoreId = &v
	return s
}

// ConnectCustomKeyStoreOutput is the output structure for the
// ConnectCustomKeyStore operation. It declares no fields.
type ConnectCustomKeyStoreOutput struct {
	_ struct{} `type:"structure"`
}

// String returns the structure rendered by awsutil.Prettify.
func (s ConnectCustomKeyStoreOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s ConnectCustomKeyStoreOutput) GoString() string {
	return s.String()
}

// CreateAliasInput is the input structure for the CreateAlias operation.
type CreateAliasInput struct {
	_ struct{} `type:"structure"`

	// Specifies the alias name. This value must begin with alias/ followed by a
	// name, such as alias/ExampleAlias. The alias name cannot begin with alias/aws/.
	// The alias/aws/ prefix is reserved for AWS managed CMKs.
	//
	// AliasName is a required field
	AliasName *string `min:"1" type:"string" required:"true"`

	// Identifies the CMK to which the alias refers. Specify the key ID or the Amazon
	// Resource Name (ARN) of the CMK. You cannot specify another alias. For help
	// finding the key ID and ARN, see Finding the Key ID and ARN (https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arn)
	// in the AWS Key Management Service Developer Guide.
	//
	// TargetKeyId is a required field
	TargetKeyId *string `min:"1" type:"string" required:"true"`
}

// String returns the structure rendered by awsutil.Prettify.
func (s CreateAliasInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s CreateAliasInput) GoString() string {
	return s.String()
}

// Validate checks, on the client side, that AliasName and TargetKeyId are
// present and at least one byte long. The alias/ prefix rule and the reserved
// alias/aws/ prefix described on AliasName are not checked here. It returns a
// request.ErrInvalidParams listing every failed check, or nil when all checks
// pass.
func (s *CreateAliasInput) Validate() error {
	problems := request.ErrInvalidParams{Context: "CreateAliasInput"}

	switch {
	case s.AliasName == nil:
		problems.Add(request.NewErrParamRequired("AliasName"))
	case len(*s.AliasName) < 1:
		problems.Add(request.NewErrParamMinLen("AliasName", 1))
	}

	switch {
	case s.TargetKeyId == nil:
		problems.Add(request.NewErrParamRequired("TargetKeyId"))
	case len(*s.TargetKeyId) < 1:
		problems.Add(request.NewErrParamMinLen("TargetKeyId", 1))
	}

	if problems.Len() == 0 {
		return nil
	}
	return problems
}

// SetAliasName stores a pointer to v in the AliasName field and returns the
// receiver so that setter calls can be chained.
func (s *CreateAliasInput) SetAliasName(v string) *CreateAliasInput {
	s.AliasName = &v
	return s
}

// SetTargetKeyId sets the TargetKeyId field's value.
func (s *CreateAliasInput) SetTargetKeyId(v string) *CreateAliasInput {
	s.TargetKeyId = &v
	return s
}

// CreateAliasOutput is the output structure for the CreateAlias operation.
// It declares no fields.
type CreateAliasOutput struct {
	_ struct{} `type:"structure"`
}

// String returns the structure rendered by awsutil.Prettify.
func (s CreateAliasOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s CreateAliasOutput) GoString() string {
	return s.String()
}

// CreateCustomKeyStoreInput is the input structure for the
// CreateCustomKeyStore operation. It carries the kmsuser password, so values
// of this type should be treated as secret-bearing.
type CreateCustomKeyStoreInput struct {
	_ struct{} `type:"structure"`

	// Identifies the AWS CloudHSM cluster for the custom key store. Enter the cluster
	// ID of any active AWS CloudHSM cluster that is not already associated with
	// a custom key store. To find the cluster ID, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
	// operation.
	//
	// CloudHsmClusterId is a required field
	CloudHsmClusterId *string `min:"19" type:"string" required:"true"`

	// Specifies a friendly name for the custom key store. The name must be unique
	// in your AWS account.
	//
	// CustomKeyStoreName is a required field
	CustomKeyStoreName *string `min:"1" type:"string" required:"true"`

	// Enter the password of the kmsuser crypto user (CU) account (https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser)
	// in the specified AWS CloudHSM cluster. AWS KMS logs into the cluster as this
	// user to manage key material on your behalf.
	//
	// This parameter tells AWS KMS the kmsuser account password; it does not change
	// the password in the AWS CloudHSM cluster.
	//
	// The field is tagged sensitive:"true". Read the password from a secret
	// store at call time, and keep it out of source code, configuration files
	// and log output, including request-body debug logging
	// (aws.LogDebugWithHTTPBody).
	//
	// KeyStorePassword is a required field
	KeyStorePassword *string `min:"1" type:"string" required:"true" sensitive:"true"`

	// Enter the content of the trust anchor certificate for the cluster. This is
	// the content of the customerCA.crt file that you created when you initialized
	// the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html).
	//
	// TrustAnchorCertificate is a required field
	TrustAnchorCertificate *string `min:"1" type:"string" required:"true"`
}

// String returns the structure rendered by awsutil.Prettify.
//
// NOTE(review): the structure holds KeyStorePassword. Whether Prettify redacts
// fields tagged sensitive:"true" depends on the SDK version in use; confirm
// before passing this value to a logger or formatter.
func (s CreateCustomKeyStoreInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s CreateCustomKeyStoreInput) GoString() string {
	return s.String()
}

// Validate checks, on the client side, that each required field is present
// and meets its minimum length (19 for CloudHsmClusterId, 1 for the others).
// It does not check the strength of the password or the content of the
// certificate. It returns a request.ErrInvalidParams listing every failed
// check, or nil when all checks pass.
func (s *CreateCustomKeyStoreInput) Validate() error {
	problems := request.ErrInvalidParams{Context: "CreateCustomKeyStoreInput"}

	switch {
	case s.CloudHsmClusterId == nil:
		problems.Add(request.NewErrParamRequired("CloudHsmClusterId"))
	case len(*s.CloudHsmClusterId) < 19:
		problems.Add(request.NewErrParamMinLen("CloudHsmClusterId", 19))
	}

	switch {
	case s.CustomKeyStoreName == nil:
		problems.Add(request.NewErrParamRequired("CustomKeyStoreName"))
	case len(*s.CustomKeyStoreName) < 1:
		problems.Add(request.NewErrParamMinLen("CustomKeyStoreName", 1))
	}

	switch {
	case s.KeyStorePassword == nil:
		problems.Add(request.NewErrParamRequired("KeyStorePassword"))
	case len(*s.KeyStorePassword) < 1:
		problems.Add(request.NewErrParamMinLen("KeyStorePassword", 1))
	}

	switch {
	case s.TrustAnchorCertificate == nil:
		problems.Add(request.NewErrParamRequired("TrustAnchorCertificate"))
	case len(*s.TrustAnchorCertificate) < 1:
		problems.Add(request.NewErrParamMinLen("TrustAnchorCertificate", 1))
	}

	if problems.Len() == 0 {
		return nil
	}
	return problems
}

// SetCloudHsmClusterId stores a pointer to v in the CloudHsmClusterId field
// and returns the receiver so that setter calls can be chained.
func (s *CreateCustomKeyStoreInput) SetCloudHsmClusterId(v string) *CreateCustomKeyStoreInput {
	s.CloudHsmClusterId = &v
	return s
}

// SetCustomKeyStoreName stores a pointer to v in the CustomKeyStoreName field
// and returns the receiver so that setter calls can be chained.
func (s *CreateCustomKeyStoreInput) SetCustomKeyStoreName(v string) *CreateCustomKeyStoreInput {
	s.CustomKeyStoreName = &v
	return s
}

// SetKeyStorePassword stores a pointer to v in the KeyStorePassword field and
// returns the receiver so that setter calls can be chained. The structure
// keeps its own copy of the password string for as long as it is reachable.
func (s *CreateCustomKeyStoreInput) SetKeyStorePassword(v string) *CreateCustomKeyStoreInput {
	s.KeyStorePassword = &v
	return s
}

// SetTrustAnchorCertificate stores a pointer to v in the
// TrustAnchorCertificate field and returns the receiver so that setter calls
// can be chained.
func (s *CreateCustomKeyStoreInput) SetTrustAnchorCertificate(v string) *CreateCustomKeyStoreInput {
	s.TrustAnchorCertificate = &v
	return s
}

// CreateCustomKeyStoreOutput is the output structure for the
// CreateCustomKeyStore operation.
type CreateCustomKeyStoreOutput struct {
	_ struct{} `type:"structure"`

	// A unique identifier for the new custom key store.
	CustomKeyStoreId *string `min:"1" type:"string"`
}

// String returns the structure rendered by awsutil.Prettify.
func (s CreateCustomKeyStoreOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s CreateCustomKeyStoreOutput) GoString() string {
	return s.String()
}

// SetCustomKeyStoreId stores a pointer to v in the CustomKeyStoreId field and
// returns the receiver so that setter calls can be chained.
func (s *CreateCustomKeyStoreOutput) SetCustomKeyStoreId(v string) *CreateCustomKeyStoreOutput {
	s.CustomKeyStoreId = &v
	return s
}

type CreateGrantInput struct {
	_ struct{} `type:"structure"`

	// Allows a cryptographic operation only when the encryption context matches
	// or includes the encryption context specified in this structure.
For more 6873 // information about encryption context, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) 6874 // in the AWS Key Management Service Developer Guide . 6875 Constraints *GrantConstraints `type:"structure"` 6876 6877 // A list of grant tokens. 6878 // 6879 // For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) 6880 // in the AWS Key Management Service Developer Guide. 6881 GrantTokens []*string `type:"list"` 6882 6883 // The principal that is given permission to perform the operations that the 6884 // grant permits. 6885 // 6886 // To specify the principal, use the Amazon Resource Name (ARN) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) 6887 // of an AWS principal. Valid AWS principals include AWS accounts (root), IAM 6888 // users, IAM roles, federated users, and assumed role users. For examples of 6889 // the ARN syntax to use for specifying a principal, see AWS Identity and Access 6890 // Management (IAM) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam) 6891 // in the Example ARNs section of the AWS General Reference. 6892 // 6893 // GranteePrincipal is a required field 6894 GranteePrincipal *string `min:"1" type:"string" required:"true"` 6895 6896 // The unique identifier for the customer master key (CMK) that the grant applies 6897 // to. 6898 // 6899 // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify 6900 // a CMK in a different AWS account, you must use the key ARN. 6901 // 6902 // For example: 6903 // 6904 // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab 6905 // 6906 // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab 6907 // 6908 // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. 
6909 // 6910 // KeyId is a required field 6911 KeyId *string `min:"1" type:"string" required:"true"` 6912 6913 // A friendly name for identifying the grant. Use this value to prevent the 6914 // unintended creation of duplicate grants when retrying this request. 6915 // 6916 // When this value is absent, all CreateGrant requests result in a new grant 6917 // with a unique GrantId even if all the supplied parameters are identical. 6918 // This can result in unintended duplicates when you retry the CreateGrant request. 6919 // 6920 // When this value is present, you can retry a CreateGrant request with identical 6921 // parameters; if the grant already exists, the original GrantId is returned 6922 // without creating a new grant. Note that the returned grant token is unique 6923 // with every CreateGrant request, even when a duplicate GrantId is returned. 6924 // All grant tokens obtained in this way can be used interchangeably. 6925 Name *string `min:"1" type:"string"` 6926 6927 // A list of operations that the grant permits. 6928 // 6929 // Operations is a required field 6930 Operations []*string `type:"list" required:"true"` 6931 6932 // The principal that is given permission to retire the grant by using RetireGrant 6933 // operation. 6934 // 6935 // To specify the principal, use the Amazon Resource Name (ARN) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) 6936 // of an AWS principal. Valid AWS principals include AWS accounts (root), IAM 6937 // users, federated users, and assumed role users. For examples of the ARN syntax 6938 // to use for specifying a principal, see AWS Identity and Access Management 6939 // (IAM) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam) 6940 // in the Example ARNs section of the AWS General Reference. 
6941 RetiringPrincipal *string `min:"1" type:"string"` 6942} 6943 6944// String returns the string representation 6945func (s CreateGrantInput) String() string { 6946 return awsutil.Prettify(s) 6947} 6948 6949// GoString returns the string representation 6950func (s CreateGrantInput) GoString() string { 6951 return s.String() 6952} 6953 6954// Validate inspects the fields of the type to determine if they are valid. 6955func (s *CreateGrantInput) Validate() error { 6956 invalidParams := request.ErrInvalidParams{Context: "CreateGrantInput"} 6957 if s.GranteePrincipal == nil { 6958 invalidParams.Add(request.NewErrParamRequired("GranteePrincipal")) 6959 } 6960 if s.GranteePrincipal != nil && len(*s.GranteePrincipal) < 1 { 6961 invalidParams.Add(request.NewErrParamMinLen("GranteePrincipal", 1)) 6962 } 6963 if s.KeyId == nil { 6964 invalidParams.Add(request.NewErrParamRequired("KeyId")) 6965 } 6966 if s.KeyId != nil && len(*s.KeyId) < 1 { 6967 invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) 6968 } 6969 if s.Name != nil && len(*s.Name) < 1 { 6970 invalidParams.Add(request.NewErrParamMinLen("Name", 1)) 6971 } 6972 if s.Operations == nil { 6973 invalidParams.Add(request.NewErrParamRequired("Operations")) 6974 } 6975 if s.RetiringPrincipal != nil && len(*s.RetiringPrincipal) < 1 { 6976 invalidParams.Add(request.NewErrParamMinLen("RetiringPrincipal", 1)) 6977 } 6978 6979 if invalidParams.Len() > 0 { 6980 return invalidParams 6981 } 6982 return nil 6983} 6984 6985// SetConstraints sets the Constraints field's value. 6986func (s *CreateGrantInput) SetConstraints(v *GrantConstraints) *CreateGrantInput { 6987 s.Constraints = v 6988 return s 6989} 6990 6991// SetGrantTokens sets the GrantTokens field's value. 6992func (s *CreateGrantInput) SetGrantTokens(v []*string) *CreateGrantInput { 6993 s.GrantTokens = v 6994 return s 6995} 6996 6997// SetGranteePrincipal sets the GranteePrincipal field's value. 
func (s *CreateGrantInput) SetGranteePrincipal(v string) *CreateGrantInput {
	// v is this call's own copy, so the stored pointer is not shared with the
	// caller's variable.
	s.GranteePrincipal = &v
	return s
}

// SetKeyId stores a pointer to a copy of v in the KeyId field and returns the
// receiver so that setter calls can be chained.
func (s *CreateGrantInput) SetKeyId(v string) *CreateGrantInput {
	s.KeyId = &v
	return s
}

// SetName stores a pointer to a copy of v in the Name field and returns the
// receiver so that setter calls can be chained.
func (s *CreateGrantInput) SetName(v string) *CreateGrantInput {
	s.Name = &v
	return s
}

// SetOperations assigns v to the Operations field and returns the receiver.
//
// The slice is stored as passed, not copied, so later changes the caller makes
// to its elements are visible through the input. The list is what the grant
// permits, so it is worth reviewing at the call site.
func (s *CreateGrantInput) SetOperations(v []*string) *CreateGrantInput {
	s.Operations = v
	return s
}

// SetRetiringPrincipal stores a pointer to a copy of v in the
// RetiringPrincipal field and returns the receiver so that setter calls can
// be chained.
func (s *CreateGrantInput) SetRetiringPrincipal(v string) *CreateGrantInput {
	s.RetiringPrincipal = &v
	return s
}

// CreateGrantOutput is the output shape paired with CreateGrantInput.
type CreateGrantOutput struct {
	_ struct{} `type:"structure"`

	// The unique identifier for the grant.
	//
	// You can use the GrantId in a subsequent RetireGrant or RevokeGrant operation.
	GrantId *string `min:"1" type:"string"`

	// The grant token.
	//
	// For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
	// in the AWS Key Management Service Developer Guide.
	GrantToken *string `min:"1" type:"string"`
}

// String renders the struct through awsutil.Prettify.
func (s CreateGrantOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s CreateGrantOutput) GoString() string {
	return awsutil.Prettify(s)
}

// SetGrantId stores a pointer to a copy of v in the GrantId field and returns
// the receiver so that setter calls can be chained.
func (s *CreateGrantOutput) SetGrantId(v string) *CreateGrantOutput {
	s.GrantId = &v
	return s
}

// SetGrantToken sets the GrantToken field's value.
func (s *CreateGrantOutput) SetGrantToken(v string) *CreateGrantOutput {
	// v is this call's own copy, so the stored pointer is not shared with the
	// caller's variable.
	s.GrantToken = &v
	return s
}

// CreateKeyInput carries the parameters of a CreateKey request.
type CreateKeyInput struct {
	_ struct{} `type:"structure"`

	// A flag to indicate whether to bypass the key policy lockout safety check.
	//
	// Setting this value to true increases the risk that the CMK becomes unmanageable.
	// Do not set this value to true indiscriminately.
	//
	// For more information, refer to the scenario in the Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam)
	// section in the AWS Key Management Service Developer Guide.
	//
	// Use this parameter only when you include a policy in the request and you
	// intend to prevent the principal that is making the request from making a
	// subsequent PutKeyPolicy request on the CMK.
	//
	// The default value is false.
	BypassPolicyLockoutSafetyCheck *bool `type:"boolean"`

	// Creates the CMK in the specified custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
	// and the key material in its associated AWS CloudHSM cluster. To create a
	// CMK in a custom key store, you must also specify the Origin parameter with
	// a value of AWS_CLOUDHSM. The AWS CloudHSM cluster that is associated with
	// the custom key store must have at least two active HSMs, each in a different
	// Availability Zone in the Region.
	//
	// This parameter is valid only for symmetric CMKs. You cannot create an asymmetric
	// CMK in a custom key store.
	//
	// To find the ID of a custom key store, use the DescribeCustomKeyStores operation.
	//
	// The response includes the custom key store ID and the ID of the AWS CloudHSM
	// cluster.
	//
	// This operation is part of the Custom Key Store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
	// in AWS KMS, which combines the convenience and extensive integration
	// of AWS KMS with the isolation and control of a single-tenant key store.
	CustomKeyStoreId *string `min:"1" type:"string"`

	// Specifies the type of CMK to create. The CustomerMasterKeySpec determines
	// whether the CMK contains a symmetric key or an asymmetric key pair. It also
	// determines the encryption algorithms or signing algorithms that the CMK supports.
	// You can't change the CustomerMasterKeySpec after the CMK is created. To further
	// restrict the algorithms that can be used with the CMK, use its key policy
	// or IAM policy.
	//
	// For help with choosing a key spec for your CMK, see Selecting a Customer
	// Master Key Spec (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#cmk-key-spec)
	// in the AWS Key Management Service Developer Guide.
	//
	// The default value, SYMMETRIC_DEFAULT, creates a CMK with a 256-bit symmetric
	// key.
	//
	// AWS KMS supports the following key specs for CMKs:
	//
	//    * Symmetric key (default) SYMMETRIC_DEFAULT (AES-256-GCM)
	//
	//    * Asymmetric RSA key pairs RSA_2048 RSA_3072 RSA_4096
	//
	//    * Asymmetric NIST-recommended elliptic curve key pairs ECC_NIST_P256 (secp256r1)
	//    ECC_NIST_P384 (secp384r1) ECC_NIST_P521 (secp521r1)
	//
	//    * Other asymmetric elliptic curve key pairs ECC_SECG_P256K1 (secp256k1),
	//    commonly used for cryptocurrencies.
	CustomerMasterKeySpec *string `type:"string" enum:"CustomerMasterKeySpec"`

	// A description of the CMK.
	//
	// Use a description that helps you decide whether the CMK is appropriate for
	// a task.
	Description *string `type:"string"`

	// Determines the cryptographic operations for which you can use the CMK. The
	// default value is ENCRYPT_DECRYPT. This parameter is required only for asymmetric
	// CMKs. You can't change the KeyUsage value after the CMK is created.
	//
	// Select only one valid value.
	//
	//    * For symmetric CMKs, omit the parameter or specify ENCRYPT_DECRYPT.
	//
	//    * For asymmetric CMKs with RSA key material, specify ENCRYPT_DECRYPT or
	//    SIGN_VERIFY.
	//
	//    * For asymmetric CMKs with ECC key material, specify SIGN_VERIFY.
	KeyUsage *string `type:"string" enum:"KeyUsageType"`

	// The source of the key material for the CMK. You cannot change the origin
	// after you create the CMK. The default is AWS_KMS, which means AWS KMS creates
	// the key material.
	//
	// When the parameter value is EXTERNAL, AWS KMS creates a CMK without key material
	// so that you can import key material from your existing key management infrastructure.
	// For more information about importing key material into AWS KMS, see Importing
	// Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html)
	// in the AWS Key Management Service Developer Guide. This value is valid only
	// for symmetric CMKs.
	//
	// When the parameter value is AWS_CLOUDHSM, AWS KMS creates the CMK in an AWS
	// KMS custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
	// and creates its key material in the associated AWS CloudHSM cluster. You
	// must also use the CustomKeyStoreId parameter to identify the custom key store.
	// This value is valid only for symmetric CMKs.
	Origin *string `type:"string" enum:"OriginType"`

	// The key policy to attach to the CMK.
	//
	// If you provide a key policy, it must meet the following criteria:
	//
	//    * If you don't set BypassPolicyLockoutSafetyCheck to true, the key policy
	//    must allow the principal that is making the CreateKey request to make
	//    a subsequent PutKeyPolicy request on the CMK. This reduces the risk that
	//    the CMK becomes unmanageable. For more information, refer to the scenario
	//    in the Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam)
	//    section of the AWS Key Management Service Developer Guide.
	//
	//    * Each statement in the key policy must contain one or more principals.
	//    The principals in the key policy must exist and be visible to AWS KMS.
	//    When you create a new AWS principal (for example, an IAM user or role),
	//    you might need to enforce a delay before including the new principal in
	//    a key policy because the new principal might not be immediately visible
	//    to AWS KMS. For more information, see Changes that I make are not always
	//    immediately visible (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency)
	//    in the AWS Identity and Access Management User Guide.
	//
	// If you do not provide a key policy, AWS KMS attaches a default key policy
	// to the CMK. For more information, see Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default)
	// in the AWS Key Management Service Developer Guide.
	//
	// The key policy size limit is 32 kilobytes (32768 bytes).
	Policy *string `min:"1" type:"string"`

	// One or more tags. Each tag consists of a tag key and a tag value. Both the
	// tag key and the tag value are required, but the tag value can be an empty
	// (null) string.
	//
	// When you add tags to an AWS resource, AWS generates a cost allocation report
	// with usage and costs aggregated by tags. For information about adding, changing,
	// deleting and listing tags for CMKs, see Tagging Keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html).
	//
	// Use this parameter to tag the CMK when it is created. To add tags to an existing
	// CMK, use the TagResource operation.
	Tags []*Tag `type:"list"`
}

// String renders the struct through awsutil.Prettify.
//
// NOTE(review): no field of this struct carries a sensitive tag, so the key
// policy text is presumably part of the rendered output; confirm before
// logging it.
func (s CreateKeyInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s CreateKeyInput) GoString() string {
	return awsutil.Prettify(s)
}

// Validate runs the client-side checks on the input and returns the collected
// request.ErrInvalidParams, or nil when nothing was flagged.
//
// It checks only that CustomKeyStoreId and Policy, when set, are non-empty,
// and that every non-nil tag passes its own Validate. It does not look at
// BypassPolicyLockoutSafetyCheck, at the contents of the policy document, or
// at the policy size limit given in the Policy field's documentation; those
// checks are left to the service.
func (s *CreateKeyInput) Validate() error {
	problems := request.ErrInvalidParams{Context: "CreateKeyInput"}

	if id := s.CustomKeyStoreId; id != nil && len(*id) < 1 {
		problems.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1))
	}
	if policy := s.Policy; policy != nil && len(*policy) < 1 {
		problems.Add(request.NewErrParamMinLen("Policy", 1))
	}

	// Ranging over a nil slice runs zero iterations, so no nil guard is needed.
	for idx, tag := range s.Tags {
		if tag == nil {
			continue
		}
		if err := tag.Validate(); err != nil {
			// NOTE(review): the assertion is unchecked and panics if Tag.Validate
			// returns any other error type; verify against Tag.Validate.
			problems.AddNested(fmt.Sprintf("%s[%v]", "Tags", idx), err.(request.ErrInvalidParams))
		}
	}

	if problems.Len() == 0 {
		return nil
	}
	return problems
}

// SetBypassPolicyLockoutSafetyCheck stores a pointer to a copy of v in the
// BypassPolicyLockoutSafetyCheck field and returns the receiver so that setter
// calls can be chained.
//
// The field's documentation states that true increases the risk that the CMK
// becomes unmanageable, which makes call sites passing true worth reviewing.
func (s *CreateKeyInput) SetBypassPolicyLockoutSafetyCheck(v bool) *CreateKeyInput {
	s.BypassPolicyLockoutSafetyCheck = &v
	return s
}

// SetCustomKeyStoreId sets the CustomKeyStoreId field's value.
func (s *CreateKeyInput) SetCustomKeyStoreId(v string) *CreateKeyInput {
	// v is this call's own copy, so the stored pointer is not shared with the
	// caller's variable.
	s.CustomKeyStoreId = &v
	return s
}

// SetCustomerMasterKeySpec stores a pointer to a copy of v in the
// CustomerMasterKeySpec field and returns the receiver so that setter calls
// can be chained. The value is not checked against the enum here.
func (s *CreateKeyInput) SetCustomerMasterKeySpec(v string) *CreateKeyInput {
	s.CustomerMasterKeySpec = &v
	return s
}

// SetDescription stores a pointer to a copy of v in the Description field and
// returns the receiver so that setter calls can be chained.
func (s *CreateKeyInput) SetDescription(v string) *CreateKeyInput {
	s.Description = &v
	return s
}

// SetKeyUsage stores a pointer to a copy of v in the KeyUsage field and
// returns the receiver so that setter calls can be chained. The value is not
// checked against the enum here.
func (s *CreateKeyInput) SetKeyUsage(v string) *CreateKeyInput {
	s.KeyUsage = &v
	return s
}

// SetOrigin stores a pointer to a copy of v in the Origin field and returns
// the receiver so that setter calls can be chained. The value is not checked
// against the enum here.
func (s *CreateKeyInput) SetOrigin(v string) *CreateKeyInput {
	s.Origin = &v
	return s
}

// SetPolicy stores a pointer to a copy of v in the Policy field and returns
// the receiver so that setter calls can be chained. The policy text is stored
// as given; this setter does not parse or inspect it.
func (s *CreateKeyInput) SetPolicy(v string) *CreateKeyInput {
	s.Policy = &v
	return s
}

// SetTags assigns v to the Tags field and returns the receiver. The slice is
// stored as passed, not copied.
func (s *CreateKeyInput) SetTags(v []*Tag) *CreateKeyInput {
	s.Tags = v
	return s
}

// CreateKeyOutput is the output shape paired with CreateKeyInput.
type CreateKeyOutput struct {
	_ struct{} `type:"structure"`

	// Metadata associated with the CMK.
	KeyMetadata *KeyMetadata `type:"structure"`
}

// String renders the struct through awsutil.Prettify.
func (s CreateKeyOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s CreateKeyOutput) GoString() string {
	return awsutil.Prettify(s)
}

// SetKeyMetadata assigns v to the KeyMetadata field and returns the receiver.
// The pointer is stored as passed, so the output shares the caller's
// KeyMetadata value.
func (s *CreateKeyOutput) SetKeyMetadata(v *KeyMetadata) *CreateKeyOutput {
	s.KeyMetadata = v
	return s
}

// Contains information about each custom key store in the custom key store
// list.
type CustomKeyStoresListEntry struct {
	_ struct{} `type:"structure"`

	// A unique identifier for the AWS CloudHSM cluster that is associated with
	// the custom key store.
	CloudHsmClusterId *string `min:"19" type:"string"`

	// Describes the connection error. Valid values are:
	//
	//    * CLUSTER_NOT_FOUND - AWS KMS cannot find the AWS CloudHSM cluster with
	//    the specified cluster ID.
	//
	//    * INSUFFICIENT_CLOUDHSM_HSMS - The associated AWS CloudHSM cluster does
	//    not contain any active HSMs. To connect a custom key store to its AWS
	//    CloudHSM cluster, the cluster must contain at least one active HSM.
	//
	//    * INTERNAL_ERROR - AWS KMS could not complete the request due to an internal
	//    error. Retry the request. For ConnectCustomKeyStore requests, disconnect
	//    the custom key store before trying to connect again.
	//
	//    * INVALID_CREDENTIALS - AWS KMS does not have the correct password for
	//    the kmsuser crypto user in the AWS CloudHSM cluster.
	//
	//    * NETWORK_ERRORS - Network errors are preventing AWS KMS from connecting
	//    to the custom key store.
	//
	//    * USER_LOCKED_OUT - The kmsuser CU account is locked out of the associated
	//    AWS CloudHSM cluster due to too many failed password attempts. Before
	//    you can connect your custom key store to its AWS CloudHSM cluster, you
	//    must change the kmsuser account password and update the password value
	//    for the custom key store.
	//
	// For help with connection failures, see Troubleshooting Custom Key Stores
	// (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html)
	// in the AWS Key Management Service Developer Guide.
	ConnectionErrorCode *string `type:"string" enum:"ConnectionErrorCodeType"`

	// Indicates whether the custom key store is connected to its AWS CloudHSM cluster.
	//
	// You can create and use CMKs in your custom key stores only when its connection
	// state is CONNECTED.
	//
	// The value is DISCONNECTED if the key store has never been connected or you
	// use the DisconnectCustomKeyStore operation to disconnect it. If the value
	// is CONNECTED but you are having trouble using the custom key store, make
	// sure that its associated AWS CloudHSM cluster is active and contains at least
	// one active HSM.
	//
	// A value of FAILED indicates that an attempt to connect was unsuccessful.
	// For help resolving a connection failure, see Troubleshooting a Custom Key
	// Store (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html)
	// in the AWS Key Management Service Developer Guide.
	ConnectionState *string `type:"string" enum:"ConnectionStateType"`

	// The date and time when the custom key store was created.
	CreationDate *time.Time `type:"timestamp"`

	// A unique identifier for the custom key store.
	CustomKeyStoreId *string `min:"1" type:"string"`

	// The user-specified friendly name for the custom key store.
	CustomKeyStoreName *string `min:"1" type:"string"`

	// The trust anchor certificate of the associated AWS CloudHSM cluster. When
	// you initialize the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr),
	// you create this certificate and save it in the customerCA.crt file.
	TrustAnchorCertificate *string `min:"1" type:"string"`
}

// String renders the struct through awsutil.Prettify.
//
// For monitoring, the field documentation above lists INVALID_CREDENTIALS and
// USER_LOCKED_OUT among the ConnectionErrorCode values; both describe a
// problem with the kmsuser password.
func (s CustomKeyStoresListEntry) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s CustomKeyStoresListEntry) GoString() string {
	return awsutil.Prettify(s)
}

// SetCloudHsmClusterId sets the CloudHsmClusterId field's value.
func (s *CustomKeyStoresListEntry) SetCloudHsmClusterId(v string) *CustomKeyStoresListEntry {
	// v is this call's own copy, so the stored pointer is not shared with the
	// caller's variable.
	s.CloudHsmClusterId = &v
	return s
}

// SetConnectionErrorCode stores a pointer to a copy of v in the
// ConnectionErrorCode field and returns the receiver so that setter calls can
// be chained.
func (s *CustomKeyStoresListEntry) SetConnectionErrorCode(v string) *CustomKeyStoresListEntry {
	s.ConnectionErrorCode = &v
	return s
}

// SetConnectionState stores a pointer to a copy of v in the ConnectionState
// field and returns the receiver so that setter calls can be chained.
func (s *CustomKeyStoresListEntry) SetConnectionState(v string) *CustomKeyStoresListEntry {
	s.ConnectionState = &v
	return s
}

// SetCreationDate stores a pointer to a copy of v in the CreationDate field
// and returns the receiver so that setter calls can be chained.
func (s *CustomKeyStoresListEntry) SetCreationDate(v time.Time) *CustomKeyStoresListEntry {
	s.CreationDate = &v
	return s
}

// SetCustomKeyStoreId stores a pointer to a copy of v in the CustomKeyStoreId
// field and returns the receiver so that setter calls can be chained.
func (s *CustomKeyStoresListEntry) SetCustomKeyStoreId(v string) *CustomKeyStoresListEntry {
	s.CustomKeyStoreId = &v
	return s
}

// SetCustomKeyStoreName stores a pointer to a copy of v in the
// CustomKeyStoreName field and returns the receiver so that setter calls can
// be chained.
func (s *CustomKeyStoresListEntry) SetCustomKeyStoreName(v string) *CustomKeyStoresListEntry {
	s.CustomKeyStoreName = &v
	return s
}

// SetTrustAnchorCertificate stores a pointer to a copy of v in the
// TrustAnchorCertificate field and returns the receiver so that setter calls
// can be chained.
func (s *CustomKeyStoresListEntry) SetTrustAnchorCertificate(v string) *CustomKeyStoresListEntry {
	s.TrustAnchorCertificate = &v
	return s
}

// DecryptInput carries the parameters of a Decrypt request.
type DecryptInput struct {
	_ struct{} `type:"structure"`

	// Ciphertext to be decrypted. The blob includes metadata.
	//
	// CiphertextBlob is automatically base64 encoded/decoded by the SDK.
	//
	// CiphertextBlob is a required field
	CiphertextBlob []byte `min:"1" type:"blob" required:"true"`

	// Specifies the encryption algorithm that will be used to decrypt the ciphertext.
	// Specify the same algorithm that was used to encrypt the data. If you specify
	// a different algorithm, the Decrypt operation fails.
	//
	// This parameter is required only when the ciphertext was encrypted under an
	// asymmetric CMK. The default value, SYMMETRIC_DEFAULT, represents the only
	// supported algorithm that is valid for symmetric CMKs.
	EncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"`

	// Specifies the encryption context to use when decrypting the data. An encryption
	// context is valid only for cryptographic operations with a symmetric CMK.
	// The standard asymmetric encryption algorithms that AWS KMS uses do not support
	// an encryption context.
	//
	// An encryption context is a collection of non-secret key-value pairs that
	// represents additional authenticated data. When you use an encryption context
	// to encrypt data, you must specify the same (an exact case-sensitive match)
	// encryption context to decrypt the data. An encryption context is optional
	// when encrypting with a symmetric CMK, but it is highly recommended.
	//
	// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context)
	// in the AWS Key Management Service Developer Guide.
	EncryptionContext map[string]*string `type:"map"`

	// A list of grant tokens.
	//
	// For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
	// in the AWS Key Management Service Developer Guide.
	GrantTokens []*string `type:"list"`

	// Specifies the customer master key (CMK) that AWS KMS will use to decrypt
	// the ciphertext. Enter a key ID of the CMK that was used to encrypt the ciphertext.
	//
	// If you specify a KeyId value, the Decrypt operation succeeds only if the
	// specified CMK was used to encrypt the ciphertext.
	//
	// This parameter is required only when the ciphertext was encrypted under an
	// asymmetric CMK. Otherwise, AWS KMS uses the metadata that it adds to the
	// ciphertext blob to determine which CMK was used to encrypt the ciphertext.
	// However, you can use this parameter to ensure that a particular CMK (of any
	// kind) is used to decrypt the ciphertext.
	//
	// To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name,
	// or alias ARN. When using an alias name, prefix it with "alias/".
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Alias name: alias/ExampleAlias
	//
	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To
	// get the alias name and alias ARN, use ListAliases.
	KeyId *string `min:"1" type:"string"`
}

// String renders the struct through awsutil.Prettify.
//
// NOTE(review): no field of this struct carries a sensitive tag, so the
// encryption context is presumably part of the rendered output. The field
// documentation describes that context as non-secret; keep secrets out of it.
func (s DecryptInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s DecryptInput) GoString() string {
	return awsutil.Prettify(s)
}

// Validate inspects the fields of the type to determine if they are valid.
func (s *DecryptInput) Validate() error {
	// Client-side checks only: CiphertextBlob must be present and non-empty,
	// and KeyId, when set, must be non-empty. EncryptionAlgorithm,
	// EncryptionContext and GrantTokens are not examined here.
	problems := request.ErrInvalidParams{Context: "DecryptInput"}

	switch {
	case s.CiphertextBlob == nil:
		problems.Add(request.NewErrParamRequired("CiphertextBlob"))
	case len(s.CiphertextBlob) < 1:
		// Reached only for a non-nil, zero-length slice.
		problems.Add(request.NewErrParamMinLen("CiphertextBlob", 1))
	}
	if id := s.KeyId; id != nil && len(*id) < 1 {
		problems.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if problems.Len() == 0 {
		return nil
	}
	return problems
}

// SetCiphertextBlob assigns v to the CiphertextBlob field and returns the
// receiver. The slice is stored as passed, not copied.
func (s *DecryptInput) SetCiphertextBlob(v []byte) *DecryptInput {
	s.CiphertextBlob = v
	return s
}

// SetEncryptionAlgorithm stores a pointer to a copy of v in the
// EncryptionAlgorithm field and returns the receiver so that setter calls can
// be chained.
func (s *DecryptInput) SetEncryptionAlgorithm(v string) *DecryptInput {
	s.EncryptionAlgorithm = &v
	return s
}

// SetEncryptionContext assigns v to the EncryptionContext field and returns
// the receiver. The map is stored as passed, so later changes made by the
// caller are visible through the input.
func (s *DecryptInput) SetEncryptionContext(v map[string]*string) *DecryptInput {
	s.EncryptionContext = v
	return s
}

// SetGrantTokens assigns v to the GrantTokens field and returns the receiver.
// The slice is stored as passed, not copied.
func (s *DecryptInput) SetGrantTokens(v []*string) *DecryptInput {
	s.GrantTokens = v
	return s
}

// SetKeyId stores a pointer to a copy of v in the KeyId field and returns the
// receiver so that setter calls can be chained.
//
// Per the KeyId field documentation, a request that names a CMK succeeds only
// if that CMK encrypted the ciphertext, so setting it pins decryption to the
// key the caller expects.
func (s *DecryptInput) SetKeyId(v string) *DecryptInput {
	s.KeyId = &v
	return s
}

// DecryptOutput is the output shape paired with DecryptInput.
type DecryptOutput struct {
	_ struct{} `type:"structure"`

	// The encryption algorithm that was used to decrypt the ciphertext.
	EncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"`

	// The ARN of the customer master key that was used to perform the decryption.
	KeyId *string `min:"1" type:"string"`

	// Decrypted plaintext data. When you use the HTTP API or the AWS CLI, the value
	// is Base64-encoded. Otherwise, it is not Base64-encoded.
	//
	// Plaintext is automatically base64 encoded/decoded by the SDK.
	Plaintext []byte `min:"1" type:"blob" sensitive:"true"`
}

// String renders the struct through awsutil.Prettify.
//
// NOTE(review): Plaintext is tagged sensitive:"true". Prettify is expected to
// redact fields with that tag; confirm for the SDK version in use before this
// value reaches logs. Code that prints or copies s.Plaintext directly gets no
// such protection.
func (s DecryptOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s DecryptOutput) GoString() string {
	return awsutil.Prettify(s)
}

// SetEncryptionAlgorithm stores a pointer to a copy of v in the
// EncryptionAlgorithm field and returns the receiver so that setter calls can
// be chained.
func (s *DecryptOutput) SetEncryptionAlgorithm(v string) *DecryptOutput {
	s.EncryptionAlgorithm = &v
	return s
}

// SetKeyId stores a pointer to a copy of v in the KeyId field and returns the
// receiver so that setter calls can be chained.
func (s *DecryptOutput) SetKeyId(v string) *DecryptOutput {
	s.KeyId = &v
	return s
}

// SetPlaintext assigns v to the Plaintext field and returns the receiver.
//
// The slice is stored as passed, not copied, so the output and the caller
// share one backing array. Nothing in this type clears the bytes; a caller
// that wants the plaintext wiped after use has to do so itself.
func (s *DecryptOutput) SetPlaintext(v []byte) *DecryptOutput {
	s.Plaintext = v
	return s
}

// DeleteAliasInput carries the single parameter of a DeleteAlias request.
type DeleteAliasInput struct {
	_ struct{} `type:"structure"`

	// The alias to be deleted. The alias name must begin with alias/ followed by
	// the alias name, such as alias/ExampleAlias.
	//
	// AliasName is a required field
	AliasName *string `min:"1" type:"string" required:"true"`
}

// String renders the struct through awsutil.Prettify.
func (s DeleteAliasInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s DeleteAliasInput) GoString() string {
	return awsutil.Prettify(s)
}

// Validate inspects the fields of the type to determine if they are valid.
func (s *DeleteAliasInput) Validate() error {
	// Client-side checks only: AliasName must be present and non-empty. The
	// "alias/" prefix described on the field is not checked here.
	problems := request.ErrInvalidParams{Context: "DeleteAliasInput"}

	switch name := s.AliasName; {
	case name == nil:
		problems.Add(request.NewErrParamRequired("AliasName"))
	case len(*name) < 1:
		problems.Add(request.NewErrParamMinLen("AliasName", 1))
	}

	if problems.Len() == 0 {
		return nil
	}
	return problems
}

// SetAliasName stores a pointer to a copy of v in the AliasName field and
// returns the receiver so that setter calls can be chained.
func (s *DeleteAliasInput) SetAliasName(v string) *DeleteAliasInput {
	s.AliasName = &v
	return s
}

// DeleteAliasOutput is the output shape paired with DeleteAliasInput; it
// declares no data fields.
type DeleteAliasOutput struct {
	_ struct{} `type:"structure"`
}

// String renders the struct through awsutil.Prettify.
func (s DeleteAliasOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s DeleteAliasOutput) GoString() string {
	return awsutil.Prettify(s)
}

// DeleteCustomKeyStoreInput carries the single parameter of a
// DeleteCustomKeyStore request.
type DeleteCustomKeyStoreInput struct {
	_ struct{} `type:"structure"`

	// Enter the ID of the custom key store you want to delete. To find the ID of
	// a custom key store, use the DescribeCustomKeyStores operation.
	//
	// CustomKeyStoreId is a required field
	CustomKeyStoreId *string `min:"1" type:"string" required:"true"`
}

// String renders the struct through awsutil.Prettify.
func (s DeleteCustomKeyStoreInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s DeleteCustomKeyStoreInput) GoString() string {
	return awsutil.Prettify(s)
}

// Validate inspects the fields of the type to determine if they are valid.
func (s *DeleteCustomKeyStoreInput) Validate() error {
	// Client-side pre-flight only: CustomKeyStoreId must be set and non-empty.
	errs := request.ErrInvalidParams{Context: "DeleteCustomKeyStoreInput"}
	switch {
	case s.CustomKeyStoreId == nil:
		errs.Add(request.NewErrParamRequired("CustomKeyStoreId"))
	case len(*s.CustomKeyStoreId) < 1:
		errs.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetCustomKeyStoreId points CustomKeyStoreId at a copy of v and returns s for
// chaining.
func (s *DeleteCustomKeyStoreInput) SetCustomKeyStoreId(v string) *DeleteCustomKeyStoreInput {
	s.CustomKeyStoreId = &v
	return s
}

// DeleteCustomKeyStoreOutput has no data fields.
type DeleteCustomKeyStoreOutput struct {
	_ struct{} `type:"structure"`
}

// String returns the text produced by awsutil.Prettify for s.
func (s DeleteCustomKeyStoreOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s DeleteCustomKeyStoreOutput) GoString() string {
	return awsutil.Prettify(s)
}

// DeleteImportedKeyMaterialInput carries the KeyId of the CMK whose imported key
// material is to be deleted.
//
// The Validate method on this type checks only that KeyId is present and
// non-empty; the Origin requirement described on the field is not checked
// client-side in this type.
type DeleteImportedKeyMaterialInput struct {
	_ struct{} `type:"structure"`

	// Identifies the CMK from which you are deleting imported key material. The
	// Origin of the CMK must be EXTERNAL.
	//
	// Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`
}

// String returns the text produced by awsutil.Prettify for s.
func (s DeleteImportedKeyMaterialInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s DeleteImportedKeyMaterialInput) GoString() string {
	return awsutil.Prettify(s)
}

// Validate reports a missing or empty KeyId as request.ErrInvalidParams and
// returns nil otherwise.
func (s *DeleteImportedKeyMaterialInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "DeleteImportedKeyMaterialInput"}
	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetKeyId points KeyId at a copy of v and returns s for chaining.
func (s *DeleteImportedKeyMaterialInput) SetKeyId(v string) *DeleteImportedKeyMaterialInput {
	s.KeyId = &v
	return s
}

// DeleteImportedKeyMaterialOutput has no data fields.
type DeleteImportedKeyMaterialOutput struct {
	_ struct{} `type:"structure"`
}

// String returns the text produced by awsutil.Prettify for s.
func (s DeleteImportedKeyMaterialOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s DeleteImportedKeyMaterialOutput) GoString() string {
	return awsutil.Prettify(s)
}

// DescribeCustomKeyStoresInput carries the optional filter and paging parameters
// described on its fields.
type DescribeCustomKeyStoresInput struct {
	_ struct{} `type:"structure"`

	// Gets only information about the specified custom key store. Enter the key
	// store ID.
	//
	// By default, this operation gets information about all custom key stores in
	// the account and region. To limit the output to a particular custom key store,
	// you can use either the CustomKeyStoreId or CustomKeyStoreName parameter,
	// but not both.
	CustomKeyStoreId *string `min:"1" type:"string"`

	// Gets only information about the specified custom key store. Enter the friendly
	// name of the custom key store.
	//
	// By default, this operation gets information about all custom key stores in
	// the account and region. To limit the output to a particular custom key store,
	// you can use either the CustomKeyStoreId or CustomKeyStoreName parameter,
	// but not both.
	CustomKeyStoreName *string `min:"1" type:"string"`

	// Use this parameter to specify the maximum number of items to return. When
	// this value is present, AWS KMS does not return more than the specified number
	// of items, but it might return fewer.
	Limit *int64 `min:"1" type:"integer"`

	// Use this parameter in a subsequent request after you receive a response with
	// truncated results. Set it to the value of NextMarker from the truncated response
	// you just received.
	Marker *string `min:"1" type:"string"`
}

// String returns the text produced by awsutil.Prettify for s.
func (s DescribeCustomKeyStoresInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s DescribeCustomKeyStoresInput) GoString() string {
	return awsutil.Prettify(s)
}

// Validate inspects the fields of the type to determine if they are valid.
func (s *DescribeCustomKeyStoresInput) Validate() error {
	// Every field is optional; a field that is set must meet its minimum.
	// The "either CustomKeyStoreId or CustomKeyStoreName, but not both" rule
	// from the field docs is not checked here.
	errs := request.ErrInvalidParams{Context: "DescribeCustomKeyStoresInput"}
	if id := s.CustomKeyStoreId; id != nil && len(*id) < 1 {
		errs.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1))
	}
	if name := s.CustomKeyStoreName; name != nil && len(*name) < 1 {
		errs.Add(request.NewErrParamMinLen("CustomKeyStoreName", 1))
	}
	if limit := s.Limit; limit != nil && *limit < 1 {
		errs.Add(request.NewErrParamMinValue("Limit", 1))
	}
	if marker := s.Marker; marker != nil && len(*marker) < 1 {
		errs.Add(request.NewErrParamMinLen("Marker", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetCustomKeyStoreId points CustomKeyStoreId at a copy of v and returns s for
// chaining.
func (s *DescribeCustomKeyStoresInput) SetCustomKeyStoreId(v string) *DescribeCustomKeyStoresInput {
	s.CustomKeyStoreId = &v
	return s
}

// SetCustomKeyStoreName points CustomKeyStoreName at a copy of v and returns s
// for chaining.
func (s *DescribeCustomKeyStoresInput) SetCustomKeyStoreName(v string) *DescribeCustomKeyStoresInput {
	s.CustomKeyStoreName = &v
	return s
}

// SetLimit points Limit at a copy of v and returns s for chaining.
func (s *DescribeCustomKeyStoresInput) SetLimit(v int64) *DescribeCustomKeyStoresInput {
	s.Limit = &v
	return s
}

// SetMarker points Marker at a copy of v and returns s for chaining.
func (s *DescribeCustomKeyStoresInput) SetMarker(v string) *DescribeCustomKeyStoresInput {
	s.Marker = &v
	return s
}

// DescribeCustomKeyStoresOutput holds the returned custom key store entries and
// the paging fields described below.
type DescribeCustomKeyStoresOutput struct {
	_ struct{} `type:"structure"`

	// Contains metadata about each custom key store.
	CustomKeyStores []*CustomKeyStoresListEntry `type:"list"`

	// When Truncated is true, this element is present and contains the value to
	// use for the Marker parameter in a subsequent request.
	NextMarker *string `min:"1" type:"string"`

	// A flag that indicates whether there are more items in the list. When this
	// value is true, the list in this response is truncated. To get more items,
	// pass the value of the NextMarker element in this response to the Marker parameter
	// in a subsequent request.
	Truncated *bool `type:"boolean"`
}

// String returns the text produced by awsutil.Prettify for s.
func (s DescribeCustomKeyStoresOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s DescribeCustomKeyStoresOutput) GoString() string {
	return awsutil.Prettify(s)
}

// SetCustomKeyStores assigns v to CustomKeyStores without copying the slice and
// returns s for chaining.
func (s *DescribeCustomKeyStoresOutput) SetCustomKeyStores(v []*CustomKeyStoresListEntry) *DescribeCustomKeyStoresOutput {
	s.CustomKeyStores = v
	return s
}

// SetNextMarker points NextMarker at a copy of v and returns s for chaining.
func (s *DescribeCustomKeyStoresOutput) SetNextMarker(v string) *DescribeCustomKeyStoresOutput {
	s.NextMarker = &v
	return s
}

// SetTruncated points Truncated at a copy of v and returns s for chaining.
func (s *DescribeCustomKeyStoresOutput) SetTruncated(v bool) *DescribeCustomKeyStoresOutput {
	s.Truncated = &v
	return s
}

// DescribeKeyInput carries the KeyId of the CMK to describe and optional grant
// tokens.
type DescribeKeyInput struct {
	_ struct{} `type:"structure"`

	// A list of grant tokens.
	//
	// For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
	// in the AWS Key Management Service Developer Guide.
	GrantTokens []*string `type:"list"`

	// Describes the specified customer master key (CMK).
	//
	// If you specify a predefined AWS alias (an AWS alias with no key ID), KMS
	// associates the alias with an AWS managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys)
	// and returns its KeyId and Arn in the response.
	//
	// To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name,
	// or alias ARN. When using an alias name, prefix it with "alias/". To specify
	// a CMK in a different AWS account, you must use the key ARN or alias ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Alias name: alias/ExampleAlias
	//
	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To
	// get the alias name and alias ARN, use ListAliases.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`
}

// String returns the text produced by awsutil.Prettify for s.
func (s DescribeKeyInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s DescribeKeyInput) GoString() string {
	return awsutil.Prettify(s)
}

// Validate reports a missing or empty KeyId as request.ErrInvalidParams and
// returns nil otherwise. GrantTokens is not inspected.
func (s *DescribeKeyInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "DescribeKeyInput"}
	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetGrantTokens sets the GrantTokens field's value.
func (s *DescribeKeyInput) SetGrantTokens(v []*string) *DescribeKeyInput {
	// The slice is stored as given, so the caller and s share its elements.
	s.GrantTokens = v
	return s
}

// SetKeyId points KeyId at a copy of v and returns s for chaining.
func (s *DescribeKeyInput) SetKeyId(v string) *DescribeKeyInput {
	s.KeyId = &v
	return s
}

// DescribeKeyOutput holds the metadata returned for a key.
type DescribeKeyOutput struct {
	_ struct{} `type:"structure"`

	// Metadata associated with the key.
	KeyMetadata *KeyMetadata `type:"structure"`
}

// String returns the text produced by awsutil.Prettify for s.
func (s DescribeKeyOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s DescribeKeyOutput) GoString() string {
	return awsutil.Prettify(s)
}

// SetKeyMetadata assigns the pointer v to KeyMetadata and returns s for
// chaining.
func (s *DescribeKeyOutput) SetKeyMetadata(v *KeyMetadata) *DescribeKeyOutput {
	s.KeyMetadata = v
	return s
}

// DisableKeyInput carries the KeyId of the CMK the request applies to.
type DisableKeyInput struct {
	_ struct{} `type:"structure"`

	// A unique identifier for the customer master key (CMK).
	//
	// Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`
}

// String returns the text produced by awsutil.Prettify for s.
func (s DisableKeyInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s DisableKeyInput) GoString() string {
	return awsutil.Prettify(s)
}

// Validate inspects the fields of the type to determine if they are valid.
func (s *DisableKeyInput) Validate() error {
	// Client-side pre-flight only: KeyId must be set and non-empty. The value
	// is not checked against the key ID or ARN formats shown on the field.
	errs := request.ErrInvalidParams{Context: "DisableKeyInput"}
	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetKeyId points KeyId at a copy of v and returns s for chaining.
func (s *DisableKeyInput) SetKeyId(v string) *DisableKeyInput {
	s.KeyId = &v
	return s
}

// DisableKeyOutput has no data fields.
type DisableKeyOutput struct {
	_ struct{} `type:"structure"`
}

// String returns the text produced by awsutil.Prettify for s.
func (s DisableKeyOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s DisableKeyOutput) GoString() string {
	return awsutil.Prettify(s)
}

// DisableKeyRotationInput carries the KeyId of the CMK the request applies to.
type DisableKeyRotationInput struct {
	_ struct{} `type:"structure"`

	// Identifies a symmetric customer master key (CMK). You cannot enable automatic
	// rotation of asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#asymmetric-cmks),
	// CMKs with imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html),
	// or CMKs in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html).
	//
	// Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`
}

// String returns the text produced by awsutil.Prettify for s.
func (s DisableKeyRotationInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s DisableKeyRotationInput) GoString() string {
	return awsutil.Prettify(s)
}

// Validate reports a missing or empty KeyId as request.ErrInvalidParams and
// returns nil otherwise. Key type restrictions from the field docs are not
// checked here.
func (s *DisableKeyRotationInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "DisableKeyRotationInput"}
	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetKeyId points KeyId at a copy of v and returns s for chaining.
func (s *DisableKeyRotationInput) SetKeyId(v string) *DisableKeyRotationInput {
	s.KeyId = &v
	return s
}

// DisableKeyRotationOutput has no data fields.
type DisableKeyRotationOutput struct {
	_ struct{} `type:"structure"`
}

// String returns the text produced by awsutil.Prettify for s.
func (s DisableKeyRotationOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s DisableKeyRotationOutput) GoString() string {
	return awsutil.Prettify(s)
}

// DisconnectCustomKeyStoreInput carries the ID of the custom key store to
// disconnect.
type DisconnectCustomKeyStoreInput struct {
	_ struct{} `type:"structure"`

	// Enter the ID of the custom key store you want to disconnect. To find the
	// ID of a custom key store, use the DescribeCustomKeyStores operation.
	//
	// CustomKeyStoreId is a required field
	CustomKeyStoreId *string `min:"1" type:"string" required:"true"`
}

// String returns the text produced by awsutil.Prettify for s.
func (s DisconnectCustomKeyStoreInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s DisconnectCustomKeyStoreInput) GoString() string {
	return awsutil.Prettify(s)
}

// Validate reports a missing or empty CustomKeyStoreId as
// request.ErrInvalidParams and returns nil otherwise.
func (s *DisconnectCustomKeyStoreInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "DisconnectCustomKeyStoreInput"}
	switch {
	case s.CustomKeyStoreId == nil:
		errs.Add(request.NewErrParamRequired("CustomKeyStoreId"))
	case len(*s.CustomKeyStoreId) < 1:
		errs.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetCustomKeyStoreId points CustomKeyStoreId at a copy of v and returns s for
// chaining.
func (s *DisconnectCustomKeyStoreInput) SetCustomKeyStoreId(v string) *DisconnectCustomKeyStoreInput {
	s.CustomKeyStoreId = &v
	return s
}

// DisconnectCustomKeyStoreOutput has no data fields.
type DisconnectCustomKeyStoreOutput struct {
	_ struct{} `type:"structure"`
}

// String returns the text produced by awsutil.Prettify for s.
func (s DisconnectCustomKeyStoreOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s DisconnectCustomKeyStoreOutput) GoString() string {
	return awsutil.Prettify(s)
}

// EnableKeyInput carries the KeyId of the CMK the request applies to.
type EnableKeyInput struct {
	_ struct{} `type:"structure"`

	// A unique identifier for the customer master key (CMK).
	//
	// Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`
}

// String returns the text produced by awsutil.Prettify for s.
func (s EnableKeyInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s EnableKeyInput) GoString() string {
	return awsutil.Prettify(s)
}

// Validate reports a missing or empty KeyId as request.ErrInvalidParams and
// returns nil otherwise.
func (s *EnableKeyInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "EnableKeyInput"}
	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetKeyId points KeyId at a copy of v and returns s for chaining.
func (s *EnableKeyInput) SetKeyId(v string) *EnableKeyInput {
	s.KeyId = &v
	return s
}

// EnableKeyOutput has no data fields.
type EnableKeyOutput struct {
	_ struct{} `type:"structure"`
}

// String returns the text produced by awsutil.Prettify for s.
func (s EnableKeyOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s EnableKeyOutput) GoString() string {
	return awsutil.Prettify(s)
}

// EnableKeyRotationInput carries the KeyId of the CMK the request applies to.
type EnableKeyRotationInput struct {
	_ struct{} `type:"structure"`

	// Identifies a symmetric customer master key (CMK). You cannot enable automatic
	// rotation of asymmetric CMKs, CMKs with imported key material, or CMKs in
	// a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html).
	//
	// Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`
}

// String returns the text produced by awsutil.Prettify for s.
func (s EnableKeyRotationInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s EnableKeyRotationInput) GoString() string {
	return awsutil.Prettify(s)
}

// Validate reports a missing or empty KeyId as request.ErrInvalidParams and
// returns nil otherwise. Key type restrictions from the field docs are not
// checked here.
func (s *EnableKeyRotationInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "EnableKeyRotationInput"}
	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetKeyId sets the KeyId field's value.
func (s *EnableKeyRotationInput) SetKeyId(v string) *EnableKeyRotationInput {
	// v is this call's own copy, so later changes by the caller do not reach s.
	s.KeyId = &v
	return s
}

// EnableKeyRotationOutput has no data fields.
type EnableKeyRotationOutput struct {
	_ struct{} `type:"structure"`
}

// String returns the text produced by awsutil.Prettify for s.
func (s EnableKeyRotationOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s EnableKeyRotationOutput) GoString() string {
	return awsutil.Prettify(s)
}

// EncryptInput carries the data to encrypt, the CMK to use and the optional
// algorithm, encryption context and grant tokens.
type EncryptInput struct {
	_ struct{} `type:"structure"`

	// Specifies the encryption algorithm that AWS KMS will use to encrypt the plaintext
	// message. The algorithm must be compatible with the CMK that you specify.
	//
	// This parameter is required only for asymmetric CMKs. The default value, SYMMETRIC_DEFAULT,
	// is the algorithm used for symmetric CMKs. If you are using an asymmetric
	// CMK, we recommend RSAES_OAEP_SHA_256.
	EncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"`

	// Specifies the encryption context that will be used to encrypt the data. An
	// encryption context is valid only for cryptographic operations with a symmetric
	// CMK. The standard asymmetric encryption algorithms that AWS KMS uses do not
	// support an encryption context.
	//
	// An encryption context is a collection of non-secret key-value pairs that
	// represents additional authenticated data. When you use an encryption context
	// to encrypt data, you must specify the same (an exact case-sensitive match)
	// encryption context to decrypt the data. An encryption context is optional
	// when encrypting with a symmetric CMK, but it is highly recommended.
	//
	// Because these pairs are non-secret, do not place secrets or other sensitive
	// values in them; AWS documentation states that the encryption context is
	// recorded in plaintext in CloudTrail logs.
	//
	// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context)
	// in the AWS Key Management Service Developer Guide.
	EncryptionContext map[string]*string `type:"map"`

	// A list of grant tokens.
	//
	// For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
	// in the AWS Key Management Service Developer Guide.
	GrantTokens []*string `type:"list"`

	// A unique identifier for the customer master key (CMK).
	//
	// To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name,
	// or alias ARN. When using an alias name, prefix it with "alias/". To specify
	// a CMK in a different AWS account, you must use the key ARN or alias ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Alias name: alias/ExampleAlias
	//
	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To
	// get the alias name and alias ARN, use ListAliases.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// Data to be encrypted.
	//
	// Plaintext is automatically base64 encoded/decoded by the SDK.
	//
	// The sensitive:"true" tag marks this field for the SDK's formatting code.
	// Reading the field directly and logging it bypasses any tag-based masking.
	//
	// Plaintext is a required field
	Plaintext []byte `min:"1" type:"blob" required:"true" sensitive:"true"`
}

// String returns the text produced by awsutil.Prettify for s.
//
// s includes Plaintext. Whether the result masks it depends on
// awsutil.Prettify honoring the sensitive:"true" tag, which is not visible in
// this file; confirm against the vendored SDK version before logging requests.
func (s EncryptInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String, so the same caveat about
// Plaintext applies when a value is formatted with %#v.
func (s EncryptInput) GoString() string {
	return awsutil.Prettify(s)
}

// Validate inspects the fields of the type to determine if they are valid.
func (s *EncryptInput) Validate() error {
	// Client-side pre-flight only: KeyId and Plaintext must each be set and
	// non-empty. EncryptionAlgorithm, EncryptionContext and GrantTokens are
	// not inspected here.
	errs := request.ErrInvalidParams{Context: "EncryptInput"}
	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}
	// A nil slice counts as missing; a non-nil empty slice fails the minimum.
	switch {
	case s.Plaintext == nil:
		errs.Add(request.NewErrParamRequired("Plaintext"))
	case len(s.Plaintext) < 1:
		errs.Add(request.NewErrParamMinLen("Plaintext", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetEncryptionAlgorithm points EncryptionAlgorithm at a copy of v and returns
// s for chaining. v is not checked against the enum named in the field tag.
func (s *EncryptInput) SetEncryptionAlgorithm(v string) *EncryptInput {
	s.EncryptionAlgorithm = &v
	return s
}

// SetEncryptionContext assigns the map v to EncryptionContext without copying
// it and returns s for chaining.
func (s *EncryptInput) SetEncryptionContext(v map[string]*string) *EncryptInput {
	s.EncryptionContext = v
	return s
}

// SetGrantTokens assigns the slice v to GrantTokens without copying it and
// returns s for chaining.
func (s *EncryptInput) SetGrantTokens(v []*string) *EncryptInput {
	s.GrantTokens = v
	return s
}

// SetKeyId points KeyId at a copy of v and returns s for chaining.
func (s *EncryptInput) SetKeyId(v string) *EncryptInput {
	s.KeyId = &v
	return s
}

// SetPlaintext assigns v to Plaintext and returns s for chaining.
//
// The slice is stored as given, so s.Plaintext and the caller's slice share
// one backing array: overwriting the caller's buffer also changes what s holds.
func (s *EncryptInput) SetPlaintext(v []byte) *EncryptInput {
	s.Plaintext = v
	return s
}

// EncryptOutput holds the ciphertext, the algorithm used and the ID of the
// key used.
type EncryptOutput struct {
	_ struct{} `type:"structure"`

	// The encrypted plaintext. When you use the HTTP API or the AWS CLI, the value
	// is Base64-encoded. Otherwise, it is not Base64-encoded.
	//
	// CiphertextBlob is automatically base64 encoded/decoded by the SDK.
	CiphertextBlob []byte `min:"1" type:"blob"`

	// The encryption algorithm that was used to encrypt the plaintext.
	EncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"`

	// The ID of the key used during encryption.
	KeyId *string `min:"1" type:"string"`
}

// String returns the text produced by awsutil.Prettify for s.
func (s EncryptOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s EncryptOutput) GoString() string {
	return awsutil.Prettify(s)
}

// SetCiphertextBlob assigns the slice v to CiphertextBlob without copying it
// and returns s for chaining.
func (s *EncryptOutput) SetCiphertextBlob(v []byte) *EncryptOutput {
	s.CiphertextBlob = v
	return s
}

// SetEncryptionAlgorithm points EncryptionAlgorithm at a copy of v and returns
// s for chaining.
func (s *EncryptOutput) SetEncryptionAlgorithm(v string) *EncryptOutput {
	s.EncryptionAlgorithm = &v
	return s
}

// SetKeyId points KeyId at a copy of v and returns s for chaining.
func (s *EncryptOutput) SetKeyId(v string) *EncryptOutput {
	s.KeyId = &v
	return s
}

// GenerateDataKeyInput carries the CMK to use, the requested data key length
// (KeySpec or NumberOfBytes) and the optional encryption context and grant
// tokens.
type GenerateDataKeyInput struct {
	_ struct{} `type:"structure"`

	// Specifies the encryption context that will be used when encrypting the data
	// key.
	//
	// An encryption context is a collection of non-secret key-value pairs that
	// represents additional authenticated data. When you use an encryption context
	// to encrypt data, you must specify the same (an exact case-sensitive match)
	// encryption context to decrypt the data. An encryption context is optional
	// when encrypting with a symmetric CMK, but it is highly recommended.
	//
	// Because these pairs are non-secret, do not place secrets or other sensitive
	// values in them.
	//
	// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context)
	// in the AWS Key Management Service Developer Guide.
	EncryptionContext map[string]*string `type:"map"`

	// A list of grant tokens.
	//
	// For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
	// in the AWS Key Management Service Developer Guide.
	GrantTokens []*string `type:"list"`

	// Identifies the symmetric CMK that encrypts the data key.
	//
	// To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name,
	// or alias ARN. When using an alias name, prefix it with "alias/". To specify
	// a CMK in a different AWS account, you must use the key ARN or alias ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Alias name: alias/ExampleAlias
	//
	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To
	// get the alias name and alias ARN, use ListAliases.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// Specifies the length of the data key. Use AES_128 to generate a 128-bit symmetric
	// key, or AES_256 to generate a 256-bit symmetric key.
	//
	// You must specify either the KeySpec or the NumberOfBytes parameter (but not
	// both) in every GenerateDataKey request.
	KeySpec *string `type:"string" enum:"DataKeySpec"`

	// Specifies the length of the data key in bytes. For example, use the value
	// 64 to generate a 512-bit data key (64 bytes is 512 bits). For 128-bit (16-byte)
	// and 256-bit (32-byte) data keys, use the KeySpec parameter.
	//
	// You must specify either the KeySpec or the NumberOfBytes parameter (but not
	// both) in every GenerateDataKey request.
	NumberOfBytes *int64 `min:"1" type:"integer"`
}

// String returns the text produced by awsutil.Prettify for s.
func (s GenerateDataKeyInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s GenerateDataKeyInput) GoString() string {
	return awsutil.Prettify(s)
}

// Validate reports a missing or empty KeyId and a NumberOfBytes below 1 as
// request.ErrInvalidParams, and returns nil otherwise.
//
// The "either KeySpec or NumberOfBytes, but not both" rule from the field docs
// is not checked here, and NumberOfBytes has no client-side upper bound.
func (s *GenerateDataKeyInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "GenerateDataKeyInput"}
	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}
	if n := s.NumberOfBytes; n != nil && *n < 1 {
		errs.Add(request.NewErrParamMinValue("NumberOfBytes", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetEncryptionContext assigns the map v to EncryptionContext without copying
// it and returns s for chaining.
func (s *GenerateDataKeyInput) SetEncryptionContext(v map[string]*string) *GenerateDataKeyInput {
	s.EncryptionContext = v
	return s
}

// SetGrantTokens assigns the slice v to GrantTokens without copying it and
// returns s for chaining.
func (s *GenerateDataKeyInput) SetGrantTokens(v []*string) *GenerateDataKeyInput {
	s.GrantTokens = v
	return s
}

// SetKeyId points KeyId at a copy of v and returns s for chaining.
func (s *GenerateDataKeyInput) SetKeyId(v string) *GenerateDataKeyInput {
	s.KeyId = &v
	return s
}

// SetKeySpec points KeySpec at a copy of v and returns s for chaining. v is
// not checked against the enum named in the field tag.
func (s *GenerateDataKeyInput) SetKeySpec(v string) *GenerateDataKeyInput {
	s.KeySpec = &v
	return s
}

// SetNumberOfBytes sets the NumberOfBytes field's value.
func (s *GenerateDataKeyInput) SetNumberOfBytes(v int64) *GenerateDataKeyInput {
	// v is this function's own copy, so the stored pointer does not alias the
	// caller's variable. No range check is made here.
	s.NumberOfBytes = &v
	return s
}

// GenerateDataKeyOutput carries one data key in two forms: encrypted under the
// CMK (CiphertextBlob) and in the clear (Plaintext).
type GenerateDataKeyOutput struct {
	_ struct{} `type:"structure"`

	// The encrypted copy of the data key. When you use the HTTP API or the AWS
	// CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.
	//
	// CiphertextBlob is automatically base64 encoded/decoded by the SDK.
	CiphertextBlob []byte `min:"1" type:"blob"`

	// The identifier of the CMK that encrypted the data key.
	KeyId *string `min:"1" type:"string"`

	// The plaintext data key. When you use the HTTP API or the AWS CLI, the value
	// is Base64-encoded. Otherwise, it is not Base64-encoded. Use this data key
	// to encrypt your data outside of KMS. Then, remove it from memory as soon
	// as possible.
	//
	// Plaintext is automatically base64 encoded/decoded by the SDK.
	//
	// Nothing in this type clears the slice; overwriting the bytes after use is
	// left to the caller.
	Plaintext []byte `min:"1" type:"blob" sensitive:"true"`
}

// String returns the string representation.
//
// The receiver includes Plaintext. NOTE(review): whether the key bytes show up
// in the result depends on awsutil.Prettify honouring the sensitive:"true"
// tag; confirm against the awsutil version in use before logging this value.
func (s GenerateDataKeyOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the string representation. It renders exactly what String
// renders, so the same caution about Plaintext applies to %#v formatting.
func (s GenerateDataKeyOutput) GoString() string {
	return awsutil.Prettify(s)
}

// SetCiphertextBlob sets the CiphertextBlob field's value.
func (s *GenerateDataKeyOutput) SetCiphertextBlob(v []byte) *GenerateDataKeyOutput {
	// The slice header is stored as is; s and the caller share one backing array.
	s.CiphertextBlob = v
	return s
}

// SetKeyId sets the KeyId field's value.
func (s *GenerateDataKeyOutput) SetKeyId(v string) *GenerateDataKeyOutput {
	s.KeyId = &v
	return s
}

// SetPlaintext sets the Plaintext field's value.
func (s *GenerateDataKeyOutput) SetPlaintext(v []byte) *GenerateDataKeyOutput {
	// v is stored without copying: s.Plaintext and the caller's slice share one
	// backing array, so zeroing either one zeroes both. Copies made elsewhere
	// are not affected.
	s.Plaintext = v
	return s
}

// GenerateDataKeyPairInput is the request shape for generating a data key pair
// whose private key is also returned encrypted under a symmetric CMK.
type GenerateDataKeyPairInput struct {
	_ struct{} `type:"structure"`

	// Specifies the encryption context that will be used when encrypting the private
	// key in the data key pair.
	//
	// An encryption context is a collection of non-secret key-value pairs that
	// represents additional authenticated data. When you use an encryption context
	// to encrypt data, you must specify the same (an exact case-sensitive match)
	// encryption context to decrypt the data. An encryption context is optional
	// when encrypting with a symmetric CMK, but it is highly recommended.
	//
	// The pairs are described as non-secret, so keep secret values out of them.
	//
	// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context)
	// in the AWS Key Management Service Developer Guide.
	EncryptionContext map[string]*string `type:"map"`

	// A list of grant tokens.
	//
	// For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
	// in the AWS Key Management Service Developer Guide.
	GrantTokens []*string `type:"list"`

	// Specifies the symmetric CMK that encrypts the private key in the data key
	// pair. You cannot specify an asymmetric CMK.
	//
	// To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name,
	// or alias ARN. When using an alias name, prefix it with "alias/". To specify
	// a CMK in a different AWS account, you must use the key ARN or alias ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Alias name: alias/ExampleAlias
	//
	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To
	// get the alias name and alias ARN, use ListAliases.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// Determines the type of data key pair that is generated.
	//
	// The AWS KMS rule that restricts the use of asymmetric RSA CMKs to encrypt
	// and decrypt or to sign and verify (but not both), and the rule that permits
	// you to use ECC CMKs only to sign and verify, are not effective outside of
	// AWS KMS. Any such usage restriction on the generated pair therefore has to
	// be enforced by the code that holds the pair.
	//
	// KeyPairSpec is a required field
	KeyPairSpec *string `type:"string" required:"true" enum:"DataKeyPairSpec"`
}

// String returns the string representation
func (s GenerateDataKeyPairInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the string representation; it renders the same text as String.
func (s GenerateDataKeyPairInput) GoString() string {
	return awsutil.Prettify(s)
}

// Validate inspects the fields of the type to determine if they are valid.
func (s *GenerateDataKeyPairInput) Validate() error {
	// Only presence and minimum length are checked here. KeyPairSpec is not
	// compared against the DataKeyPairSpec enum, so an unknown value passes.
	errs := request.ErrInvalidParams{Context: "GenerateDataKeyPairInput"}

	if s.KeyId == nil {
		errs.Add(request.NewErrParamRequired("KeyId"))
	} else if len(*s.KeyId) < 1 {
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if s.KeyPairSpec == nil {
		errs.Add(request.NewErrParamRequired("KeyPairSpec"))
	}

	// Return a literal nil on success so the error interface is really nil.
	if errs.Len() > 0 {
		return errs
	}
	return nil
}

// SetEncryptionContext sets the EncryptionContext field's value.
func (s *GenerateDataKeyPairInput) SetEncryptionContext(v map[string]*string) *GenerateDataKeyPairInput {
	// The map is stored by reference; later changes to v change s.EncryptionContext too.
	s.EncryptionContext = v
	return s
}

// SetGrantTokens sets the GrantTokens field's value.
func (s *GenerateDataKeyPairInput) SetGrantTokens(v []*string) *GenerateDataKeyPairInput {
	s.GrantTokens = v
	return s
}

// SetKeyId sets the KeyId field's value.
func (s *GenerateDataKeyPairInput) SetKeyId(v string) *GenerateDataKeyPairInput {
	s.KeyId = &v
	return s
}

// SetKeyPairSpec sets the KeyPairSpec field's value.
func (s *GenerateDataKeyPairInput) SetKeyPairSpec(v string) *GenerateDataKeyPairInput {
	s.KeyPairSpec = &v
	return s
}

// GenerateDataKeyPairOutput carries a generated data key pair: the public key,
// the private key in the clear, and the private key encrypted under the CMK.
type GenerateDataKeyPairOutput struct {
	_ struct{} `type:"structure"`

	// The identifier of the CMK that encrypted the private key.
	KeyId *string `min:"1" type:"string"`

	// The type of data key pair that was generated.
	KeyPairSpec *string `type:"string" enum:"DataKeyPairSpec"`

	// The encrypted copy of the private key. When you use the HTTP API or the AWS
	// CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.
	//
	// PrivateKeyCiphertextBlob is automatically base64 encoded/decoded by the SDK.
	PrivateKeyCiphertextBlob []byte `min:"1" type:"blob"`

	// The plaintext copy of the private key. When you use the HTTP API or the AWS
	// CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.
	//
	// PrivateKeyPlaintext is automatically base64 encoded/decoded by the SDK.
	//
	// Nothing in this type clears the slice; overwriting the bytes after use is
	// left to the caller.
	PrivateKeyPlaintext []byte `min:"1" type:"blob" sensitive:"true"`

	// The public key (in plaintext).
	//
	// PublicKey is automatically base64 encoded/decoded by the SDK.
	PublicKey []byte `min:"1" type:"blob"`
}

// String returns the string representation.
//
// The receiver includes PrivateKeyPlaintext. NOTE(review): whether the private
// key bytes show up in the result depends on awsutil.Prettify honouring the
// sensitive:"true" tag; confirm against the awsutil version in use before
// logging this value.
func (s GenerateDataKeyPairOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the string representation. It renders exactly what String
// renders, so the same caution about PrivateKeyPlaintext applies to %#v.
func (s GenerateDataKeyPairOutput) GoString() string {
	return awsutil.Prettify(s)
}

// SetKeyId sets the KeyId field's value.
func (s *GenerateDataKeyPairOutput) SetKeyId(v string) *GenerateDataKeyPairOutput {
	s.KeyId = &v
	return s
}

// SetKeyPairSpec sets the KeyPairSpec field's value.
func (s *GenerateDataKeyPairOutput) SetKeyPairSpec(v string) *GenerateDataKeyPairOutput {
	s.KeyPairSpec = &v
	return s
}

// SetPrivateKeyCiphertextBlob sets the PrivateKeyCiphertextBlob field's value.
func (s *GenerateDataKeyPairOutput) SetPrivateKeyCiphertextBlob(v []byte) *GenerateDataKeyPairOutput {
	s.PrivateKeyCiphertextBlob = v
	return s
}

// SetPrivateKeyPlaintext sets the PrivateKeyPlaintext field's value.
func (s *GenerateDataKeyPairOutput) SetPrivateKeyPlaintext(v []byte) *GenerateDataKeyPairOutput {
	// v is stored without copying: the field and the caller's slice share one
	// backing array, so zeroing either one zeroes both.
	s.PrivateKeyPlaintext = v
	return s
}

// SetPublicKey sets the PublicKey field's value.
func (s *GenerateDataKeyPairOutput) SetPublicKey(v []byte) *GenerateDataKeyPairOutput {
	// The slice header is stored as is; s and the caller share one backing array.
	s.PublicKey = v
	return s
}

// GenerateDataKeyPairWithoutPlaintextInput is the request shape for generating
// a data key pair; its fields mirror GenerateDataKeyPairInput.
type GenerateDataKeyPairWithoutPlaintextInput struct {
	_ struct{} `type:"structure"`

	// Specifies the encryption context that will be used when encrypting the private
	// key in the data key pair.
	//
	// An encryption context is a collection of non-secret key-value pairs that
	// represents additional authenticated data. When you use an encryption context
	// to encrypt data, you must specify the same (an exact case-sensitive match)
	// encryption context to decrypt the data. An encryption context is optional
	// when encrypting with a symmetric CMK, but it is highly recommended.
	//
	// The pairs are described as non-secret, so keep secret values out of them.
	//
	// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context)
	// in the AWS Key Management Service Developer Guide.
	EncryptionContext map[string]*string `type:"map"`

	// A list of grant tokens.
	//
	// For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
	// in the AWS Key Management Service Developer Guide.
	GrantTokens []*string `type:"list"`

	// Specifies the CMK that encrypts the private key in the data key pair. You
	// must specify a symmetric CMK. You cannot use an asymmetric CMK.
	//
	// To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name,
	// or alias ARN. When using an alias name, prefix it with "alias/".
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Alias name: alias/ExampleAlias
	//
	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To
	// get the alias name and alias ARN, use ListAliases.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// Determines the type of data key pair that is generated.
	//
	// The AWS KMS rule that restricts the use of asymmetric RSA CMKs to encrypt
	// and decrypt or to sign and verify (but not both), and the rule that permits
	// you to use ECC CMKs only to sign and verify, are not effective outside of
	// AWS KMS. Any such usage restriction on the generated pair therefore has to
	// be enforced by the code that holds the pair.
	//
	// KeyPairSpec is a required field
	KeyPairSpec *string `type:"string" required:"true" enum:"DataKeyPairSpec"`
}

// String returns the string representation
func (s GenerateDataKeyPairWithoutPlaintextInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the string representation; it renders the same text as String.
func (s GenerateDataKeyPairWithoutPlaintextInput) GoString() string {
	return awsutil.Prettify(s)
}

// Validate inspects the fields of the type to determine if they are valid.
func (s *GenerateDataKeyPairWithoutPlaintextInput) Validate() error {
	// Only presence and minimum length are checked here. KeyPairSpec is not
	// compared against the DataKeyPairSpec enum, so an unknown value passes.
	errs := request.ErrInvalidParams{Context: "GenerateDataKeyPairWithoutPlaintextInput"}

	if s.KeyId == nil {
		errs.Add(request.NewErrParamRequired("KeyId"))
	} else if len(*s.KeyId) < 1 {
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if s.KeyPairSpec == nil {
		errs.Add(request.NewErrParamRequired("KeyPairSpec"))
	}

	// Return a literal nil on success so the error interface is really nil.
	if errs.Len() > 0 {
		return errs
	}
	return nil
}

// SetEncryptionContext sets the EncryptionContext field's value.
func (s *GenerateDataKeyPairWithoutPlaintextInput) SetEncryptionContext(v map[string]*string) *GenerateDataKeyPairWithoutPlaintextInput {
	// The map is stored by reference; later changes to v change s.EncryptionContext too.
	s.EncryptionContext = v
	return s
}

// SetGrantTokens sets the GrantTokens field's value.
func (s *GenerateDataKeyPairWithoutPlaintextInput) SetGrantTokens(v []*string) *GenerateDataKeyPairWithoutPlaintextInput {
	s.GrantTokens = v
	return s
}

// SetKeyId sets the KeyId field's value.
func (s *GenerateDataKeyPairWithoutPlaintextInput) SetKeyId(v string) *GenerateDataKeyPairWithoutPlaintextInput {
	s.KeyId = &v
	return s
}

// SetKeyPairSpec sets the KeyPairSpec field's value.
func (s *GenerateDataKeyPairWithoutPlaintextInput) SetKeyPairSpec(v string) *GenerateDataKeyPairWithoutPlaintextInput {
	s.KeyPairSpec = &v
	return s
}

// GenerateDataKeyPairWithoutPlaintextOutput carries a generated data key pair
// without a plaintext private key: the struct has the encrypted private key and
// the public key only, and no field is tagged sensitive.
type GenerateDataKeyPairWithoutPlaintextOutput struct {
	_ struct{} `type:"structure"`

	// Specifies the CMK that encrypted the private key in the data key pair. You
	// must specify a symmetric CMK. You cannot use an asymmetric CMK.
	//
	// To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name,
	// or alias ARN. When using an alias name, prefix it with "alias/".
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Alias name: alias/ExampleAlias
	//
	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To
	// get the alias name and alias ARN, use ListAliases.
	//
	// NOTE(review): this is a response field, yet the text above is worded as
	// request guidance ("specify"); it looks carried over from the input shape.
	// Which identifier form the service returns is not shown here.
	KeyId *string `min:"1" type:"string"`

	// The type of data key pair that was generated.
	KeyPairSpec *string `type:"string" enum:"DataKeyPairSpec"`

	// The encrypted copy of the private key. When you use the HTTP API or the AWS
	// CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.
	//
	// PrivateKeyCiphertextBlob is automatically base64 encoded/decoded by the SDK.
	PrivateKeyCiphertextBlob []byte `min:"1" type:"blob"`

	// The public key (in plaintext).
	//
	// PublicKey is automatically base64 encoded/decoded by the SDK.
	PublicKey []byte `min:"1" type:"blob"`
}

// String returns the string representation
func (s GenerateDataKeyPairWithoutPlaintextOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the string representation; it renders the same text as String.
func (s GenerateDataKeyPairWithoutPlaintextOutput) GoString() string {
	return awsutil.Prettify(s)
}

// SetKeyId sets the KeyId field's value.
func (s *GenerateDataKeyPairWithoutPlaintextOutput) SetKeyId(v string) *GenerateDataKeyPairWithoutPlaintextOutput {
	s.KeyId = &v
	return s
}

// SetKeyPairSpec sets the KeyPairSpec field's value.
func (s *GenerateDataKeyPairWithoutPlaintextOutput) SetKeyPairSpec(v string) *GenerateDataKeyPairWithoutPlaintextOutput {
	s.KeyPairSpec = &v
	return s
}

// SetPrivateKeyCiphertextBlob sets the PrivateKeyCiphertextBlob field's value.
func (s *GenerateDataKeyPairWithoutPlaintextOutput) SetPrivateKeyCiphertextBlob(v []byte) *GenerateDataKeyPairWithoutPlaintextOutput {
	// The slice header is stored as is; s and the caller share one backing array.
	s.PrivateKeyCiphertextBlob = v
	return s
}

// SetPublicKey sets the PublicKey field's value.
func (s *GenerateDataKeyPairWithoutPlaintextOutput) SetPublicKey(v []byte) *GenerateDataKeyPairWithoutPlaintextOutput {
	s.PublicKey = v
	return s
}

// GenerateDataKeyWithoutPlaintextInput is the request shape for generating a
// data key under a symmetric CMK; its fields mirror GenerateDataKeyInput.
type GenerateDataKeyWithoutPlaintextInput struct {
	_ struct{} `type:"structure"`

	// Specifies the encryption context that will be used when encrypting the data
	// key.
	//
	// An encryption context is a collection of non-secret key-value pairs that
	// represents additional authenticated data. When you use an encryption context
	// to encrypt data, you must specify the same (an exact case-sensitive match)
	// encryption context to decrypt the data. An encryption context is optional
	// when encrypting with a symmetric CMK, but it is highly recommended.
	//
	// The pairs are described as non-secret, so keep secret values out of them.
	//
	// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context)
	// in the AWS Key Management Service Developer Guide.
	EncryptionContext map[string]*string `type:"map"`

	// A list of grant tokens.
	//
	// For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
	// in the AWS Key Management Service Developer Guide.
	GrantTokens []*string `type:"list"`

	// The identifier of the symmetric customer master key (CMK) that encrypts the
	// data key.
	//
	// To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name,
	// or alias ARN. When using an alias name, prefix it with "alias/". To specify
	// a CMK in a different AWS account, you must use the key ARN or alias ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Alias name: alias/ExampleAlias
	//
	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To
	// get the alias name and alias ARN, use ListAliases.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// The length of the data key. Use AES_128 to generate a 128-bit symmetric key,
	// or AES_256 to generate a 256-bit symmetric key.
	KeySpec *string `type:"string" enum:"DataKeySpec"`

	// The length of the data key in bytes. For example, use the value 64 to generate
	// a 512-bit data key (64 bytes is 512 bits). For common key lengths (128-bit
	// and 256-bit symmetric keys), we recommend that you use the KeySpec field
	// instead of this one.
	NumberOfBytes *int64 `min:"1" type:"integer"`
}

// String returns the string representation
func (s GenerateDataKeyWithoutPlaintextInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the string representation; it renders the same text as String.
func (s GenerateDataKeyWithoutPlaintextInput) GoString() string {
	return awsutil.Prettify(s)
}

// Validate inspects the fields of the type to determine if they are valid.
func (s *GenerateDataKeyWithoutPlaintextInput) Validate() error {
	// Checks KeyId (required, non-empty) and the lower bound of NumberOfBytes.
	// KeySpec is not inspected, and NumberOfBytes has no upper bound here.
	errs := request.ErrInvalidParams{Context: "GenerateDataKeyWithoutPlaintextInput"}

	if s.KeyId == nil {
		errs.Add(request.NewErrParamRequired("KeyId"))
	} else if len(*s.KeyId) < 1 {
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if n := s.NumberOfBytes; n != nil && *n < 1 {
		errs.Add(request.NewErrParamMinValue("NumberOfBytes", 1))
	}

	// Return a literal nil on success so the error interface is really nil.
	if errs.Len() > 0 {
		return errs
	}
	return nil
}

// SetEncryptionContext sets the EncryptionContext field's value.
func (s *GenerateDataKeyWithoutPlaintextInput) SetEncryptionContext(v map[string]*string) *GenerateDataKeyWithoutPlaintextInput {
	// The map is stored by reference; later changes to v change s.EncryptionContext too.
	s.EncryptionContext = v
	return s
}

// SetGrantTokens sets the GrantTokens field's value.
func (s *GenerateDataKeyWithoutPlaintextInput) SetGrantTokens(v []*string) *GenerateDataKeyWithoutPlaintextInput {
	s.GrantTokens = v
	return s
}

// SetKeyId sets the KeyId field's value.
func (s *GenerateDataKeyWithoutPlaintextInput) SetKeyId(v string) *GenerateDataKeyWithoutPlaintextInput {
	s.KeyId = &v
	return s
}

// SetKeySpec sets the KeySpec field's value.
func (s *GenerateDataKeyWithoutPlaintextInput) SetKeySpec(v string) *GenerateDataKeyWithoutPlaintextInput {
	s.KeySpec = &v
	return s
}

// SetNumberOfBytes sets the NumberOfBytes field's value.
func (s *GenerateDataKeyWithoutPlaintextInput) SetNumberOfBytes(v int64) *GenerateDataKeyWithoutPlaintextInput {
	s.NumberOfBytes = &v
	return s
}

// GenerateDataKeyWithoutPlaintextOutput carries a data key in encrypted form
// only; the struct has no plaintext field and no field tagged sensitive.
type GenerateDataKeyWithoutPlaintextOutput struct {
	_ struct{} `type:"structure"`

	// The encrypted data key. When you use the HTTP API or the AWS CLI, the value
	// is Base64-encoded. Otherwise, it is not Base64-encoded.
	//
	// CiphertextBlob is automatically base64 encoded/decoded by the SDK.
	CiphertextBlob []byte `min:"1" type:"blob"`

	// The identifier of the CMK that encrypted the data key.
	KeyId *string `min:"1" type:"string"`
}

// String returns the string representation
func (s GenerateDataKeyWithoutPlaintextOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the string representation; it renders the same text as String.
func (s GenerateDataKeyWithoutPlaintextOutput) GoString() string {
	return awsutil.Prettify(s)
}

// SetCiphertextBlob sets the CiphertextBlob field's value.
func (s *GenerateDataKeyWithoutPlaintextOutput) SetCiphertextBlob(v []byte) *GenerateDataKeyWithoutPlaintextOutput {
	// The slice header is stored as is; s and the caller share one backing array.
	s.CiphertextBlob = v
	return s
}

// SetKeyId sets the KeyId field's value.
func (s *GenerateDataKeyWithoutPlaintextOutput) SetKeyId(v string) *GenerateDataKeyWithoutPlaintextOutput {
	s.KeyId = &v
	return s
}

// GenerateRandomInput is the request shape for obtaining a random byte string.
// Both fields are optional as far as the struct tags show.
type GenerateRandomInput struct {
	_ struct{} `type:"structure"`

	// Generates the random byte string in the AWS CloudHSM cluster that is associated
	// with the specified custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html).
	// To find the ID of a custom key store, use the DescribeCustomKeyStores operation.
	CustomKeyStoreId *string `min:"1" type:"string"`

	// The length of the byte string.
	NumberOfBytes *int64 `min:"1" type:"integer"`
}

// String returns the string representation
func (s GenerateRandomInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the string representation; it renders the same text as String.
func (s GenerateRandomInput) GoString() string {
	return awsutil.Prettify(s)
}

// Validate inspects the fields of the type to determine if they are valid.
func (s *GenerateRandomInput) Validate() error {
	// Neither field is required: a nil CustomKeyStoreId or NumberOfBytes passes.
	// Only the minimums are enforced when a value is present.
	errs := request.ErrInvalidParams{Context: "GenerateRandomInput"}

	if id := s.CustomKeyStoreId; id != nil && len(*id) < 1 {
		errs.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1))
	}
	if n := s.NumberOfBytes; n != nil && *n < 1 {
		errs.Add(request.NewErrParamMinValue("NumberOfBytes", 1))
	}

	// Return a literal nil on success so the error interface is really nil.
	if errs.Len() > 0 {
		return errs
	}
	return nil
}

// SetCustomKeyStoreId sets the CustomKeyStoreId field's value.
func (s *GenerateRandomInput) SetCustomKeyStoreId(v string) *GenerateRandomInput {
	s.CustomKeyStoreId = &v
	return s
}

// SetNumberOfBytes sets the NumberOfBytes field's value.
func (s *GenerateRandomInput) SetNumberOfBytes(v int64) *GenerateRandomInput {
	s.NumberOfBytes = &v
	return s
}

// GenerateRandomOutput carries the random byte string returned by the service.
type GenerateRandomOutput struct {
	_ struct{} `type:"structure"`

	// The random byte string. When you use the HTTP API or the AWS CLI, the value
	// is Base64-encoded. Otherwise, it is not Base64-encoded.
	//
	// Plaintext is automatically base64 encoded/decoded by the SDK.
	//
	// The field is tagged sensitive:"true"; if the bytes become key material,
	// overwriting them after use is left to the caller.
	Plaintext []byte `min:"1" type:"blob" sensitive:"true"`
}

// String returns the string representation.
//
// The receiver includes Plaintext. NOTE(review): whether the random bytes show
// up in the result depends on awsutil.Prettify honouring the sensitive:"true"
// tag; confirm against the awsutil version in use before logging this value.
func (s GenerateRandomOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the string representation. It renders exactly what String
// renders, so the same caution about Plaintext applies to %#v formatting.
func (s GenerateRandomOutput) GoString() string {
	return awsutil.Prettify(s)
}

// SetPlaintext sets the Plaintext field's value.
func (s *GenerateRandomOutput) SetPlaintext(v []byte) *GenerateRandomOutput {
	// v is stored without copying: s.Plaintext and the caller's slice share one
	// backing array, so zeroing either one zeroes both.
	s.Plaintext = v
	return s
}

// GetKeyPolicyInput is the request shape for reading a key policy of a CMK.
type GetKeyPolicyInput struct {
	_ struct{} `type:"structure"`

	// A unique identifier for the customer master key (CMK).
	//
	// Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// Specifies the name of the key policy. The only valid name is default. To
	// get the names of key policies, use ListKeyPolicies.
	//
	// PolicyName is a required field
	PolicyName *string `min:"1" type:"string" required:"true"`
}

// String returns the string representation
func (s GetKeyPolicyInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the string representation; it renders the same text as String.
func (s GetKeyPolicyInput) GoString() string {
	return awsutil.Prettify(s)
}

// Validate inspects the fields of the type to determine if they are valid.
//
// PolicyName is checked for presence and minimum length only; the rule that
// "default" is the only valid name is not enforced here.
func (s *GetKeyPolicyInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "GetKeyPolicyInput"}

	if s.KeyId == nil {
		errs.Add(request.NewErrParamRequired("KeyId"))
	} else if len(*s.KeyId) < 1 {
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if s.PolicyName == nil {
		errs.Add(request.NewErrParamRequired("PolicyName"))
	} else if len(*s.PolicyName) < 1 {
		errs.Add(request.NewErrParamMinLen("PolicyName", 1))
	}

	// Return a literal nil on success so the error interface is really nil.
	if errs.Len() > 0 {
		return errs
	}
	return nil
}

// SetKeyId sets the KeyId field's value.
func (s *GetKeyPolicyInput) SetKeyId(v string) *GetKeyPolicyInput {
	s.KeyId = &v
	return s
}

// SetPolicyName sets the PolicyName field's value.
func (s *GetKeyPolicyInput) SetPolicyName(v string) *GetKeyPolicyInput {
	// Any string is accepted here; Validate later checks only that it is non-empty.
	s.PolicyName = &v
	return s
}

// GetKeyPolicyOutput carries the key policy document returned by the service.
type GetKeyPolicyOutput struct {
	_ struct{} `type:"structure"`

	// A key policy document in JSON format.
	Policy *string `min:"1" type:"string"`
}

// String returns the string representation.
//
// The result includes the policy document, which is not tagged sensitive.
func (s GetKeyPolicyOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the string representation; it renders the same text as String.
func (s GetKeyPolicyOutput) GoString() string {
	return awsutil.Prettify(s)
}

// SetPolicy sets the Policy field's value.
func (s *GetKeyPolicyOutput) SetPolicy(v string) *GetKeyPolicyOutput {
	s.Policy = &v
	return s
}

// GetKeyRotationStatusInput is the request shape for reading whether key
// rotation is enabled for a CMK.
type GetKeyRotationStatusInput struct {
	_ struct{} `type:"structure"`

	// A unique identifier for the customer master key (CMK).
	//
	// Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify
	// a CMK in a different AWS account, you must use the key ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`
}

// String returns the string representation
func (s GetKeyRotationStatusInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the string representation; it renders the same text as String.
func (s GetKeyRotationStatusInput) GoString() string {
	return awsutil.Prettify(s)
}

// Validate inspects the fields of the type to determine if they are valid.
func (s *GetKeyRotationStatusInput) Validate() error {
	// KeyId is the only field: it must be set and at least one character long.
	errs := request.ErrInvalidParams{Context: "GetKeyRotationStatusInput"}

	if s.KeyId == nil {
		errs.Add(request.NewErrParamRequired("KeyId"))
	} else if len(*s.KeyId) < 1 {
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	// Return a literal nil on success so the error interface is really nil.
	if errs.Len() > 0 {
		return errs
	}
	return nil
}

// SetKeyId sets the KeyId field's value.
func (s *GetKeyRotationStatusInput) SetKeyId(v string) *GetKeyRotationStatusInput {
	s.KeyId = &v
	return s
}

// GetKeyRotationStatusOutput reports whether key rotation is enabled.
type GetKeyRotationStatusOutput struct {
	_ struct{} `type:"structure"`

	// A Boolean value that specifies whether key rotation is enabled.
	//
	// The field is a pointer, so it can be nil; check for nil before
	// dereferencing rather than reading an absent value as false.
	KeyRotationEnabled *bool `type:"boolean"`
}

// String returns the string representation
func (s GetKeyRotationStatusOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the string representation; it renders the same text as String.
func (s GetKeyRotationStatusOutput) GoString() string {
	return awsutil.Prettify(s)
}

// SetKeyRotationEnabled sets the KeyRotationEnabled field's value.
func (s *GetKeyRotationStatusOutput) SetKeyRotationEnabled(v bool) *GetKeyRotationStatusOutput {
	s.KeyRotationEnabled = &v
	return s
}

// GetParametersForImportInput is the request shape for obtaining the wrapping
// public key and import token used by a later ImportKeyMaterial request.
type GetParametersForImportInput struct {
	_ struct{} `type:"structure"`

	// The identifier of the symmetric CMK into which you will import key material.
	// The Origin of the CMK must be EXTERNAL.
	//
	// Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// The algorithm you will use to encrypt the key material before importing it
	// with ImportKeyMaterial. For more information, see Encrypt the Key Material
	// (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-encrypt-key-material.html)
	// in the AWS Key Management Service Developer Guide.
	//
	// WrappingAlgorithm is a required field
	WrappingAlgorithm *string `type:"string" required:"true" enum:"AlgorithmSpec"`

	// The type of wrapping key (public key) to return in the response. Only 2048-bit
	// RSA public keys are supported.
	//
	// WrappingKeySpec is a required field
	WrappingKeySpec *string `type:"string" required:"true" enum:"WrappingKeySpec"`
}

// String returns the string representation
func (s GetParametersForImportInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the string representation; it renders the same text as String.
func (s GetParametersForImportInput) GoString() string {
	return awsutil.Prettify(s)
}

// Validate inspects the fields of the type to determine if they are valid.
//
// WrappingAlgorithm and WrappingKeySpec are checked for presence only; neither
// is compared against its enum here, so an unknown value passes.
func (s *GetParametersForImportInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "GetParametersForImportInput"}

	if s.KeyId == nil {
		errs.Add(request.NewErrParamRequired("KeyId"))
	} else if len(*s.KeyId) < 1 {
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if s.WrappingAlgorithm == nil {
		errs.Add(request.NewErrParamRequired("WrappingAlgorithm"))
	}
	if s.WrappingKeySpec == nil {
		errs.Add(request.NewErrParamRequired("WrappingKeySpec"))
	}

	// Return a literal nil on success so the error interface is really nil.
	if errs.Len() > 0 {
		return errs
	}
	return nil
}

// SetKeyId sets the KeyId field's value.
func (s *GetParametersForImportInput) SetKeyId(v string) *GetParametersForImportInput {
	s.KeyId = &v
	return s
}

// SetWrappingAlgorithm sets the WrappingAlgorithm field's value and returns
// the receiver so calls can be chained.
func (s *GetParametersForImportInput) SetWrappingAlgorithm(v string) *GetParametersForImportInput {
	s.WrappingAlgorithm = &v
	return s
}

// SetWrappingKeySpec sets the WrappingKeySpec field's value and returns the
// receiver so calls can be chained.
func (s *GetParametersForImportInput) SetWrappingKeySpec(v string) *GetParametersForImportInput {
	s.WrappingKeySpec = &v
	return s
}

// GetParametersForImportOutput holds the import token and public wrapping key
// for a later ImportKeyMaterial request, with the time until which they are
// valid.
type GetParametersForImportOutput struct {
	_ struct{} `type:"structure"`

	// The import token to send in a subsequent ImportKeyMaterial request.
	//
	// ImportToken is automatically base64 encoded/decoded by the SDK.
	ImportToken []byte `min:"1" type:"blob"`

	// The identifier of the CMK to use in a subsequent ImportKeyMaterial
	// request. This is the same CMK specified in the GetParametersForImport
	// request.
	KeyId *string `min:"1" type:"string"`

	// The time at which the import token and public key are no longer valid.
	// After this time, you cannot use them to make an ImportKeyMaterial request
	// and you must send another GetParametersForImport request to get new ones.
	ParametersValidTo *time.Time `type:"timestamp"`

	// The public key to use to encrypt the key material before importing it
	// with ImportKeyMaterial.
	//
	// PublicKey is automatically base64 encoded/decoded by the SDK.
	PublicKey []byte `min:"1" type:"blob" sensitive:"true"`
}

// String returns the text that awsutil.Prettify produces for the struct.
//
// NOTE(review): only PublicKey carries the sensitive:"true" tag; ImportToken
// does not, so it is presumably included in this text. Confirm against
// awsutil.Prettify before writing the result to logs.
func (s GetParametersForImportOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s GetParametersForImportOutput) GoString() string {
	return s.String()
}

// SetImportToken stores v in the ImportToken field without copying it and
// returns the receiver so calls can be chained.
func (s *GetParametersForImportOutput) SetImportToken(v []byte) *GetParametersForImportOutput {
	s.ImportToken = v
	return s
}

// SetKeyId sets the KeyId field's value and returns the receiver so calls can
// be chained.
func (s *GetParametersForImportOutput) SetKeyId(v string) *GetParametersForImportOutput {
	s.KeyId = &v
	return s
}

// SetParametersValidTo sets the ParametersValidTo field's value and returns
// the receiver so calls can be chained.
func (s *GetParametersForImportOutput) SetParametersValidTo(v time.Time) *GetParametersForImportOutput {
	s.ParametersValidTo = &v
	return s
}

// SetPublicKey stores v in the PublicKey field without copying it and returns
// the receiver so calls can be chained.
func (s *GetParametersForImportOutput) SetPublicKey(v []byte) *GetParametersForImportOutput {
	s.PublicKey = v
	return s
}

// GetPublicKeyInput identifies the asymmetric CMK whose public key is
// requested, with optional grant tokens.
type GetPublicKeyInput struct {
	_ struct{} `type:"structure"`

	// A list of grant tokens.
	//
	// For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
	// in the AWS Key Management Service Developer Guide.
	GrantTokens []*string `type:"list"`

	// Identifies the asymmetric CMK that includes the public key.
	//
	// To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name,
	// or alias ARN. When using an alias name, prefix it with "alias/". To
	// specify a CMK in a different AWS account, you must use the key ARN or
	// alias ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Alias name: alias/ExampleAlias
	//
	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To
	// get the alias name and alias ARN, use ListAliases.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`
}

// String returns the text that awsutil.Prettify produces for the struct.
func (s GetPublicKeyInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s GetPublicKeyInput) GoString() string {
	return s.String()
}

// Validate reports a missing KeyId or one shorter than one character.
// GrantTokens is not examined.
func (s *GetPublicKeyInput) Validate() error {
	invalidParams := request.ErrInvalidParams{Context: "GetPublicKeyInput"}
	switch {
	case s.KeyId == nil:
		invalidParams.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if invalidParams.Len() == 0 {
		return nil
	}
	return invalidParams
}

// SetGrantTokens stores v in the GrantTokens field without copying it and
// returns the receiver so calls can be chained.
func (s *GetPublicKeyInput) SetGrantTokens(v []*string) *GetPublicKeyInput {
	s.GrantTokens = v
	return s
}

// SetKeyId sets the KeyId field's value and returns the receiver so calls can
// be chained.
func (s *GetPublicKeyInput) SetKeyId(v string) *GetPublicKeyInput {
	s.KeyId = &v
	return s
}

// GetPublicKeyOutput holds a downloaded public key together with the key
// spec, permitted usage and algorithms reported for it.
type GetPublicKeyOutput struct {
	_ struct{} `type:"structure"`

	// The type of the public key that was downloaded.
	CustomerMasterKeySpec *string `type:"string" enum:"CustomerMasterKeySpec"`

	// The encryption algorithms that AWS KMS supports for this key.
	//
	// This information is critical. If a public key encrypts data outside of
	// AWS KMS by using an unsupported encryption algorithm, the ciphertext
	// cannot be decrypted.
	//
	// This field appears in the response only when the KeyUsage of the public
	// key is ENCRYPT_DECRYPT.
	EncryptionAlgorithms []*string `type:"list"`

	// The identifier of the asymmetric CMK from which the public key was
	// downloaded.
	KeyId *string `min:"1" type:"string"`

	// The permitted use of the public key. Valid values are ENCRYPT_DECRYPT or
	// SIGN_VERIFY.
	//
	// This information is critical. If a public key with SIGN_VERIFY key usage
	// encrypts data outside of AWS KMS, the ciphertext cannot be decrypted.
	KeyUsage *string `type:"string" enum:"KeyUsageType"`

	// The exported public key.
	//
	// This value is returned as a binary Distinguished Encoding Rules (https://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf)
	// (DER)-encoded object. To decode it, use an ASN.1 parsing tool, such as
	// OpenSSL asn1parse (https://www.openssl.org/docs/man1.0.2/man1/asn1parse.html).
	//
	// PublicKey is automatically base64 encoded/decoded by the SDK.
	PublicKey []byte `min:"1" type:"blob"`

	// The signing algorithms that AWS KMS supports for this key.
	//
	// This field appears in the response only when the KeyUsage of the public
	// key is SIGN_VERIFY.
	SigningAlgorithms []*string `type:"list"`
}

// String returns the text that awsutil.Prettify produces for the struct.
func (s GetPublicKeyOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s GetPublicKeyOutput) GoString() string {
	return s.String()
}

// SetCustomerMasterKeySpec sets the CustomerMasterKeySpec field's value and
// returns the receiver so calls can be chained.
func (s *GetPublicKeyOutput) SetCustomerMasterKeySpec(v string) *GetPublicKeyOutput {
	s.CustomerMasterKeySpec = &v
	return s
}

// SetEncryptionAlgorithms stores v in the EncryptionAlgorithms field without
// copying it and returns the receiver so calls can be chained.
func (s *GetPublicKeyOutput) SetEncryptionAlgorithms(v []*string) *GetPublicKeyOutput {
	s.EncryptionAlgorithms = v
	return s
}

// SetKeyId sets the KeyId field's value and returns the receiver so calls can
// be chained.
func (s *GetPublicKeyOutput) SetKeyId(v string) *GetPublicKeyOutput {
	s.KeyId = &v
	return s
}

// SetKeyUsage sets the KeyUsage field's value and returns the receiver so
// calls can be chained.
func (s *GetPublicKeyOutput) SetKeyUsage(v string) *GetPublicKeyOutput {
	s.KeyUsage = &v
	return s
}

// SetPublicKey stores v in the PublicKey field without copying it and returns
// the receiver so calls can be chained.
func (s *GetPublicKeyOutput) SetPublicKey(v []byte) *GetPublicKeyOutput {
	s.PublicKey = v
	return s
}

// SetSigningAlgorithms stores v in the SigningAlgorithms field without copying
// it and returns the receiver so calls can be chained.
func (s *GetPublicKeyOutput) SetSigningAlgorithms(v []*string) *GetPublicKeyOutput {
	s.SigningAlgorithms = v
	return s
}

// GrantConstraints allows cryptographic operations in a grant only when the
// operation request includes the specified encryption context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context).
//
// AWS KMS applies the grant constraints only when the grant allows a
// cryptographic operation that accepts an encryption context as input, such
// as the following.
//
//    * Encrypt
//
//    * Decrypt
//
//    * GenerateDataKey
//
//    * GenerateDataKeyWithoutPlaintext
//
//    * ReEncrypt
//
// AWS KMS does not apply the grant constraints to other operations, such as
// DescribeKey or ScheduleKeyDeletion.
//
// In a cryptographic operation, the encryption context in the decryption
// operation must be an exact, case-sensitive match for the keys and values in
// the encryption context of the encryption operation. Only the order of the
// pairs can vary.
//
// However, in a grant constraint, the key in each key-value pair is not case
// sensitive, but the value is case sensitive.
//
// To avoid confusion, do not use multiple encryption context pairs that
// differ only by case. To require a fully case-sensitive encryption context,
// use the kms:EncryptionContext: and kms:EncryptionContextKeys conditions in
// an IAM or key policy. For details, see kms:EncryptionContext: (https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context)
// in the AWS Key Management Service Developer Guide.
type GrantConstraints struct {
	_ struct{} `type:"structure"`

	// A list of key-value pairs that must match the encryption context in the
	// cryptographic operation request. The grant allows the operation only when
	// the encryption context in the request is the same as the encryption
	// context specified in this constraint.
	EncryptionContextEquals map[string]*string `type:"map"`

	// A list of key-value pairs that must be included in the encryption context
	// of the cryptographic operation request. The grant allows the
	// cryptographic operation only when the encryption context in the request
	// includes the key-value pairs specified in this constraint, although it
	// can include additional key-value pairs.
	EncryptionContextSubset map[string]*string `type:"map"`
}

// String returns the text that awsutil.Prettify produces for the struct.
func (s GrantConstraints) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s GrantConstraints) GoString() string {
	return s.String()
}

// SetEncryptionContextEquals stores v in the EncryptionContextEquals field
// without copying it and returns the receiver so calls can be chained.
func (s *GrantConstraints) SetEncryptionContextEquals(v map[string]*string) *GrantConstraints {
	s.EncryptionContextEquals = v
	return s
}

// SetEncryptionContextSubset stores v in the EncryptionContextSubset field
// without copying it and returns the receiver so calls can be chained.
func (s *GrantConstraints) SetEncryptionContextSubset(v map[string]*string) *GrantConstraints {
	s.EncryptionContextSubset = v
	return s
}

// GrantListEntry contains information about an entry in a list of grants.
type GrantListEntry struct {
	_ struct{} `type:"structure"`

	// A list of key-value pairs that must be present in the encryption context
	// of certain subsequent operations that the grant allows.
	Constraints *GrantConstraints `type:"structure"`

	// The date and time when the grant was created.
	CreationDate *time.Time `type:"timestamp"`

	// The unique identifier for the grant.
	GrantId *string `min:"1" type:"string"`

	// The principal that receives the grant's permissions.
	GranteePrincipal *string `min:"1" type:"string"`

	// The AWS account under which the grant was issued.
	IssuingAccount *string `min:"1" type:"string"`

	// The unique identifier for the customer master key (CMK) to which the
	// grant applies.
	KeyId *string `min:"1" type:"string"`

	// The friendly name that identifies the grant. If a name was provided in
	// the CreateGrant request, that name is returned. Otherwise this value is
	// null.
	Name *string `min:"1" type:"string"`

	// The list of operations permitted by the grant.
	Operations []*string `type:"list"`

	// The principal that can retire the grant.
	RetiringPrincipal *string `min:"1" type:"string"`
}

// String returns the text that awsutil.Prettify produces for the struct.
func (s GrantListEntry) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s GrantListEntry) GoString() string {
	return s.String()
}

// SetConstraints stores the pointer v in the Constraints field and returns the
// receiver so calls can be chained.
func (s *GrantListEntry) SetConstraints(v *GrantConstraints) *GrantListEntry {
	s.Constraints = v
	return s
}

// SetCreationDate sets the CreationDate field's value and returns the receiver
// so calls can be chained.
func (s *GrantListEntry) SetCreationDate(v time.Time) *GrantListEntry {
	s.CreationDate = &v
	return s
}

// SetGrantId sets the GrantId field's value and returns the receiver so calls
// can be chained.
func (s *GrantListEntry) SetGrantId(v string) *GrantListEntry {
	s.GrantId = &v
	return s
}

// SetGranteePrincipal sets the GranteePrincipal field's value and returns the
// receiver so calls can be chained.
func (s *GrantListEntry) SetGranteePrincipal(v string) *GrantListEntry {
	s.GranteePrincipal = &v
	return s
}

// SetIssuingAccount sets the IssuingAccount field's value and returns the
// receiver so calls can be chained.
func (s *GrantListEntry) SetIssuingAccount(v string) *GrantListEntry {
	s.IssuingAccount = &v
	return s
}

// SetKeyId sets the KeyId field's value and returns the receiver so calls can
// be chained.
func (s *GrantListEntry) SetKeyId(v string) *GrantListEntry {
	s.KeyId = &v
	return s
}

// SetName sets the Name field's value and returns the receiver so calls can be
// chained.
func (s *GrantListEntry) SetName(v string) *GrantListEntry {
	s.Name = &v
	return s
}

// SetOperations sets the Operations field's value.
func (s *GrantListEntry) SetOperations(v []*string) *GrantListEntry {
	s.Operations = v
	return s
}

// SetRetiringPrincipal sets the RetiringPrincipal field's value and returns
// the receiver so calls can be chained.
func (s *GrantListEntry) SetRetiringPrincipal(v string) *GrantListEntry {
	s.RetiringPrincipal = &v
	return s
}

// ImportKeyMaterialInput carries the wrapped key material, the import token
// and the target CMK for an ImportKeyMaterial request, with optional
// expiration settings.
type ImportKeyMaterialInput struct {
	_ struct{} `type:"structure"`

	// The encrypted key material to import. The key material must be encrypted
	// with the public wrapping key that GetParametersForImport returned, using
	// the wrapping algorithm that you specified in the same
	// GetParametersForImport request.
	//
	// EncryptedKeyMaterial is automatically base64 encoded/decoded by the SDK.
	//
	// EncryptedKeyMaterial is a required field
	EncryptedKeyMaterial []byte `min:"1" type:"blob" required:"true"`

	// Specifies whether the key material expires. The default is
	// KEY_MATERIAL_EXPIRES, in which case you must include the ValidTo
	// parameter. When this parameter is set to KEY_MATERIAL_DOES_NOT_EXPIRE,
	// you must omit the ValidTo parameter.
	ExpirationModel *string `type:"string" enum:"ExpirationModelType"`

	// The import token that you received in the response to a previous
	// GetParametersForImport request. It must be from the same response that
	// contained the public key that you used to encrypt the key material.
	//
	// ImportToken is automatically base64 encoded/decoded by the SDK.
	//
	// ImportToken is a required field
	ImportToken []byte `min:"1" type:"blob" required:"true"`

	// The identifier of the symmetric CMK that receives the imported key
	// material. The CMK's Origin must be EXTERNAL. This must be the same CMK
	// specified in the KeyID parameter of the corresponding
	// GetParametersForImport request.
	//
	// Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// The time at which the imported key material expires. When the key
	// material expires, AWS KMS deletes the key material and the CMK becomes
	// unusable. You must omit this parameter when the ExpirationModel parameter
	// is set to KEY_MATERIAL_DOES_NOT_EXPIRE. Otherwise it is required.
	//
	// The tag below carries no required marker, so this conditional
	// requirement is stated in prose only.
	ValidTo *time.Time `type:"timestamp"`
}

// String returns the text that awsutil.Prettify produces for the struct.
//
// NOTE(review): neither EncryptedKeyMaterial nor ImportToken carries a
// sensitive tag, so both are presumably included in this text. Confirm
// against awsutil.Prettify before writing the result to logs.
func (s ImportKeyMaterialInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s ImportKeyMaterialInput) GoString() string {
	return s.String()
}

// Validate inspects the fields of the type to determine if they are valid.
func (s *ImportKeyMaterialInput) Validate() error {
	// Covers presence and minimum length of EncryptedKeyMaterial, ImportToken
	// and KeyId. ExpirationModel and ValidTo are not read here, so a mismatch
	// between them is not reported by this method.
	invalidParams := request.ErrInvalidParams{Context: "ImportKeyMaterialInput"}

	switch {
	case s.EncryptedKeyMaterial == nil:
		invalidParams.Add(request.NewErrParamRequired("EncryptedKeyMaterial"))
	case len(s.EncryptedKeyMaterial) < 1:
		invalidParams.Add(request.NewErrParamMinLen("EncryptedKeyMaterial", 1))
	}

	switch {
	case s.ImportToken == nil:
		invalidParams.Add(request.NewErrParamRequired("ImportToken"))
	case len(s.ImportToken) < 1:
		invalidParams.Add(request.NewErrParamMinLen("ImportToken", 1))
	}

	switch {
	case s.KeyId == nil:
		invalidParams.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if invalidParams.Len() == 0 {
		return nil
	}
	return invalidParams
}

// SetEncryptedKeyMaterial stores v in the EncryptedKeyMaterial field without
// copying it and returns the receiver so calls can be chained.
func (s *ImportKeyMaterialInput) SetEncryptedKeyMaterial(v []byte) *ImportKeyMaterialInput {
	s.EncryptedKeyMaterial = v
	return s
}

// SetExpirationModel sets the ExpirationModel field's value and returns the
// receiver so calls can be chained.
func (s *ImportKeyMaterialInput) SetExpirationModel(v string) *ImportKeyMaterialInput {
	s.ExpirationModel = &v
	return s
}

// SetImportToken stores v in the ImportToken field without copying it and
// returns the receiver so calls can be chained.
func (s *ImportKeyMaterialInput) SetImportToken(v []byte) *ImportKeyMaterialInput {
	s.ImportToken = v
	return s
}

// SetKeyId sets the KeyId field's value and returns the receiver so calls can
// be chained.
func (s *ImportKeyMaterialInput) SetKeyId(v string) *ImportKeyMaterialInput {
	s.KeyId = &v
	return s
}

// SetValidTo sets the ValidTo field's value.
func (s *ImportKeyMaterialInput) SetValidTo(v time.Time) *ImportKeyMaterialInput {
	s.ValidTo = &v
	return s
}

// ImportKeyMaterialOutput has no data fields.
type ImportKeyMaterialOutput struct {
	_ struct{} `type:"structure"`
}

// String returns the text that awsutil.Prettify produces for the struct.
func (s ImportKeyMaterialOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s ImportKeyMaterialOutput) GoString() string {
	return s.String()
}

// KeyListEntry contains information about each entry in the key list.
type KeyListEntry struct {
	_ struct{} `type:"structure"`

	// ARN of the key.
	KeyArn *string `min:"20" type:"string"`

	// Unique identifier of the key.
	KeyId *string `min:"1" type:"string"`
}

// String returns the text that awsutil.Prettify produces for the struct.
func (s KeyListEntry) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s KeyListEntry) GoString() string {
	return s.String()
}

// SetKeyArn sets the KeyArn field's value and returns the receiver so calls
// can be chained.
func (s *KeyListEntry) SetKeyArn(v string) *KeyListEntry {
	s.KeyArn = &v
	return s
}

// SetKeyId sets the KeyId field's value and returns the receiver so calls can
// be chained.
func (s *KeyListEntry) SetKeyId(v string) *KeyListEntry {
	s.KeyId = &v
	return s
}

// KeyMetadata contains metadata about a customer master key (CMK).
//
// This data type is used as a response element for the CreateKey and
// DescribeKey operations.
type KeyMetadata struct {
	_ struct{} `type:"structure"`

	// The twelve-digit account ID of the AWS account that owns the CMK.
	AWSAccountId *string `type:"string"`

	// The Amazon Resource Name (ARN) of the CMK. For examples, see AWS Key
	// Management Service (AWS KMS) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-kms)
	// in the Example ARNs section of the AWS General Reference.
	Arn *string `min:"20" type:"string"`

	// The cluster ID of the AWS CloudHSM cluster that contains the key material
	// for the CMK. When you create a CMK in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html),
	// AWS KMS creates the key material for the CMK in the associated AWS
	// CloudHSM cluster. This value is present only when the CMK is created in a
	// custom key store.
	CloudHsmClusterId *string `min:"19" type:"string"`

	// The date and time when the CMK was created.
	CreationDate *time.Time `type:"timestamp"`

	// A unique identifier for the custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
	// that contains the CMK. This value is present only when the CMK is created
	// in a custom key store.
	CustomKeyStoreId *string `min:"1" type:"string"`

	// Describes the type of key material in the CMK.
	CustomerMasterKeySpec *string `type:"string" enum:"CustomerMasterKeySpec"`

	// The date and time after which AWS KMS deletes the CMK. This value is
	// present only when KeyState is PendingDeletion.
	DeletionDate *time.Time `type:"timestamp"`

	// The description of the CMK.
	Description *string `type:"string"`

	// Specifies whether the CMK is enabled. When KeyState is Enabled this value
	// is true, otherwise it is false.
	Enabled *bool `type:"boolean"`

	// A list of encryption algorithms that the CMK supports. You cannot use the
	// CMK with other encryption algorithms within AWS KMS.
	//
	// This field appears only when the KeyUsage of the CMK is ENCRYPT_DECRYPT.
	EncryptionAlgorithms []*string `type:"list"`

	// Specifies whether the CMK's key material expires. This value is present
	// only when Origin is EXTERNAL, otherwise this value is omitted.
	ExpirationModel *string `type:"string" enum:"ExpirationModelType"`

	// The globally unique identifier for the CMK.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// The manager of the CMK. CMKs in your AWS account are either customer
	// managed or AWS managed. For more information about the difference, see
	// Customer Master Keys (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys)
	// in the AWS Key Management Service Developer Guide.
	KeyManager *string `type:"string" enum:"KeyManagerType"`

	// The state of the CMK.
	//
	// For more information about how key state affects the use of a CMK, see
	// How Key State Affects the Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
	// in the AWS Key Management Service Developer Guide.
	KeyState *string `type:"string" enum:"KeyState"`

	// The cryptographic operations for which you can use the CMK.
	KeyUsage *string `type:"string" enum:"KeyUsageType"`

	// The source of the CMK's key material. When this value is AWS_KMS, AWS KMS
	// created the key material. When this value is EXTERNAL, the key material
	// was imported from your existing key management infrastructure or the CMK
	// lacks key material. When this value is AWS_CLOUDHSM, the key material was
	// created in the AWS CloudHSM cluster associated with a custom key store.
	Origin *string `type:"string" enum:"OriginType"`

	// A list of signing algorithms that the CMK supports. You cannot use the
	// CMK with other signing algorithms within AWS KMS.
	//
	// This field appears only when the KeyUsage of the CMK is SIGN_VERIFY.
	SigningAlgorithms []*string `type:"list"`

	// The time at which the imported key material expires. When the key
	// material expires, AWS KMS deletes the key material and the CMK becomes
	// unusable. This value is present only for CMKs whose Origin is EXTERNAL
	// and whose ExpirationModel is KEY_MATERIAL_EXPIRES, otherwise this value
	// is omitted.
	ValidTo *time.Time `type:"timestamp"`
}

// String returns the text that awsutil.Prettify produces for the struct.
func (s KeyMetadata) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s KeyMetadata) GoString() string {
	return s.String()
}

// SetAWSAccountId sets the AWSAccountId field's value and returns the receiver
// so calls can be chained.
func (s *KeyMetadata) SetAWSAccountId(v string) *KeyMetadata {
	s.AWSAccountId = &v
	return s
}

// SetArn sets the Arn field's value and returns the receiver so calls can be
// chained.
func (s *KeyMetadata) SetArn(v string) *KeyMetadata {
	s.Arn = &v
	return s
}

// SetCloudHsmClusterId sets the CloudHsmClusterId field's value and returns
// the receiver so calls can be chained.
func (s *KeyMetadata) SetCloudHsmClusterId(v string) *KeyMetadata {
	s.CloudHsmClusterId = &v
	return s
}

// SetCreationDate sets the CreationDate field's value and returns the receiver
// so calls can be chained.
func (s *KeyMetadata) SetCreationDate(v time.Time) *KeyMetadata {
	s.CreationDate = &v
	return s
}

// SetCustomKeyStoreId sets the CustomKeyStoreId field's value and returns the
// receiver so calls can be chained.
func (s *KeyMetadata) SetCustomKeyStoreId(v string) *KeyMetadata {
	s.CustomKeyStoreId = &v
	return s
}

// SetCustomerMasterKeySpec sets the CustomerMasterKeySpec field's value.
func (s *KeyMetadata) SetCustomerMasterKeySpec(v string) *KeyMetadata {
	s.CustomerMasterKeySpec = &v
	return s
}

// SetDeletionDate sets the DeletionDate field's value and returns the receiver
// so calls can be chained.
func (s *KeyMetadata) SetDeletionDate(v time.Time) *KeyMetadata {
	s.DeletionDate = &v
	return s
}

// SetDescription sets the Description field's value and returns the receiver
// so calls can be chained.
func (s *KeyMetadata) SetDescription(v string) *KeyMetadata {
	s.Description = &v
	return s
}

// SetEnabled sets the Enabled field's value and returns the receiver so calls
// can be chained.
func (s *KeyMetadata) SetEnabled(v bool) *KeyMetadata {
	s.Enabled = &v
	return s
}

// SetEncryptionAlgorithms stores v in the EncryptionAlgorithms field without
// copying it and returns the receiver so calls can be chained.
func (s *KeyMetadata) SetEncryptionAlgorithms(v []*string) *KeyMetadata {
	s.EncryptionAlgorithms = v
	return s
}

// SetExpirationModel sets the ExpirationModel field's value and returns the
// receiver so calls can be chained.
func (s *KeyMetadata) SetExpirationModel(v string) *KeyMetadata {
	s.ExpirationModel = &v
	return s
}

// SetKeyId sets the KeyId field's value and returns the receiver so calls can
// be chained.
func (s *KeyMetadata) SetKeyId(v string) *KeyMetadata {
	s.KeyId = &v
	return s
}

// SetKeyManager sets the KeyManager field's value and returns the receiver so
// calls can be chained.
func (s *KeyMetadata) SetKeyManager(v string) *KeyMetadata {
	s.KeyManager = &v
	return s
}

// SetKeyState sets the KeyState field's value and returns the receiver so
// calls can be chained.
func (s *KeyMetadata) SetKeyState(v string) *KeyMetadata {
	s.KeyState = &v
	return s
}

// SetKeyUsage sets the KeyUsage field's value and returns the receiver so
// calls can be chained.
func (s *KeyMetadata) SetKeyUsage(v string) *KeyMetadata {
	s.KeyUsage = &v
	return s
}

// SetOrigin sets the Origin field's value and returns the receiver so calls
// can be chained.
func (s *KeyMetadata) SetOrigin(v string) *KeyMetadata {
	s.Origin = &v
	return s
}

// SetSigningAlgorithms sets the SigningAlgorithms field's value.
func (s *KeyMetadata) SetSigningAlgorithms(v []*string) *KeyMetadata {
	s.SigningAlgorithms = v
	return s
}

// SetValidTo sets the ValidTo field's value and returns the receiver so calls
// can be chained.
func (s *KeyMetadata) SetValidTo(v time.Time) *KeyMetadata {
	s.ValidTo = &v
	return s
}

// ListAliasesInput holds the optional CMK filter and the paging parameters for
// a ListAliases request.
type ListAliasesInput struct {
	_ struct{} `type:"structure"`

	// Lists only aliases that refer to the specified CMK. The value of this
	// parameter can be the ID or Amazon Resource Name (ARN) of a CMK in the
	// caller's account and region. You cannot use an alias name or alias ARN in
	// this value.
	//
	// This parameter is optional. If you omit it, ListAliases returns all
	// aliases in the account and region.
	KeyId *string `min:"1" type:"string"`

	// Use this parameter to specify the maximum number of items to return. When
	// this value is present, AWS KMS does not return more than the specified
	// number of items, but it might return fewer.
	//
	// This value is optional. If you include a value, it must be between 1 and
	// 100, inclusive. If you do not include a value, it defaults to 50.
	//
	// The tag below declares only the lower bound; the upper bound of 100 is
	// stated in prose only.
	Limit *int64 `min:"1" type:"integer"`

	// Use this parameter in a subsequent request after you receive a response
	// with truncated results. Set it to the value of NextMarker from the
	// truncated response you just received.
	Marker *string `min:"1" type:"string"`
}

// String returns the text that awsutil.Prettify produces for the struct.
func (s ListAliasesInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s ListAliasesInput) GoString() string {
	return s.String()
}

// Validate inspects the fields of the type to determine if they are valid.
func (s *ListAliasesInput) Validate() error {
	// Only the minimums from the field tags are checked here. The upper bound
	// documented for Limit (100) is not checked by this method.
	errs := request.ErrInvalidParams{Context: "ListAliasesInput"}
	if id := s.KeyId; id != nil && *id == "" {
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}
	if limit := s.Limit; limit != nil && *limit <= 0 {
		errs.Add(request.NewErrParamMinValue("Limit", 1))
	}
	if marker := s.Marker; marker != nil && *marker == "" {
		errs.Add(request.NewErrParamMinLen("Marker", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetKeyId points KeyId at a copy of v and returns s so that calls can be chained.
func (s *ListAliasesInput) SetKeyId(v string) *ListAliasesInput {
	s.KeyId = &v
	return s
}

// SetLimit points Limit at a copy of v and returns s so that calls can be chained.
func (s *ListAliasesInput) SetLimit(v int64) *ListAliasesInput {
	s.Limit = &v
	return s
}

// SetMarker points Marker at a copy of v and returns s so that calls can be chained.
func (s *ListAliasesInput) SetMarker(v string) *ListAliasesInput {
	s.Marker = &v
	return s
}

// ListAliasesOutput carries a list of aliases plus the NextMarker and
// Truncated paging fields.
type ListAliasesOutput struct {
	_ struct{} `type:"structure"`

	// A list of aliases.
	Aliases []*AliasListEntry `type:"list"`

	// When Truncated is true, this element is present and contains the value to
	// use for the Marker parameter in a subsequent request.
	NextMarker *string `min:"1" type:"string"`

	// A flag that indicates whether there are more items in the list. When this
	// value is true, the list in this response is truncated. To get more items,
	// pass the value of the NextMarker element in this response to the Marker
	// parameter in a subsequent request.
	Truncated *bool `type:"boolean"`
}

// String returns the awsutil.Prettify rendering of s.
func (s ListAliasesOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s ListAliasesOutput) GoString() string {
	return s.String()
}

// SetAliases stores v in Aliases (the slice is not copied) and returns s for chaining.
func (s *ListAliasesOutput) SetAliases(v []*AliasListEntry) *ListAliasesOutput {
	s.Aliases = v
	return s
}

// SetNextMarker points NextMarker at a copy of v and returns s for chaining.
func (s *ListAliasesOutput) SetNextMarker(v string) *ListAliasesOutput {
	s.NextMarker = &v
	return s
}

// SetTruncated points Truncated at a copy of v and returns s for chaining.
func (s *ListAliasesOutput) SetTruncated(v bool) *ListAliasesOutput {
	s.Truncated = &v
	return s
}

// ListGrantsInput carries the required KeyId and the optional Limit/Marker
// paging fields.
type ListGrantsInput struct {
	_ struct{} `type:"structure"`

	// A unique identifier for the customer master key (CMK).
	//
	// Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify
	// a CMK in a different AWS account, you must use the key ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// Use this parameter to specify the maximum number of items to return. When
	// this value is present, AWS KMS does not return more than the specified number
	// of items, but it might return fewer.
	//
	// This value is optional. If you include a value, it must be between 1 and
	// 100, inclusive. If you do not include a value, it defaults to 50.
	Limit *int64 `min:"1" type:"integer"`

	// Use this parameter in a subsequent request after you receive a response with
	// truncated results. Set it to the value of NextMarker from the truncated response
	// you just received.
	Marker *string `min:"1" type:"string"`
}

// String returns the awsutil.Prettify rendering of s.
func (s ListGrantsInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s ListGrantsInput) GoString() string {
	return s.String()
}

// Validate collects every field that is missing or below its minimum into one
// request.ErrInvalidParams and returns it, or returns nil when there is none.
// The upper bound documented for Limit (100) is not checked here.
func (s *ListGrantsInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "ListGrantsInput"}
	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case *s.KeyId == "":
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}
	if limit := s.Limit; limit != nil && *limit <= 0 {
		errs.Add(request.NewErrParamMinValue("Limit", 1))
	}
	if marker := s.Marker; marker != nil && *marker == "" {
		errs.Add(request.NewErrParamMinLen("Marker", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetKeyId points KeyId at a copy of v and returns s so that calls can be chained.
func (s *ListGrantsInput) SetKeyId(v string) *ListGrantsInput {
	s.KeyId = &v
	return s
}

// SetLimit points Limit at a copy of v and returns s so that calls can be chained.
func (s *ListGrantsInput) SetLimit(v int64) *ListGrantsInput {
	s.Limit = &v
	return s
}

// SetMarker points Marker at a copy of v and returns s so that calls can be chained.
func (s *ListGrantsInput) SetMarker(v string) *ListGrantsInput {
	s.Marker = &v
	return s
}

// ListGrantsResponse carries a list of grants plus the NextMarker and
// Truncated paging fields.
type ListGrantsResponse struct {
	_ struct{} `type:"structure"`

	// A list of grants.
	Grants []*GrantListEntry `type:"list"`

	// When Truncated is true, this element is present and contains the value to
	// use for the Marker parameter in a subsequent request.
	NextMarker *string `min:"1" type:"string"`

	// A flag that indicates whether there are more items in the list. When this
	// value is true, the list in this response is truncated. To get more items,
	// pass the value of the NextMarker element in this response to the Marker
	// parameter in a subsequent request.
	Truncated *bool `type:"boolean"`
}

// String returns the awsutil.Prettify rendering of s.
func (s ListGrantsResponse) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s ListGrantsResponse) GoString() string {
	return s.String()
}

// SetGrants stores v in Grants (the slice is not copied) and returns s for chaining.
func (s *ListGrantsResponse) SetGrants(v []*GrantListEntry) *ListGrantsResponse {
	s.Grants = v
	return s
}

// SetNextMarker points NextMarker at a copy of v and returns s for chaining.
func (s *ListGrantsResponse) SetNextMarker(v string) *ListGrantsResponse {
	s.NextMarker = &v
	return s
}

// SetTruncated points Truncated at a copy of v and returns s for chaining.
func (s *ListGrantsResponse) SetTruncated(v bool) *ListGrantsResponse {
	s.Truncated = &v
	return s
}

// ListKeyPoliciesInput carries the required KeyId and the optional
// Limit/Marker paging fields.
type ListKeyPoliciesInput struct {
	_ struct{} `type:"structure"`

	// A unique identifier for the customer master key (CMK).
	//
	// Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// Use this parameter to specify the maximum number of items to return. When
	// this value is present, AWS KMS does not return more than the specified number
	// of items, but it might return fewer.
	//
	// This value is optional. If you include a value, it must be between 1 and
	// 1000, inclusive. If you do not include a value, it defaults to 100.
	//
	// Only one policy can be attached to a key.
	Limit *int64 `min:"1" type:"integer"`

	// Use this parameter in a subsequent request after you receive a response with
	// truncated results. Set it to the value of NextMarker from the truncated response
	// you just received.
	Marker *string `min:"1" type:"string"`
}

// String returns the awsutil.Prettify rendering of s.
func (s ListKeyPoliciesInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s ListKeyPoliciesInput) GoString() string {
	return s.String()
}

// Validate collects every field that is missing or below its minimum into one
// request.ErrInvalidParams and returns it, or returns nil when there is none.
// The upper bound documented for Limit (1000) is not checked here.
func (s *ListKeyPoliciesInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "ListKeyPoliciesInput"}
	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case *s.KeyId == "":
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}
	if limit := s.Limit; limit != nil && *limit <= 0 {
		errs.Add(request.NewErrParamMinValue("Limit", 1))
	}
	if marker := s.Marker; marker != nil && *marker == "" {
		errs.Add(request.NewErrParamMinLen("Marker", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetKeyId sets the KeyId field's value.
func (s *ListKeyPoliciesInput) SetKeyId(v string) *ListKeyPoliciesInput {
	// KeyId ends up pointing at this method's own copy of v.
	s.KeyId = &v
	return s
}

// SetLimit sets the Limit field's value and returns s so that calls can be
// chained.
func (s *ListKeyPoliciesInput) SetLimit(v int64) *ListKeyPoliciesInput {
	s.Limit = &v
	return s
}

// SetMarker sets the Marker field's value and returns s so that calls can be
// chained.
func (s *ListKeyPoliciesInput) SetMarker(v string) *ListKeyPoliciesInput {
	s.Marker = &v
	return s
}

// ListKeyPoliciesOutput carries a list of key policy names plus the
// NextMarker and Truncated paging fields.
type ListKeyPoliciesOutput struct {
	_ struct{} `type:"structure"`

	// When Truncated is true, this element is present and contains the value to
	// use for the Marker parameter in a subsequent request.
	NextMarker *string `min:"1" type:"string"`

	// A list of key policy names. The only valid value is default.
	PolicyNames []*string `type:"list"`

	// A flag that indicates whether there are more items in the list. When this
	// value is true, the list in this response is truncated. To get more items,
	// pass the value of the NextMarker element in this response to the Marker
	// parameter in a subsequent request.
	Truncated *bool `type:"boolean"`
}

// String returns the string representation produced by awsutil.Prettify.
func (s ListKeyPoliciesOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s ListKeyPoliciesOutput) GoString() string {
	return s.String()
}

// SetNextMarker sets the NextMarker field's value and returns s so that calls
// can be chained.
func (s *ListKeyPoliciesOutput) SetNextMarker(v string) *ListKeyPoliciesOutput {
	s.NextMarker = &v
	return s
}

// SetPolicyNames sets the PolicyNames field's value. The slice is stored as
// passed, without copying.
func (s *ListKeyPoliciesOutput) SetPolicyNames(v []*string) *ListKeyPoliciesOutput {
	s.PolicyNames = v
	return s
}

// SetTruncated sets the Truncated field's value.
func (s *ListKeyPoliciesOutput) SetTruncated(v bool) *ListKeyPoliciesOutput {
	// Truncated ends up pointing at this method's own copy of v.
	s.Truncated = &v
	return s
}

// ListKeysInput carries the optional Limit/Marker paging fields.
type ListKeysInput struct {
	_ struct{} `type:"structure"`

	// Use this parameter to specify the maximum number of items to return. When
	// this value is present, AWS KMS does not return more than the specified number
	// of items, but it might return fewer.
	//
	// This value is optional. If you include a value, it must be between 1 and
	// 1000, inclusive. If you do not include a value, it defaults to 100.
	Limit *int64 `min:"1" type:"integer"`

	// Use this parameter in a subsequent request after you receive a response with
	// truncated results. Set it to the value of NextMarker from the truncated response
	// you just received.
	Marker *string `min:"1" type:"string"`
}

// String returns the awsutil.Prettify rendering of s.
func (s ListKeysInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s ListKeysInput) GoString() string {
	return s.String()
}

// Validate collects every field that is below its minimum into one
// request.ErrInvalidParams and returns it, or returns nil when there is none.
// The upper bound documented for Limit (1000) is not checked here.
func (s *ListKeysInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "ListKeysInput"}
	if limit := s.Limit; limit != nil && *limit <= 0 {
		errs.Add(request.NewErrParamMinValue("Limit", 1))
	}
	if marker := s.Marker; marker != nil && *marker == "" {
		errs.Add(request.NewErrParamMinLen("Marker", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetLimit points Limit at a copy of v and returns s so that calls can be chained.
func (s *ListKeysInput) SetLimit(v int64) *ListKeysInput {
	s.Limit = &v
	return s
}

// SetMarker sets the Marker field's value.
func (s *ListKeysInput) SetMarker(v string) *ListKeysInput {
	// Marker ends up pointing at this method's own copy of v.
	s.Marker = &v
	return s
}

// ListKeysOutput carries a list of CMK entries plus the NextMarker and
// Truncated paging fields.
type ListKeysOutput struct {
	_ struct{} `type:"structure"`

	// A list of customer master keys (CMKs).
	Keys []*KeyListEntry `type:"list"`

	// When Truncated is true, this element is present and contains the value to
	// use for the Marker parameter in a subsequent request.
	NextMarker *string `min:"1" type:"string"`

	// A flag that indicates whether there are more items in the list. When this
	// value is true, the list in this response is truncated. To get more items,
	// pass the value of the NextMarker element in this response to the Marker
	// parameter in a subsequent request.
	Truncated *bool `type:"boolean"`
}

// String returns the string representation produced by awsutil.Prettify.
func (s ListKeysOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s ListKeysOutput) GoString() string {
	return s.String()
}

// SetKeys sets the Keys field's value. The slice is stored as passed, without
// copying.
func (s *ListKeysOutput) SetKeys(v []*KeyListEntry) *ListKeysOutput {
	s.Keys = v
	return s
}

// SetNextMarker sets the NextMarker field's value and returns s so that calls
// can be chained.
func (s *ListKeysOutput) SetNextMarker(v string) *ListKeysOutput {
	s.NextMarker = &v
	return s
}

// SetTruncated sets the Truncated field's value and returns s so that calls
// can be chained.
func (s *ListKeysOutput) SetTruncated(v bool) *ListKeysOutput {
	s.Truncated = &v
	return s
}

// ListResourceTagsInput carries the required KeyId and the optional
// Limit/Marker paging fields.
type ListResourceTagsInput struct {
	_ struct{} `type:"structure"`

	// A unique identifier for the customer master key (CMK).
	//
	// Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// Use this parameter to specify the maximum number of items to return. When
	// this value is present, AWS KMS does not return more than the specified number
	// of items, but it might return fewer.
	//
	// This value is optional. If you include a value, it must be between 1 and
	// 50, inclusive. If you do not include a value, it defaults to 50.
	Limit *int64 `min:"1" type:"integer"`

	// Use this parameter in a subsequent request after you receive a response with
	// truncated results. Set it to the value of NextMarker from the truncated response
	// you just received.
	//
	// Do not attempt to construct this value. Use only the value of NextMarker
	// from the truncated response you just received.
	Marker *string `min:"1" type:"string"`
}

// String returns the string representation produced by awsutil.Prettify.
func (s ListResourceTagsInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s ListResourceTagsInput) GoString() string {
	return s.String()
}

// Validate inspects the fields of the type to determine if they are valid.
func (s *ListResourceTagsInput) Validate() error {
	// Only presence and the minimums from the field tags are checked here. The
	// upper bound documented for Limit (50) is not checked by this method.
	errs := request.ErrInvalidParams{Context: "ListResourceTagsInput"}
	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case *s.KeyId == "":
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}
	if limit := s.Limit; limit != nil && *limit <= 0 {
		errs.Add(request.NewErrParamMinValue("Limit", 1))
	}
	if marker := s.Marker; marker != nil && *marker == "" {
		errs.Add(request.NewErrParamMinLen("Marker", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetKeyId points KeyId at a copy of v and returns s so that calls can be chained.
func (s *ListResourceTagsInput) SetKeyId(v string) *ListResourceTagsInput {
	s.KeyId = &v
	return s
}

// SetLimit points Limit at a copy of v and returns s so that calls can be chained.
func (s *ListResourceTagsInput) SetLimit(v int64) *ListResourceTagsInput {
	s.Limit = &v
	return s
}

// SetMarker points Marker at a copy of v and returns s so that calls can be chained.
func (s *ListResourceTagsInput) SetMarker(v string) *ListResourceTagsInput {
	s.Marker = &v
	return s
}

// ListResourceTagsOutput carries a list of tags plus the NextMarker and
// Truncated paging fields.
type ListResourceTagsOutput struct {
	_ struct{} `type:"structure"`

	// When Truncated is true, this element is present and contains the value to
	// use for the Marker parameter in a subsequent request.
	//
	// Do not assume or infer any information from this value.
	NextMarker *string `min:"1" type:"string"`

	// A list of tags. Each tag consists of a tag key and a tag value.
	Tags []*Tag `type:"list"`

	// A flag that indicates whether there are more items in the list. When this
	// value is true, the list in this response is truncated. To get more items,
	// pass the value of the NextMarker element in this response to the Marker
	// parameter in a subsequent request.
	Truncated *bool `type:"boolean"`
}

// String returns the awsutil.Prettify rendering of s.
func (s ListResourceTagsOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s ListResourceTagsOutput) GoString() string {
	return s.String()
}

// SetNextMarker points NextMarker at a copy of v and returns s for chaining.
func (s *ListResourceTagsOutput) SetNextMarker(v string) *ListResourceTagsOutput {
	s.NextMarker = &v
	return s
}

// SetTags stores v in Tags (the slice is not copied) and returns s for chaining.
func (s *ListResourceTagsOutput) SetTags(v []*Tag) *ListResourceTagsOutput {
	s.Tags = v
	return s
}

// SetTruncated points Truncated at a copy of v and returns s for chaining.
func (s *ListResourceTagsOutput) SetTruncated(v bool) *ListResourceTagsOutput {
	s.Truncated = &v
	return s
}

// ListRetirableGrantsInput carries the required RetiringPrincipal and the
// optional Limit/Marker paging fields.
type ListRetirableGrantsInput struct {
	_ struct{} `type:"structure"`

	// Use this parameter to specify the maximum number of items to return. When
	// this value is present, AWS KMS does not return more than the specified number
	// of items, but it might return fewer.
	//
	// This value is optional. If you include a value, it must be between 1 and
	// 100, inclusive. If you do not include a value, it defaults to 50.
	Limit *int64 `min:"1" type:"integer"`

	// Use this parameter in a subsequent request after you receive a response with
	// truncated results. Set it to the value of NextMarker from the truncated response
	// you just received.
	Marker *string `min:"1" type:"string"`

	// The retiring principal for which to list grants.
	//
	// To specify the retiring principal, use the Amazon Resource Name (ARN) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
	// of an AWS principal. Valid AWS principals include AWS accounts (root), IAM
	// users, federated users, and assumed role users. For examples of the ARN syntax
	// for specifying a principal, see AWS Identity and Access Management (IAM)
	// (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam)
	// in the Example ARNs section of the Amazon Web Services General Reference.
	//
	// RetiringPrincipal is a required field
	RetiringPrincipal *string `min:"1" type:"string" required:"true"`
}

// String returns the awsutil.Prettify rendering of s.
func (s ListRetirableGrantsInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s ListRetirableGrantsInput) GoString() string {
	return s.String()
}

// Validate collects every field that is missing or below its minimum into one
// request.ErrInvalidParams and returns it, or returns nil when there is none.
// RetiringPrincipal is only checked for presence and non-zero length, not for
// ARN syntax, and the upper bound documented for Limit (100) is not checked.
func (s *ListRetirableGrantsInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "ListRetirableGrantsInput"}
	if limit := s.Limit; limit != nil && *limit <= 0 {
		errs.Add(request.NewErrParamMinValue("Limit", 1))
	}
	if marker := s.Marker; marker != nil && *marker == "" {
		errs.Add(request.NewErrParamMinLen("Marker", 1))
	}
	switch {
	case s.RetiringPrincipal == nil:
		errs.Add(request.NewErrParamRequired("RetiringPrincipal"))
	case *s.RetiringPrincipal == "":
		errs.Add(request.NewErrParamMinLen("RetiringPrincipal", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetLimit points Limit at a copy of v and returns s so that calls can be chained.
func (s *ListRetirableGrantsInput) SetLimit(v int64) *ListRetirableGrantsInput {
	s.Limit = &v
	return s
}

// SetMarker sets the Marker field's value.
func (s *ListRetirableGrantsInput) SetMarker(v string) *ListRetirableGrantsInput {
	// Marker ends up pointing at this method's own copy of v.
	s.Marker = &v
	return s
}

// SetRetiringPrincipal points RetiringPrincipal at a copy of v and returns s
// so that calls can be chained.
func (s *ListRetirableGrantsInput) SetRetiringPrincipal(v string) *ListRetirableGrantsInput {
	s.RetiringPrincipal = &v
	return s
}

// PutKeyPolicyInput carries the key identifier, the policy document and its
// name, and the optional BypassPolicyLockoutSafetyCheck flag.
type PutKeyPolicyInput struct {
	_ struct{} `type:"structure"`

	// A flag to indicate whether to bypass the key policy lockout safety check.
	//
	// Setting this value to true increases the risk that the CMK becomes unmanageable.
	// Do not set this value to true indiscriminately.
	//
	// For more information, refer to the scenario in the Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam)
	// section in the AWS Key Management Service Developer Guide.
	//
	// Use this parameter only when you intend to prevent the principal that is
	// making the request from making a subsequent PutKeyPolicy request on the CMK.
	//
	// The default value is false.
	BypassPolicyLockoutSafetyCheck *bool `type:"boolean"`

	// A unique identifier for the customer master key (CMK).
	//
	// Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// The key policy to attach to the CMK.
	//
	// The key policy must meet the following criteria:
	//
	//    * If you don't set BypassPolicyLockoutSafetyCheck to true, the key policy
	//    must allow the principal that is making the PutKeyPolicy request to make
	//    a subsequent PutKeyPolicy request on the CMK. This reduces the risk that
	//    the CMK becomes unmanageable. For more information, refer to the scenario
	//    in the Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam)
	//    section of the AWS Key Management Service Developer Guide.
	//
	//    * Each statement in the key policy must contain one or more principals.
	//    The principals in the key policy must exist and be visible to AWS KMS.
	//    When you create a new AWS principal (for example, an IAM user or role),
	//    you might need to enforce a delay before including the new principal in
	//    a key policy because the new principal might not be immediately visible
	//    to AWS KMS. For more information, see Changes that I make are not always
	//    immediately visible (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency)
	//    in the AWS Identity and Access Management User Guide.
	//
	// The key policy size limit is 32 kilobytes (32768 bytes).
	//
	// Policy is a required field
	Policy *string `min:"1" type:"string" required:"true"`

	// The name of the key policy. The only valid value is default.
	//
	// PolicyName is a required field
	PolicyName *string `min:"1" type:"string" required:"true"`
}

// String returns the awsutil.Prettify rendering of s.
//
// NOTE(review): awsutil.Prettify is defined outside this listing; presumably
// it renders every field, which here would include the whole Policy document.
// Confirm before writing the result to logs.
func (s PutKeyPolicyInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s PutKeyPolicyInput) GoString() string {
	return s.String()
}

// Validate collects every required field that is missing or empty into one
// request.ErrInvalidParams and returns it, or returns nil when there is none.
//
// The checks are presence and minimum length only. The documented policy size
// limit (32768 bytes), the single valid PolicyName ("default") and the
// lockout criteria described on the Policy field are not checked here.
func (s *PutKeyPolicyInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "PutKeyPolicyInput"}
	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case *s.KeyId == "":
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}
	switch {
	case s.Policy == nil:
		errs.Add(request.NewErrParamRequired("Policy"))
	case *s.Policy == "":
		errs.Add(request.NewErrParamMinLen("Policy", 1))
	}
	switch {
	case s.PolicyName == nil:
		errs.Add(request.NewErrParamRequired("PolicyName"))
	case *s.PolicyName == "":
		errs.Add(request.NewErrParamMinLen("PolicyName", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetBypassPolicyLockoutSafetyCheck points BypassPolicyLockoutSafetyCheck at a
// copy of v and returns s so that calls can be chained. Per the field
// documentation, true increases the risk that the CMK becomes unmanageable.
func (s *PutKeyPolicyInput) SetBypassPolicyLockoutSafetyCheck(v bool) *PutKeyPolicyInput {
	s.BypassPolicyLockoutSafetyCheck = &v
	return s
}

// SetKeyId points KeyId at a copy of v and returns s so that calls can be chained.
func (s *PutKeyPolicyInput) SetKeyId(v string) *PutKeyPolicyInput {
	s.KeyId = &v
	return s
}

// SetPolicy sets the Policy field's value.
func (s *PutKeyPolicyInput) SetPolicy(v string) *PutKeyPolicyInput {
	// Policy ends up pointing at this method's own copy of v.
	s.Policy = &v
	return s
}

// SetPolicyName sets the PolicyName field's value and returns s so that calls
// can be chained.
func (s *PutKeyPolicyInput) SetPolicyName(v string) *PutKeyPolicyInput {
	s.PolicyName = &v
	return s
}

// PutKeyPolicyOutput has no data fields; it holds only the structure marker.
type PutKeyPolicyOutput struct {
	_ struct{} `type:"structure"`
}

// String returns the string representation produced by awsutil.Prettify.
func (s PutKeyPolicyOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s PutKeyPolicyOutput) GoString() string {
	return s.String()
}

// ReEncryptInput carries the ciphertext to reencrypt together with the source
// and destination key identifiers, encryption algorithms and encryption
// contexts, and an optional list of grant tokens.
type ReEncryptInput struct {
	_ struct{} `type:"structure"`

	// Ciphertext of the data to reencrypt.
	//
	// CiphertextBlob is automatically base64 encoded/decoded by the SDK.
	//
	// CiphertextBlob is a required field
	CiphertextBlob []byte `min:"1" type:"blob" required:"true"`

	// Specifies the encryption algorithm that AWS KMS will use to reencrypt the
	// data after it has decrypted it. The default value, SYMMETRIC_DEFAULT, represents
	// the encryption algorithm used for symmetric CMKs.
	//
	// This parameter is required only when the destination CMK is an asymmetric
	// CMK.
	DestinationEncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"`

	// Specifies the encryption context to use when reencrypting the data.
	//
	// A destination encryption context is valid only when the destination CMK is
	// a symmetric CMK. The standard ciphertext format for asymmetric CMKs does
	// not include fields for metadata.
	//
	// An encryption context is a collection of non-secret key-value pairs that
	// represents additional authenticated data. When you use an encryption context
	// to encrypt data, you must specify the same (an exact case-sensitive match)
	// encryption context to decrypt the data. An encryption context is optional
	// when encrypting with a symmetric CMK, but it is highly recommended.
	//
	// Because the pairs are described as non-secret, treat them as visible
	// metadata rather than as a place for sensitive values.
	//
	// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context)
	// in the AWS Key Management Service Developer Guide.
	DestinationEncryptionContext map[string]*string `type:"map"`

	// A unique identifier for the CMK that is used to reencrypt the data. Specify
	// a symmetric or asymmetric CMK with a KeyUsage value of ENCRYPT_DECRYPT. To
	// find the KeyUsage value of a CMK, use the DescribeKey operation.
	//
	// To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name,
	// or alias ARN. When using an alias name, prefix it with "alias/". To specify
	// a CMK in a different AWS account, you must use the key ARN or alias ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Alias name: alias/ExampleAlias
	//
	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To
	// get the alias name and alias ARN, use ListAliases.
	//
	// DestinationKeyId is a required field
	DestinationKeyId *string `min:"1" type:"string" required:"true"`

	// A list of grant tokens.
	//
	// For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
	// in the AWS Key Management Service Developer Guide.
	GrantTokens []*string `type:"list"`

	// Specifies the encryption algorithm that AWS KMS will use to decrypt the ciphertext
	// before it is reencrypted. The default value, SYMMETRIC_DEFAULT, represents
	// the algorithm used for symmetric CMKs.
	//
	// Specify the same algorithm that was used to encrypt the ciphertext. If you
	// specify a different algorithm, the decrypt attempt fails.
	//
	// This parameter is required only when the ciphertext was encrypted under an
	// asymmetric CMK.
	SourceEncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"`

	// Specifies the encryption context to use to decrypt the ciphertext. Enter
	// the same encryption context that was used to encrypt the ciphertext.
	//
	// An encryption context is a collection of non-secret key-value pairs that
	// represents additional authenticated data. When you use an encryption context
	// to encrypt data, you must specify the same (an exact case-sensitive match)
	// encryption context to decrypt the data. An encryption context is optional
	// when encrypting with a symmetric CMK, but it is highly recommended.
	//
	// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context)
	// in the AWS Key Management Service Developer Guide.
	SourceEncryptionContext map[string]*string `type:"map"`

	// A unique identifier for the CMK that is used to decrypt the ciphertext before
	// it reencrypts it using the destination CMK.
	//
	// This parameter is required only when the ciphertext was encrypted under an
	// asymmetric CMK. Otherwise, AWS KMS uses the metadata that it adds to the
	// ciphertext blob to determine which CMK was used to encrypt the ciphertext.
	// However, you can use this parameter to ensure that a particular CMK (of any
	// kind) is used to decrypt the ciphertext before it is reencrypted.
	//
	// If you specify a KeyId value, the decrypt part of the ReEncrypt operation
	// succeeds only if the specified CMK was used to encrypt the ciphertext.
	//
	// To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name,
	// or alias ARN. When using an alias name, prefix it with "alias/".
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Alias name: alias/ExampleAlias
	//
	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To
	// get the alias name and alias ARN, use ListAliases.
	SourceKeyId *string `min:"1" type:"string"`
}

// String returns the string representation produced by awsutil.Prettify.
//
// NOTE(review): awsutil.Prettify is defined outside this listing; presumably
// it renders every field, which here would include CiphertextBlob and both
// encryption contexts. Confirm before writing the result to logs.
func (s ReEncryptInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s ReEncryptInput) GoString() string {
	return s.String()
}

// Validate inspects the fields of the type to determine if they are valid.
func (s *ReEncryptInput) Validate() error {
	// Client-side pre-flight only: presence and minimum length of the fields
	// below. SourceKeyId stays optional here even though its field
	// documentation says it is required for ciphertext encrypted under an
	// asymmetric CMK and can be set to pin the CMK used for the decrypt step.
	// The encryption contexts and algorithm fields are not inspected.
	errs := request.ErrInvalidParams{Context: "ReEncryptInput"}

	switch {
	case s.CiphertextBlob == nil:
		errs.Add(request.NewErrParamRequired("CiphertextBlob"))
	case len(s.CiphertextBlob) < 1:
		errs.Add(request.NewErrParamMinLen("CiphertextBlob", 1))
	}

	if s.DestinationKeyId == nil {
		errs.Add(request.NewErrParamRequired("DestinationKeyId"))
	} else if len(*s.DestinationKeyId) < 1 {
		errs.Add(request.NewErrParamMinLen("DestinationKeyId", 1))
	}

	if id := s.SourceKeyId; id != nil && len(*id) < 1 {
		errs.Add(request.NewErrParamMinLen("SourceKeyId", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetCiphertextBlob stores v in CiphertextBlob (the slice is not copied) and
// returns s so calls can be chained.
func (s *ReEncryptInput) SetCiphertextBlob(v []byte) *ReEncryptInput {
	s.CiphertextBlob = v
	return s
}

// SetDestinationEncryptionAlgorithm points DestinationEncryptionAlgorithm at v
// and returns s so calls can be chained.
func (s *ReEncryptInput) SetDestinationEncryptionAlgorithm(v string) *ReEncryptInput {
	s.DestinationEncryptionAlgorithm = &v
	return s
}

// SetDestinationEncryptionContext stores v in DestinationEncryptionContext
// (the map is not copied) and returns s so calls can be chained.
func (s *ReEncryptInput) SetDestinationEncryptionContext(v map[string]*string) *ReEncryptInput {
	s.DestinationEncryptionContext = v
	return s
}

// SetDestinationKeyId points DestinationKeyId at v and returns s so calls can
// be chained.
func (s *ReEncryptInput) SetDestinationKeyId(v string) *ReEncryptInput {
	s.DestinationKeyId = &v
	return s
}

// SetGrantTokens sets the GrantTokens field's value.
func (s *ReEncryptInput) SetGrantTokens(v []*string) *ReEncryptInput {
	s.GrantTokens = v
	return s
}

// SetSourceEncryptionAlgorithm points SourceEncryptionAlgorithm at v and
// returns s so calls can be chained.
func (s *ReEncryptInput) SetSourceEncryptionAlgorithm(v string) *ReEncryptInput {
	s.SourceEncryptionAlgorithm = &v
	return s
}

// SetSourceEncryptionContext stores v in SourceEncryptionContext (the map is
// not copied) and returns s so calls can be chained.
func (s *ReEncryptInput) SetSourceEncryptionContext(v map[string]*string) *ReEncryptInput {
	s.SourceEncryptionContext = v
	return s
}

// SetSourceKeyId points SourceKeyId at v and returns s so calls can be chained.
func (s *ReEncryptInput) SetSourceKeyId(v string) *ReEncryptInput {
	s.SourceKeyId = &v
	return s
}

// ReEncryptOutput carries the reencrypted ciphertext together with the key
// identifiers and algorithms reported for the decrypt and encrypt steps.
// A caller that expects a specific source CMK can compare SourceKeyId with it.
type ReEncryptOutput struct {
	_ struct{} `type:"structure"`

	// The reencrypted data. When you use the HTTP API or the AWS CLI, the value
	// is Base64-encoded. Otherwise, it is not Base64-encoded.
	//
	// CiphertextBlob is automatically base64 encoded/decoded by the SDK.
	CiphertextBlob []byte `min:"1" type:"blob"`

	// The encryption algorithm that was used to reencrypt the data.
	DestinationEncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"`

	// Unique identifier of the CMK used to reencrypt the data.
	KeyId *string `min:"1" type:"string"`

	// The encryption algorithm that was used to decrypt the ciphertext before it
	// was reencrypted.
	SourceEncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"`

	// Unique identifier of the CMK used to originally encrypt the data.
	SourceKeyId *string `min:"1" type:"string"`
}

// String renders the value with awsutil.Prettify.
func (s ReEncryptOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s ReEncryptOutput) GoString() string {
	return s.String()
}

// SetCiphertextBlob stores v in CiphertextBlob (the slice is not copied) and
// returns s so calls can be chained.
func (s *ReEncryptOutput) SetCiphertextBlob(v []byte) *ReEncryptOutput {
	s.CiphertextBlob = v
	return s
}

// SetDestinationEncryptionAlgorithm points DestinationEncryptionAlgorithm at v
// and returns s so calls can be chained.
func (s *ReEncryptOutput) SetDestinationEncryptionAlgorithm(v string) *ReEncryptOutput {
	s.DestinationEncryptionAlgorithm = &v
	return s
}

// SetKeyId points KeyId at v and returns s so calls can be chained.
func (s *ReEncryptOutput) SetKeyId(v string) *ReEncryptOutput {
	s.KeyId = &v
	return s
}

// SetSourceEncryptionAlgorithm points SourceEncryptionAlgorithm at v and
// returns s so calls can be chained.
func (s *ReEncryptOutput) SetSourceEncryptionAlgorithm(v string) *ReEncryptOutput {
	s.SourceEncryptionAlgorithm = &v
	return s
}

// SetSourceKeyId points SourceKeyId at v and returns s so calls can be chained.
func (s *ReEncryptOutput) SetSourceKeyId(v string) *ReEncryptOutput {
	s.SourceKeyId = &v
	return s
}

// RetireGrantInput identifies the grant to retire. None of its fields carries
// a required tag, so the struct itself does not say which of them must be set.
type RetireGrantInput struct {
	_ struct{} `type:"structure"`

	// Unique identifier of the grant to retire. The grant ID is returned in the
	// response to a CreateGrant operation.
	//
	//    * Grant ID Example - 0123456789012345678901234567890123456789012345678901234567890123
	GrantId *string `min:"1" type:"string"`

	// Token that identifies the grant to be retired.
	GrantToken *string `min:"1" type:"string"`

	// The Amazon Resource Name (ARN) of the CMK associated with the grant.
	//
	// For example: arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab
	KeyId *string `min:"1" type:"string"`
}

// String renders the value with awsutil.Prettify.
func (s RetireGrantInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s RetireGrantInput) GoString() string {
	return s.String()
}

// Validate reports fields that are set but shorter than one character.
// An input with every field nil passes; which combination of identifiers the
// service needs is not checked here.
func (s *RetireGrantInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "RetireGrantInput"}

	if id := s.GrantId; id != nil && len(*id) < 1 {
		errs.Add(request.NewErrParamMinLen("GrantId", 1))
	}
	if tok := s.GrantToken; tok != nil && len(*tok) < 1 {
		errs.Add(request.NewErrParamMinLen("GrantToken", 1))
	}
	if key := s.KeyId; key != nil && len(*key) < 1 {
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetGrantId points GrantId at v and returns s so calls can be chained.
func (s *RetireGrantInput) SetGrantId(v string) *RetireGrantInput {
	s.GrantId = &v
	return s
}

// SetGrantToken points GrantToken at v and returns s so calls can be chained.
func (s *RetireGrantInput) SetGrantToken(v string) *RetireGrantInput {
	s.GrantToken = &v
	return s
}

// SetKeyId sets the KeyId field's value.
func (s *RetireGrantInput) SetKeyId(v string) *RetireGrantInput {
	s.KeyId = &v
	return s
}

// RetireGrantOutput declares no fields besides the structure marker.
type RetireGrantOutput struct {
	_ struct{} `type:"structure"`
}

// String renders the value with awsutil.Prettify.
func (s RetireGrantOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s RetireGrantOutput) GoString() string {
	return s.String()
}

// RevokeGrantInput names the grant to revoke and the CMK it belongs to; both
// fields are tagged as required.
type RevokeGrantInput struct {
	_ struct{} `type:"structure"`

	// Identifier of the grant to be revoked.
	//
	// GrantId is a required field
	GrantId *string `min:"1" type:"string" required:"true"`

	// A unique identifier for the customer master key associated with the grant.
	//
	// Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify
	// a CMK in a different AWS account, you must use the key ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`
}

// String renders the value with awsutil.Prettify.
func (s RevokeGrantInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s RevokeGrantInput) GoString() string {
	return s.String()
}

// Validate inspects the fields of the type to determine if they are valid.
func (s *RevokeGrantInput) Validate() error {
	// Both identifiers must be present and non-empty; their format (key ID
	// versus ARN) is not checked on the client.
	errs := request.ErrInvalidParams{Context: "RevokeGrantInput"}

	if s.GrantId == nil {
		errs.Add(request.NewErrParamRequired("GrantId"))
	} else if len(*s.GrantId) < 1 {
		errs.Add(request.NewErrParamMinLen("GrantId", 1))
	}

	if s.KeyId == nil {
		errs.Add(request.NewErrParamRequired("KeyId"))
	} else if len(*s.KeyId) < 1 {
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetGrantId points GrantId at v and returns s so calls can be chained.
func (s *RevokeGrantInput) SetGrantId(v string) *RevokeGrantInput {
	s.GrantId = &v
	return s
}

// SetKeyId points KeyId at v and returns s so calls can be chained.
func (s *RevokeGrantInput) SetKeyId(v string) *RevokeGrantInput {
	s.KeyId = &v
	return s
}

// RevokeGrantOutput declares no fields besides the structure marker.
type RevokeGrantOutput struct {
	_ struct{} `type:"structure"`
}

// String renders the value with awsutil.Prettify.
func (s RevokeGrantOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s RevokeGrantOutput) GoString() string {
	return s.String()
}

// ScheduleKeyDeletionInput names the CMK to delete and, optionally, the
// waiting period before deletion.
type ScheduleKeyDeletionInput struct {
	_ struct{} `type:"structure"`

	// The unique identifier of the customer master key (CMK) to delete.
	//
	// Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// The waiting period, specified in number of days. After the waiting period
	// ends, AWS KMS deletes the customer master key (CMK).
	//
	// This value is optional. If you include a value, it must be between 7 and
	// 30, inclusive. If you do not include a value, it defaults to 30.
	PendingWindowInDays *int64 `min:"1" type:"integer"`
}

// String renders the value with awsutil.Prettify.
func (s ScheduleKeyDeletionInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s ScheduleKeyDeletionInput) GoString() string {
	return s.String()
}

// Validate checks that KeyId is present and non-empty and that
// PendingWindowInDays, when set, is at least 1.
//
// The lower bound comes from the field's min:"1" tag. The field documentation
// gives 7 to 30 as the accepted range, so values of 1-6 or above 30 pass this
// check; callers that care about the length of the waiting period should
// bound it themselves rather than rely on Validate.
func (s *ScheduleKeyDeletionInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "ScheduleKeyDeletionInput"}

	if s.KeyId == nil {
		errs.Add(request.NewErrParamRequired("KeyId"))
	} else if len(*s.KeyId) < 1 {
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if days := s.PendingWindowInDays; days != nil && *days < 1 {
		errs.Add(request.NewErrParamMinValue("PendingWindowInDays", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetKeyId points KeyId at v and returns s so calls can be chained.
func (s *ScheduleKeyDeletionInput) SetKeyId(v string) *ScheduleKeyDeletionInput {
	s.KeyId = &v
	return s
}

// SetPendingWindowInDays sets the PendingWindowInDays field's value.
func (s *ScheduleKeyDeletionInput) SetPendingWindowInDays(v int64) *ScheduleKeyDeletionInput {
	s.PendingWindowInDays = &v
	return s
}

// ScheduleKeyDeletionOutput reports which CMK is scheduled for deletion and
// the time after which it is deleted.
type ScheduleKeyDeletionOutput struct {
	_ struct{} `type:"structure"`

	// The date and time after which AWS KMS deletes the customer master key (CMK).
	DeletionDate *time.Time `type:"timestamp"`

	// The unique identifier of the customer master key (CMK) for which deletion
	// is scheduled.
	KeyId *string `min:"1" type:"string"`
}

// String renders the value with awsutil.Prettify.
func (s ScheduleKeyDeletionOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s ScheduleKeyDeletionOutput) GoString() string {
	return s.String()
}

// SetDeletionDate points DeletionDate at v and returns s so calls can be
// chained.
func (s *ScheduleKeyDeletionOutput) SetDeletionDate(v time.Time) *ScheduleKeyDeletionOutput {
	s.DeletionDate = &v
	return s
}

// SetKeyId points KeyId at v and returns s so calls can be chained.
func (s *ScheduleKeyDeletionOutput) SetKeyId(v string) *ScheduleKeyDeletionOutput {
	s.KeyId = &v
	return s
}

// SignInput describes a signing request: the asymmetric CMK, the message or
// digest to sign, and the signing algorithm.
type SignInput struct {
	_ struct{} `type:"structure"`

	// A list of grant tokens.
	//
	// For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
	// in the AWS Key Management Service Developer Guide.
	GrantTokens []*string `type:"list"`

	// Identifies an asymmetric CMK. AWS KMS uses the private key in the asymmetric
	// CMK to sign the message. The KeyUsage type of the CMK must be SIGN_VERIFY.
	// To find the KeyUsage of a CMK, use the DescribeKey operation.
	//
	// To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name,
	// or alias ARN. When using an alias name, prefix it with "alias/". To specify
	// a CMK in a different AWS account, you must use the key ARN or alias ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Alias name: alias/ExampleAlias
	//
	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To
	// get the alias name and alias ARN, use ListAliases.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// Specifies the message or message digest to sign. Messages can be 0-4096 bytes.
	// To sign a larger message, provide the message digest.
	//
	// If you provide a message, AWS KMS generates a hash digest of the message
	// and then signs it.
	//
	// Message is automatically base64 encoded/decoded by the SDK.
	//
	// Message is a required field
	Message []byte `min:"1" type:"blob" required:"true" sensitive:"true"`

	// Tells AWS KMS whether the value of the Message parameter is a message or
	// message digest. To indicate a message, enter RAW. To indicate a message digest,
	// enter DIGEST.
	MessageType *string `type:"string" enum:"MessageType"`

	// Specifies the signing algorithm to use when signing the message.
	//
	// Choose an algorithm that is compatible with the type and size of the specified
	// asymmetric CMK.
	//
	// SigningAlgorithm is a required field
	SigningAlgorithm *string `type:"string" required:"true" enum:"SigningAlgorithmSpec"`
}

// String renders the value with awsutil.Prettify.
func (s SignInput) String() string {
	// NOTE(review): Message carries the sensitive:"true" tag; whether
	// awsutil.Prettify redacts tagged fields is not visible in this file.
	// Confirm before routing this output to logs.
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s SignInput) GoString() string {
	return s.String()
}

// Validate checks that KeyId, Message and SigningAlgorithm are present and
// that KeyId and Message are non-empty.
//
// A zero-length Message is rejected because of the min:"1" tag, although the
// field documentation describes messages of 0-4096 bytes. MessageType and the
// value of SigningAlgorithm are not checked here, and the upper size bound is
// not enforced on the client.
func (s *SignInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "SignInput"}

	if s.KeyId == nil {
		errs.Add(request.NewErrParamRequired("KeyId"))
	} else if len(*s.KeyId) < 1 {
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	switch {
	case s.Message == nil:
		errs.Add(request.NewErrParamRequired("Message"))
	case len(s.Message) < 1:
		errs.Add(request.NewErrParamMinLen("Message", 1))
	}

	if s.SigningAlgorithm == nil {
		errs.Add(request.NewErrParamRequired("SigningAlgorithm"))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetGrantTokens stores v in GrantTokens (the slice is not copied) and returns
// s so calls can be chained.
func (s *SignInput) SetGrantTokens(v []*string) *SignInput {
	s.GrantTokens = v
	return s
}

// SetKeyId points KeyId at v and returns s so calls can be chained.
func (s *SignInput) SetKeyId(v string) *SignInput {
	s.KeyId = &v
	return s
}

// SetMessage stores v in Message (the slice is not copied) and returns s so
// calls can be chained.
func (s *SignInput) SetMessage(v []byte) *SignInput {
	s.Message = v
	return s
}

// SetMessageType sets the MessageType field's value.
func (s *SignInput) SetMessageType(v string) *SignInput {
	s.MessageType = &v
	return s
}

// SetSigningAlgorithm points SigningAlgorithm at v and returns s so calls can
// be chained.
func (s *SignInput) SetSigningAlgorithm(v string) *SignInput {
	s.SigningAlgorithm = &v
	return s
}

// SignOutput carries the signature together with the CMK and algorithm that
// produced it.
type SignOutput struct {
	_ struct{} `type:"structure"`

	// The Amazon Resource Name (ARN) of the asymmetric CMK that was used to sign
	// the message.
	KeyId *string `min:"1" type:"string"`

	// The cryptographic signature that was generated for the message.
	//
	// Signature is automatically base64 encoded/decoded by the SDK.
	Signature []byte `min:"1" type:"blob"`

	// The signing algorithm that was used to sign the message.
	SigningAlgorithm *string `type:"string" enum:"SigningAlgorithmSpec"`
}

// String renders the value with awsutil.Prettify.
func (s SignOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s SignOutput) GoString() string {
	return s.String()
}

// SetKeyId points KeyId at v and returns s so calls can be chained.
func (s *SignOutput) SetKeyId(v string) *SignOutput {
	s.KeyId = &v
	return s
}

// SetSignature stores v in Signature (the slice is not copied) and returns s
// so calls can be chained.
func (s *SignOutput) SetSignature(v []byte) *SignOutput {
	s.Signature = v
	return s
}

// SetSigningAlgorithm points SigningAlgorithm at v and returns s so calls can
// be chained.
func (s *SignOutput) SetSigningAlgorithm(v string) *SignOutput {
	s.SigningAlgorithm = &v
	return s
}

// A key-value pair. A tag consists of a tag key and a tag value. Tag keys and
// tag values are both required, but tag values can be empty (null) strings.
//
// For information about the rules that apply to tag keys and tag values, see
// User-Defined Tag Restrictions (https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/allocation-tag-restrictions.html)
// in the AWS Billing and Cost Management User Guide.
type Tag struct {
	_ struct{} `type:"structure"`

	// The key of the tag.
	//
	// TagKey is a required field
	TagKey *string `min:"1" type:"string" required:"true"`

	// The value of the tag.
	//
	// TagValue is a required field
	TagValue *string `type:"string" required:"true"`
}

// String renders the value with awsutil.Prettify.
func (s Tag) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s Tag) GoString() string {
	return s.String()
}

// Validate checks that TagKey is present and non-empty and that TagValue is
// present. TagValue has no minimum length, so a pointer to "" is accepted
// while a nil TagValue is not.
func (s *Tag) Validate() error {
	errs := request.ErrInvalidParams{Context: "Tag"}

	if s.TagKey == nil {
		errs.Add(request.NewErrParamRequired("TagKey"))
	} else if len(*s.TagKey) < 1 {
		errs.Add(request.NewErrParamMinLen("TagKey", 1))
	}

	if s.TagValue == nil {
		errs.Add(request.NewErrParamRequired("TagValue"))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetTagKey points TagKey at v and returns s so calls can be chained.
func (s *Tag) SetTagKey(v string) *Tag {
	s.TagKey = &v
	return s
}

// SetTagValue points TagValue at v and returns s so calls can be chained.
func (s *Tag) SetTagValue(v string) *Tag {
	s.TagValue = &v
	return s
}

// TagResourceInput names the CMK to tag and the tags to attach to it.
type TagResourceInput struct {
	_ struct{} `type:"structure"`

	// A unique identifier for the CMK you are tagging.
	//
	// Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// One or more tags. Each tag consists of a tag key and a tag value.
	//
	// Tags is a required field
	Tags []*Tag `type:"list" required:"true"`
}

// String renders the value with awsutil.Prettify.
func (s TagResourceInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s TagResourceInput) GoString() string {
	return s.String()
}

// Validate checks that KeyId is present and non-empty, that Tags is non-nil,
// and runs Tag.Validate on every non-nil element, nesting its errors under
// "Tags[i]". A non-nil but empty Tags slice and nil elements pass unchecked.
func (s *TagResourceInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "TagResourceInput"}

	if s.KeyId == nil {
		errs.Add(request.NewErrParamRequired("KeyId"))
	} else if len(*s.KeyId) < 1 {
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if s.Tags == nil {
		errs.Add(request.NewErrParamRequired("Tags"))
	}
	// Ranging over a nil slice does nothing, so no separate nil guard is needed.
	for idx, tag := range s.Tags {
		if tag == nil {
			continue
		}
		err := tag.Validate()
		if err == nil {
			continue
		}
		// The unchecked assertion relies on Tag.Validate returning only
		// request.ErrInvalidParams; any other error type would panic here.
		errs.AddNested(fmt.Sprintf("%s[%v]", "Tags", idx), err.(request.ErrInvalidParams))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetKeyId sets the KeyId field's value.
func (s *TagResourceInput) SetKeyId(v string) *TagResourceInput {
	s.KeyId = &v
	return s
}

// SetTags stores v in Tags (the slice is not copied) and returns s so calls
// can be chained.
func (s *TagResourceInput) SetTags(v []*Tag) *TagResourceInput {
	s.Tags = v
	return s
}

// TagResourceOutput declares no fields besides the structure marker.
type TagResourceOutput struct {
	_ struct{} `type:"structure"`
}

// String renders the value with awsutil.Prettify.
func (s TagResourceOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s TagResourceOutput) GoString() string {
	return s.String()
}

// UntagResourceInput names the CMK and the tag keys to remove from it.
type UntagResourceInput struct {
	_ struct{} `type:"structure"`

	// A unique identifier for the CMK from which you are removing tags.
	//
	// Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// One or more tag keys. Specify only the tag keys, not the tag values.
	//
	// TagKeys is a required field
	TagKeys []*string `type:"list" required:"true"`
}

// String renders the value with awsutil.Prettify.
func (s UntagResourceInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s UntagResourceInput) GoString() string {
	return s.String()
}

// Validate inspects the fields of the type to determine if they are valid.
func (s *UntagResourceInput) Validate() error {
	// KeyId must be present and non-empty; TagKeys only has to be non-nil, so
	// an empty slice or nil elements are not reported here.
	errs := request.ErrInvalidParams{Context: "UntagResourceInput"}

	if s.KeyId == nil {
		errs.Add(request.NewErrParamRequired("KeyId"))
	} else if len(*s.KeyId) < 1 {
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if s.TagKeys == nil {
		errs.Add(request.NewErrParamRequired("TagKeys"))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetKeyId points KeyId at v and returns s so calls can be chained.
func (s *UntagResourceInput) SetKeyId(v string) *UntagResourceInput {
	s.KeyId = &v
	return s
}

// SetTagKeys stores v in TagKeys (the slice is not copied) and returns s so
// calls can be chained.
func (s *UntagResourceInput) SetTagKeys(v []*string) *UntagResourceInput {
	s.TagKeys = v
	return s
}

// UntagResourceOutput declares no fields besides the structure marker.
type UntagResourceOutput struct {
	_ struct{} `type:"structure"`
}

// String renders the value with awsutil.Prettify.
func (s UntagResourceOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s UntagResourceOutput) GoString() string {
	return s.String()
}

// UpdateAliasInput names an existing alias and the CMK it should point to
// after the update.
type UpdateAliasInput struct {
	_ struct{} `type:"structure"`

	// Identifies the alias that is changing its CMK. This value must begin with
	// alias/ followed by the alias name, such as alias/ExampleAlias. You cannot
	// use UpdateAlias to change the alias name.
	//
	// AliasName is a required field
	AliasName *string `min:"1" type:"string" required:"true"`

	// Identifies the CMK to associate with the alias. When the update operation
	// completes, the alias will point to this CMK.
	//
	// The CMK must be in the same AWS account and Region as the alias. Also, the
	// new target CMK must be the same type as the current target CMK (both symmetric
	// or both asymmetric) and they must have the same key usage.
	//
	// Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// To verify that the alias is mapped to the correct CMK, use ListAliases.
	//
	// TargetKeyId is a required field
	TargetKeyId *string `min:"1" type:"string" required:"true"`
}

// String renders the value with awsutil.Prettify.
func (s UpdateAliasInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s UpdateAliasInput) GoString() string {
	return s.String()
}

// Validate checks that AliasName and TargetKeyId are present and non-empty.
// The "alias/" prefix that the AliasName documentation calls for is not
// checked here, and neither is the type or key usage of the target CMK.
func (s *UpdateAliasInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "UpdateAliasInput"}

	if s.AliasName == nil {
		errs.Add(request.NewErrParamRequired("AliasName"))
	} else if len(*s.AliasName) < 1 {
		errs.Add(request.NewErrParamMinLen("AliasName", 1))
	}

	if s.TargetKeyId == nil {
		errs.Add(request.NewErrParamRequired("TargetKeyId"))
	} else if len(*s.TargetKeyId) < 1 {
		errs.Add(request.NewErrParamMinLen("TargetKeyId", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetAliasName sets the AliasName field's value.
func (s *UpdateAliasInput) SetAliasName(v string) *UpdateAliasInput {
	s.AliasName = &v
	return s
}

// SetTargetKeyId points TargetKeyId at v and returns s so calls can be chained.
func (s *UpdateAliasInput) SetTargetKeyId(v string) *UpdateAliasInput {
	s.TargetKeyId = &v
	return s
}

// UpdateAliasOutput declares no fields besides the structure marker.
type UpdateAliasOutput struct {
	_ struct{} `type:"structure"`
}

// String renders the value with awsutil.Prettify.
func (s UpdateAliasOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s UpdateAliasOutput) GoString() string {
	return s.String()
}

// UpdateCustomKeyStoreInput identifies a custom key store and the properties
// to change on it: the associated CloudHSM cluster, the kmsuser password known
// to AWS KMS, or the friendly name.
type UpdateCustomKeyStoreInput struct {
	_ struct{} `type:"structure"`

	// Associates the custom key store with a related AWS CloudHSM cluster.
	//
	// Enter the cluster ID of the cluster that you used to create the custom key
	// store or a cluster that shares a backup history and has the same cluster
	// certificate as the original cluster. You cannot use this parameter to associate
	// a custom key store with an unrelated cluster. In addition, the replacement
	// cluster must fulfill the requirements (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore)
	// for a cluster associated with a custom key store. To view the cluster certificate
	// of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
	// operation.
	CloudHsmClusterId *string `min:"19" type:"string"`

	// Identifies the custom key store that you want to update. Enter the ID of
	// the custom key store. To find the ID of a custom key store, use the DescribeCustomKeyStores
	// operation.
	//
	// CustomKeyStoreId is a required field
	CustomKeyStoreId *string `min:"1" type:"string" required:"true"`

	// Enter the current password of the kmsuser crypto user (CU) in the AWS CloudHSM
	// cluster that is associated with the custom key store.
	//
	// This parameter tells AWS KMS the current password of the kmsuser crypto user
	// (CU). It does not set or change the password of any users in the AWS CloudHSM
	// cluster.
	KeyStorePassword *string `min:"1" type:"string" sensitive:"true"`

	// Changes the friendly name of the custom key store to the value that you specify.
	// The custom key store name must be unique in the AWS account.
	NewCustomKeyStoreName *string `min:"1" type:"string"`
}

// String renders the value with awsutil.Prettify.
func (s UpdateCustomKeyStoreInput) String() string {
	// NOTE(review): KeyStorePassword carries the sensitive:"true" tag; whether
	// awsutil.Prettify redacts tagged fields is not visible in this file.
	// Confirm before routing this output to logs or error messages.
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s UpdateCustomKeyStoreInput) GoString() string {
	return s.String()
}

// Validate inspects the fields of the type to determine if they are valid.
//
// Only client-side shape constraints are checked: CustomKeyStoreId must be
// set, and every field that is set must meet its minimum length (19 for
// CloudHsmClusterId, 1 for the others). Every violation is collected and the
// whole set is returned as a request.ErrInvalidParams; nil means none found.
// The checks say nothing about whether the IDs exist or the password is
// correct.
func (s *UpdateCustomKeyStoreInput) Validate() error {
	invalidParams := request.ErrInvalidParams{Context: "UpdateCustomKeyStoreInput"}

	if id := s.CloudHsmClusterId; id != nil && len(*id) < 19 {
		invalidParams.Add(request.NewErrParamMinLen("CloudHsmClusterId", 19))
	}

	// Required field: report "missing" or "too short", never both.
	switch {
	case s.CustomKeyStoreId == nil:
		invalidParams.Add(request.NewErrParamRequired("CustomKeyStoreId"))
	case len(*s.CustomKeyStoreId) < 1:
		invalidParams.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1))
	}

	if pw := s.KeyStorePassword; pw != nil && len(*pw) < 1 {
		// Only the parameter name is passed to the error, not the value.
		invalidParams.Add(request.NewErrParamMinLen("KeyStorePassword", 1))
	}
	if name := s.NewCustomKeyStoreName; name != nil && len(*name) < 1 {
		invalidParams.Add(request.NewErrParamMinLen("NewCustomKeyStoreName", 1))
	}

	if invalidParams.Len() == 0 {
		return nil
	}
	return invalidParams
}

// SetCloudHsmClusterId sets the CloudHsmClusterId field's value and returns
// the receiver for chaining.
func (s *UpdateCustomKeyStoreInput) SetCloudHsmClusterId(v string) *UpdateCustomKeyStoreInput {
	s.CloudHsmClusterId = &v
	return s
}

// SetCustomKeyStoreId sets the CustomKeyStoreId field's value and returns the
// receiver for chaining.
func (s *UpdateCustomKeyStoreInput) SetCustomKeyStoreId(v string) *UpdateCustomKeyStoreInput {
	s.CustomKeyStoreId = &v
	return s
}

// SetKeyStorePassword sets the KeyStorePassword field's value and returns the
// receiver for chaining.
//
// v is a credential: the struct keeps a pointer to a copy of it as a plain
// string, so it stays in memory for as long as the input struct is reachable.
func (s *UpdateCustomKeyStoreInput) SetKeyStorePassword(v string) *UpdateCustomKeyStoreInput {
	s.KeyStorePassword = &v
	return s
}

// SetNewCustomKeyStoreName sets the NewCustomKeyStoreName field's value.
//
// The receiver is returned so that setter calls can be chained.
func (s *UpdateCustomKeyStoreInput) SetNewCustomKeyStoreName(v string) *UpdateCustomKeyStoreInput {
	s.NewCustomKeyStoreName = &v
	return s
}

// UpdateCustomKeyStoreOutput declares no data fields.
// NOTE(review): presumably the empty result of the UpdateCustomKeyStore
// operation; the operation itself is not visible in this part of the file.
type UpdateCustomKeyStoreOutput struct {
	_ struct{} `type:"structure"`
}

// String returns the awsutil.Prettify rendering of s.
func (s UpdateCustomKeyStoreOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s UpdateCustomKeyStoreOutput) GoString() string {
	return s.String()
}

// UpdateKeyDescriptionInput holds the parameters for replacing the
// description of a customer master key (CMK). Both fields are required.
type UpdateKeyDescriptionInput struct {
	_ struct{} `type:"structure"`

	// New description for the CMK.
	//
	// No sensitive tag is set on this field, so it is rendered as-is by
	// String; do not place secrets in a key description.
	//
	// Description is a required field
	Description *string `type:"string" required:"true"`

	// A unique identifier for the customer master key (CMK).
	//
	// Specify the key ID or the Amazon Resource Name (ARN) of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`
}

// String returns the awsutil.Prettify rendering of s.
func (s UpdateKeyDescriptionInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s UpdateKeyDescriptionInput) GoString() string {
	return s.String()
}

// Validate inspects the fields of the type to determine if they are valid.
//
// Description and KeyId must both be set, and KeyId must be at least one
// character long. Description has no minimum length, so an empty string
// passes. Every violation is collected and returned together as a
// request.ErrInvalidParams; nil means none found.
func (s *UpdateKeyDescriptionInput) Validate() error {
	invalidParams := request.ErrInvalidParams{Context: "UpdateKeyDescriptionInput"}

	if s.Description == nil {
		invalidParams.Add(request.NewErrParamRequired("Description"))
	}

	// Required field: report "missing" or "too short", never both.
	switch {
	case s.KeyId == nil:
		invalidParams.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if invalidParams.Len() == 0 {
		return nil
	}
	return invalidParams
}

// SetDescription sets the Description field's value and returns the receiver
// for chaining.
func (s *UpdateKeyDescriptionInput) SetDescription(v string) *UpdateKeyDescriptionInput {
	s.Description = &v
	return s
}

// SetKeyId sets the KeyId field's value and returns the receiver for
// chaining.
func (s *UpdateKeyDescriptionInput) SetKeyId(v string) *UpdateKeyDescriptionInput {
	s.KeyId = &v
	return s
}

// UpdateKeyDescriptionOutput declares no data fields.
// NOTE(review): presumably the empty result of the UpdateKeyDescription
// operation; the operation itself is not visible in this part of the file.
type UpdateKeyDescriptionOutput struct {
	_ struct{} `type:"structure"`
}

// String returns the awsutil.Prettify rendering of s.
func (s UpdateKeyDescriptionOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s UpdateKeyDescriptionOutput) GoString() string {
	return s.String()
}

// VerifyInput holds the parameters for verifying a signature with an
// asymmetric CMK: the key, the signed message or its digest, the signature,
// and the signing algorithm. KeyId, Message, Signature and SigningAlgorithm
// are required; GrantTokens and MessageType are optional.
type VerifyInput struct {
	_ struct{} `type:"structure"`

	// A list of grant tokens.
	//
	// For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
	// in the AWS Key Management Service Developer Guide.
	GrantTokens []*string `type:"list"`

	// Identifies the asymmetric CMK that will be used to verify the signature.
	// This must be the same CMK that was used to generate the signature. If a
	// different CMK is specified, the signature verification fails.
	//
	// To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name,
	// or alias ARN. When using an alias name, prefix it with "alias/". To
	// specify a CMK in a different AWS account, you must use the key ARN or
	// alias ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Alias name: alias/ExampleAlias
	//
	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To
	// get the alias name and alias ARN, use ListAliases.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// Specifies the message that was signed, or a hash digest of that message.
	// Messages can be 0-4096 bytes. To verify a larger message, provide a hash
	// digest of the message.
	//
	// If the digest of the message specified here is different from the
	// message digest that was signed, the signature verification fails.
	//
	// Message is automatically base64 encoded/decoded by the SDK.
	//
	// The field carries the sensitive:"true" tag. Note that the min:"1" tag
	// makes Validate reject an empty message even though the range above
	// starts at 0 bytes.
	//
	// Message is a required field
	Message []byte `min:"1" type:"blob" required:"true" sensitive:"true"`

	// Tells AWS KMS whether the value of the Message parameter is a message or
	// message digest. To indicate a message, enter RAW. To indicate a message
	// digest, enter DIGEST.
	//
	// The field is optional and Validate does not inspect it; this must agree
	// with what Message actually holds.
	MessageType *string `type:"string" enum:"MessageType"`

	// The signature that the Sign operation generated.
	//
	// Signature is automatically base64 encoded/decoded by the SDK.
	//
	// Signature is a required field
	Signature []byte `min:"1" type:"blob" required:"true"`

	// The signing algorithm that was used to sign the message. If a different
	// algorithm is submitted, the signature verification fails.
	//
	// SigningAlgorithm is a required field
	SigningAlgorithm *string `type:"string" required:"true" enum:"SigningAlgorithmSpec"`
}

// String returns the awsutil.Prettify rendering of s.
//
// NOTE(review): s includes Message, which is tagged sensitive:"true".
// Prettify is expected to mask such fields, but its implementation is not
// visible here; confirm against the vendored SDK version before logging.
func (s VerifyInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s VerifyInput) GoString() string {
	return s.String()
}

// Validate inspects the fields of the type to determine if they are valid.
//
// KeyId, Message, Signature and SigningAlgorithm must be set, and the first
// three must be non-empty. MessageType and SigningAlgorithm are not compared
// with their enum values here, and no upper bound on Message is enforced, so
// passing Validate does not mean the request is well-formed for the service.
// Every violation is collected and returned together as a
// request.ErrInvalidParams; nil means none found.
func (s *VerifyInput) Validate() error {
	invalidParams := request.ErrInvalidParams{Context: "VerifyInput"}

	// Each required field reports "missing" or "too short", never both.
	switch {
	case s.KeyId == nil:
		invalidParams.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
	}
	switch {
	case s.Message == nil:
		invalidParams.Add(request.NewErrParamRequired("Message"))
	case len(s.Message) < 1:
		invalidParams.Add(request.NewErrParamMinLen("Message", 1))
	}
	switch {
	case s.Signature == nil:
		invalidParams.Add(request.NewErrParamRequired("Signature"))
	case len(s.Signature) < 1:
		invalidParams.Add(request.NewErrParamMinLen("Signature", 1))
	}
	if s.SigningAlgorithm == nil {
		invalidParams.Add(request.NewErrParamRequired("SigningAlgorithm"))
	}

	if invalidParams.Len() == 0 {
		return nil
	}
	return invalidParams
}

// SetGrantTokens sets the GrantTokens field's value and returns the receiver
// for chaining. The slice is stored as given, not copied.
func (s *VerifyInput) SetGrantTokens(v []*string) *VerifyInput {
	s.GrantTokens = v
	return s
}

// SetKeyId sets the KeyId field's value and returns the receiver for
// chaining.
func (s *VerifyInput) SetKeyId(v string) *VerifyInput {
	s.KeyId = &v
	return s
}

// SetMessage sets the Message field's value.
//
// The slice is stored as given, not copied, so changes the caller makes to v
// afterwards are visible through the input struct. The receiver is returned
// for chaining.
func (s *VerifyInput) SetMessage(v []byte) *VerifyInput {
	s.Message = v
	return s
}

// SetMessageType sets the MessageType field's value and returns the receiver
// for chaining. v is stored without being compared with the MessageType enum
// values.
func (s *VerifyInput) SetMessageType(v string) *VerifyInput {
	s.MessageType = &v
	return s
}

// SetSignature sets the Signature field's value and returns the receiver for
// chaining. The slice is stored as given, not copied.
func (s *VerifyInput) SetSignature(v []byte) *VerifyInput {
	s.Signature = v
	return s
}

// SetSigningAlgorithm sets the SigningAlgorithm field's value and returns the
// receiver for chaining. v is stored without being compared with the
// SigningAlgorithmSpec enum values.
func (s *VerifyInput) SetSigningAlgorithm(v string) *VerifyInput {
	s.SigningAlgorithm = &v
	return s
}

// VerifyOutput holds the result fields of a signature verification: the CMK
// used, whether the signature was verified, and the algorithm used. Every
// field is a pointer and may be nil.
type VerifyOutput struct {
	_ struct{} `type:"structure"`

	// The unique identifier for the asymmetric CMK that was used to verify the
	// signature.
	KeyId *string `min:"1" type:"string"`

	// A Boolean value that indicates whether the signature was verified. A
	// value of True indicates that the Signature was produced by signing the
	// Message with the specified KeyID and SigningAlgorithm. If the signature
	// is not verified, the Verify operation fails with a
	// KMSInvalidSignatureException exception.
	//
	// Because a failed verification is reported as an error rather than as a
	// false value, callers should treat any error from the operation as "not
	// verified" and nil-check this pointer before dereferencing it.
	SignatureValid *bool `type:"boolean"`

	// The signing algorithm that was used to verify the signature.
	SigningAlgorithm *string `type:"string" enum:"SigningAlgorithmSpec"`
}

// String returns the awsutil.Prettify rendering of s.
func (s VerifyOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s VerifyOutput) GoString() string {
	return s.String()
}

// SetKeyId sets the KeyId field's value and returns the receiver for
// chaining.
func (s *VerifyOutput) SetKeyId(v string) *VerifyOutput {
	s.KeyId = &v
	return s
}

// SetSignatureValid sets the SignatureValid field's value.
//
// The receiver is returned so that setter calls can be chained.
func (s *VerifyOutput) SetSignatureValid(v bool) *VerifyOutput {
	s.SignatureValid = &v
	return s
}

// SetSigningAlgorithm sets the SigningAlgorithm field's value and returns the
// receiver for chaining.
func (s *VerifyOutput) SetSigningAlgorithm(v string) *VerifyOutput {
	s.SigningAlgorithm = &v
	return s
}

// AlgorithmSpec enum values. All are untyped string constants.
//
// RSAES_PKCS1_V1_5 names PKCS #1 v1.5 encryption padding, a legacy scheme
// with a history of padding-oracle weaknesses; prefer an OAEP value, and
// SHA-256 over SHA-1, wherever both sides support it.
const (
	// AlgorithmSpecRsaesPkcs1V15 is an AlgorithmSpec enum value
	AlgorithmSpecRsaesPkcs1V15 = "RSAES_PKCS1_V1_5"

	// AlgorithmSpecRsaesOaepSha1 is an AlgorithmSpec enum value
	AlgorithmSpecRsaesOaepSha1 = "RSAES_OAEP_SHA_1"

	// AlgorithmSpecRsaesOaepSha256 is an AlgorithmSpec enum value
	AlgorithmSpecRsaesOaepSha256 = "RSAES_OAEP_SHA_256"
)

// ConnectionErrorCodeType enum values.
//
// NOTE(review): presumably reported for a custom key store whose connection
// to its AWS CloudHSM cluster failed; INVALID_CREDENTIALS and USER_LOCKED_OUT
// look tied to the kmsuser password and are worth alerting on. Confirm
// against the service documentation.
const (
	// ConnectionErrorCodeTypeInvalidCredentials is a ConnectionErrorCodeType enum value
	ConnectionErrorCodeTypeInvalidCredentials = "INVALID_CREDENTIALS"

	// ConnectionErrorCodeTypeClusterNotFound is a ConnectionErrorCodeType enum value
	ConnectionErrorCodeTypeClusterNotFound = "CLUSTER_NOT_FOUND"

	// ConnectionErrorCodeTypeNetworkErrors is a ConnectionErrorCodeType enum value
	ConnectionErrorCodeTypeNetworkErrors = "NETWORK_ERRORS"

	// ConnectionErrorCodeTypeInternalError is a ConnectionErrorCodeType enum value
	ConnectionErrorCodeTypeInternalError = "INTERNAL_ERROR"

	// ConnectionErrorCodeTypeInsufficientCloudhsmHsms is a ConnectionErrorCodeType enum value
	ConnectionErrorCodeTypeInsufficientCloudhsmHsms = "INSUFFICIENT_CLOUDHSM_HSMS"

	// ConnectionErrorCodeTypeUserLockedOut is a ConnectionErrorCodeType enum value
	ConnectionErrorCodeTypeUserLockedOut = "USER_LOCKED_OUT"
)

// ConnectionStateType enum values.
const (
	// ConnectionStateTypeConnected is a ConnectionStateType enum value
	ConnectionStateTypeConnected = "CONNECTED"

	// ConnectionStateTypeConnecting is a ConnectionStateType enum value
	ConnectionStateTypeConnecting = "CONNECTING"

	// ConnectionStateTypeFailed is a ConnectionStateType enum value
	ConnectionStateTypeFailed = "FAILED"

	// ConnectionStateTypeDisconnected is a ConnectionStateType enum value
	ConnectionStateTypeDisconnected = "DISCONNECTED"

	// ConnectionStateTypeDisconnecting is a ConnectionStateType enum value
	ConnectionStateTypeDisconnecting = "DISCONNECTING"
)

// CustomerMasterKeySpec enum values: three RSA sizes, four elliptic curves,
// and the symmetric default.
const (
	// CustomerMasterKeySpecRsa2048 is a CustomerMasterKeySpec enum value
	CustomerMasterKeySpecRsa2048 = "RSA_2048"

	// CustomerMasterKeySpecRsa3072 is a CustomerMasterKeySpec enum value
	CustomerMasterKeySpecRsa3072 = "RSA_3072"

	// CustomerMasterKeySpecRsa4096 is a CustomerMasterKeySpec enum value
	CustomerMasterKeySpecRsa4096 = "RSA_4096"

	// CustomerMasterKeySpecEccNistP256 is a CustomerMasterKeySpec enum value
	CustomerMasterKeySpecEccNistP256 = "ECC_NIST_P256"

	// CustomerMasterKeySpecEccNistP384 is a CustomerMasterKeySpec enum value
	CustomerMasterKeySpecEccNistP384 = "ECC_NIST_P384"

	// CustomerMasterKeySpecEccNistP521 is a CustomerMasterKeySpec enum value
	CustomerMasterKeySpecEccNistP521 = "ECC_NIST_P521"

	// CustomerMasterKeySpecEccSecgP256k1 is a CustomerMasterKeySpec enum value
	CustomerMasterKeySpecEccSecgP256k1 = "ECC_SECG_P256K1"

	// CustomerMasterKeySpecSymmetricDefault is a CustomerMasterKeySpec enum value
	CustomerMasterKeySpecSymmetricDefault = "SYMMETRIC_DEFAULT"
)

// DataKeyPairSpec enum values. The strings match the asymmetric
// CustomerMasterKeySpec values; there is no symmetric entry in this set.
const (
	// DataKeyPairSpecRsa2048 is a DataKeyPairSpec enum value
	DataKeyPairSpecRsa2048 = "RSA_2048"

	// DataKeyPairSpecRsa3072 is a DataKeyPairSpec enum value
	DataKeyPairSpecRsa3072 = "RSA_3072"

	// DataKeyPairSpecRsa4096 is a DataKeyPairSpec enum value
	DataKeyPairSpecRsa4096 = "RSA_4096"

	// DataKeyPairSpecEccNistP256 is a DataKeyPairSpec enum value
	DataKeyPairSpecEccNistP256 = "ECC_NIST_P256"

	// DataKeyPairSpecEccNistP384 is a DataKeyPairSpec enum value
	DataKeyPairSpecEccNistP384 = "ECC_NIST_P384"

	// DataKeyPairSpecEccNistP521 is a DataKeyPairSpec enum value
	DataKeyPairSpecEccNistP521 = "ECC_NIST_P521"

	// DataKeyPairSpecEccSecgP256k1 is a DataKeyPairSpec enum value
	DataKeyPairSpecEccSecgP256k1 = "ECC_SECG_P256K1"
)

// DataKeySpec enum values.
const (
	// DataKeySpecAes256 is a DataKeySpec enum value
	DataKeySpecAes256 = "AES_256"

	// DataKeySpecAes128 is a DataKeySpec enum value
	DataKeySpecAes128 = "AES_128"
)

// EncryptionAlgorithmSpec enum values. Unlike AlgorithmSpec, this set has no
// PKCS #1 v1.5 entry; of the two OAEP values, SHA-256 is the stronger hash.
const (
	// EncryptionAlgorithmSpecSymmetricDefault is an EncryptionAlgorithmSpec enum value
	EncryptionAlgorithmSpecSymmetricDefault = "SYMMETRIC_DEFAULT"

	// EncryptionAlgorithmSpecRsaesOaepSha1 is an EncryptionAlgorithmSpec enum value
	EncryptionAlgorithmSpecRsaesOaepSha1 = "RSAES_OAEP_SHA_1"

	// EncryptionAlgorithmSpecRsaesOaepSha256 is an EncryptionAlgorithmSpec enum value
	EncryptionAlgorithmSpecRsaesOaepSha256 = "RSAES_OAEP_SHA_256"
)

// ExpirationModelType enum values.
const (
	// ExpirationModelTypeKeyMaterialExpires is an ExpirationModelType enum value
	ExpirationModelTypeKeyMaterialExpires = "KEY_MATERIAL_EXPIRES"

	// ExpirationModelTypeKeyMaterialDoesNotExpire is an ExpirationModelType enum value
	ExpirationModelTypeKeyMaterialDoesNotExpire = "KEY_MATERIAL_DOES_NOT_EXPIRE"
)

// GrantOperation enum values.
//
// NOTE(review): CreateGrant and RetireGrant are grant-management operations;
// a grant that lists them presumably lets the grantee manage grants in turn,
// so review such grants for least privilege.
const (
	// GrantOperationDecrypt is a GrantOperation enum value
	GrantOperationDecrypt = "Decrypt"

	// GrantOperationEncrypt is a GrantOperation enum value
	GrantOperationEncrypt = "Encrypt"

	// GrantOperationGenerateDataKey is a GrantOperation enum value
	GrantOperationGenerateDataKey = "GenerateDataKey"

	// GrantOperationGenerateDataKeyWithoutPlaintext is a GrantOperation enum value
	GrantOperationGenerateDataKeyWithoutPlaintext = "GenerateDataKeyWithoutPlaintext"

	// GrantOperationReEncryptFrom is a GrantOperation enum value
	GrantOperationReEncryptFrom = "ReEncryptFrom"

	// GrantOperationReEncryptTo is a GrantOperation enum value
	GrantOperationReEncryptTo = "ReEncryptTo"

	// GrantOperationSign is a GrantOperation enum value
	GrantOperationSign = "Sign"

	// GrantOperationVerify is a GrantOperation enum value
	GrantOperationVerify = "Verify"

	// GrantOperationGetPublicKey is a GrantOperation enum value
	GrantOperationGetPublicKey = "GetPublicKey"

	// GrantOperationCreateGrant is a GrantOperation enum value
	GrantOperationCreateGrant = "CreateGrant"

	// GrantOperationRetireGrant is a GrantOperation enum value
	GrantOperationRetireGrant = "RetireGrant"

	// GrantOperationDescribeKey is a GrantOperation enum value
	GrantOperationDescribeKey = "DescribeKey"

	// GrantOperationGenerateDataKeyPair is a GrantOperation enum value
	GrantOperationGenerateDataKeyPair = "GenerateDataKeyPair"

	// GrantOperationGenerateDataKeyPairWithoutPlaintext is a GrantOperation enum value
	GrantOperationGenerateDataKeyPairWithoutPlaintext = "GenerateDataKeyPairWithoutPlaintext"
)

// KeyManagerType enum values.
const (
	// KeyManagerTypeAws is a KeyManagerType enum value
	KeyManagerTypeAws = "AWS"

	// KeyManagerTypeCustomer is a KeyManagerType enum value
	KeyManagerTypeCustomer = "CUSTOMER"
)

// KeyState enum values.
const (
	// KeyStateEnabled is a KeyState enum value
	KeyStateEnabled = "Enabled"

	// KeyStateDisabled is a KeyState enum value
	KeyStateDisabled = "Disabled"

	// KeyStatePendingDeletion is a KeyState enum value
	KeyStatePendingDeletion = "PendingDeletion"

	// KeyStatePendingImport is a KeyState enum value
	KeyStatePendingImport = "PendingImport"

	// KeyStateUnavailable is a KeyState enum value
	KeyStateUnavailable = "Unavailable"
)

// KeyUsageType enum values.
const (
	// KeyUsageTypeSignVerify is a KeyUsageType enum value
	KeyUsageTypeSignVerify = "SIGN_VERIFY"

	// KeyUsageTypeEncryptDecrypt is a KeyUsageType enum value
	KeyUsageTypeEncryptDecrypt = "ENCRYPT_DECRYPT"
)

// MessageType enum values. VerifyInput.MessageType takes RAW when Message
// holds the message itself and DIGEST when it holds a hash digest of it.
const (
	// MessageTypeRaw is a MessageType enum value
	MessageTypeRaw = "RAW"

	// MessageTypeDigest is a MessageType enum value
	MessageTypeDigest = "DIGEST"
)

// OriginType enum values.
const (
	// OriginTypeAwsKms is an OriginType enum value
	OriginTypeAwsKms = "AWS_KMS"

	// OriginTypeExternal is an OriginType enum value
	OriginTypeExternal = "EXTERNAL"

	// OriginTypeAwsCloudhsm is an OriginType enum value
	OriginTypeAwsCloudhsm = "AWS_CLOUDHSM"
)

// SigningAlgorithmSpec enum values: RSASSA-PSS, RSASSA-PKCS1-v1_5 and ECDSA,
// each with SHA-256, SHA-384 and SHA-512.
//
// PSS is the generally preferred RSA signature padding for new designs;
// PKCS #1 v1.5 signatures remain widely deployed for compatibility. The
// value used to verify must be the one used to sign, and VerifyInput.Validate
// does not check a supplied string against this set.
const (
	// SigningAlgorithmSpecRsassaPssSha256 is a SigningAlgorithmSpec enum value
	SigningAlgorithmSpecRsassaPssSha256 = "RSASSA_PSS_SHA_256"

	// SigningAlgorithmSpecRsassaPssSha384 is a SigningAlgorithmSpec enum value
	SigningAlgorithmSpecRsassaPssSha384 = "RSASSA_PSS_SHA_384"

	// SigningAlgorithmSpecRsassaPssSha512 is a SigningAlgorithmSpec enum value
	SigningAlgorithmSpecRsassaPssSha512 = "RSASSA_PSS_SHA_512"

	// SigningAlgorithmSpecRsassaPkcs1V15Sha256 is a SigningAlgorithmSpec enum value
	SigningAlgorithmSpecRsassaPkcs1V15Sha256 = "RSASSA_PKCS1_V1_5_SHA_256"

	// SigningAlgorithmSpecRsassaPkcs1V15Sha384 is a SigningAlgorithmSpec enum value
	SigningAlgorithmSpecRsassaPkcs1V15Sha384 = "RSASSA_PKCS1_V1_5_SHA_384"

	// SigningAlgorithmSpecRsassaPkcs1V15Sha512 is a SigningAlgorithmSpec enum value
	SigningAlgorithmSpecRsassaPkcs1V15Sha512 = "RSASSA_PKCS1_V1_5_SHA_512"

	// SigningAlgorithmSpecEcdsaSha256 is a SigningAlgorithmSpec enum value
	SigningAlgorithmSpecEcdsaSha256 = "ECDSA_SHA_256"

	// SigningAlgorithmSpecEcdsaSha384 is a SigningAlgorithmSpec enum value
	SigningAlgorithmSpecEcdsaSha384 = "ECDSA_SHA_384"

	// SigningAlgorithmSpecEcdsaSha512 is a SigningAlgorithmSpec enum value
	SigningAlgorithmSpecEcdsaSha512 = "ECDSA_SHA_512"
)

// WrappingKeySpec enum values; RSA_2048 is the only one defined here.
const (
	// WrappingKeySpecRsa2048 is a WrappingKeySpec enum value
	WrappingKeySpecRsa2048 = "RSA_2048"
)