1// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT. 2 3package kms 4 5import ( 6 "fmt" 7 "time" 8 9 "github.com/aws/aws-sdk-go/aws" 10 "github.com/aws/aws-sdk-go/aws/awsutil" 11 "github.com/aws/aws-sdk-go/aws/request" 12 "github.com/aws/aws-sdk-go/private/protocol" 13 "github.com/aws/aws-sdk-go/private/protocol/jsonrpc" 14) 15 16const opCancelKeyDeletion = "CancelKeyDeletion" 17 18// CancelKeyDeletionRequest generates a "aws/request.Request" representing the 19// client's request for the CancelKeyDeletion operation. The "output" return 20// value will be populated with the request's response once the request completes 21// successfully. 22// 23// Use "Send" method on the returned Request to send the API call to the service. 24// the "output" return value is not valid until after Send returns without error. 25// 26// See CancelKeyDeletion for more information on using the CancelKeyDeletion 27// API call, and error handling. 28// 29// This method is useful when you want to inject custom logic or configuration 30// into the SDK's request lifecycle. Such as custom headers, or retry logic. 31// 32// 33// // Example sending a request using the CancelKeyDeletionRequest method. 34// req, resp := client.CancelKeyDeletionRequest(params) 35// 36// err := req.Send() 37// if err == nil { // resp is now filled 38// fmt.Println(resp) 39// } 40// 41// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CancelKeyDeletion 42func (c *KMS) CancelKeyDeletionRequest(input *CancelKeyDeletionInput) (req *request.Request, output *CancelKeyDeletionOutput) { 43 op := &request.Operation{ 44 Name: opCancelKeyDeletion, 45 HTTPMethod: "POST", 46 HTTPPath: "/", 47 } 48 49 if input == nil { 50 input = &CancelKeyDeletionInput{} 51 } 52 53 output = &CancelKeyDeletionOutput{} 54 req = c.newRequest(op, input, output) 55 return 56} 57 58// CancelKeyDeletion API operation for AWS Key Management Service. 59// 60// Cancels the deletion of a customer master key (CMK). 
When this operation 61// succeeds, the key state of the CMK is Disabled. To enable the CMK, use EnableKey. 62// 63// For more information about scheduling and canceling deletion of a CMK, see 64// Deleting Customer Master Keys (https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) 65// in the AWS Key Management Service Developer Guide. 66// 67// The CMK that you use for this operation must be in a compatible key state. 68// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 69// in the AWS Key Management Service Developer Guide. 70// 71// Cross-account use: No. You cannot perform this operation on a CMK in a different 72// AWS account. 73// 74// Required permissions: kms:CancelKeyDeletion (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) 75// (key policy) 76// 77// Related operations: ScheduleKeyDeletion 78// 79// Returns awserr.Error for service API and SDK errors. Use runtime type assertions 80// with awserr.Error's Code and Message methods to get detailed information about 81// the error. 82// 83// See the AWS API reference guide for AWS Key Management Service's 84// API operation CancelKeyDeletion for usage and error information. 85// 86// Returned Error Types: 87// * NotFoundException 88// The request was rejected because the specified entity or resource could not 89// be found. 90// 91// * InvalidArnException 92// The request was rejected because a specified ARN, or an ARN in a key policy, 93// is not valid. 94// 95// * DependencyTimeoutException 96// The system timed out while trying to fulfill the request. The request can 97// be retried. 98// 99// * InternalException 100// The request was rejected because an internal exception occurred. The request 101// can be retried. 102// 103// * InvalidStateException 104// The request was rejected because the state of the specified resource is not 105// valid for this request. 
106// 107// For more information about how key state affects the use of a CMK, see How 108// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 109// in the AWS Key Management Service Developer Guide . 110// 111// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CancelKeyDeletion 112func (c *KMS) CancelKeyDeletion(input *CancelKeyDeletionInput) (*CancelKeyDeletionOutput, error) { 113 req, out := c.CancelKeyDeletionRequest(input) 114 return out, req.Send() 115} 116 117// CancelKeyDeletionWithContext is the same as CancelKeyDeletion with the addition of 118// the ability to pass a context and additional request options. 119// 120// See CancelKeyDeletion for details on how to use this API operation. 121// 122// The context must be non-nil and will be used for request cancellation. If 123// the context is nil a panic will occur. In the future the SDK may create 124// sub-contexts for http.Requests. See https://golang.org/pkg/context/ 125// for more information on using Contexts. 126func (c *KMS) CancelKeyDeletionWithContext(ctx aws.Context, input *CancelKeyDeletionInput, opts ...request.Option) (*CancelKeyDeletionOutput, error) { 127 req, out := c.CancelKeyDeletionRequest(input) 128 req.SetContext(ctx) 129 req.ApplyOptions(opts...) 130 return out, req.Send() 131} 132 133const opConnectCustomKeyStore = "ConnectCustomKeyStore" 134 135// ConnectCustomKeyStoreRequest generates a "aws/request.Request" representing the 136// client's request for the ConnectCustomKeyStore operation. The "output" return 137// value will be populated with the request's response once the request completes 138// successfully. 139// 140// Use "Send" method on the returned Request to send the API call to the service. 141// the "output" return value is not valid until after Send returns without error. 
142// 143// See ConnectCustomKeyStore for more information on using the ConnectCustomKeyStore 144// API call, and error handling. 145// 146// This method is useful when you want to inject custom logic or configuration 147// into the SDK's request lifecycle. Such as custom headers, or retry logic. 148// 149// 150// // Example sending a request using the ConnectCustomKeyStoreRequest method. 151// req, resp := client.ConnectCustomKeyStoreRequest(params) 152// 153// err := req.Send() 154// if err == nil { // resp is now filled 155// fmt.Println(resp) 156// } 157// 158// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ConnectCustomKeyStore 159func (c *KMS) ConnectCustomKeyStoreRequest(input *ConnectCustomKeyStoreInput) (req *request.Request, output *ConnectCustomKeyStoreOutput) { 160 op := &request.Operation{ 161 Name: opConnectCustomKeyStore, 162 HTTPMethod: "POST", 163 HTTPPath: "/", 164 } 165 166 if input == nil { 167 input = &ConnectCustomKeyStoreInput{} 168 } 169 170 output = &ConnectCustomKeyStoreOutput{} 171 req = c.newRequest(op, input, output) 172 req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) 173 return 174} 175 176// ConnectCustomKeyStore API operation for AWS Key Management Service. 177// 178// Connects or reconnects a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) 179// to its associated AWS CloudHSM cluster. 180// 181// The custom key store must be connected before you can create customer master 182// keys (CMKs) in the key store or use the CMKs it contains. You can disconnect 183// and reconnect a custom key store at any time. 184// 185// To connect a custom key store, its associated AWS CloudHSM cluster must have 186// at least one active HSM. To get the number of active HSMs in a cluster, use 187// the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) 188// operation. 
To add HSMs to the cluster, use the CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html) 189// operation. Also, the kmsuser crypto user (https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser) 190// (CU) must not be logged into the cluster. This prevents AWS KMS from using 191// this account to log in. 192// 193// The connection process can take an extended amount of time to complete; up 194// to 20 minutes. This operation starts the connection process, but it does 195// not wait for it to complete. When it succeeds, this operation quickly returns 196// an HTTP 200 response and a JSON object with no properties. However, this 197// response does not indicate that the custom key store is connected. To get 198// the connection state of the custom key store, use the DescribeCustomKeyStores 199// operation. 200// 201// During the connection process, AWS KMS finds the AWS CloudHSM cluster that 202// is associated with the custom key store, creates the connection infrastructure, 203// connects to the cluster, logs into the AWS CloudHSM client as the kmsuser 204// CU, and rotates its password. 205// 206// The ConnectCustomKeyStore operation might fail for various reasons. To find 207// the reason, use the DescribeCustomKeyStores operation and see the ConnectionErrorCode 208// in the response. For help interpreting the ConnectionErrorCode, see CustomKeyStoresListEntry. 209// 210// To fix the failure, use the DisconnectCustomKeyStore operation to disconnect 211// the custom key store, correct the error, use the UpdateCustomKeyStore operation 212// if necessary, and then use ConnectCustomKeyStore again. 213// 214// If you are having trouble connecting or disconnecting a custom key store, 215// see Troubleshooting a Custom Key Store (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html) 216// in the AWS Key Management Service Developer Guide. 217// 218// Cross-account use: No. 
You cannot perform this operation on a custom key 219// store in a different AWS account. 220// 221// Required permissions: kms:ConnectCustomKeyStore (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) 222// (IAM policy) 223// 224// Related operations 225// 226// * CreateCustomKeyStore 227// 228// * DeleteCustomKeyStore 229// 230// * DescribeCustomKeyStores 231// 232// * DisconnectCustomKeyStore 233// 234// * UpdateCustomKeyStore 235// 236// Returns awserr.Error for service API and SDK errors. Use runtime type assertions 237// with awserr.Error's Code and Message methods to get detailed information about 238// the error. 239// 240// See the AWS API reference guide for AWS Key Management Service's 241// API operation ConnectCustomKeyStore for usage and error information. 242// 243// Returned Error Types: 244// * CloudHsmClusterNotActiveException 245// The request was rejected because the AWS CloudHSM cluster that is associated 246// with the custom key store is not active. Initialize and activate the cluster 247// and try the command again. For detailed instructions, see Getting Started 248// (https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html) 249// in the AWS CloudHSM User Guide. 250// 251// * CustomKeyStoreInvalidStateException 252// The request was rejected because of the ConnectionState of the custom key 253// store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores 254// operation. 255// 256// This exception is thrown under the following conditions: 257// 258// * You requested the CreateKey or GenerateRandom operation in a custom 259// key store that is not connected. These operations are valid only when 260// the custom key store ConnectionState is CONNECTED. 261// 262// * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation 263// on a custom key store that is not disconnected. 
This operation is valid 264// only when the custom key store ConnectionState is DISCONNECTED. 265// 266// * You requested the ConnectCustomKeyStore operation on a custom key store 267// with a ConnectionState of DISCONNECTING or FAILED. This operation is valid 268// for all other ConnectionState values. 269// 270// * CustomKeyStoreNotFoundException 271// The request was rejected because AWS KMS cannot find a custom key store with 272// the specified key store name or ID. 273// 274// * InternalException 275// The request was rejected because an internal exception occurred. The request 276// can be retried. 277// 278// * CloudHsmClusterInvalidConfigurationException 279// The request was rejected because the associated AWS CloudHSM cluster did 280// not meet the configuration requirements for a custom key store. 281// 282// * The cluster must be configured with private subnets in at least two 283// different Availability Zones in the Region. 284// 285// * The security group for the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) 286// (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound 287// rules that allow TCP traffic on ports 2223-2225. The Source in the inbound 288// rules and the Destination in the outbound rules must match the security 289// group ID. These rules are set by default when you create the cluster. 290// Do not delete or change them. To get information about a particular security 291// group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html) 292// operation. 293// 294// * The cluster must contain at least as many HSMs as the operation requires. 295// To add HSMs, use the AWS CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html) 296// operation. 
For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey 297// operations, the AWS CloudHSM cluster must have at least two active HSMs, 298// each in a different Availability Zone. For the ConnectCustomKeyStore operation, 299// the AWS CloudHSM must contain at least one active HSM. 300// 301// For information about the requirements for an AWS CloudHSM cluster that is 302// associated with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) 303// in the AWS Key Management Service Developer Guide. For information about 304// creating a private subnet for an AWS CloudHSM cluster, see Create a Private 305// Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html) 306// in the AWS CloudHSM User Guide. For information about cluster security groups, 307// see Configure a Default Security Group (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) 308// in the AWS CloudHSM User Guide . 309// 310// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ConnectCustomKeyStore 311func (c *KMS) ConnectCustomKeyStore(input *ConnectCustomKeyStoreInput) (*ConnectCustomKeyStoreOutput, error) { 312 req, out := c.ConnectCustomKeyStoreRequest(input) 313 return out, req.Send() 314} 315 316// ConnectCustomKeyStoreWithContext is the same as ConnectCustomKeyStore with the addition of 317// the ability to pass a context and additional request options. 318// 319// See ConnectCustomKeyStore for details on how to use this API operation. 320// 321// The context must be non-nil and will be used for request cancellation. If 322// the context is nil a panic will occur. In the future the SDK may create 323// sub-contexts for http.Requests. See https://golang.org/pkg/context/ 324// for more information on using Contexts. 
325func (c *KMS) ConnectCustomKeyStoreWithContext(ctx aws.Context, input *ConnectCustomKeyStoreInput, opts ...request.Option) (*ConnectCustomKeyStoreOutput, error) { 326 req, out := c.ConnectCustomKeyStoreRequest(input) 327 req.SetContext(ctx) 328 req.ApplyOptions(opts...) 329 return out, req.Send() 330} 331 332const opCreateAlias = "CreateAlias" 333 334// CreateAliasRequest generates a "aws/request.Request" representing the 335// client's request for the CreateAlias operation. The "output" return 336// value will be populated with the request's response once the request completes 337// successfully. 338// 339// Use "Send" method on the returned Request to send the API call to the service. 340// the "output" return value is not valid until after Send returns without error. 341// 342// See CreateAlias for more information on using the CreateAlias 343// API call, and error handling. 344// 345// This method is useful when you want to inject custom logic or configuration 346// into the SDK's request lifecycle. Such as custom headers, or retry logic. 347// 348// 349// // Example sending a request using the CreateAliasRequest method. 350// req, resp := client.CreateAliasRequest(params) 351// 352// err := req.Send() 353// if err == nil { // resp is now filled 354// fmt.Println(resp) 355// } 356// 357// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateAlias 358func (c *KMS) CreateAliasRequest(input *CreateAliasInput) (req *request.Request, output *CreateAliasOutput) { 359 op := &request.Operation{ 360 Name: opCreateAlias, 361 HTTPMethod: "POST", 362 HTTPPath: "/", 363 } 364 365 if input == nil { 366 input = &CreateAliasInput{} 367 } 368 369 output = &CreateAliasOutput{} 370 req = c.newRequest(op, input, output) 371 req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) 372 return 373} 374 375// CreateAlias API operation for AWS Key Management Service. 
376// 377// Creates a friendly name for a customer master key (CMK). 378// 379// Adding, deleting, or updating an alias can allow or deny permission to the 380// CMK. For details, see Using ABAC in AWS KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) 381// in the AWS Key Management Service Developer Guide. 382// 383// You can use an alias to identify a CMK in the AWS KMS console, in the DescribeKey 384// operation and in cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations), 385// such as Encrypt and GenerateDataKey. You can also change the CMK that's associated 386// with the alias (UpdateAlias) or delete the alias (DeleteAlias) at any time. 387// These operations don't affect the underlying CMK. 388// 389// You can associate the alias with any customer managed CMK in the same AWS 390// Region. Each alias is associated with only one CMK at a time, but a CMK can 391// have multiple aliases. A valid CMK is required. You can't create an alias 392// without a CMK. 393// 394// The alias must be unique in the account and Region, but you can have aliases 395// with the same name in different Regions. For detailed information about aliases, 396// see Using aliases (https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html) 397// in the AWS Key Management Service Developer Guide. 398// 399// This operation does not return a response. To get the alias that you created, 400// use the ListAliases operation. 401// 402// The CMK that you use for this operation must be in a compatible key state. 403// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 404// in the AWS Key Management Service Developer Guide. 405// 406// Cross-account use: No. You cannot perform this operation on an alias in a 407// different AWS account. 
408// 409// Required permissions 410// 411// * kms:CreateAlias (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) 412// on the alias (IAM policy). 413// 414// * kms:CreateAlias (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) 415// on the CMK (key policy). 416// 417// For details, see Controlling access to aliases (https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access) 418// in the AWS Key Management Service Developer Guide. 419// 420// Related operations: 421// 422// * DeleteAlias 423// 424// * ListAliases 425// 426// * UpdateAlias 427// 428// Returns awserr.Error for service API and SDK errors. Use runtime type assertions 429// with awserr.Error's Code and Message methods to get detailed information about 430// the error. 431// 432// See the AWS API reference guide for AWS Key Management Service's 433// API operation CreateAlias for usage and error information. 434// 435// Returned Error Types: 436// * DependencyTimeoutException 437// The system timed out while trying to fulfill the request. The request can 438// be retried. 439// 440// * AlreadyExistsException 441// The request was rejected because it attempted to create a resource that already 442// exists. 443// 444// * NotFoundException 445// The request was rejected because the specified entity or resource could not 446// be found. 447// 448// * InvalidAliasNameException 449// The request was rejected because the specified alias name is not valid. 450// 451// * InternalException 452// The request was rejected because an internal exception occurred. The request 453// can be retried. 454// 455// * LimitExceededException 456// The request was rejected because a quota was exceeded. For more information, 457// see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html) 458// in the AWS Key Management Service Developer Guide. 
459// 460// * InvalidStateException 461// The request was rejected because the state of the specified resource is not 462// valid for this request. 463// 464// For more information about how key state affects the use of a CMK, see How 465// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 466// in the AWS Key Management Service Developer Guide . 467// 468// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateAlias 469func (c *KMS) CreateAlias(input *CreateAliasInput) (*CreateAliasOutput, error) { 470 req, out := c.CreateAliasRequest(input) 471 return out, req.Send() 472} 473 474// CreateAliasWithContext is the same as CreateAlias with the addition of 475// the ability to pass a context and additional request options. 476// 477// See CreateAlias for details on how to use this API operation. 478// 479// The context must be non-nil and will be used for request cancellation. If 480// the context is nil a panic will occur. In the future the SDK may create 481// sub-contexts for http.Requests. See https://golang.org/pkg/context/ 482// for more information on using Contexts. 483func (c *KMS) CreateAliasWithContext(ctx aws.Context, input *CreateAliasInput, opts ...request.Option) (*CreateAliasOutput, error) { 484 req, out := c.CreateAliasRequest(input) 485 req.SetContext(ctx) 486 req.ApplyOptions(opts...) 487 return out, req.Send() 488} 489 490const opCreateCustomKeyStore = "CreateCustomKeyStore" 491 492// CreateCustomKeyStoreRequest generates a "aws/request.Request" representing the 493// client's request for the CreateCustomKeyStore operation. The "output" return 494// value will be populated with the request's response once the request completes 495// successfully. 496// 497// Use "Send" method on the returned Request to send the API call to the service. 498// the "output" return value is not valid until after Send returns without error. 
499// 500// See CreateCustomKeyStore for more information on using the CreateCustomKeyStore 501// API call, and error handling. 502// 503// This method is useful when you want to inject custom logic or configuration 504// into the SDK's request lifecycle. Such as custom headers, or retry logic. 505// 506// 507// // Example sending a request using the CreateCustomKeyStoreRequest method. 508// req, resp := client.CreateCustomKeyStoreRequest(params) 509// 510// err := req.Send() 511// if err == nil { // resp is now filled 512// fmt.Println(resp) 513// } 514// 515// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateCustomKeyStore 516func (c *KMS) CreateCustomKeyStoreRequest(input *CreateCustomKeyStoreInput) (req *request.Request, output *CreateCustomKeyStoreOutput) { 517 op := &request.Operation{ 518 Name: opCreateCustomKeyStore, 519 HTTPMethod: "POST", 520 HTTPPath: "/", 521 } 522 523 if input == nil { 524 input = &CreateCustomKeyStoreInput{} 525 } 526 527 output = &CreateCustomKeyStoreOutput{} 528 req = c.newRequest(op, input, output) 529 return 530} 531 532// CreateCustomKeyStore API operation for AWS Key Management Service. 533// 534// Creates a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) 535// that is associated with an AWS CloudHSM cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/clusters.html) 536// that you own and manage. 537// 538// This operation is part of the Custom Key Store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) 539// feature in AWS KMS, which combines the convenience and extensive integration 540// of AWS KMS with the isolation and control of a single-tenant key store. 541// 542// Before you create the custom key store, you must assemble the required elements, 543// including an AWS CloudHSM cluster that fulfills the requirements for a custom 544// key store. 
For details about the required elements, see Assemble the Prerequisites 545// (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) 546// in the AWS Key Management Service Developer Guide. 547// 548// When the operation completes successfully, it returns the ID of the new custom 549// key store. Before you can use your new custom key store, you need to use 550// the ConnectCustomKeyStore operation to connect the new key store to its AWS 551// CloudHSM cluster. Even if you are not going to use your custom key store 552// immediately, you might want to connect it to verify that all settings are 553// correct and then disconnect it until you are ready to use it. 554// 555// For help with failures, see Troubleshooting a Custom Key Store (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html) 556// in the AWS Key Management Service Developer Guide. 557// 558// Cross-account use: No. You cannot perform this operation on a custom key 559// store in a different AWS account. 560// 561// Required permissions: kms:CreateCustomKeyStore (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) 562// (IAM policy). 563// 564// Related operations: 565// 566// * ConnectCustomKeyStore 567// 568// * DeleteCustomKeyStore 569// 570// * DescribeCustomKeyStores 571// 572// * DisconnectCustomKeyStore 573// 574// * UpdateCustomKeyStore 575// 576// Returns awserr.Error for service API and SDK errors. Use runtime type assertions 577// with awserr.Error's Code and Message methods to get detailed information about 578// the error. 579// 580// See the AWS API reference guide for AWS Key Management Service's 581// API operation CreateCustomKeyStore for usage and error information. 
582// 583// Returned Error Types: 584// * CloudHsmClusterInUseException 585// The request was rejected because the specified AWS CloudHSM cluster is already 586// associated with a custom key store or it shares a backup history with a cluster 587// that is associated with a custom key store. Each custom key store must be 588// associated with a different AWS CloudHSM cluster. 589// 590// Clusters that share a backup history have the same cluster certificate. To 591// view the cluster certificate of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) 592// operation. 593// 594// * CustomKeyStoreNameInUseException 595// The request was rejected because the specified custom key store name is already 596// assigned to another custom key store in the account. Try again with a custom 597// key store name that is unique in the account. 598// 599// * CloudHsmClusterNotFoundException 600// The request was rejected because AWS KMS cannot find the AWS CloudHSM cluster 601// with the specified cluster ID. Retry the request with a different cluster 602// ID. 603// 604// * InternalException 605// The request was rejected because an internal exception occurred. The request 606// can be retried. 607// 608// * CloudHsmClusterNotActiveException 609// The request was rejected because the AWS CloudHSM cluster that is associated 610// with the custom key store is not active. Initialize and activate the cluster 611// and try the command again. For detailed instructions, see Getting Started 612// (https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html) 613// in the AWS CloudHSM User Guide. 614// 615// * IncorrectTrustAnchorException 616// The request was rejected because the trust anchor certificate in the request 617// is not the trust anchor certificate for the specified AWS CloudHSM cluster. 
618// 619// When you initialize the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr), 620// you create the trust anchor certificate and save it in the customerCA.crt 621// file. 622// 623// * CloudHsmClusterInvalidConfigurationException 624// The request was rejected because the associated AWS CloudHSM cluster did 625// not meet the configuration requirements for a custom key store. 626// 627// * The cluster must be configured with private subnets in at least two 628// different Availability Zones in the Region. 629// 630// * The security group for the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) 631// (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound 632// rules that allow TCP traffic on ports 2223-2225. The Source in the inbound 633// rules and the Destination in the outbound rules must match the security 634// group ID. These rules are set by default when you create the cluster. 635// Do not delete or change them. To get information about a particular security 636// group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html) 637// operation. 638// 639// * The cluster must contain at least as many HSMs as the operation requires. 640// To add HSMs, use the AWS CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html) 641// operation. For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey 642// operations, the AWS CloudHSM cluster must have at least two active HSMs, 643// each in a different Availability Zone. For the ConnectCustomKeyStore operation, 644// the AWS CloudHSM must contain at least one active HSM. 
//
//   For information about the requirements for an AWS CloudHSM cluster that is
//   associated with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore)
//   in the AWS Key Management Service Developer Guide. For information about
//   creating a private subnet for an AWS CloudHSM cluster, see Create a Private
//   Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html)
//   in the AWS CloudHSM User Guide. For information about cluster security groups,
//   see Configure a Default Security Group (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html)
//   in the AWS CloudHSM User Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateCustomKeyStore
func (c *KMS) CreateCustomKeyStore(input *CreateCustomKeyStoreInput) (*CreateCustomKeyStoreOutput, error) {
	// Build the request, then send it. The output is returned alongside any
	// Send error, so callers must check the error before reading it.
	r, resp := c.CreateCustomKeyStoreRequest(input)
	err := r.Send()
	return resp, err
}

// CreateCustomKeyStoreWithContext behaves like CreateCustomKeyStore and
// additionally accepts a context and per-request options.
//
// See CreateCustomKeyStore for details on how to use this API operation.
//
// The context is used for request cancellation and must be non-nil; a nil
// context causes a panic. In the future the SDK may create sub-contexts for
// http.Requests. See https://golang.org/pkg/context/ for more information on
// using Contexts.
func (c *KMS) CreateCustomKeyStoreWithContext(ctx aws.Context, input *CreateCustomKeyStoreInput, opts ...request.Option) (*CreateCustomKeyStoreOutput, error) {
	r, resp := c.CreateCustomKeyStoreRequest(input)
	// The context is attached before the caller's options are applied, and
	// both happen before the request is sent.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

// opCreateGrant is the operation name placed in the request.Operation that
// CreateGrantRequest builds.
const opCreateGrant = "CreateGrant"

// CreateGrantRequest builds, but does not send, the "aws/request.Request" for
// the CreateGrant operation. The "output" return value is populated with the
// response once the request completes successfully.
//
// Call "Send" on the returned Request to send the API call to the service.
// The "output" return value is not valid until Send has returned without error.
//
// See CreateGrant for more information on using the CreateGrant API call and
// on error handling.
//
// Use this method when you want to inject custom logic or configuration into
// the SDK's request lifecycle, such as custom headers or retry logic.
//
//    // Example sending a request using the CreateGrantRequest method.
//    req, resp := client.CreateGrantRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateGrant
func (c *KMS) CreateGrantRequest(input *CreateGrantInput) (req *request.Request, output *CreateGrantOutput) {
	// A nil input is replaced by an empty parameter struct before the
	// request is built.
	params := input
	if params == nil {
		params = &CreateGrantInput{}
	}

	output = &CreateGrantOutput{}
	req = c.newRequest(&request.Operation{
		Name:       opCreateGrant,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, params, output)
	return req, output
}

// CreateGrant API operation for AWS Key Management Service.
//
// Adds a grant to a customer master key (CMK).
//
// A grant is a policy instrument that allows AWS principals to use AWS KMS
// customer master keys (CMKs) in cryptographic operations. It also can allow
// them to view a CMK (DescribeKey) and create and manage grants. When authorizing
// access to a CMK, grants are considered along with key policies and IAM policies.
727// Grants are often used for temporary permissions because you can create one, 728// use its permissions, and delete it without changing your key policies or 729// IAM policies. 730// 731// For detailed information about grants, including grant terminology, see Using 732// grants (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) 733// in the AWS Key Management Service Developer Guide . For examples of working 734// with grants in several programming languages, see Programming grants (https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html). 735// 736// The CreateGrant operation returns a GrantToken and a GrantId. 737// 738// * When you create, retire, or revoke a grant, there might be a brief delay, 739// usually less than five minutes, until the grant is available throughout 740// AWS KMS. This state is known as eventual consistency. Once the grant has 741// achieved eventual consistency, the grantee principal can use the permissions 742// in the grant without identifying the grant. However, to use the permissions 743// in the grant immediately, use the GrantToken that CreateGrant returns. 744// For details, see Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html) 745// in the AWS Key Management Service Developer Guide . 746// 747// * The CreateGrant operation also returns a GrantId. You can use the GrantId 748// and a key identifier to identify the grant in the RetireGrant and RevokeGrant 749// operations. To find the grant ID, use the ListGrants or ListRetirableGrants 750// operations. 751// 752// For information about symmetric and asymmetric CMKs, see Using Symmetric 753// and Asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) 754// in the AWS Key Management Service Developer Guide. 
For more information about 755// grants, see Grants (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) 756// in the AWS Key Management Service Developer Guide . 757// 758// The CMK that you use for this operation must be in a compatible key state. 759// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 760// in the AWS Key Management Service Developer Guide. 761// 762// Cross-account use: Yes. To perform this operation on a CMK in a different 763// AWS account, specify the key ARN in the value of the KeyId parameter. 764// 765// Required permissions: kms:CreateGrant (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) 766// (key policy) 767// 768// Related operations: 769// 770// * ListGrants 771// 772// * ListRetirableGrants 773// 774// * RetireGrant 775// 776// * RevokeGrant 777// 778// Returns awserr.Error for service API and SDK errors. Use runtime type assertions 779// with awserr.Error's Code and Message methods to get detailed information about 780// the error. 781// 782// See the AWS API reference guide for AWS Key Management Service's 783// API operation CreateGrant for usage and error information. 784// 785// Returned Error Types: 786// * NotFoundException 787// The request was rejected because the specified entity or resource could not 788// be found. 789// 790// * DisabledException 791// The request was rejected because the specified CMK is not enabled. 792// 793// * DependencyTimeoutException 794// The system timed out while trying to fulfill the request. The request can 795// be retried. 796// 797// * InvalidArnException 798// The request was rejected because a specified ARN, or an ARN in a key policy, 799// is not valid. 800// 801// * InternalException 802// The request was rejected because an internal exception occurred. The request 803// can be retried. 
//
//   * InvalidGrantTokenException
//   The request was rejected because the specified grant token is not valid.
//
//   * LimitExceededException
//   The request was rejected because a quota was exceeded. For more information,
//   see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html)
//   in the AWS Key Management Service Developer Guide.
//
//   * InvalidStateException
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateGrant
func (c *KMS) CreateGrant(input *CreateGrantInput) (*CreateGrantOutput, error) {
	// Build the request, then send it. The output is returned alongside any
	// Send error, so callers must check the error before reading it.
	r, resp := c.CreateGrantRequest(input)
	err := r.Send()
	return resp, err
}

// CreateGrantWithContext behaves like CreateGrant and additionally accepts a
// context and per-request options.
//
// See CreateGrant for details on how to use this API operation.
//
// The context is used for request cancellation and must be non-nil; a nil
// context causes a panic. In the future the SDK may create sub-contexts for
// http.Requests. See https://golang.org/pkg/context/ for more information on
// using Contexts.
func (c *KMS) CreateGrantWithContext(ctx aws.Context, input *CreateGrantInput, opts ...request.Option) (*CreateGrantOutput, error) {
	r, resp := c.CreateGrantRequest(input)
	// The context is attached before the caller's options are applied, and
	// both happen before the request is sent.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

// opCreateKey is the operation name placed in the request.Operation that
// CreateKeyRequest builds.
const opCreateKey = "CreateKey"

// CreateKeyRequest builds, but does not send, the "aws/request.Request" for
// the CreateKey operation. The "output" return value is populated with the
// response once the request completes successfully.
//
// Call "Send" on the returned Request to send the API call to the service.
// The "output" return value is not valid until Send has returned without error.
//
// See CreateKey for more information on using the CreateKey API call and on
// error handling.
//
// Use this method when you want to inject custom logic or configuration into
// the SDK's request lifecycle, such as custom headers or retry logic.
//
//    // Example sending a request using the CreateKeyRequest method.
//    req, resp := client.CreateKeyRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKey
func (c *KMS) CreateKeyRequest(input *CreateKeyInput) (req *request.Request, output *CreateKeyOutput) {
	// A nil input is replaced by an empty parameter struct before the
	// request is built.
	params := input
	if params == nil {
		params = &CreateKeyInput{}
	}

	output = &CreateKeyOutput{}
	req = c.newRequest(&request.Operation{
		Name:       opCreateKey,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, params, output)
	return req, output
}

// CreateKey API operation for AWS Key Management Service.
//
// Creates a unique customer managed customer master key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master-keys)
// (CMK) in your AWS account and Region.
//
// You can use the CreateKey operation to create symmetric or asymmetric CMKs.
//
//    * Symmetric CMKs contain a 256-bit symmetric key that never leaves AWS
//    KMS unencrypted. To use the CMK, you must call AWS KMS.
You can use a 894// symmetric CMK to encrypt and decrypt small amounts of data, but they are 895// typically used to generate data keys (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-keys) 896// and data keys pairs (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-key-pairs). 897// For details, see GenerateDataKey and GenerateDataKeyPair. 898// 899// * Asymmetric CMKs can contain an RSA key pair or an Elliptic Curve (ECC) 900// key pair. The private key in an asymmetric CMK never leaves AWS KMS unencrypted. 901// However, you can use the GetPublicKey operation to download the public 902// key so it can be used outside of AWS KMS. CMKs with RSA key pairs can 903// be used to encrypt or decrypt data or sign and verify messages (but not 904// both). CMKs with ECC key pairs can be used only to sign and verify messages. 905// 906// For information about symmetric and asymmetric CMKs, see Using Symmetric 907// and Asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) 908// in the AWS Key Management Service Developer Guide. 909// 910// To create different types of CMKs, use the following guidance: 911// 912// Asymmetric CMKs 913// 914// To create an asymmetric CMK, use the CustomerMasterKeySpec parameter to specify 915// the type of key material in the CMK. Then, use the KeyUsage parameter to 916// determine whether the CMK will be used to encrypt and decrypt or sign and 917// verify. You can't change these properties after the CMK is created. 918// 919// Symmetric CMKs 920// 921// When creating a symmetric CMK, you don't need to specify the CustomerMasterKeySpec 922// or KeyUsage parameters. The default value for CustomerMasterKeySpec, SYMMETRIC_DEFAULT, 923// and the default value for KeyUsage, ENCRYPT_DECRYPT, are the only valid values 924// for symmetric CMKs. 
925// 926// Multi-Region primary keys 927// 928// Imported key material 929// 930// To create a multi-Region primary key in the local AWS Region, use the MultiRegion 931// parameter with a value of True. To create a multi-Region replica key, that 932// is, a CMK with the same key ID and key material as a primary key, but in 933// a different AWS Region, use the ReplicateKey operation. To change a replica 934// key to a primary key, and its primary key to a replica key, use the UpdatePrimaryRegion 935// operation. 936// 937// This operation supports multi-Region keys, an AWS KMS feature that lets you 938// create multiple interoperable CMKs in different AWS Regions. Because these 939// CMKs have the same key ID, key material, and other metadata, you can use 940// them to encrypt data in one AWS Region and decrypt it in a different AWS 941// Region without making a cross-Region call or exposing the plaintext data. 942// For more information about multi-Region keys, see Using multi-Region keys 943// (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) 944// in the AWS Key Management Service Developer Guide. 945// 946// You can create symmetric and asymmetric multi-Region keys and multi-Region 947// keys with imported key material. You cannot create multi-Region keys in a 948// custom key store. 949// 950// To import your own key material, begin by creating a symmetric CMK with no 951// key material. To do this, use the Origin parameter of CreateKey with a value 952// of EXTERNAL. Next, use GetParametersForImport operation to get a public key 953// and import token, and use the public key to encrypt your key material. Then, 954// use ImportKeyMaterial with your import token to import the key material. 955// For step-by-step instructions, see Importing Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) 956// in the AWS Key Management Service Developer Guide . 
You cannot import the 957// key material into an asymmetric CMK. 958// 959// To create a multi-Region primary key with imported key material, use the 960// Origin parameter of CreateKey with a value of EXTERNAL and the MultiRegion 961// parameter with a value of True. To create replicas of the multi-Region primary 962// key, use the ReplicateKey operation. For more information about multi-Region 963// keys, see Using multi-Region keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) 964// in the AWS Key Management Service Developer Guide. 965// 966// Custom key store 967// 968// To create a symmetric CMK in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html), 969// use the CustomKeyStoreId parameter to specify the custom key store. You must 970// also use the Origin parameter with a value of AWS_CLOUDHSM. The AWS CloudHSM 971// cluster that is associated with the custom key store must have at least two 972// active HSMs in different Availability Zones in the AWS Region. 973// 974// You cannot create an asymmetric CMK or a multi-Region CMK in a custom key 975// store. For information about custom key stores in AWS KMS see Using Custom 976// Key Stores (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) 977// in the AWS Key Management Service Developer Guide . 978// 979// Cross-account use: No. You cannot use this operation to create a CMK in a 980// different AWS account. 981// 982// Required permissions: kms:CreateKey (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) 983// (IAM policy). To use the Tags parameter, kms:TagResource (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) 984// (IAM policy). 
For examples and information about related permissions, see 985// Allow a user to create CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-create-key) 986// in the AWS Key Management Service Developer Guide. 987// 988// Related operations: 989// 990// * DescribeKey 991// 992// * ListKeys 993// 994// * ScheduleKeyDeletion 995// 996// Returns awserr.Error for service API and SDK errors. Use runtime type assertions 997// with awserr.Error's Code and Message methods to get detailed information about 998// the error. 999// 1000// See the AWS API reference guide for AWS Key Management Service's 1001// API operation CreateKey for usage and error information. 1002// 1003// Returned Error Types: 1004// * MalformedPolicyDocumentException 1005// The request was rejected because the specified policy is not syntactically 1006// or semantically correct. 1007// 1008// * DependencyTimeoutException 1009// The system timed out while trying to fulfill the request. The request can 1010// be retried. 1011// 1012// * InvalidArnException 1013// The request was rejected because a specified ARN, or an ARN in a key policy, 1014// is not valid. 1015// 1016// * UnsupportedOperationException 1017// The request was rejected because a specified parameter is not supported or 1018// a specified resource is not valid for this operation. 1019// 1020// * InternalException 1021// The request was rejected because an internal exception occurred. The request 1022// can be retried. 1023// 1024// * LimitExceededException 1025// The request was rejected because a quota was exceeded. For more information, 1026// see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html) 1027// in the AWS Key Management Service Developer Guide. 1028// 1029// * TagException 1030// The request was rejected because one or more tags are not valid. 
1031// 1032// * CustomKeyStoreNotFoundException 1033// The request was rejected because AWS KMS cannot find a custom key store with 1034// the specified key store name or ID. 1035// 1036// * CustomKeyStoreInvalidStateException 1037// The request was rejected because of the ConnectionState of the custom key 1038// store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores 1039// operation. 1040// 1041// This exception is thrown under the following conditions: 1042// 1043// * You requested the CreateKey or GenerateRandom operation in a custom 1044// key store that is not connected. These operations are valid only when 1045// the custom key store ConnectionState is CONNECTED. 1046// 1047// * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation 1048// on a custom key store that is not disconnected. This operation is valid 1049// only when the custom key store ConnectionState is DISCONNECTED. 1050// 1051// * You requested the ConnectCustomKeyStore operation on a custom key store 1052// with a ConnectionState of DISCONNECTING or FAILED. This operation is valid 1053// for all other ConnectionState values. 1054// 1055// * CloudHsmClusterInvalidConfigurationException 1056// The request was rejected because the associated AWS CloudHSM cluster did 1057// not meet the configuration requirements for a custom key store. 1058// 1059// * The cluster must be configured with private subnets in at least two 1060// different Availability Zones in the Region. 1061// 1062// * The security group for the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) 1063// (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound 1064// rules that allow TCP traffic on ports 2223-2225. The Source in the inbound 1065// rules and the Destination in the outbound rules must match the security 1066// group ID. These rules are set by default when you create the cluster. 1067// Do not delete or change them. 
//      To get information about a particular security
//      group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html)
//      operation.
//
//      * The cluster must contain at least as many HSMs as the operation requires.
//      To add HSMs, use the AWS CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html)
//      operation. For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey
//      operations, the AWS CloudHSM cluster must have at least two active HSMs,
//      each in a different Availability Zone. For the ConnectCustomKeyStore operation,
//      the AWS CloudHSM must contain at least one active HSM.
//
//   For information about the requirements for an AWS CloudHSM cluster that is
//   associated with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore)
//   in the AWS Key Management Service Developer Guide. For information about
//   creating a private subnet for an AWS CloudHSM cluster, see Create a Private
//   Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html)
//   in the AWS CloudHSM User Guide. For information about cluster security groups,
//   see Configure a Default Security Group (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html)
//   in the AWS CloudHSM User Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKey
func (c *KMS) CreateKey(input *CreateKeyInput) (*CreateKeyOutput, error) {
	// Build the request, then send it. The output is returned alongside any
	// Send error, so callers must check the error before reading it.
	r, resp := c.CreateKeyRequest(input)
	err := r.Send()
	return resp, err
}

// CreateKeyWithContext is the same as CreateKey with the addition of
// the ability to pass a context and additional request options.
//
// See CreateKey for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) CreateKeyWithContext(ctx aws.Context, input *CreateKeyInput, opts ...request.Option) (*CreateKeyOutput, error) {
	r, resp := c.CreateKeyRequest(input)
	// The context is attached before the caller's options are applied, and
	// both happen before the request is sent.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	// The output is returned alongside any Send error; check the error
	// before reading it.
	err := r.Send()
	return resp, err
}

// opDecrypt is the operation name placed in the request.Operation that
// DecryptRequest builds.
const opDecrypt = "Decrypt"

// DecryptRequest builds, but does not send, the "aws/request.Request" for the
// Decrypt operation. The "output" return value is populated with the response
// once the request completes successfully.
//
// Call "Send" on the returned Request to send the API call to the service.
// The "output" return value is not valid until Send has returned without error.
//
// See Decrypt for more information on using the Decrypt API call and on
// error handling.
//
// Use this method when you want to inject custom logic or configuration into
// the SDK's request lifecycle, such as custom headers or retry logic.
//
//    // Example sending a request using the DecryptRequest method.
//    req, resp := client.DecryptRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Decrypt
func (c *KMS) DecryptRequest(input *DecryptInput) (req *request.Request, output *DecryptOutput) {
	// A nil input is replaced by an empty parameter struct before the
	// request is built.
	params := input
	if params == nil {
		params = &DecryptInput{}
	}

	output = &DecryptOutput{}
	req = c.newRequest(&request.Operation{
		Name:       opDecrypt,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, params, output)
	return req, output
}

// Decrypt API operation for AWS Key Management Service.
//
// Decrypts ciphertext that was encrypted by an AWS KMS customer master key (CMK)
// using any of the following operations:
//
//    * Encrypt
//
//    * GenerateDataKey
//
//    * GenerateDataKeyPair
//
//    * GenerateDataKeyWithoutPlaintext
//
//    * GenerateDataKeyPairWithoutPlaintext
//
// You can use this operation to decrypt ciphertext that was encrypted under
// a symmetric or asymmetric CMK. When the CMK is asymmetric, you must specify
// the CMK and the encryption algorithm that was used to encrypt the ciphertext.
// For information about symmetric and asymmetric CMKs, see Using Symmetric
// and Asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html)
// in the AWS Key Management Service Developer Guide.
//
// The Decrypt operation also decrypts ciphertext that was encrypted outside
// of AWS KMS by the public key in an AWS KMS asymmetric CMK. However, it cannot
// decrypt ciphertext produced by other libraries, such as the AWS Encryption
// SDK (https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/)
// or Amazon S3 client-side encryption (https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html).
1178// These libraries return a ciphertext format that is incompatible with AWS 1179// KMS. 1180// 1181// If the ciphertext was encrypted under a symmetric CMK, the KeyId parameter 1182// is optional. AWS KMS can get this information from metadata that it adds 1183// to the symmetric ciphertext blob. This feature adds durability to your implementation 1184// by ensuring that authorized users can decrypt ciphertext decades after it 1185// was encrypted, even if they've lost track of the CMK ID. However, specifying 1186// the CMK is always recommended as a best practice. When you use the KeyId 1187// parameter to specify a CMK, AWS KMS only uses the CMK you specify. If the 1188// ciphertext was encrypted under a different CMK, the Decrypt operation fails. 1189// This practice ensures that you use the CMK that you intend. 1190// 1191// Whenever possible, use key policies to give users permission to call the 1192// Decrypt operation on a particular CMK, instead of using IAM policies. Otherwise, 1193// you might create an IAM user policy that gives the user Decrypt permission 1194// on all CMKs. This user could decrypt ciphertext that was encrypted by CMKs 1195// in other accounts if the key policy for the cross-account CMK permits it. 1196// If you must use an IAM policy for Decrypt permissions, limit the user to 1197// particular CMKs or particular trusted accounts. For details, see Best practices 1198// for IAM policies (https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policies-best-practices) 1199// in the AWS Key Management Service Developer Guide. 1200// 1201// The CMK that you use for this operation must be in a compatible key state. 1202// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 1203// in the AWS Key Management Service Developer Guide. 1204// 1205// Cross-account use: Yes. You can decrypt a ciphertext using a CMK in a different 1206// AWS account. 
1207// 1208// Required permissions: kms:Decrypt (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) 1209// (key policy) 1210// 1211// Related operations: 1212// 1213// * Encrypt 1214// 1215// * GenerateDataKey 1216// 1217// * GenerateDataKeyPair 1218// 1219// * ReEncrypt 1220// 1221// Returns awserr.Error for service API and SDK errors. Use runtime type assertions 1222// with awserr.Error's Code and Message methods to get detailed information about 1223// the error. 1224// 1225// See the AWS API reference guide for AWS Key Management Service's 1226// API operation Decrypt for usage and error information. 1227// 1228// Returned Error Types: 1229// * NotFoundException 1230// The request was rejected because the specified entity or resource could not 1231// be found. 1232// 1233// * DisabledException 1234// The request was rejected because the specified CMK is not enabled. 1235// 1236// * InvalidCiphertextException 1237// From the Decrypt or ReEncrypt operation, the request was rejected because 1238// the specified ciphertext, or additional authenticated data incorporated into 1239// the ciphertext, such as the encryption context, is corrupted, missing, or 1240// otherwise invalid. 1241// 1242// From the ImportKeyMaterial operation, the request was rejected because AWS 1243// KMS could not decrypt the encrypted (wrapped) key material. 1244// 1245// * KeyUnavailableException 1246// The request was rejected because the specified CMK was not available. You 1247// can retry the request. 1248// 1249// * IncorrectKeyException 1250// The request was rejected because the specified CMK cannot decrypt the data. 1251// The KeyId in a Decrypt request and the SourceKeyId in a ReEncrypt request 1252// must identify the same CMK that was used to encrypt the ciphertext. 
//
//   * InvalidKeyUsageException
//   The request was rejected for one of the following reasons:
//
//      * The KeyUsage value of the CMK is incompatible with the API operation.
//
//      * The encryption algorithm or signing algorithm specified for the operation
//      is incompatible with the type of key material in the CMK (CustomerMasterKeySpec).
//
//   For encrypting, decrypting, re-encrypting, and generating data keys, the
//   KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage
//   must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation.
//
//   To find the encryption or signing algorithms supported for a particular CMK,
//   use the DescribeKey operation.
//
//   * DependencyTimeoutException
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * InvalidGrantTokenException
//   The request was rejected because the specified grant token is not valid.
//
//   * InternalException
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * InvalidStateException
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Decrypt
func (c *KMS) Decrypt(input *DecryptInput) (*DecryptOutput, error) {
	// Build the request, then send it. The output is returned alongside any
	// Send error, so callers must check the error before reading the
	// decryption result.
	r, resp := c.DecryptRequest(input)
	err := r.Send()
	return resp, err
}

// DecryptWithContext is the same as Decrypt with the addition of
// the ability to pass a context and additional request options.
//
// See Decrypt for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) DecryptWithContext(ctx aws.Context, input *DecryptInput, opts ...request.Option) (*DecryptOutput, error) {
	r, resp := c.DecryptRequest(input)
	// The context is attached before the caller's options are applied, and
	// both happen before the request is sent.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	// The output is returned alongside any Send error; check the error
	// before reading the decryption result.
	err := r.Send()
	return resp, err
}

// opDeleteAlias is the operation name placed in the request.Operation that
// DeleteAliasRequest builds.
const opDeleteAlias = "DeleteAlias"

// DeleteAliasRequest builds, but does not send, the "aws/request.Request" for
// the DeleteAlias operation. The "output" return value is populated with the
// response once the request completes successfully.
//
// Call "Send" on the returned Request to send the API call to the service.
// The "output" return value is not valid until Send has returned without error.
//
// See DeleteAlias for more information on using the DeleteAlias API call and
// on error handling.
//
// Use this method when you want to inject custom logic or configuration into
// the SDK's request lifecycle, such as custom headers or retry logic.
//
//    // Example sending a request using the DeleteAliasRequest method.
//    req, resp := client.DeleteAliasRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteAlias
func (c *KMS) DeleteAliasRequest(input *DeleteAliasInput) (req *request.Request, output *DeleteAliasOutput) {
	// A nil input is replaced by an empty parameter struct before the
	// request is built.
	params := input
	if params == nil {
		params = &DeleteAliasInput{}
	}

	output = &DeleteAliasOutput{}
	req = c.newRequest(&request.Operation{
		Name:       opDeleteAlias,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, params, output)
	// Replace the JSON-RPC unmarshal handler with the one that discards the
	// response body.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}

// DeleteAlias API operation for AWS Key Management Service.
//
// Deletes the specified alias.
//
// Adding, deleting, or updating an alias can allow or deny permission to the
// CMK. For details, see Using ABAC in AWS KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html)
// in the AWS Key Management Service Developer Guide.
//
// Because an alias is not a property of a CMK, you can delete and change the
// aliases of a CMK without affecting the CMK. Also, aliases do not appear in
// the response from the DescribeKey operation. To get the aliases of all CMKs,
// use the ListAliases operation.
//
// Each CMK can have multiple aliases. To change the alias of a CMK, use DeleteAlias
// to delete the current alias and CreateAlias to create a new alias. To associate
// an existing alias with a different customer master key (CMK), call UpdateAlias.
//
// Cross-account use: No. You cannot perform this operation on an alias in a
// different AWS account.
//
// Required permissions
//
//    * kms:DeleteAlias (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
//    on the alias (IAM policy).
1377// 1378// * kms:DeleteAlias (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) 1379// on the CMK (key policy). 1380// 1381// For details, see Controlling access to aliases (https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access) 1382// in the AWS Key Management Service Developer Guide. 1383// 1384// Related operations: 1385// 1386// * CreateAlias 1387// 1388// * ListAliases 1389// 1390// * UpdateAlias 1391// 1392// Returns awserr.Error for service API and SDK errors. Use runtime type assertions 1393// with awserr.Error's Code and Message methods to get detailed information about 1394// the error. 1395// 1396// See the AWS API reference guide for AWS Key Management Service's 1397// API operation DeleteAlias for usage and error information. 1398// 1399// Returned Error Types: 1400// * DependencyTimeoutException 1401// The system timed out while trying to fulfill the request. The request can 1402// be retried. 1403// 1404// * NotFoundException 1405// The request was rejected because the specified entity or resource could not 1406// be found. 1407// 1408// * InternalException 1409// The request was rejected because an internal exception occurred. The request 1410// can be retried. 1411// 1412// * InvalidStateException 1413// The request was rejected because the state of the specified resource is not 1414// valid for this request. 1415// 1416// For more information about how key state affects the use of a CMK, see How 1417// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 1418// in the AWS Key Management Service Developer Guide . 
1419// 1420// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteAlias 1421func (c *KMS) DeleteAlias(input *DeleteAliasInput) (*DeleteAliasOutput, error) { 1422 req, out := c.DeleteAliasRequest(input) 1423 return out, req.Send() 1424} 1425 1426// DeleteAliasWithContext is the same as DeleteAlias with the addition of 1427// the ability to pass a context and additional request options. 1428// 1429// See DeleteAlias for details on how to use this API operation. 1430// 1431// The context must be non-nil and will be used for request cancellation. If 1432// the context is nil a panic will occur. In the future the SDK may create 1433// sub-contexts for http.Requests. See https://golang.org/pkg/context/ 1434// for more information on using Contexts. 1435func (c *KMS) DeleteAliasWithContext(ctx aws.Context, input *DeleteAliasInput, opts ...request.Option) (*DeleteAliasOutput, error) { 1436 req, out := c.DeleteAliasRequest(input) 1437 req.SetContext(ctx) 1438 req.ApplyOptions(opts...) 1439 return out, req.Send() 1440} 1441 1442const opDeleteCustomKeyStore = "DeleteCustomKeyStore" 1443 1444// DeleteCustomKeyStoreRequest generates a "aws/request.Request" representing the 1445// client's request for the DeleteCustomKeyStore operation. The "output" return 1446// value will be populated with the request's response once the request completes 1447// successfully. 1448// 1449// Use "Send" method on the returned Request to send the API call to the service. 1450// the "output" return value is not valid until after Send returns without error. 1451// 1452// See DeleteCustomKeyStore for more information on using the DeleteCustomKeyStore 1453// API call, and error handling. 1454// 1455// This method is useful when you want to inject custom logic or configuration 1456// into the SDK's request lifecycle. Such as custom headers, or retry logic. 1457// 1458// 1459// // Example sending a request using the DeleteCustomKeyStoreRequest method. 
//    req, resp := client.DeleteCustomKeyStoreRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteCustomKeyStore
func (c *KMS) DeleteCustomKeyStoreRequest(input *DeleteCustomKeyStoreInput) (req *request.Request, output *DeleteCustomKeyStoreOutput) {
	// A nil input is replaced by an empty parameter struct before the request is built.
	if input == nil {
		input = &DeleteCustomKeyStoreInput{}
	}
	output = &DeleteCustomKeyStoreOutput{}

	req = c.newRequest(&request.Operation{
		Name:       opDeleteCustomKeyStore,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)

	// The JSON-RPC unmarshal handler is swapped for the discard-body handler,
	// so the response body is not decoded into output.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}

// DeleteCustomKeyStore API operation for AWS Key Management Service.
//
// Deletes a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html).
// This operation does not delete the AWS CloudHSM cluster that is associated
// with the custom key store, or affect any users or keys in the cluster.
//
// The custom key store that you delete cannot contain any AWS KMS customer
// master keys (CMKs) (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys).
// Before deleting the key store, verify that you will never need to use any
// of the CMKs in the key store for any cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations).
// Then, use ScheduleKeyDeletion to delete the AWS KMS customer master keys
// (CMKs) from the key store. When the scheduled waiting period expires, the
// ScheduleKeyDeletion operation deletes the CMKs. Then it makes a best effort
// to delete the key material from the associated cluster. However, you might
// need to manually delete the orphaned key material (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key)
// from the cluster and its backups.
//
// After all CMKs are deleted from AWS KMS, use DisconnectCustomKeyStore to
// disconnect the key store from AWS KMS. Then, you can delete the custom key
// store.
//
// Instead of deleting the custom key store, consider using DisconnectCustomKeyStore
// to disconnect it from AWS KMS. While the key store is disconnected, you cannot
// create or use the CMKs in the key store. But, you do not need to delete CMKs
// and you can reconnect a disconnected custom key store at any time.
//
// If the operation succeeds, it returns a JSON object with no properties.
//
// This operation is part of the Custom Key Store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
// in AWS KMS, which combines the convenience and extensive integration
// of AWS KMS with the isolation and control of a single-tenant key store.
//
// Cross-account use: No. You cannot perform this operation on a custom key
// store in a different AWS account.
//
// Required permissions: kms:DeleteCustomKeyStore (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
// (IAM policy)
//
// Related operations:
//
//    * ConnectCustomKeyStore
//
//    * CreateCustomKeyStore
//
//    * DescribeCustomKeyStores
//
//    * DisconnectCustomKeyStore
//
//    * UpdateCustomKeyStore
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation DeleteCustomKeyStore for usage and error information.
//
// Returned Error Types:
//   * CustomKeyStoreHasCMKsException
//   The request was rejected because the custom key store contains AWS KMS customer
//   master keys (CMKs). After verifying that you do not need to use the CMKs,
//   use the ScheduleKeyDeletion operation to delete the CMKs. After they are
//   deleted, you can delete the custom key store.
//
//   * CustomKeyStoreInvalidStateException
//   The request was rejected because of the ConnectionState of the custom key
//   store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores
//   operation.
//
//   This exception is thrown under the following conditions:
//
//      * You requested the CreateKey or GenerateRandom operation in a custom
//      key store that is not connected. These operations are valid only when
//      the custom key store ConnectionState is CONNECTED.
//
//      * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation
//      on a custom key store that is not disconnected. This operation is valid
//      only when the custom key store ConnectionState is DISCONNECTED.
//
//      * You requested the ConnectCustomKeyStore operation on a custom key store
//      with a ConnectionState of DISCONNECTING or FAILED. This operation is valid
//      for all other ConnectionState values.
//
//   * CustomKeyStoreNotFoundException
//   The request was rejected because AWS KMS cannot find a custom key store with
//   the specified key store name or ID.
//
//   * InternalException
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteCustomKeyStore
func (c *KMS) DeleteCustomKeyStore(input *DeleteCustomKeyStoreInput) (*DeleteCustomKeyStoreOutput, error) {
	apiReq, result := c.DeleteCustomKeyStoreRequest(input)
	// result is returned even when Send fails; callers must check the error
	// before relying on it.
	err := apiReq.Send()
	return result, err
}

// DeleteCustomKeyStoreWithContext is the same as DeleteCustomKeyStore with the addition of
// the ability to pass a context and additional request options.
//
// See DeleteCustomKeyStore for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) DeleteCustomKeyStoreWithContext(ctx aws.Context, input *DeleteCustomKeyStoreInput, opts ...request.Option) (*DeleteCustomKeyStoreOutput, error) {
	apiReq, result := c.DeleteCustomKeyStoreRequest(input)
	// The context and the caller's options are attached before the request is sent.
	apiReq.SetContext(ctx)
	apiReq.ApplyOptions(opts...)
	err := apiReq.Send()
	return result, err
}

const opDeleteImportedKeyMaterial = "DeleteImportedKeyMaterial"

// DeleteImportedKeyMaterialRequest generates an "aws/request.Request" representing the
// client's request for the DeleteImportedKeyMaterial operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See DeleteImportedKeyMaterial for more information on using the DeleteImportedKeyMaterial
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
//
//
//    // Example sending a request using the DeleteImportedKeyMaterialRequest method.
//    req, resp := client.DeleteImportedKeyMaterialRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteImportedKeyMaterial
func (c *KMS) DeleteImportedKeyMaterialRequest(input *DeleteImportedKeyMaterialInput) (req *request.Request, output *DeleteImportedKeyMaterialOutput) {
	// A nil input is replaced by an empty parameter struct before the request is built.
	if input == nil {
		input = &DeleteImportedKeyMaterialInput{}
	}
	output = &DeleteImportedKeyMaterialOutput{}

	req = c.newRequest(&request.Operation{
		Name:       opDeleteImportedKeyMaterial,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)

	// The JSON-RPC unmarshal handler is swapped for the discard-body handler,
	// so the response body is not decoded into output.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}

// DeleteImportedKeyMaterial API operation for AWS Key Management Service.
//
// Deletes key material that you previously imported. This operation makes the
// specified customer master key (CMK) unusable. For more information about
// importing key material into AWS KMS, see Importing Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html)
// in the AWS Key Management Service Developer Guide.
//
// When the specified CMK is in the PendingDeletion state, this operation does
// not change the CMK's state. Otherwise, it changes the CMK's state to PendingImport.
//
// After you delete key material, you can use ImportKeyMaterial to reimport
// the same key material into the CMK.
//
// The CMK that you use for this operation must be in a compatible key state.
// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
// in the AWS Key Management Service Developer Guide.
//
// Cross-account use: No. You cannot perform this operation on a CMK in a different
// AWS account.
//
// Required permissions: kms:DeleteImportedKeyMaterial (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
// (key policy)
//
// Related operations:
//
//    * GetParametersForImport
//
//    * ImportKeyMaterial
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation DeleteImportedKeyMaterial for usage and error information.
//
// Returned Error Types:
//   * InvalidArnException
//   The request was rejected because a specified ARN, or an ARN in a key policy,
//   is not valid.
//
//   * UnsupportedOperationException
//   The request was rejected because a specified parameter is not supported or
//   a specified resource is not valid for this operation.
//
//   * DependencyTimeoutException
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * NotFoundException
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * InternalException
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * InvalidStateException
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteImportedKeyMaterial
func (c *KMS) DeleteImportedKeyMaterial(input *DeleteImportedKeyMaterialInput) (*DeleteImportedKeyMaterialOutput, error) {
	apiReq, result := c.DeleteImportedKeyMaterialRequest(input)
	// result is returned even when Send fails; callers must check the error
	// before relying on it.
	err := apiReq.Send()
	return result, err
}

// DeleteImportedKeyMaterialWithContext is the same as DeleteImportedKeyMaterial with the addition of
// the ability to pass a context and additional request options.
//
// See DeleteImportedKeyMaterial for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) DeleteImportedKeyMaterialWithContext(ctx aws.Context, input *DeleteImportedKeyMaterialInput, opts ...request.Option) (*DeleteImportedKeyMaterialOutput, error) {
	apiReq, result := c.DeleteImportedKeyMaterialRequest(input)
	// The context and the caller's options are attached before the request is sent.
	apiReq.SetContext(ctx)
	apiReq.ApplyOptions(opts...)
	err := apiReq.Send()
	return result, err
}

const opDescribeCustomKeyStores = "DescribeCustomKeyStores"

// DescribeCustomKeyStoresRequest generates an "aws/request.Request" representing the
// client's request for the DescribeCustomKeyStores operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See DescribeCustomKeyStores for more information on using the DescribeCustomKeyStores
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
//
//
//    // Example sending a request using the DescribeCustomKeyStoresRequest method.
//    req, resp := client.DescribeCustomKeyStoresRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeCustomKeyStores
func (c *KMS) DescribeCustomKeyStoresRequest(input *DescribeCustomKeyStoresInput) (req *request.Request, output *DescribeCustomKeyStoresOutput) {
	// A nil input is replaced by an empty parameter struct before the request is built.
	if input == nil {
		input = &DescribeCustomKeyStoresInput{}
	}
	output = &DescribeCustomKeyStoresOutput{}

	req = c.newRequest(&request.Operation{
		Name:       opDescribeCustomKeyStores,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	return req, output
}

// DescribeCustomKeyStores API operation for AWS Key Management Service.
//
// Gets information about custom key stores (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
// in the account and Region.
//
// This operation is part of the Custom Key Store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
// in AWS KMS, which combines the convenience and extensive integration
// of AWS KMS with the isolation and control of a single-tenant key store.
//
// By default, this operation returns information about all custom key stores
// in the account and Region. To get only information about a particular custom
// key store, use either the CustomKeyStoreName or CustomKeyStoreId parameter
// (but not both).
//
// To determine whether the custom key store is connected to its AWS CloudHSM
// cluster, use the ConnectionState element in the response. If an attempt to
// connect the custom key store failed, the ConnectionState value is FAILED
// and the ConnectionErrorCode element in the response indicates the cause of
// the failure. For help interpreting the ConnectionErrorCode, see CustomKeyStoresListEntry.
//
// Custom key stores have a DISCONNECTED connection state if the key store has
// never been connected or you use the DisconnectCustomKeyStore operation to
// disconnect it. If your custom key store state is CONNECTED but you are having
// trouble using it, make sure that its associated AWS CloudHSM cluster is active
// and contains the minimum number of HSMs required for the operation, if any.
//
// For help repairing your custom key store, see the Troubleshooting Custom
// Key Stores (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html)
// topic in the AWS Key Management Service Developer Guide.
//
// Cross-account use: No. You cannot perform this operation on a custom key
// store in a different AWS account.
//
// Required permissions: kms:DescribeCustomKeyStores (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
// (IAM policy)
//
// Related operations:
//
//    * ConnectCustomKeyStore
//
//    * CreateCustomKeyStore
//
//    * DeleteCustomKeyStore
//
//    * DisconnectCustomKeyStore
//
//    * UpdateCustomKeyStore
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation DescribeCustomKeyStores for usage and error information.
//
// Returned Error Types:
//   * CustomKeyStoreNotFoundException
//   The request was rejected because AWS KMS cannot find a custom key store with
//   the specified key store name or ID.
//
//   * InvalidMarkerException
//   The request was rejected because the marker that specifies where pagination
//   should next begin is not valid.
//
//   * InternalException
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeCustomKeyStores
func (c *KMS) DescribeCustomKeyStores(input *DescribeCustomKeyStoresInput) (*DescribeCustomKeyStoresOutput, error) {
	apiReq, result := c.DescribeCustomKeyStoresRequest(input)
	// result is returned even when Send fails; callers must check the error
	// before relying on it.
	err := apiReq.Send()
	return result, err
}

// DescribeCustomKeyStoresWithContext is the same as DescribeCustomKeyStores with the addition of
// the ability to pass a context and additional request options.
//
// See DescribeCustomKeyStores for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) DescribeCustomKeyStoresWithContext(ctx aws.Context, input *DescribeCustomKeyStoresInput, opts ...request.Option) (*DescribeCustomKeyStoresOutput, error) {
	apiReq, result := c.DescribeCustomKeyStoresRequest(input)
	// The context and the caller's options are attached before the request is sent.
	apiReq.SetContext(ctx)
	apiReq.ApplyOptions(opts...)
	err := apiReq.Send()
	return result, err
}

const opDescribeKey = "DescribeKey"

// DescribeKeyRequest generates an "aws/request.Request" representing the
// client's request for the DescribeKey operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See DescribeKey for more information on using the DescribeKey
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
//
//
//    // Example sending a request using the DescribeKeyRequest method.
//    req, resp := client.DescribeKeyRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeKey
func (c *KMS) DescribeKeyRequest(input *DescribeKeyInput) (req *request.Request, output *DescribeKeyOutput) {
	// A nil input is replaced by an empty parameter struct before the request is built.
	if input == nil {
		input = &DescribeKeyInput{}
	}
	output = &DescribeKeyOutput{}

	req = c.newRequest(&request.Operation{
		Name:       opDescribeKey,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	return req, output
}

// DescribeKey API operation for AWS Key Management Service.
//
// Provides detailed information about a customer master key (CMK). You can
// run DescribeKey on a customer managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk)
// or an AWS managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk).
//
// This detailed information includes the key ARN, creation date (and deletion
// date, if applicable), the key state, and the origin and expiration date (if
// any) of the key material. For CMKs in custom key stores, it includes information
// about the custom key store, such as the key store ID and the AWS CloudHSM
// cluster ID. It includes fields, like KeySpec, that help you distinguish symmetric
// from asymmetric CMKs. It also provides information that is particularly important
// to asymmetric CMKs, such as the key usage (encryption or signing) and the
// encryption algorithms or signing algorithms that the CMK supports.
//
// DescribeKey does not return the following information:
//
//    * Aliases associated with the CMK. To get this information, use ListAliases.
//
//    * Whether automatic key rotation is enabled on the CMK. To get this information,
//    use GetKeyRotationStatus. Also, some key states prevent a CMK from being
//    automatically rotated. For details, see How Automatic Key Rotation Works
//    (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-how-it-works)
//    in the AWS Key Management Service Developer Guide.
//
//    * Tags on the CMK. To get this information, use ListResourceTags.
//
//    * Key policies and grants on the CMK. To get this information, use GetKeyPolicy
//    and ListGrants.
//
// If you call the DescribeKey operation on a predefined AWS alias, that is,
// an AWS alias with no key ID, AWS KMS creates an AWS managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys).
// Then, it associates the alias with the new CMK, and returns the KeyId and
// Arn of the new CMK in the response.
//
// Cross-account use: Yes. To perform this operation with a CMK in a different
// AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter.
//
// Required permissions: kms:DescribeKey (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
// (key policy)
//
// Related operations:
//
//    * GetKeyPolicy
//
//    * GetKeyRotationStatus
//
//    * ListAliases
//
//    * ListGrants
//
//    * ListKeys
//
//    * ListResourceTags
//
//    * ListRetirableGrants
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation DescribeKey for usage and error information.
//
// Returned Error Types:
//   * NotFoundException
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * InvalidArnException
//   The request was rejected because a specified ARN, or an ARN in a key policy,
//   is not valid.
//
//   * DependencyTimeoutException
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * InternalException
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeKey
func (c *KMS) DescribeKey(input *DescribeKeyInput) (*DescribeKeyOutput, error) {
	apiReq, result := c.DescribeKeyRequest(input)
	// result is returned even when Send fails; callers must check the error
	// before relying on it.
	err := apiReq.Send()
	return result, err
}

// DescribeKeyWithContext is the same as DescribeKey with the addition of
// the ability to pass a context and additional request options.
//
// See DescribeKey for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) DescribeKeyWithContext(ctx aws.Context, input *DescribeKeyInput, opts ...request.Option) (*DescribeKeyOutput, error) {
	apiReq, result := c.DescribeKeyRequest(input)
	// The context and the caller's options are attached before the request is sent.
	apiReq.SetContext(ctx)
	apiReq.ApplyOptions(opts...)
	err := apiReq.Send()
	return result, err
}

const opDisableKey = "DisableKey"

// DisableKeyRequest generates an "aws/request.Request" representing the
// client's request for the DisableKey operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See DisableKey for more information on using the DisableKey
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
//
//
//    // Example sending a request using the DisableKeyRequest method.
2023// req, resp := client.DisableKeyRequest(params) 2024// 2025// err := req.Send() 2026// if err == nil { // resp is now filled 2027// fmt.Println(resp) 2028// } 2029// 2030// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKey 2031func (c *KMS) DisableKeyRequest(input *DisableKeyInput) (req *request.Request, output *DisableKeyOutput) { 2032 op := &request.Operation{ 2033 Name: opDisableKey, 2034 HTTPMethod: "POST", 2035 HTTPPath: "/", 2036 } 2037 2038 if input == nil { 2039 input = &DisableKeyInput{} 2040 } 2041 2042 output = &DisableKeyOutput{} 2043 req = c.newRequest(op, input, output) 2044 req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) 2045 return 2046} 2047 2048// DisableKey API operation for AWS Key Management Service. 2049// 2050// Sets the state of a customer master key (CMK) to disabled. This change temporarily 2051// prevents use of the CMK for cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations). 2052// 2053// For more information about how key state affects the use of a CMK, see Key 2054// state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 2055// in the AWS Key Management Service Developer Guide . 2056// 2057// The CMK that you use for this operation must be in a compatible key state. 2058// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 2059// in the AWS Key Management Service Developer Guide. 2060// 2061// Cross-account use: No. You cannot perform this operation on a CMK in a different 2062// AWS account. 2063// 2064// Required permissions: kms:DisableKey (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) 2065// (key policy) 2066// 2067// Related operations: EnableKey 2068// 2069// Returns awserr.Error for service API and SDK errors. 
Use runtime type assertions 2070// with awserr.Error's Code and Message methods to get detailed information about 2071// the error. 2072// 2073// See the AWS API reference guide for AWS Key Management Service's 2074// API operation DisableKey for usage and error information. 2075// 2076// Returned Error Types: 2077// * NotFoundException 2078// The request was rejected because the specified entity or resource could not 2079// be found. 2080// 2081// * InvalidArnException 2082// The request was rejected because a specified ARN, or an ARN in a key policy, 2083// is not valid. 2084// 2085// * DependencyTimeoutException 2086// The system timed out while trying to fulfill the request. The request can 2087// be retried. 2088// 2089// * InternalException 2090// The request was rejected because an internal exception occurred. The request 2091// can be retried. 2092// 2093// * InvalidStateException 2094// The request was rejected because the state of the specified resource is not 2095// valid for this request. 2096// 2097// For more information about how key state affects the use of a CMK, see How 2098// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 2099// in the AWS Key Management Service Developer Guide . 2100// 2101// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKey 2102func (c *KMS) DisableKey(input *DisableKeyInput) (*DisableKeyOutput, error) { 2103 req, out := c.DisableKeyRequest(input) 2104 return out, req.Send() 2105} 2106 2107// DisableKeyWithContext is the same as DisableKey with the addition of 2108// the ability to pass a context and additional request options. 2109// 2110// See DisableKey for details on how to use this API operation. 2111// 2112// The context must be non-nil and will be used for request cancellation. If 2113// the context is nil a panic will occur. In the future the SDK may create 2114// sub-contexts for http.Requests. 
// See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) DisableKeyWithContext(ctx aws.Context, input *DisableKeyInput, opts ...request.Option) (*DisableKeyOutput, error) {
	r, resp := c.DisableKeyRequest(input)
	// The context is attached first; the caller's request options are applied
	// afterwards, immediately before the request is sent.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opDisableKeyRotation = "DisableKeyRotation"

// DisableKeyRotationRequest generates a "aws/request.Request" representing the
// client's request for the DisableKeyRotation operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See DisableKeyRotation for more information on using the DisableKeyRotation
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
//
//
//    // Example sending a request using the DisableKeyRotationRequest method.
//    req, resp := client.DisableKeyRotationRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKeyRotation
func (c *KMS) DisableKeyRotationRequest(input *DisableKeyRotationInput) (req *request.Request, output *DisableKeyRotationOutput) {
	// A nil input is replaced by an empty parameter struct before the request
	// is built.
	if input == nil {
		input = new(DisableKeyRotationInput)
	}
	output = new(DisableKeyRotationOutput)

	req = c.newRequest(&request.Operation{
		Name:       opDisableKeyRotation,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	// The discard-body handler takes the place of the JSON-RPC unmarshal
	// handler, so the response body is drained rather than decoded into output.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}

// DisableKeyRotation API operation for AWS Key Management Service.
//
// Disables automatic rotation of the key material (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html)
// for the specified symmetric customer master key (CMK).
//
// You cannot enable automatic rotation of asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks),
// CMKs with imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html),
// or CMKs in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html).
// To enable or disable automatic rotation of a set of related multi-Region
// keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key),
// set the property on the primary key.
//
// The CMK that you use for this operation must be in a compatible key state.
// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
// in the AWS Key Management Service Developer Guide.
//
// Cross-account use: No. You cannot perform this operation on a CMK in a different
// AWS account.
//
// Required permissions: kms:DisableKeyRotation (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
// (key policy)
//
// Related operations:
//
//    * EnableKeyRotation
//
//    * GetKeyRotationStatus
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation DisableKeyRotation for usage and error information.
//
// Returned Error Types:
//   * NotFoundException
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * DisabledException
//   The request was rejected because the specified CMK is not enabled.
//
//   * InvalidArnException
//   The request was rejected because a specified ARN, or an ARN in a key policy,
//   is not valid.
//
//   * DependencyTimeoutException
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * InternalException
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * InvalidStateException
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
//   * UnsupportedOperationException
//   The request was rejected because a specified parameter is not supported or
//   a specified resource is not valid for this operation.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKeyRotation
func (c *KMS) DisableKeyRotation(input *DisableKeyRotationInput) (*DisableKeyRotationOutput, error) {
	r, resp := c.DisableKeyRotationRequest(input)
	// resp is returned alongside the Send error; treat it as valid only when
	// that error is nil.
	err := r.Send()
	return resp, err
}

// DisableKeyRotationWithContext is the same as DisableKeyRotation with the addition of
// the ability to pass a context and additional request options.
//
// See DisableKeyRotation for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) DisableKeyRotationWithContext(ctx aws.Context, input *DisableKeyRotationInput, opts ...request.Option) (*DisableKeyRotationOutput, error) {
	r, resp := c.DisableKeyRotationRequest(input)
	// Attach the context before applying the caller's options.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opDisconnectCustomKeyStore = "DisconnectCustomKeyStore"

// DisconnectCustomKeyStoreRequest generates a "aws/request.Request" representing the
// client's request for the DisconnectCustomKeyStore operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See DisconnectCustomKeyStore for more information on using the DisconnectCustomKeyStore
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
//
//
//    // Example sending a request using the DisconnectCustomKeyStoreRequest method.
//    req, resp := client.DisconnectCustomKeyStoreRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisconnectCustomKeyStore
func (c *KMS) DisconnectCustomKeyStoreRequest(input *DisconnectCustomKeyStoreInput) (req *request.Request, output *DisconnectCustomKeyStoreOutput) {
	// A nil input becomes an empty parameter struct before the request is built.
	if input == nil {
		input = new(DisconnectCustomKeyStoreInput)
	}
	output = new(DisconnectCustomKeyStoreOutput)

	req = c.newRequest(&request.Operation{
		Name:       opDisconnectCustomKeyStore,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	// The JSON-RPC unmarshal handler is swapped for the discard-body handler,
	// so the response body is drained rather than decoded into output.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}

// DisconnectCustomKeyStore API operation for AWS Key Management Service.
//
// Disconnects the custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
// from its associated AWS CloudHSM cluster. While a custom key store is disconnected,
// you can manage the custom key store and its customer master keys (CMKs),
// but you cannot create or use CMKs in the custom key store. You can reconnect
// the custom key store at any time.
//
// While a custom key store is disconnected, all attempts to create customer
// master keys (CMKs) in the custom key store or to use existing CMKs in cryptographic
// operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations)
// will fail. This action can prevent users from storing and accessing sensitive
// data.
//
// To find the connection state of a custom key store, use the DescribeCustomKeyStores
// operation. To reconnect a custom key store, use the ConnectCustomKeyStore
// operation.
//
// If the operation succeeds, it returns a JSON object with no properties.
//
// This operation is part of the Custom Key Store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
// in AWS KMS, which combines the convenience and extensive integration
// of AWS KMS with the isolation and control of a single-tenant key store.
//
// Cross-account use: No. You cannot perform this operation on a custom key
// store in a different AWS account.
//
// Required permissions: kms:DisconnectCustomKeyStore (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
// (IAM policy)
//
// Related operations:
//
//    * ConnectCustomKeyStore
//
//    * CreateCustomKeyStore
//
//    * DeleteCustomKeyStore
//
//    * DescribeCustomKeyStores
//
//    * UpdateCustomKeyStore
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation DisconnectCustomKeyStore for usage and error information.
//
// Returned Error Types:
//   * CustomKeyStoreInvalidStateException
//   The request was rejected because of the ConnectionState of the custom key
//   store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores
//   operation.
//
//   This exception is thrown under the following conditions:
//
//      * You requested the CreateKey or GenerateRandom operation in a custom
//      key store that is not connected. These operations are valid only when
//      the custom key store ConnectionState is CONNECTED.
//
//      * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation
//      on a custom key store that is not disconnected. This operation is valid
//      only when the custom key store ConnectionState is DISCONNECTED.
//
//      * You requested the ConnectCustomKeyStore operation on a custom key store
//      with a ConnectionState of DISCONNECTING or FAILED. This operation is valid
//      for all other ConnectionState values.
//
//   * CustomKeyStoreNotFoundException
//   The request was rejected because AWS KMS cannot find a custom key store with
//   the specified key store name or ID.
//
//   * InternalException
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisconnectCustomKeyStore
func (c *KMS) DisconnectCustomKeyStore(input *DisconnectCustomKeyStoreInput) (*DisconnectCustomKeyStoreOutput, error) {
	r, resp := c.DisconnectCustomKeyStoreRequest(input)
	// resp is returned alongside the Send error; treat it as valid only when
	// that error is nil.
	err := r.Send()
	return resp, err
}

// DisconnectCustomKeyStoreWithContext is the same as DisconnectCustomKeyStore with the addition of
// the ability to pass a context and additional request options.
//
// See DisconnectCustomKeyStore for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) DisconnectCustomKeyStoreWithContext(ctx aws.Context, input *DisconnectCustomKeyStoreInput, opts ...request.Option) (*DisconnectCustomKeyStoreOutput, error) {
	r, resp := c.DisconnectCustomKeyStoreRequest(input)
	// Attach the context before applying the caller's options.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opEnableKey = "EnableKey"

// EnableKeyRequest generates a "aws/request.Request" representing the
// client's request for the EnableKey operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See EnableKey for more information on using the EnableKey
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
//
//
//    // Example sending a request using the EnableKeyRequest method.
//    req, resp := client.EnableKeyRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKey
func (c *KMS) EnableKeyRequest(input *EnableKeyInput) (req *request.Request, output *EnableKeyOutput) {
	// A nil input becomes an empty parameter struct before the request is built.
	if input == nil {
		input = new(EnableKeyInput)
	}
	output = new(EnableKeyOutput)

	req = c.newRequest(&request.Operation{
		Name:       opEnableKey,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	// The JSON-RPC unmarshal handler is swapped for the discard-body handler,
	// so the response body is drained rather than decoded into output.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}

// EnableKey API operation for AWS Key Management Service.
//
// Sets the key state of a customer master key (CMK) to enabled. This allows
// you to use the CMK for cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations).
//
// The CMK that you use for this operation must be in a compatible key state.
// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
// in the AWS Key Management Service Developer Guide.
//
// Cross-account use: No. You cannot perform this operation on a CMK in a different
// AWS account.
//
// Required permissions: kms:EnableKey (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
// (key policy)
//
// Related operations: DisableKey
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation EnableKey for usage and error information.
//
// Returned Error Types:
//   * NotFoundException
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * InvalidArnException
//   The request was rejected because a specified ARN, or an ARN in a key policy,
//   is not valid.
//
//   * DependencyTimeoutException
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * InternalException
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * LimitExceededException
//   The request was rejected because a quota was exceeded. For more information,
//   see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html)
//   in the AWS Key Management Service Developer Guide.
//
//   * InvalidStateException
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKey
func (c *KMS) EnableKey(input *EnableKeyInput) (*EnableKeyOutput, error) {
	r, resp := c.EnableKeyRequest(input)
	// resp is returned alongside the Send error; treat it as valid only when
	// that error is nil.
	err := r.Send()
	return resp, err
}

// EnableKeyWithContext is the same as EnableKey with the addition of
// the ability to pass a context and additional request options.
//
// See EnableKey for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests.
// See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) EnableKeyWithContext(ctx aws.Context, input *EnableKeyInput, opts ...request.Option) (*EnableKeyOutput, error) {
	r, resp := c.EnableKeyRequest(input)
	// Attach the context before applying the caller's options.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opEnableKeyRotation = "EnableKeyRotation"

// EnableKeyRotationRequest generates a "aws/request.Request" representing the
// client's request for the EnableKeyRotation operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See EnableKeyRotation for more information on using the EnableKeyRotation
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
//
//
//    // Example sending a request using the EnableKeyRotationRequest method.
//    req, resp := client.EnableKeyRotationRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotation
func (c *KMS) EnableKeyRotationRequest(input *EnableKeyRotationInput) (req *request.Request, output *EnableKeyRotationOutput) {
	// A nil input becomes an empty parameter struct before the request is built.
	if input == nil {
		input = new(EnableKeyRotationInput)
	}
	output = new(EnableKeyRotationOutput)

	req = c.newRequest(&request.Operation{
		Name:       opEnableKeyRotation,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	// The JSON-RPC unmarshal handler is swapped for the discard-body handler,
	// so the response body is drained rather than decoded into output.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}

// EnableKeyRotation API operation for AWS Key Management Service.
//
// Enables automatic rotation of the key material (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html)
// for the specified symmetric customer master key (CMK).
//
// You cannot enable automatic rotation of asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks),
// CMKs with imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html),
// or CMKs in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html).
// To enable or disable automatic rotation of a set of related multi-Region
// keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key),
// set the property on the primary key.
//
// The CMK that you use for this operation must be in a compatible key state.
// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
// in the AWS Key Management Service Developer Guide.
//
// Cross-account use: No. You cannot perform this operation on a CMK in a different
// AWS account.
//
// Required permissions: kms:EnableKeyRotation (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
// (key policy)
//
// Related operations:
//
//    * DisableKeyRotation
//
//    * GetKeyRotationStatus
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation EnableKeyRotation for usage and error information.
//
// Returned Error Types:
//   * NotFoundException
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * DisabledException
//   The request was rejected because the specified CMK is not enabled.
//
//   * InvalidArnException
//   The request was rejected because a specified ARN, or an ARN in a key policy,
//   is not valid.
//
//   * DependencyTimeoutException
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * InternalException
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * InvalidStateException
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
//   * UnsupportedOperationException
//   The request was rejected because a specified parameter is not supported or
//   a specified resource is not valid for this operation.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotation
func (c *KMS) EnableKeyRotation(input *EnableKeyRotationInput) (*EnableKeyRotationOutput, error) {
	r, resp := c.EnableKeyRotationRequest(input)
	// resp is returned alongside the Send error; treat it as valid only when
	// that error is nil.
	err := r.Send()
	return resp, err
}

// EnableKeyRotationWithContext is the same as EnableKeyRotation with the addition of
// the ability to pass a context and additional request options.
//
// See EnableKeyRotation for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) EnableKeyRotationWithContext(ctx aws.Context, input *EnableKeyRotationInput, opts ...request.Option) (*EnableKeyRotationOutput, error) {
	r, resp := c.EnableKeyRotationRequest(input)
	// Attach the context before applying the caller's options.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opEncrypt = "Encrypt"

// EncryptRequest generates a "aws/request.Request" representing the
// client's request for the Encrypt operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See Encrypt for more information on using the Encrypt
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
//
//
//    // Example sending a request using the EncryptRequest method.
//    req, resp := client.EncryptRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Encrypt
func (c *KMS) EncryptRequest(input *EncryptInput) (req *request.Request, output *EncryptOutput) {
	// A nil input becomes an empty EncryptInput; no field of the input is
	// checked in this function.
	// NOTE(review): required fields are presumably validated by the request
	// handlers when the request is sent; confirm against newRequest.
	if input == nil {
		input = new(EncryptInput)
	}
	output = new(EncryptOutput)

	// No unmarshal handler is swapped here, so the response is left to
	// whatever handlers newRequest installed.
	req = c.newRequest(&request.Operation{
		Name:       opEncrypt,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	return req, output
}

// Encrypt API operation for AWS Key Management Service.
//
// Encrypts plaintext into ciphertext by using a customer master key (CMK).
// The Encrypt operation has two primary use cases:
//
//    * You can encrypt small amounts of arbitrary data, such as a personal
//    identifier or database password, or other sensitive information.
//
//    * You can use the Encrypt operation to move encrypted data from one AWS
//    Region to another. For example, in Region A, generate a data key and use
//    the plaintext key to encrypt your data. Then, in Region A, use the Encrypt
//    operation to encrypt the plaintext data key under a CMK in Region B. Now,
//    you can move the encrypted data and the encrypted data key to Region B.
//    When necessary, you can decrypt the encrypted data key and the encrypted
//    data entirely within Region B.
//
// You don't need to use the Encrypt operation to encrypt a data key. The GenerateDataKey
// and GenerateDataKeyPair operations return a plaintext data key and an encrypted
// copy of that data key.
//
// When you encrypt data, you must specify a symmetric or asymmetric CMK to
// use in the encryption operation. The CMK must have a KeyUsage value of ENCRYPT_DECRYPT.
// To find the KeyUsage of a CMK, use the DescribeKey operation.
//
// If you use a symmetric CMK, you can use an encryption context to add additional
// security to your encryption operation. If you specify an EncryptionContext
// when encrypting data, you must specify the same encryption context (a case-sensitive
// exact match) when decrypting the data. Otherwise, the request to decrypt
// fails with an InvalidCiphertextException. For more information, see Encryption
// Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context)
// in the AWS Key Management Service Developer Guide.
//
// If you specify an asymmetric CMK, you must also specify the encryption algorithm.
// The algorithm must be compatible with the CMK type.
//
// When you use an asymmetric CMK to encrypt or reencrypt data, be sure to record
// the CMK and encryption algorithm that you choose. You will be required to
// provide the same CMK and encryption algorithm when you decrypt the data.
// If the CMK and algorithm do not match the values used to encrypt the data,
// the decrypt operation fails.
//
// You are not required to supply the CMK ID and encryption algorithm when you
// decrypt with symmetric CMKs because AWS KMS stores this information in the
// ciphertext blob. AWS KMS cannot store metadata in ciphertext generated with
// asymmetric keys. The standard format for asymmetric key ciphertext does not
// include configurable fields.
//
// The maximum size of the data that you can encrypt varies with the type of
// CMK and the encryption algorithm that you choose.
//
//    * Symmetric CMKs - SYMMETRIC_DEFAULT: 4096 bytes
//
//    * RSA_2048 - RSAES_OAEP_SHA_1: 214 bytes; RSAES_OAEP_SHA_256: 190 bytes
//
//    * RSA_3072 - RSAES_OAEP_SHA_1: 342 bytes; RSAES_OAEP_SHA_256: 318 bytes
//
//    * RSA_4096 - RSAES_OAEP_SHA_1: 470 bytes; RSAES_OAEP_SHA_256: 446 bytes
//
// The CMK that you use for this operation must be in a compatible key state.
// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
// in the AWS Key Management Service Developer Guide.
//
// Cross-account use: Yes. To perform this operation with a CMK in a different
// AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter.
//
// Required permissions: kms:Encrypt (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
// (key policy)
//
// Related operations:
//
//    * Decrypt
//
//    * GenerateDataKey
//
//    * GenerateDataKeyPair
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation Encrypt for usage and error information.
//
// Returned Error Types:
//   * NotFoundException
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * DisabledException
//   The request was rejected because the specified CMK is not enabled.
//
//   * KeyUnavailableException
//   The request was rejected because the specified CMK was not available. You
//   can retry the request.
//
//   * DependencyTimeoutException
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * InvalidKeyUsageException
//   The request was rejected for one of the following reasons:
//
//      * The KeyUsage value of the CMK is incompatible with the API operation.
//
//      * The encryption algorithm or signing algorithm specified for the operation
//      is incompatible with the type of key material in the CMK (CustomerMasterKeySpec).
//
//   For encrypting, decrypting, re-encrypting, and generating data keys, the
//   KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage
//   must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation.
//
//   To find the encryption or signing algorithms supported for a particular CMK,
//   use the DescribeKey operation.
//
//   * InvalidGrantTokenException
//   The request was rejected because the specified grant token is not valid.
//
//   * InternalException
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * InvalidStateException
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Encrypt
func (c *KMS) Encrypt(input *EncryptInput) (*EncryptOutput, error) {
	r, resp := c.EncryptRequest(input)
	// resp is returned alongside the Send error; treat it as valid only when
	// that error is nil.
	err := r.Send()
	return resp, err
}

// EncryptWithContext is the same as Encrypt with the addition of
// the ability to pass a context and additional request options.
//
// See Encrypt for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation.
// If the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) EncryptWithContext(ctx aws.Context, input *EncryptInput, opts ...request.Option) (*EncryptOutput, error) {
	r, resp := c.EncryptRequest(input)
	// The context is attached before the options are applied and before the
	// request is sent, in that order.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opGenerateDataKey = "GenerateDataKey"

// GenerateDataKeyRequest generates a "aws/request.Request" representing the
// client's request for the GenerateDataKey operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See GenerateDataKey for more information on using the GenerateDataKey
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the GenerateDataKeyRequest method.
//    req, resp := client.GenerateDataKeyRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKey
func (c *KMS) GenerateDataKeyRequest(input *GenerateDataKeyInput) (req *request.Request, output *GenerateDataKeyOutput) {
	// A nil input is replaced by an empty struct so that newRequest always
	// receives a non-nil parameter value.
	if input == nil {
		input = &GenerateDataKeyInput{}
	}

	output = &GenerateDataKeyOutput{}
	req = c.newRequest(&request.Operation{
		Name:       opGenerateDataKey,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	return req, output
}

// GenerateDataKey API operation for AWS Key Management Service.
//
// Generates a unique symmetric data key for client-side encryption. This operation
// returns a plaintext copy of the data key and a copy that is encrypted under
// a customer master key (CMK) that you specify. You can use the plaintext key
// to encrypt your data outside of AWS KMS and store the encrypted data key
// with the encrypted data.
//
// GenerateDataKey returns a unique data key for each request. The bytes in
// the plaintext key are not related to the caller or the CMK.
//
// To generate a data key, specify the symmetric CMK that will be used to encrypt
// the data key. You cannot use an asymmetric CMK to generate data keys. To
// get the type of your CMK, use the DescribeKey operation. You must also specify
// the length of the data key. Use either the KeySpec or NumberOfBytes parameters
// (but not both). For 128-bit and 256-bit data keys, use the KeySpec parameter.
//
// To get only an encrypted copy of the data key, use GenerateDataKeyWithoutPlaintext.
// To generate an asymmetric data key pair, use the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext
// operation.
To get a cryptographically secure random byte string, use GenerateRandom. 2903// 2904// You can use the optional encryption context to add additional security to 2905// the encryption operation. If you specify an EncryptionContext, you must specify 2906// the same encryption context (a case-sensitive exact match) when decrypting 2907// the encrypted data key. Otherwise, the request to decrypt fails with an InvalidCiphertextException. 2908// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) 2909// in the AWS Key Management Service Developer Guide. 2910// 2911// The CMK that you use for this operation must be in a compatible key state. 2912// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 2913// in the AWS Key Management Service Developer Guide. 2914// 2915// How to use your data key 2916// 2917// We recommend that you use the following pattern to encrypt data locally in 2918// your application. You can write your own code or use a client-side encryption 2919// library, such as the AWS Encryption SDK (https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/), 2920// the Amazon DynamoDB Encryption Client (https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/), 2921// or Amazon S3 client-side encryption (https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html) 2922// to do these tasks for you. 2923// 2924// To encrypt data outside of AWS KMS: 2925// 2926// Use the GenerateDataKey operation to get a data key. 2927// 2928// Use the plaintext data key (in the Plaintext field of the response) to encrypt 2929// your data outside of AWS KMS. Then erase the plaintext data key from memory. 2930// 2931// Store the encrypted data key (in the CiphertextBlob field of the response) 2932// with the encrypted data. 
2933// 2934// To decrypt data outside of AWS KMS: 2935// 2936// Use the Decrypt operation to decrypt the encrypted data key. The operation 2937// returns a plaintext copy of the data key. 2938// 2939// Use the plaintext data key to decrypt data outside of AWS KMS, then erase 2940// the plaintext data key from memory. 2941// 2942// Cross-account use: Yes. To perform this operation with a CMK in a different 2943// AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter. 2944// 2945// Required permissions: kms:GenerateDataKey (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) 2946// (key policy) 2947// 2948// Related operations: 2949// 2950// * Decrypt 2951// 2952// * Encrypt 2953// 2954// * GenerateDataKeyPair 2955// 2956// * GenerateDataKeyPairWithoutPlaintext 2957// 2958// * GenerateDataKeyWithoutPlaintext 2959// 2960// Returns awserr.Error for service API and SDK errors. Use runtime type assertions 2961// with awserr.Error's Code and Message methods to get detailed information about 2962// the error. 2963// 2964// See the AWS API reference guide for AWS Key Management Service's 2965// API operation GenerateDataKey for usage and error information. 2966// 2967// Returned Error Types: 2968// * NotFoundException 2969// The request was rejected because the specified entity or resource could not 2970// be found. 2971// 2972// * DisabledException 2973// The request was rejected because the specified CMK is not enabled. 2974// 2975// * KeyUnavailableException 2976// The request was rejected because the specified CMK was not available. You 2977// can retry the request. 2978// 2979// * DependencyTimeoutException 2980// The system timed out while trying to fulfill the request. The request can 2981// be retried. 2982// 2983// * InvalidKeyUsageException 2984// The request was rejected for one of the following reasons: 2985// 2986// * The KeyUsage value of the CMK is incompatible with the API operation. 
//
//      * The encryption algorithm or signing algorithm specified for the operation
//      is incompatible with the type of key material in the CMK (CustomerMasterKeySpec).
//
//   For encrypting, decrypting, re-encrypting, and generating data keys, the
//   KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage
//   must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation.
//
//   To find the encryption or signing algorithms supported for a particular CMK,
//   use the DescribeKey operation.
//
//   * InvalidGrantTokenException
//   The request was rejected because the specified grant token is not valid.
//
//   * InternalException
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * InvalidStateException
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKey
func (c *KMS) GenerateDataKey(input *GenerateDataKeyInput) (*GenerateDataKeyOutput, error) {
	// On success the output carries the plaintext data key (Plaintext field)
	// next to the encrypted copy (CiphertextBlob field); the operation's
	// documentation asks callers to erase the plaintext key from memory once
	// it has been used.
	r, resp := c.GenerateDataKeyRequest(input)
	err := r.Send()
	return resp, err
}

// GenerateDataKeyWithContext is the same as GenerateDataKey with the addition of
// the ability to pass a context and additional request options.
//
// See GenerateDataKey for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests.
// See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) GenerateDataKeyWithContext(ctx aws.Context, input *GenerateDataKeyInput, opts ...request.Option) (*GenerateDataKeyOutput, error) {
	r, resp := c.GenerateDataKeyRequest(input)
	// The context is attached before the options are applied and before the
	// request is sent, in that order.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opGenerateDataKeyPair = "GenerateDataKeyPair"

// GenerateDataKeyPairRequest generates a "aws/request.Request" representing the
// client's request for the GenerateDataKeyPair operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See GenerateDataKeyPair for more information on using the GenerateDataKeyPair
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the GenerateDataKeyPairRequest method.
//    req, resp := client.GenerateDataKeyPairRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPair
func (c *KMS) GenerateDataKeyPairRequest(input *GenerateDataKeyPairInput) (req *request.Request, output *GenerateDataKeyPairOutput) {
	// A nil input is replaced by an empty struct so that newRequest always
	// receives a non-nil parameter value.
	if input == nil {
		input = &GenerateDataKeyPairInput{}
	}

	output = &GenerateDataKeyPairOutput{}
	req = c.newRequest(&request.Operation{
		Name:       opGenerateDataKeyPair,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	return req, output
}

// GenerateDataKeyPair API operation for AWS Key Management Service.
//
// Generates a unique asymmetric data key pair. The GenerateDataKeyPair operation
// returns a plaintext public key, a plaintext private key, and a copy of the
// private key that is encrypted under the symmetric CMK you specify. You can
// use the data key pair to perform asymmetric cryptography outside of AWS KMS.
//
// GenerateDataKeyPair returns a unique data key pair for each request. The
// bytes in the keys are not related to the caller or the CMK that is used to
// encrypt the private key.
//
// You can use the public key that GenerateDataKeyPair returns to encrypt data
// or verify a signature outside of AWS KMS. Then, store the encrypted private
// key with the data. When you are ready to decrypt data or sign a message,
// you can use the Decrypt operation to decrypt the encrypted private key.
//
// To generate a data key pair, you must specify a symmetric customer master
// key (CMK) to encrypt the private key in a data key pair. You cannot use an
// asymmetric CMK or a CMK in a custom key store. To get the type and origin
// of your CMK, use the DescribeKey operation.
3097// 3098// If you are using the data key pair to encrypt data, or for any operation 3099// where you don't immediately need a private key, consider using the GenerateDataKeyPairWithoutPlaintext 3100// operation. GenerateDataKeyPairWithoutPlaintext returns a plaintext public 3101// key and an encrypted private key, but omits the plaintext private key that 3102// you need only to decrypt ciphertext or sign a message. Later, when you need 3103// to decrypt the data or sign a message, use the Decrypt operation to decrypt 3104// the encrypted private key in the data key pair. 3105// 3106// You can use the optional encryption context to add additional security to 3107// the encryption operation. If you specify an EncryptionContext, you must specify 3108// the same encryption context (a case-sensitive exact match) when decrypting 3109// the encrypted data key. Otherwise, the request to decrypt fails with an InvalidCiphertextException. 3110// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) 3111// in the AWS Key Management Service Developer Guide. 3112// 3113// The CMK that you use for this operation must be in a compatible key state. 3114// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 3115// in the AWS Key Management Service Developer Guide. 3116// 3117// Cross-account use: Yes. To perform this operation with a CMK in a different 3118// AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter. 
3119// 3120// Required permissions: kms:GenerateDataKeyPair (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) 3121// (key policy) 3122// 3123// Related operations: 3124// 3125// * Decrypt 3126// 3127// * Encrypt 3128// 3129// * GenerateDataKey 3130// 3131// * GenerateDataKeyPairWithoutPlaintext 3132// 3133// * GenerateDataKeyWithoutPlaintext 3134// 3135// Returns awserr.Error for service API and SDK errors. Use runtime type assertions 3136// with awserr.Error's Code and Message methods to get detailed information about 3137// the error. 3138// 3139// See the AWS API reference guide for AWS Key Management Service's 3140// API operation GenerateDataKeyPair for usage and error information. 3141// 3142// Returned Error Types: 3143// * NotFoundException 3144// The request was rejected because the specified entity or resource could not 3145// be found. 3146// 3147// * DisabledException 3148// The request was rejected because the specified CMK is not enabled. 3149// 3150// * KeyUnavailableException 3151// The request was rejected because the specified CMK was not available. You 3152// can retry the request. 3153// 3154// * DependencyTimeoutException 3155// The system timed out while trying to fulfill the request. The request can 3156// be retried. 3157// 3158// * InvalidKeyUsageException 3159// The request was rejected for one of the following reasons: 3160// 3161// * The KeyUsage value of the CMK is incompatible with the API operation. 3162// 3163// * The encryption algorithm or signing algorithm specified for the operation 3164// is incompatible with the type of key material in the CMK (CustomerMasterKeySpec). 3165// 3166// For encrypting, decrypting, re-encrypting, and generating data keys, the 3167// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage 3168// must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation. 
//
//   To find the encryption or signing algorithms supported for a particular CMK,
//   use the DescribeKey operation.
//
//   * InvalidGrantTokenException
//   The request was rejected because the specified grant token is not valid.
//
//   * InternalException
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * InvalidStateException
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
//   * UnsupportedOperationException
//   The request was rejected because a specified parameter is not supported or
//   a specified resource is not valid for this operation.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPair
func (c *KMS) GenerateDataKeyPair(input *GenerateDataKeyPairInput) (*GenerateDataKeyPairOutput, error) {
	// Per the operation's documentation the response includes the plaintext
	// private key; GenerateDataKeyPairWithoutPlaintext is the variant that
	// omits it when the private key is not needed immediately.
	r, resp := c.GenerateDataKeyPairRequest(input)
	err := r.Send()
	return resp, err
}

// GenerateDataKeyPairWithContext is the same as GenerateDataKeyPair with the addition of
// the ability to pass a context and additional request options.
//
// See GenerateDataKeyPair for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) GenerateDataKeyPairWithContext(ctx aws.Context, input *GenerateDataKeyPairInput, opts ...request.Option) (*GenerateDataKeyPairOutput, error) {
	r, resp := c.GenerateDataKeyPairRequest(input)
	// The context is attached before the options are applied and before the
	// request is sent, in that order.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opGenerateDataKeyPairWithoutPlaintext = "GenerateDataKeyPairWithoutPlaintext"

// GenerateDataKeyPairWithoutPlaintextRequest generates a "aws/request.Request" representing the
// client's request for the GenerateDataKeyPairWithoutPlaintext operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See GenerateDataKeyPairWithoutPlaintext for more information on using the GenerateDataKeyPairWithoutPlaintext
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the GenerateDataKeyPairWithoutPlaintextRequest method.
//    req, resp := client.GenerateDataKeyPairWithoutPlaintextRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintext
func (c *KMS) GenerateDataKeyPairWithoutPlaintextRequest(input *GenerateDataKeyPairWithoutPlaintextInput) (req *request.Request, output *GenerateDataKeyPairWithoutPlaintextOutput) {
	// A nil input is replaced by an empty struct so that newRequest always
	// receives a non-nil parameter value.
	if input == nil {
		input = &GenerateDataKeyPairWithoutPlaintextInput{}
	}

	output = &GenerateDataKeyPairWithoutPlaintextOutput{}
	req = c.newRequest(&request.Operation{
		Name:       opGenerateDataKeyPairWithoutPlaintext,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	return req, output
}

// GenerateDataKeyPairWithoutPlaintext API operation for AWS Key Management Service.
//
// Generates a unique asymmetric data key pair. The GenerateDataKeyPairWithoutPlaintext
// operation returns a plaintext public key and a copy of the private key that
// is encrypted under the symmetric CMK you specify. Unlike GenerateDataKeyPair,
// this operation does not return a plaintext private key.
//
// To generate a data key pair, you must specify a symmetric customer master
// key (CMK) to encrypt the private key in the data key pair. You cannot use
// an asymmetric CMK or a CMK in a custom key store. To get the type and origin
// of your CMK, use the KeySpec field in the DescribeKey response.
//
// You can use the public key that GenerateDataKeyPairWithoutPlaintext returns
// to encrypt data or verify a signature outside of AWS KMS. Then, store the
// encrypted private key with the data. When you are ready to decrypt data or
// sign a message, you can use the Decrypt operation to decrypt the encrypted
// private key.
3273// 3274// GenerateDataKeyPairWithoutPlaintext returns a unique data key pair for each 3275// request. The bytes in the key are not related to the caller or CMK that is 3276// used to encrypt the private key. 3277// 3278// You can use the optional encryption context to add additional security to 3279// the encryption operation. If you specify an EncryptionContext, you must specify 3280// the same encryption context (a case-sensitive exact match) when decrypting 3281// the encrypted data key. Otherwise, the request to decrypt fails with an InvalidCiphertextException. 3282// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) 3283// in the AWS Key Management Service Developer Guide. 3284// 3285// The CMK that you use for this operation must be in a compatible key state. 3286// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 3287// in the AWS Key Management Service Developer Guide. 3288// 3289// Cross-account use: Yes. To perform this operation with a CMK in a different 3290// AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter. 3291// 3292// Required permissions: kms:GenerateDataKeyPairWithoutPlaintext (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) 3293// (key policy) 3294// 3295// Related operations: 3296// 3297// * Decrypt 3298// 3299// * Encrypt 3300// 3301// * GenerateDataKey 3302// 3303// * GenerateDataKeyPair 3304// 3305// * GenerateDataKeyWithoutPlaintext 3306// 3307// Returns awserr.Error for service API and SDK errors. Use runtime type assertions 3308// with awserr.Error's Code and Message methods to get detailed information about 3309// the error. 3310// 3311// See the AWS API reference guide for AWS Key Management Service's 3312// API operation GenerateDataKeyPairWithoutPlaintext for usage and error information. 
3313// 3314// Returned Error Types: 3315// * NotFoundException 3316// The request was rejected because the specified entity or resource could not 3317// be found. 3318// 3319// * DisabledException 3320// The request was rejected because the specified CMK is not enabled. 3321// 3322// * KeyUnavailableException 3323// The request was rejected because the specified CMK was not available. You 3324// can retry the request. 3325// 3326// * DependencyTimeoutException 3327// The system timed out while trying to fulfill the request. The request can 3328// be retried. 3329// 3330// * InvalidKeyUsageException 3331// The request was rejected for one of the following reasons: 3332// 3333// * The KeyUsage value of the CMK is incompatible with the API operation. 3334// 3335// * The encryption algorithm or signing algorithm specified for the operation 3336// is incompatible with the type of key material in the CMK (CustomerMasterKeySpec). 3337// 3338// For encrypting, decrypting, re-encrypting, and generating data keys, the 3339// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage 3340// must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation. 3341// 3342// To find the encryption or signing algorithms supported for a particular CMK, 3343// use the DescribeKey operation. 3344// 3345// * InvalidGrantTokenException 3346// The request was rejected because the specified grant token is not valid. 3347// 3348// * InternalException 3349// The request was rejected because an internal exception occurred. The request 3350// can be retried. 3351// 3352// * InvalidStateException 3353// The request was rejected because the state of the specified resource is not 3354// valid for this request. 
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
//   * UnsupportedOperationException
//   The request was rejected because a specified parameter is not supported or
//   a specified resource is not valid for this operation.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintext
func (c *KMS) GenerateDataKeyPairWithoutPlaintext(input *GenerateDataKeyPairWithoutPlaintextInput) (*GenerateDataKeyPairWithoutPlaintextOutput, error) {
	// Per the operation's documentation the response holds the plaintext
	// public key and the encrypted private key, never the plaintext private key.
	r, resp := c.GenerateDataKeyPairWithoutPlaintextRequest(input)
	err := r.Send()
	return resp, err
}

// GenerateDataKeyPairWithoutPlaintextWithContext is the same as GenerateDataKeyPairWithoutPlaintext with the addition of
// the ability to pass a context and additional request options.
//
// See GenerateDataKeyPairWithoutPlaintext for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) GenerateDataKeyPairWithoutPlaintextWithContext(ctx aws.Context, input *GenerateDataKeyPairWithoutPlaintextInput, opts ...request.Option) (*GenerateDataKeyPairWithoutPlaintextOutput, error) {
	r, resp := c.GenerateDataKeyPairWithoutPlaintextRequest(input)
	// The context is attached before the options are applied and before the
	// request is sent, in that order.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opGenerateDataKeyWithoutPlaintext = "GenerateDataKeyWithoutPlaintext"

// GenerateDataKeyWithoutPlaintextRequest generates a "aws/request.Request" representing the
// client's request for the GenerateDataKeyWithoutPlaintext operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See GenerateDataKeyWithoutPlaintext for more information on using the GenerateDataKeyWithoutPlaintext
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
//
//
//    // Example sending a request using the GenerateDataKeyWithoutPlaintextRequest method.
//    req, resp := client.GenerateDataKeyWithoutPlaintextRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintext
func (c *KMS) GenerateDataKeyWithoutPlaintextRequest(input *GenerateDataKeyWithoutPlaintextInput) (req *request.Request, output *GenerateDataKeyWithoutPlaintextOutput) {
	// A nil input is replaced by an empty struct so that newRequest always
	// receives a non-nil parameter value.
	if input == nil {
		input = &GenerateDataKeyWithoutPlaintextInput{}
	}

	output = &GenerateDataKeyWithoutPlaintextOutput{}
	req = c.newRequest(&request.Operation{
		Name:       opGenerateDataKeyWithoutPlaintext,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	return req, output
}

// GenerateDataKeyWithoutPlaintext API operation for AWS Key Management Service.
//
// Generates a unique symmetric data key.
This operation returns a data key 3431// that is encrypted under a customer master key (CMK) that you specify. To 3432// request an asymmetric data key pair, use the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext 3433// operations. 3434// 3435// GenerateDataKeyWithoutPlaintext is identical to the GenerateDataKey operation 3436// except that it returns only the encrypted copy of the data key. This operation 3437// is useful for systems that need to encrypt data at some point, but not immediately. 3438// When you need to encrypt the data, you call the Decrypt operation on the 3439// encrypted copy of the key. 3440// 3441// It's also useful in distributed systems with different levels of trust. For 3442// example, you might store encrypted data in containers. One component of your 3443// system creates new containers and stores an encrypted data key with each 3444// container. Then, a different component puts the data into the containers. 3445// That component first decrypts the data key, uses the plaintext data key to 3446// encrypt data, puts the encrypted data into the container, and then destroys 3447// the plaintext data key. In this system, the component that creates the containers 3448// never sees the plaintext data key. 3449// 3450// GenerateDataKeyWithoutPlaintext returns a unique data key for each request. 3451// The bytes in the keys are not related to the caller or CMK that is used to 3452// encrypt the private key. 3453// 3454// To generate a data key, you must specify the symmetric customer master key 3455// (CMK) that is used to encrypt the data key. You cannot use an asymmetric 3456// CMK to generate a data key. To get the type of your CMK, use the DescribeKey 3457// operation. 3458// 3459// If the operation succeeds, you will find the encrypted copy of the data key 3460// in the CiphertextBlob field. 3461// 3462// You can use the optional encryption context to add additional security to 3463// the encryption operation.
If you specify an EncryptionContext, you must specify 3464// the same encryption context (a case-sensitive exact match) when decrypting 3465// the encrypted data key. Otherwise, the request to decrypt fails with an InvalidCiphertextException. 3466// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) 3467// in the AWS Key Management Service Developer Guide. 3468// 3469// The CMK that you use for this operation must be in a compatible key state. 3470// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 3471// in the AWS Key Management Service Developer Guide. 3472// 3473// Cross-account use: Yes. To perform this operation with a CMK in a different 3474// AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter. 3475// 3476// Required permissions: kms:GenerateDataKeyWithoutPlaintext (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) 3477// (key policy) 3478// 3479// Related operations: 3480// 3481// * Decrypt 3482// 3483// * Encrypt 3484// 3485// * GenerateDataKey 3486// 3487// * GenerateDataKeyPair 3488// 3489// * GenerateDataKeyPairWithoutPlaintext 3490// 3491// Returns awserr.Error for service API and SDK errors. Use runtime type assertions 3492// with awserr.Error's Code and Message methods to get detailed information about 3493// the error. 3494// 3495// See the AWS API reference guide for AWS Key Management Service's 3496// API operation GenerateDataKeyWithoutPlaintext for usage and error information. 3497// 3498// Returned Error Types: 3499// * NotFoundException 3500// The request was rejected because the specified entity or resource could not 3501// be found. 3502// 3503// * DisabledException 3504// The request was rejected because the specified CMK is not enabled. 
3505// 3506// * KeyUnavailableException 3507// The request was rejected because the specified CMK was not available. You 3508// can retry the request. 3509// 3510// * DependencyTimeoutException 3511// The system timed out while trying to fulfill the request. The request can 3512// be retried. 3513// 3514// * InvalidKeyUsageException 3515// The request was rejected for one of the following reasons: 3516// 3517// * The KeyUsage value of the CMK is incompatible with the API operation. 3518// 3519// * The encryption algorithm or signing algorithm specified for the operation 3520// is incompatible with the type of key material in the CMK (CustomerMasterKeySpec). 3521// 3522// For encrypting, decrypting, re-encrypting, and generating data keys, the 3523// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage 3524// must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation. 3525// 3526// To find the encryption or signing algorithms supported for a particular CMK, 3527// use the DescribeKey operation. 3528// 3529// * InvalidGrantTokenException 3530// The request was rejected because the specified grant token is not valid. 3531// 3532// * InternalException 3533// The request was rejected because an internal exception occurred. The request 3534// can be retried. 3535// 3536// * InvalidStateException 3537// The request was rejected because the state of the specified resource is not 3538// valid for this request. 3539// 3540// For more information about how key state affects the use of a CMK, see How 3541// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 3542// in the AWS Key Management Service Developer Guide . 
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintext
func (c *KMS) GenerateDataKeyWithoutPlaintext(input *GenerateDataKeyWithoutPlaintextInput) (*GenerateDataKeyWithoutPlaintextOutput, error) {
	// Build the request, send it, and return the output together with
	// whatever error Send reports.
	r, result := c.GenerateDataKeyWithoutPlaintextRequest(input)
	err := r.Send()
	return result, err
}

// GenerateDataKeyWithoutPlaintextWithContext behaves like GenerateDataKeyWithoutPlaintext
// and additionally accepts a context and extra request options.
//
// See GenerateDataKeyWithoutPlaintext for details on how to use this API operation.
//
// The context must be non-nil; it is used for request cancellation, and a nil
// context causes a panic. In the future the SDK may create sub-contexts for
// http.Requests. See https://golang.org/pkg/context/ for more information on
// using Contexts.
func (c *KMS) GenerateDataKeyWithoutPlaintextWithContext(ctx aws.Context, input *GenerateDataKeyWithoutPlaintextInput, opts ...request.Option) (*GenerateDataKeyWithoutPlaintextOutput, error) {
	r, result := c.GenerateDataKeyWithoutPlaintextRequest(input)
	// Attach the caller's context and options before the request is sent.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return result, err
}

// opGenerateRandom is the operation name used by GenerateRandomRequest.
const opGenerateRandom = "GenerateRandom"

// GenerateRandomRequest generates a "aws/request.Request" representing the
// client's request for the GenerateRandom operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See GenerateRandom for more information on using the GenerateRandom
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
//
//
//    // Example sending a request using the GenerateRandomRequest method.
//    req, resp := client.GenerateRandomRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// The GenerateRandom response carries the generated random bytes. When they
// are used as secret material, treat the response as sensitive and keep it
// out of logs and console output.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandom
func (c *KMS) GenerateRandomRequest(input *GenerateRandomInput) (req *request.Request, output *GenerateRandomOutput) {
	// Fall back to an empty parameter struct when the caller passes nil.
	if input == nil {
		input = &GenerateRandomInput{}
	}

	output = &GenerateRandomOutput{}
	req = c.newRequest(&request.Operation{
		Name:       opGenerateRandom,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	return req, output
}

// GenerateRandom API operation for AWS Key Management Service.
//
// Returns a random byte string that is cryptographically secure.
//
// By default, the random byte string is generated in AWS KMS. To generate the
// byte string in the AWS CloudHSM cluster that is associated with a custom
// key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html),
// specify the custom key store ID.
//
// For more information about entropy and random number generation, see AWS
// Key Management Service Cryptographic Details (https://docs.aws.amazon.com/kms/latest/cryptographic-details/).
//
// Required permissions: kms:GenerateRandom (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
// (IAM policy)
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
3626// 3627// See the AWS API reference guide for AWS Key Management Service's 3628// API operation GenerateRandom for usage and error information. 3629// 3630// Returned Error Types: 3631// * DependencyTimeoutException 3632// The system timed out while trying to fulfill the request. The request can 3633// be retried. 3634// 3635// * InternalException 3636// The request was rejected because an internal exception occurred. The request 3637// can be retried. 3638// 3639// * CustomKeyStoreNotFoundException 3640// The request was rejected because AWS KMS cannot find a custom key store with 3641// the specified key store name or ID. 3642// 3643// * CustomKeyStoreInvalidStateException 3644// The request was rejected because of the ConnectionState of the custom key 3645// store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores 3646// operation. 3647// 3648// This exception is thrown under the following conditions: 3649// 3650// * You requested the CreateKey or GenerateRandom operation in a custom 3651// key store that is not connected. These operations are valid only when 3652// the custom key store ConnectionState is CONNECTED. 3653// 3654// * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation 3655// on a custom key store that is not disconnected. This operation is valid 3656// only when the custom key store ConnectionState is DISCONNECTED. 3657// 3658// * You requested the ConnectCustomKeyStore operation on a custom key store 3659// with a ConnectionState of DISCONNECTING or FAILED. This operation is valid 3660// for all other ConnectionState values. 
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandom
func (c *KMS) GenerateRandom(input *GenerateRandomInput) (*GenerateRandomOutput, error) {
	// Build the request, send it, and return the output together with
	// whatever error Send reports.
	r, result := c.GenerateRandomRequest(input)
	err := r.Send()
	return result, err
}

// GenerateRandomWithContext behaves like GenerateRandom and additionally
// accepts a context and extra request options.
//
// See GenerateRandom for details on how to use this API operation.
//
// The context must be non-nil; it is used for request cancellation, and a nil
// context causes a panic. In the future the SDK may create sub-contexts for
// http.Requests. See https://golang.org/pkg/context/ for more information on
// using Contexts.
func (c *KMS) GenerateRandomWithContext(ctx aws.Context, input *GenerateRandomInput, opts ...request.Option) (*GenerateRandomOutput, error) {
	r, result := c.GenerateRandomRequest(input)
	// Attach the caller's context and options before the request is sent.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return result, err
}

// opGetKeyPolicy is the operation name used by GetKeyPolicyRequest.
const opGetKeyPolicy = "GetKeyPolicy"

// GetKeyPolicyRequest generates a "aws/request.Request" representing the
// client's request for the GetKeyPolicy operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See GetKeyPolicy for more information on using the GetKeyPolicy
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
//
//
//    // Example sending a request using the GetKeyPolicyRequest method.
//    req, resp := client.GetKeyPolicyRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyPolicy
func (c *KMS) GetKeyPolicyRequest(input *GetKeyPolicyInput) (req *request.Request, output *GetKeyPolicyOutput) {
	// Fall back to an empty parameter struct when the caller passes nil.
	if input == nil {
		input = &GetKeyPolicyInput{}
	}

	output = &GetKeyPolicyOutput{}
	req = c.newRequest(&request.Operation{
		Name:       opGetKeyPolicy,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	return req, output
}

// GetKeyPolicy API operation for AWS Key Management Service.
//
// Gets a key policy attached to the specified customer master key (CMK).
//
// Cross-account use: No. You cannot perform this operation on a CMK in a different
// AWS account.
//
// Required permissions: kms:GetKeyPolicy (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
// (key policy)
//
// Related operations: PutKeyPolicy
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation GetKeyPolicy for usage and error information.
//
// Returned Error Types:
//   * NotFoundException
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * InvalidArnException
//   The request was rejected because a specified ARN, or an ARN in a key policy,
//   is not valid.
//
//   * DependencyTimeoutException
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * InternalException
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * InvalidStateException
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyPolicy
func (c *KMS) GetKeyPolicy(input *GetKeyPolicyInput) (*GetKeyPolicyOutput, error) {
	// Build the request, send it, and return the output together with
	// whatever error Send reports.
	r, result := c.GetKeyPolicyRequest(input)
	err := r.Send()
	return result, err
}

// GetKeyPolicyWithContext behaves like GetKeyPolicy and additionally accepts
// a context and extra request options.
//
// See GetKeyPolicy for details on how to use this API operation.
//
// The context must be non-nil; it is used for request cancellation, and a nil
// context causes a panic. In the future the SDK may create sub-contexts for
// http.Requests. See https://golang.org/pkg/context/ for more information on
// using Contexts.
func (c *KMS) GetKeyPolicyWithContext(ctx aws.Context, input *GetKeyPolicyInput, opts ...request.Option) (*GetKeyPolicyOutput, error) {
	r, result := c.GetKeyPolicyRequest(input)
	// Attach the caller's context and options before the request is sent.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return result, err
}

// opGetKeyRotationStatus is the operation name used by GetKeyRotationStatusRequest.
const opGetKeyRotationStatus = "GetKeyRotationStatus"

// GetKeyRotationStatusRequest generates a "aws/request.Request" representing the
// client's request for the GetKeyRotationStatus operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See GetKeyRotationStatus for more information on using the GetKeyRotationStatus
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
//
//
//    // Example sending a request using the GetKeyRotationStatusRequest method.
//    req, resp := client.GetKeyRotationStatusRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyRotationStatus
func (c *KMS) GetKeyRotationStatusRequest(input *GetKeyRotationStatusInput) (req *request.Request, output *GetKeyRotationStatusOutput) {
	// Fall back to an empty parameter struct when the caller passes nil.
	if input == nil {
		input = &GetKeyRotationStatusInput{}
	}

	output = &GetKeyRotationStatusOutput{}
	req = c.newRequest(&request.Operation{
		Name:       opGetKeyRotationStatus,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	return req, output
}

// GetKeyRotationStatus API operation for AWS Key Management Service.
//
// Gets a Boolean value that indicates whether automatic rotation of the key
// material (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html)
// is enabled for the specified customer master key (CMK).
3839// 3840// You cannot enable automatic rotation of asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks), 3841// CMKs with imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html), 3842// or CMKs in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html). 3843// To enable or disable automatic rotation of a set of related multi-Region 3844// keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key), 3845// set the property on the primary key. The key rotation status for these CMKs 3846// is always false. 3847// 3848// The CMK that you use for this operation must be in a compatible key state. 3849// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 3850// in the AWS Key Management Service Developer Guide. 3851// 3852// * Disabled: The key rotation status does not change when you disable a 3853// CMK. However, while the CMK is disabled, AWS KMS does not rotate the backing 3854// key. 3855// 3856// * Pending deletion: While a CMK is pending deletion, its key rotation 3857// status is false and AWS KMS does not rotate the backing key. If you cancel 3858// the deletion, the original key rotation status is restored. 3859// 3860// Cross-account use: Yes. To perform this operation on a CMK in a different 3861// AWS account, specify the key ARN in the value of the KeyId parameter. 3862// 3863// Required permissions: kms:GetKeyRotationStatus (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) 3864// (key policy) 3865// 3866// Related operations: 3867// 3868// * DisableKeyRotation 3869// 3870// * EnableKeyRotation 3871// 3872// Returns awserr.Error for service API and SDK errors. 
// Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation GetKeyRotationStatus for usage and error information.
//
// Returned Error Types:
//   * NotFoundException
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * InvalidArnException
//   The request was rejected because a specified ARN, or an ARN in a key policy,
//   is not valid.
//
//   * DependencyTimeoutException
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * InternalException
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * InvalidStateException
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
//   * UnsupportedOperationException
//   The request was rejected because a specified parameter is not supported or
//   a specified resource is not valid for this operation.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyRotationStatus
func (c *KMS) GetKeyRotationStatus(input *GetKeyRotationStatusInput) (*GetKeyRotationStatusOutput, error) {
	// Build the request, send it, and return the output together with
	// whatever error Send reports.
	r, result := c.GetKeyRotationStatusRequest(input)
	err := r.Send()
	return result, err
}

// GetKeyRotationStatusWithContext is the same as GetKeyRotationStatus with the addition of
// the ability to pass a context and additional request options.
//
// See GetKeyRotationStatus for details on how to use this API operation.
//
// The context must be non-nil; it is used for request cancellation, and a nil
// context causes a panic. In the future the SDK may create sub-contexts for
// http.Requests. See https://golang.org/pkg/context/ for more information on
// using Contexts.
func (c *KMS) GetKeyRotationStatusWithContext(ctx aws.Context, input *GetKeyRotationStatusInput, opts ...request.Option) (*GetKeyRotationStatusOutput, error) {
	r, result := c.GetKeyRotationStatusRequest(input)
	// Attach the caller's context and options before the request is sent.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return result, err
}

// opGetParametersForImport is the operation name used by GetParametersForImportRequest.
const opGetParametersForImport = "GetParametersForImport"

// GetParametersForImportRequest generates a "aws/request.Request" representing the
// client's request for the GetParametersForImport operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See GetParametersForImport for more information on using the GetParametersForImport
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
//
//
//    // Example sending a request using the GetParametersForImportRequest method.
//    req, resp := client.GetParametersForImportRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImport
func (c *KMS) GetParametersForImportRequest(input *GetParametersForImportInput) (req *request.Request, output *GetParametersForImportOutput) {
	// Fall back to an empty parameter struct when the caller passes nil.
	if input == nil {
		input = &GetParametersForImportInput{}
	}

	output = &GetParametersForImportOutput{}
	req = c.newRequest(&request.Operation{
		Name:       opGetParametersForImport,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	return req, output
}

// GetParametersForImport API operation for AWS Key Management Service.
//
// Returns the items you need to import key material into a symmetric, customer
// managed customer master key (CMK). For more information about importing key
// material into AWS KMS, see Importing Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html)
// in the AWS Key Management Service Developer Guide.
//
// This operation returns a public key and an import token. Use the public key
// to encrypt the symmetric key material. Store the import token to send with
// a subsequent ImportKeyMaterial request.
//
// You must specify the key ID of the symmetric CMK into which you will import
// key material. This CMK's Origin must be EXTERNAL. You must also specify the
// wrapping algorithm and type of wrapping key (public key) that you will use
// to encrypt the key material. You cannot perform this operation on an asymmetric
// CMK or on any CMK in a different AWS account.
//
// To import key material, you must use the public key and import token from
// the same response. These items are valid for 24 hours.
The expiration date 3991// and time appear in the GetParametersForImport response. You cannot use an 3992// expired token in an ImportKeyMaterial request. If your key and token expire, 3993// send another GetParametersForImport request. 3994// 3995// The CMK that you use for this operation must be in a compatible key state. 3996// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 3997// in the AWS Key Management Service Developer Guide. 3998// 3999// Cross-account use: No. You cannot perform this operation on a CMK in a different 4000// AWS account. 4001// 4002// Required permissions: kms:GetParametersForImport (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) 4003// (key policy) 4004// 4005// Related operations: 4006// 4007// * ImportKeyMaterial 4008// 4009// * DeleteImportedKeyMaterial 4010// 4011// Returns awserr.Error for service API and SDK errors. Use runtime type assertions 4012// with awserr.Error's Code and Message methods to get detailed information about 4013// the error. 4014// 4015// See the AWS API reference guide for AWS Key Management Service's 4016// API operation GetParametersForImport for usage and error information. 4017// 4018// Returned Error Types: 4019// * InvalidArnException 4020// The request was rejected because a specified ARN, or an ARN in a key policy, 4021// is not valid. 4022// 4023// * UnsupportedOperationException 4024// The request was rejected because a specified parameter is not supported or 4025// a specified resource is not valid for this operation. 4026// 4027// * DependencyTimeoutException 4028// The system timed out while trying to fulfill the request. The request can 4029// be retried. 4030// 4031// * NotFoundException 4032// The request was rejected because the specified entity or resource could not 4033// be found. 
//
//   * InternalException
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * InvalidStateException
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImport
func (c *KMS) GetParametersForImport(input *GetParametersForImportInput) (*GetParametersForImportOutput, error) {
	// Build the request, send it, and return the output together with
	// whatever error Send reports.
	r, result := c.GetParametersForImportRequest(input)
	err := r.Send()
	return result, err
}

// GetParametersForImportWithContext behaves like GetParametersForImport and
// additionally accepts a context and extra request options.
//
// See GetParametersForImport for details on how to use this API operation.
//
// The context must be non-nil; it is used for request cancellation, and a nil
// context causes a panic. In the future the SDK may create sub-contexts for
// http.Requests. See https://golang.org/pkg/context/ for more information on
// using Contexts.
func (c *KMS) GetParametersForImportWithContext(ctx aws.Context, input *GetParametersForImportInput, opts ...request.Option) (*GetParametersForImportOutput, error) {
	r, result := c.GetParametersForImportRequest(input)
	// Attach the caller's context and options before the request is sent.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return result, err
}

// opGetPublicKey is the operation name used by GetPublicKeyRequest.
const opGetPublicKey = "GetPublicKey"

// GetPublicKeyRequest generates a "aws/request.Request" representing the
// client's request for the GetPublicKey operation.
// The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See GetPublicKey for more information on using the GetPublicKey
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
//
//
//    // Example sending a request using the GetPublicKeyRequest method.
//    req, resp := client.GetPublicKeyRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKey
func (c *KMS) GetPublicKeyRequest(input *GetPublicKeyInput) (req *request.Request, output *GetPublicKeyOutput) {
	// Fall back to an empty parameter struct when the caller passes nil.
	if input == nil {
		input = &GetPublicKeyInput{}
	}

	output = &GetPublicKeyOutput{}
	req = c.newRequest(&request.Operation{
		Name:       opGetPublicKey,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	return req, output
}

// GetPublicKey API operation for AWS Key Management Service.
//
// Returns the public key of an asymmetric CMK. Unlike the private key of an
// asymmetric CMK, which never leaves AWS KMS unencrypted, callers with kms:GetPublicKey
// permission can download the public key of an asymmetric CMK. You can share
// the public key to allow others to encrypt messages and verify signatures
// outside of AWS KMS.
// For information about symmetric and asymmetric CMKs,
// see Using Symmetric and Asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html)
// in the AWS Key Management Service Developer Guide.
//
// You do not need to download the public key. Instead, you can use the public
// key within AWS KMS by calling the Encrypt, ReEncrypt, or Verify operations
// with the identifier of an asymmetric CMK. When you use the public key within
// AWS KMS, you benefit from the authentication, authorization, and logging
// that are part of every AWS KMS operation. You also reduce the risk of encrypting
// data that cannot be decrypted. These features are not effective outside of
// AWS KMS. For details, see Special Considerations for Downloading Public Keys
// (https://docs.aws.amazon.com/kms/latest/developerguide/download-public-key.html#download-public-key-considerations).
//
// To help you use the public key safely outside of AWS KMS, GetPublicKey returns
// important information about the public key in the response, including:
//
//    * CustomerMasterKeySpec (https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-CustomerMasterKeySpec):
//    The type of key material in the public key, such as RSA_4096 or ECC_NIST_P521.
//
//    * KeyUsage (https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-KeyUsage):
//    Whether the key is used for encryption or signing.
//
//    * EncryptionAlgorithms (https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-EncryptionAlgorithms)
//    or SigningAlgorithms (https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-SigningAlgorithms):
//    A list of the encryption algorithms or the signing algorithms for the
//    key.
//
// Although AWS KMS cannot enforce these restrictions on external operations,
// it is crucial that you use this information to prevent the public key from
// being used improperly. For example, you can prevent a public signing key
// from being used to encrypt data, or prevent a public key from being used with
// an encryption algorithm that is not supported by AWS KMS. You can also avoid
// errors, such as using the wrong signing algorithm in a verification operation.
//
// The CMK that you use for this operation must be in a compatible key state.
// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
// in the AWS Key Management Service Developer Guide.
//
// Cross-account use: Yes. To perform this operation with a CMK in a different
// AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter.
//
// Required permissions: kms:GetPublicKey (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
// (key policy)
//
// Related operations: CreateKey
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation GetPublicKey for usage and error information.
//
// Returned Error Types:
//   * NotFoundException
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * DisabledException
//   The request was rejected because the specified CMK is not enabled.
//
//   * KeyUnavailableException
//   The request was rejected because the specified CMK was not available. You
//   can retry the request.
4181// 4182// * DependencyTimeoutException 4183// The system timed out while trying to fulfill the request. The request can 4184// be retried. 4185// 4186// * UnsupportedOperationException 4187// The request was rejected because a specified parameter is not supported or 4188// a specified resource is not valid for this operation. 4189// 4190// * InvalidArnException 4191// The request was rejected because a specified ARN, or an ARN in a key policy, 4192// is not valid. 4193// 4194// * InvalidGrantTokenException 4195// The request was rejected because the specified grant token is not valid. 4196// 4197// * InvalidKeyUsageException 4198// The request was rejected for one of the following reasons: 4199// 4200// * The KeyUsage value of the CMK is incompatible with the API operation. 4201// 4202// * The encryption algorithm or signing algorithm specified for the operation 4203// is incompatible with the type of key material in the CMK (CustomerMasterKeySpec). 4204// 4205// For encrypting, decrypting, re-encrypting, and generating data keys, the 4206// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage 4207// must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation. 4208// 4209// To find the encryption or signing algorithms supported for a particular CMK, 4210// use the DescribeKey operation. 4211// 4212// * InternalException 4213// The request was rejected because an internal exception occurred. The request 4214// can be retried. 4215// 4216// * InvalidStateException 4217// The request was rejected because the state of the specified resource is not 4218// valid for this request. 4219// 4220// For more information about how key state affects the use of a CMK, see How 4221// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 4222// in the AWS Key Management Service Developer Guide . 
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKey
func (c *KMS) GetPublicKey(input *GetPublicKeyInput) (*GetPublicKeyOutput, error) {
	// Build the request, send it, and return the output value the request fills in.
	r, resp := c.GetPublicKeyRequest(input)
	err := r.Send()
	return resp, err
}

// GetPublicKeyWithContext behaves like GetPublicKey and additionally accepts
// a context and optional request options.
//
// See GetPublicKey for details on how to use this API operation.
//
// The context is used for request cancellation and must be non-nil; a nil
// context causes a panic. In the future the SDK may create sub-contexts for
// http.Requests. See https://golang.org/pkg/context/ for more information on
// using Contexts.
func (c *KMS) GetPublicKeyWithContext(ctx aws.Context, input *GetPublicKeyInput, opts ...request.Option) (*GetPublicKeyOutput, error) {
	r, resp := c.GetPublicKeyRequest(input)
	r.SetContext(ctx)
	// Caller-supplied options are applied after the context is attached.
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opImportKeyMaterial = "ImportKeyMaterial"

// ImportKeyMaterialRequest generates a "aws/request.Request" representing the
// client's request for the ImportKeyMaterial operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See ImportKeyMaterial for more information on using the ImportKeyMaterial
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the ImportKeyMaterialRequest method.
//    req, resp := client.ImportKeyMaterialRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ImportKeyMaterial
func (c *KMS) ImportKeyMaterialRequest(input *ImportKeyMaterialInput) (req *request.Request, output *ImportKeyMaterialOutput) {
	// A nil input is replaced by an empty one before the request is built.
	if input == nil {
		input = &ImportKeyMaterialInput{}
	}
	output = &ImportKeyMaterialOutput{}

	req = c.newRequest(&request.Operation{
		Name:       opImportKeyMaterial,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)

	// The JSON-RPC unmarshal handler is swapped for the discard-body handler,
	// so the response body is not decoded into output.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}

// ImportKeyMaterial API operation for AWS Key Management Service.
//
// Imports key material into an existing symmetric AWS KMS customer master key
// (CMK) that was created without key material. After you successfully import
// key material into a CMK, you can reimport the same key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material)
// into that CMK, but you cannot import different key material.
//
// You cannot perform this operation on an asymmetric CMK or on any CMK in a
// different AWS account. For more information about creating CMKs with no key
// material and then importing key material, see Importing Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html)
// in the AWS Key Management Service Developer Guide.
//
// Before using this operation, call GetParametersForImport. Its response includes
// a public key and an import token. Use the public key to encrypt the key material.
// Then, submit the import token from the same GetParametersForImport response.
//
// When calling this operation, you must specify the following values:
//
//    * The key ID or key ARN of a CMK with no key material. Its Origin must
//    be EXTERNAL. To create a CMK with no key material, call CreateKey and
//    set the value of its Origin parameter to EXTERNAL. To get the Origin of
//    a CMK, call DescribeKey.
//
//    * The encrypted key material. To get the public key to encrypt the key
//    material, call GetParametersForImport.
//
//    * The import token that GetParametersForImport returned. You must use
//    a public key and token from the same GetParametersForImport response.
//
//    * Whether the key material expires and if so, when. If you set an expiration
//    date, AWS KMS deletes the key material from the CMK on the specified date,
//    and the CMK becomes unusable. To use the CMK again, you must reimport
//    the same key material. The only way to change an expiration date is by
//    reimporting the same key material and specifying a new expiration date.
//
// When this operation is successful, the key state of the CMK changes from
// PendingImport to Enabled, and you can use the CMK.
//
// If this operation fails, use the exception to help determine the problem.
// If the error is related to the key material, the import token, or wrapping
// key, use GetParametersForImport to get a new public key and import token
// for the CMK and repeat the import procedure. For help, see How To Import
// Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#importing-keys-overview)
// in the AWS Key Management Service Developer Guide.
//
// The CMK that you use for this operation must be in a compatible key state.
// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
// in the AWS Key Management Service Developer Guide.
4337// 4338// Cross-account use: No. You cannot perform this operation on a CMK in a different 4339// AWS account. 4340// 4341// Required permissions: kms:ImportKeyMaterial (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) 4342// (key policy) 4343// 4344// Related operations: 4345// 4346// * DeleteImportedKeyMaterial 4347// 4348// * GetParametersForImport 4349// 4350// Returns awserr.Error for service API and SDK errors. Use runtime type assertions 4351// with awserr.Error's Code and Message methods to get detailed information about 4352// the error. 4353// 4354// See the AWS API reference guide for AWS Key Management Service's 4355// API operation ImportKeyMaterial for usage and error information. 4356// 4357// Returned Error Types: 4358// * InvalidArnException 4359// The request was rejected because a specified ARN, or an ARN in a key policy, 4360// is not valid. 4361// 4362// * UnsupportedOperationException 4363// The request was rejected because a specified parameter is not supported or 4364// a specified resource is not valid for this operation. 4365// 4366// * DependencyTimeoutException 4367// The system timed out while trying to fulfill the request. The request can 4368// be retried. 4369// 4370// * NotFoundException 4371// The request was rejected because the specified entity or resource could not 4372// be found. 4373// 4374// * InternalException 4375// The request was rejected because an internal exception occurred. The request 4376// can be retried. 4377// 4378// * InvalidStateException 4379// The request was rejected because the state of the specified resource is not 4380// valid for this request. 4381// 4382// For more information about how key state affects the use of a CMK, see How 4383// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 4384// in the AWS Key Management Service Developer Guide . 
//
//   * InvalidCiphertextException
//   From the Decrypt or ReEncrypt operation, the request was rejected because
//   the specified ciphertext, or additional authenticated data incorporated into
//   the ciphertext, such as the encryption context, is corrupted, missing, or
//   otherwise invalid.
//
//   From the ImportKeyMaterial operation, the request was rejected because AWS
//   KMS could not decrypt the encrypted (wrapped) key material.
//
//   * IncorrectKeyMaterialException
//   The request was rejected because the key material in the request is expired,
//   invalid, or is not the same key material that was previously imported into
//   this customer master key (CMK).
//
//   * ExpiredImportTokenException
//   The request was rejected because the specified import token is expired. Use
//   GetParametersForImport to get a new import token and public key, use the
//   new public key to encrypt the key material, and then try the request again.
//
//   * InvalidImportTokenException
//   The request was rejected because the provided import token is invalid or
//   is associated with a different customer master key (CMK).
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ImportKeyMaterial
func (c *KMS) ImportKeyMaterial(input *ImportKeyMaterialInput) (*ImportKeyMaterialOutput, error) {
	// Build the request, send it, and return the output value alongside Send's error.
	r, resp := c.ImportKeyMaterialRequest(input)
	err := r.Send()
	return resp, err
}

// ImportKeyMaterialWithContext is the same as ImportKeyMaterial with the addition of
// the ability to pass a context and additional request options.
//
// See ImportKeyMaterial for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests.
// See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) ImportKeyMaterialWithContext(ctx aws.Context, input *ImportKeyMaterialInput, opts ...request.Option) (*ImportKeyMaterialOutput, error) {
	r, resp := c.ImportKeyMaterialRequest(input)
	r.SetContext(ctx)
	// Caller-supplied options are applied after the context is attached.
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opListAliases = "ListAliases"

// ListAliasesRequest generates a "aws/request.Request" representing the
// client's request for the ListAliases operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See ListAliases for more information on using the ListAliases
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the ListAliasesRequest method.
//    req, resp := client.ListAliasesRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListAliases
func (c *KMS) ListAliasesRequest(input *ListAliasesInput) (req *request.Request, output *ListAliasesOutput) {
	// A nil input is replaced by an empty one before the request is built.
	if input == nil {
		input = &ListAliasesInput{}
	}
	output = &ListAliasesOutput{}

	// The operation carries the field names handed to the SDK paginator.
	req = c.newRequest(&request.Operation{
		Name:       opListAliases,
		HTTPMethod: "POST",
		HTTPPath:   "/",
		Paginator: &request.Paginator{
			InputTokens:     []string{"Marker"},
			OutputTokens:    []string{"NextMarker"},
			LimitToken:      "Limit",
			TruncationToken: "Truncated",
		},
	}, input, output)
	return req, output
}

// ListAliases API operation for AWS Key Management Service.
//
// Gets a list of aliases in the caller's AWS account and region. For more information
// about aliases, see CreateAlias.
//
// By default, the ListAliases operation returns all aliases in the account
// and region. To get only the aliases associated with a particular customer
// master key (CMK), use the KeyId parameter.
//
// The ListAliases response can include aliases that you created and associated
// with your customer managed CMKs, and aliases that AWS created and associated
// with AWS managed CMKs in your account. You can recognize AWS aliases because
// their names have the format aws/<service-name>, such as aws/dynamodb.
//
// The response might also include aliases that have no TargetKeyId field. These
// are predefined aliases that AWS has created but has not yet associated with
// a CMK. Aliases that AWS creates in your account, including predefined aliases,
// do not count against your AWS KMS aliases quota (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html#aliases-limit).
4497// 4498// Cross-account use: No. ListAliases does not return aliases in other AWS accounts. 4499// 4500// Required permissions: kms:ListAliases (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) 4501// (IAM policy) 4502// 4503// For details, see Controlling access to aliases (https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access) 4504// in the AWS Key Management Service Developer Guide. 4505// 4506// Related operations: 4507// 4508// * CreateAlias 4509// 4510// * DeleteAlias 4511// 4512// * UpdateAlias 4513// 4514// Returns awserr.Error for service API and SDK errors. Use runtime type assertions 4515// with awserr.Error's Code and Message methods to get detailed information about 4516// the error. 4517// 4518// See the AWS API reference guide for AWS Key Management Service's 4519// API operation ListAliases for usage and error information. 4520// 4521// Returned Error Types: 4522// * DependencyTimeoutException 4523// The system timed out while trying to fulfill the request. The request can 4524// be retried. 4525// 4526// * InvalidMarkerException 4527// The request was rejected because the marker that specifies where pagination 4528// should next begin is not valid. 4529// 4530// * InternalException 4531// The request was rejected because an internal exception occurred. The request 4532// can be retried. 4533// 4534// * InvalidArnException 4535// The request was rejected because a specified ARN, or an ARN in a key policy, 4536// is not valid. 4537// 4538// * NotFoundException 4539// The request was rejected because the specified entity or resource could not 4540// be found. 
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListAliases
func (c *KMS) ListAliases(input *ListAliasesInput) (*ListAliasesOutput, error) {
	// Build the request, send it, and return the output value alongside Send's error.
	r, resp := c.ListAliasesRequest(input)
	err := r.Send()
	return resp, err
}

// ListAliasesWithContext behaves like ListAliases and additionally accepts
// a context and optional request options.
//
// See ListAliases for details on how to use this API operation.
//
// The context is used for request cancellation and must be non-nil; a nil
// context causes a panic. In the future the SDK may create sub-contexts for
// http.Requests. See https://golang.org/pkg/context/ for more information on
// using Contexts.
func (c *KMS) ListAliasesWithContext(ctx aws.Context, input *ListAliasesInput, opts ...request.Option) (*ListAliasesOutput, error) {
	r, resp := c.ListAliasesRequest(input)
	r.SetContext(ctx)
	// Caller-supplied options are applied after the context is attached.
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

// ListAliasesPages iterates over the pages of a ListAliases operation,
// calling the "fn" function with the response data for each page. To stop
// iterating, return false from the fn function.
//
// See ListAliases method for more information on how to use this operation.
//
// Note: This operation can generate multiple requests to a service.
//
//    // Example iterating over at most 3 pages of a ListAliases operation.
//    pageNum := 0
//    err := client.ListAliasesPages(params,
//        func(page *kms.ListAliasesOutput, lastPage bool) bool {
//            pageNum++
//            fmt.Println(page)
//            return pageNum <= 3
//        })
//
func (c *KMS) ListAliasesPages(input *ListAliasesInput, fn func(*ListAliasesOutput, bool) bool) error {
	// Delegates to the context-aware variant using the SDK's background context.
	ctx := aws.BackgroundContext()
	return c.ListAliasesPagesWithContext(ctx, input, fn)
}

// ListAliasesPagesWithContext does the same as ListAliasesPages, but takes a
// Context and allows request options to be set on every page request.
//
// The context is used for request cancellation and must be non-nil; a nil
// context causes a panic. In the future the SDK may create sub-contexts for
// http.Requests. See https://golang.org/pkg/context/ for more information on
// using Contexts.
func (c *KMS) ListAliasesPagesWithContext(ctx aws.Context, input *ListAliasesInput, fn func(*ListAliasesOutput, bool) bool, opts ...request.Option) error {
	// Every page request is built from its own shallow copy of input, so the
	// caller's struct is never the one handed to the request.
	newPageRequest := func() (*request.Request, error) {
		var pageInput *ListAliasesInput
		if input != nil {
			cp := *input
			pageInput = &cp
		}
		// The second result (the output value) is not needed here.
		r, _ := c.ListAliasesRequest(pageInput)
		r.SetContext(ctx)
		r.ApplyOptions(opts...)
		return r, nil
	}
	pager := request.Pagination{NewRequest: newPageRequest}

	for pager.Next() {
		// Unchecked assertion: panics if the page is not a *ListAliasesOutput.
		page := pager.Page().(*ListAliasesOutput)
		isLast := !pager.HasNextPage()
		if !fn(page, isLast) {
			break
		}
	}

	return pager.Err()
}

const opListGrants = "ListGrants"

// ListGrantsRequest generates a "aws/request.Request" representing the
// client's request for the ListGrants operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See ListGrants for more information on using the ListGrants
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the ListGrantsRequest method.
//    req, resp := client.ListGrantsRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListGrants
func (c *KMS) ListGrantsRequest(input *ListGrantsInput) (req *request.Request, output *ListGrantsResponse) {
	// A nil input is replaced by an empty one before the request is built.
	if input == nil {
		input = &ListGrantsInput{}
	}
	output = &ListGrantsResponse{}

	// The operation carries the field names handed to the SDK paginator.
	req = c.newRequest(&request.Operation{
		Name:       opListGrants,
		HTTPMethod: "POST",
		HTTPPath:   "/",
		Paginator: &request.Paginator{
			InputTokens:     []string{"Marker"},
			OutputTokens:    []string{"NextMarker"},
			LimitToken:      "Limit",
			TruncationToken: "Truncated",
		},
	}, input, output)
	return req, output
}

// ListGrants API operation for AWS Key Management Service.
//
// Gets a list of all grants for the specified customer master key (CMK).
//
// You must specify the CMK in all requests. You can filter the grant list by
// grant ID or grantee principal.
//
// The GranteePrincipal field in the ListGrants response usually contains the
// user or role designated as the grantee principal in the grant. However, when
// the grantee principal in the grant is an AWS service, the GranteePrincipal
// field contains the service principal (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services),
// which might represent several different grantee principals.
//
// Cross-account use: Yes.
To perform this operation on a CMK in a different 4678// AWS account, specify the key ARN in the value of the KeyId parameter. 4679// 4680// Required permissions: kms:ListGrants (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) 4681// (key policy) 4682// 4683// Related operations: 4684// 4685// * CreateGrant 4686// 4687// * ListRetirableGrants 4688// 4689// * RetireGrant 4690// 4691// * RevokeGrant 4692// 4693// Returns awserr.Error for service API and SDK errors. Use runtime type assertions 4694// with awserr.Error's Code and Message methods to get detailed information about 4695// the error. 4696// 4697// See the AWS API reference guide for AWS Key Management Service's 4698// API operation ListGrants for usage and error information. 4699// 4700// Returned Error Types: 4701// * NotFoundException 4702// The request was rejected because the specified entity or resource could not 4703// be found. 4704// 4705// * DependencyTimeoutException 4706// The system timed out while trying to fulfill the request. The request can 4707// be retried. 4708// 4709// * InvalidMarkerException 4710// The request was rejected because the marker that specifies where pagination 4711// should next begin is not valid. 4712// 4713// * InvalidGrantIdException 4714// The request was rejected because the specified GrantId is not valid. 4715// 4716// * InvalidArnException 4717// The request was rejected because a specified ARN, or an ARN in a key policy, 4718// is not valid. 4719// 4720// * InternalException 4721// The request was rejected because an internal exception occurred. The request 4722// can be retried. 4723// 4724// * InvalidStateException 4725// The request was rejected because the state of the specified resource is not 4726// valid for this request. 
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListGrants
func (c *KMS) ListGrants(input *ListGrantsInput) (*ListGrantsResponse, error) {
	// Build the request, send it, and return the output value alongside Send's error.
	r, resp := c.ListGrantsRequest(input)
	err := r.Send()
	return resp, err
}

// ListGrantsWithContext behaves like ListGrants and additionally accepts
// a context and optional request options.
//
// See ListGrants for details on how to use this API operation.
//
// The context is used for request cancellation and must be non-nil; a nil
// context causes a panic. In the future the SDK may create sub-contexts for
// http.Requests. See https://golang.org/pkg/context/ for more information on
// using Contexts.
func (c *KMS) ListGrantsWithContext(ctx aws.Context, input *ListGrantsInput, opts ...request.Option) (*ListGrantsResponse, error) {
	r, resp := c.ListGrantsRequest(input)
	r.SetContext(ctx)
	// Caller-supplied options are applied after the context is attached.
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

// ListGrantsPages iterates over the pages of a ListGrants operation,
// calling the "fn" function with the response data for each page. To stop
// iterating, return false from the fn function.
//
// See ListGrants method for more information on how to use this operation.
//
// Note: This operation can generate multiple requests to a service.
//
//    // Example iterating over at most 3 pages of a ListGrants operation.
//    pageNum := 0
//    err := client.ListGrantsPages(params,
//        func(page *kms.ListGrantsResponse, lastPage bool) bool {
//            pageNum++
//            fmt.Println(page)
//            return pageNum <= 3
//        })
//
func (c *KMS) ListGrantsPages(input *ListGrantsInput, fn func(*ListGrantsResponse, bool) bool) error {
	// Delegates to the context-aware variant using the SDK's background context.
	ctx := aws.BackgroundContext()
	return c.ListGrantsPagesWithContext(ctx, input, fn)
}

// ListGrantsPagesWithContext does the same as ListGrantsPages, but takes a
// Context and allows request options to be set on every page request.
//
// The context is used for request cancellation and must be non-nil; a nil
// context causes a panic. In the future the SDK may create sub-contexts for
// http.Requests. See https://golang.org/pkg/context/ for more information on
// using Contexts.
func (c *KMS) ListGrantsPagesWithContext(ctx aws.Context, input *ListGrantsInput, fn func(*ListGrantsResponse, bool) bool, opts ...request.Option) error {
	// Every page request is built from its own shallow copy of input, so the
	// caller's struct is never the one handed to the request.
	newPageRequest := func() (*request.Request, error) {
		var pageInput *ListGrantsInput
		if input != nil {
			cp := *input
			pageInput = &cp
		}
		// The second result (the output value) is not needed here.
		r, _ := c.ListGrantsRequest(pageInput)
		r.SetContext(ctx)
		r.ApplyOptions(opts...)
		return r, nil
	}
	pager := request.Pagination{NewRequest: newPageRequest}

	for pager.Next() {
		// Unchecked assertion: panics if the page is not a *ListGrantsResponse.
		page := pager.Page().(*ListGrantsResponse)
		isLast := !pager.HasNextPage()
		if !fn(page, isLast) {
			break
		}
	}

	return pager.Err()
}

const opListKeyPolicies = "ListKeyPolicies"

// ListKeyPoliciesRequest generates a "aws/request.Request" representing the
// client's request for the ListKeyPolicies operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See ListKeyPolicies for more information on using the ListKeyPolicies
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the ListKeyPoliciesRequest method.
//    req, resp := client.ListKeyPoliciesRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyPolicies
func (c *KMS) ListKeyPoliciesRequest(input *ListKeyPoliciesInput) (req *request.Request, output *ListKeyPoliciesOutput) {
	// A nil input is replaced by an empty one before the request is built.
	if input == nil {
		input = &ListKeyPoliciesInput{}
	}
	output = &ListKeyPoliciesOutput{}

	// The operation carries the field names handed to the SDK paginator.
	req = c.newRequest(&request.Operation{
		Name:       opListKeyPolicies,
		HTTPMethod: "POST",
		HTTPPath:   "/",
		Paginator: &request.Paginator{
			InputTokens:     []string{"Marker"},
			OutputTokens:    []string{"NextMarker"},
			LimitToken:      "Limit",
			TruncationToken: "Truncated",
		},
	}, input, output)
	return req, output
}

// ListKeyPolicies API operation for AWS Key Management Service.
//
// Gets the names of the key policies that are attached to a customer master
// key (CMK). This operation is designed to get policy names that you can use
// in a GetKeyPolicy operation. However, the only valid policy name is default.
//
// Cross-account use: No. You cannot perform this operation on a CMK in a different
// AWS account.
4862// 4863// Required permissions: kms:ListKeyPolicies (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) 4864// (key policy) 4865// 4866// Related operations: 4867// 4868// * GetKeyPolicy 4869// 4870// * PutKeyPolicy 4871// 4872// Returns awserr.Error for service API and SDK errors. Use runtime type assertions 4873// with awserr.Error's Code and Message methods to get detailed information about 4874// the error. 4875// 4876// See the AWS API reference guide for AWS Key Management Service's 4877// API operation ListKeyPolicies for usage and error information. 4878// 4879// Returned Error Types: 4880// * NotFoundException 4881// The request was rejected because the specified entity or resource could not 4882// be found. 4883// 4884// * InvalidArnException 4885// The request was rejected because a specified ARN, or an ARN in a key policy, 4886// is not valid. 4887// 4888// * DependencyTimeoutException 4889// The system timed out while trying to fulfill the request. The request can 4890// be retried. 4891// 4892// * InternalException 4893// The request was rejected because an internal exception occurred. The request 4894// can be retried. 4895// 4896// * InvalidStateException 4897// The request was rejected because the state of the specified resource is not 4898// valid for this request. 4899// 4900// For more information about how key state affects the use of a CMK, see How 4901// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 4902// in the AWS Key Management Service Developer Guide . 
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyPolicies
func (c *KMS) ListKeyPolicies(input *ListKeyPoliciesInput) (*ListKeyPoliciesOutput, error) {
	// Build the request, send it, and return the output value alongside Send's error.
	r, resp := c.ListKeyPoliciesRequest(input)
	err := r.Send()
	return resp, err
}

// ListKeyPoliciesWithContext behaves like ListKeyPolicies and additionally
// accepts a context and optional request options.
//
// See ListKeyPolicies for details on how to use this API operation.
//
// The context is used for request cancellation and must be non-nil; a nil
// context causes a panic. In the future the SDK may create sub-contexts for
// http.Requests. See https://golang.org/pkg/context/ for more information on
// using Contexts.
func (c *KMS) ListKeyPoliciesWithContext(ctx aws.Context, input *ListKeyPoliciesInput, opts ...request.Option) (*ListKeyPoliciesOutput, error) {
	r, resp := c.ListKeyPoliciesRequest(input)
	r.SetContext(ctx)
	// Caller-supplied options are applied after the context is attached.
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

// ListKeyPoliciesPages iterates over the pages of a ListKeyPolicies operation,
// calling the "fn" function with the response data for each page. To stop
// iterating, return false from the fn function.
//
// See ListKeyPolicies method for more information on how to use this operation.
//
// Note: This operation can generate multiple requests to a service.
//
//    // Example iterating over at most 3 pages of a ListKeyPolicies operation.
//    pageNum := 0
//    err := client.ListKeyPoliciesPages(params,
//        func(page *kms.ListKeyPoliciesOutput, lastPage bool) bool {
//            pageNum++
//            fmt.Println(page)
//            return pageNum <= 3
//        })
//
func (c *KMS) ListKeyPoliciesPages(input *ListKeyPoliciesInput, fn func(*ListKeyPoliciesOutput, bool) bool) error {
	// Delegates to the context-aware variant using the SDK's background context.
	ctx := aws.BackgroundContext()
	return c.ListKeyPoliciesPagesWithContext(ctx, input, fn)
}

// ListKeyPoliciesPagesWithContext does the same as ListKeyPoliciesPages, but
// takes a Context and allows request options to be set on every page request.
//
// The context is used for request cancellation and must be non-nil; a nil
// context causes a panic. In the future the SDK may create sub-contexts for
// http.Requests. See https://golang.org/pkg/context/ for more information on
// using Contexts.
func (c *KMS) ListKeyPoliciesPagesWithContext(ctx aws.Context, input *ListKeyPoliciesInput, fn func(*ListKeyPoliciesOutput, bool) bool, opts ...request.Option) error {
	// Every page request is built from its own shallow copy of input, so the
	// caller's struct is never the one handed to the request.
	newPageRequest := func() (*request.Request, error) {
		var pageInput *ListKeyPoliciesInput
		if input != nil {
			cp := *input
			pageInput = &cp
		}
		// The second result (the output value) is not needed here.
		r, _ := c.ListKeyPoliciesRequest(pageInput)
		r.SetContext(ctx)
		r.ApplyOptions(opts...)
		return r, nil
	}
	pager := request.Pagination{NewRequest: newPageRequest}

	for pager.Next() {
		// Unchecked assertion: panics if the page is not a *ListKeyPoliciesOutput.
		page := pager.Page().(*ListKeyPoliciesOutput)
		isLast := !pager.HasNextPage()
		if !fn(page, isLast) {
			break
		}
	}

	return pager.Err()
}

const opListKeys = "ListKeys"

// ListKeysRequest generates a "aws/request.Request" representing the
// client's request for the ListKeys operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See ListKeys for more information on using the ListKeys
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the ListKeysRequest method.
//    req, resp := client.ListKeysRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeys
func (c *KMS) ListKeysRequest(input *ListKeysInput) (req *request.Request, output *ListKeysOutput) {
	// A nil input is replaced by an empty one so newRequest always receives a
	// non-nil input value.
	if input == nil {
		input = &ListKeysInput{}
	}
	output = &ListKeysOutput{}

	// The paginator names the input/output fields used to walk result pages.
	pg := &request.Paginator{
		InputTokens:     []string{"Marker"},
		OutputTokens:    []string{"NextMarker"},
		LimitToken:      "Limit",
		TruncationToken: "Truncated",
	}
	op := &request.Operation{
		Name:       opListKeys,
		HTTPMethod: "POST",
		HTTPPath:   "/",
		Paginator:  pg,
	}

	req = c.newRequest(op, input, output)
	return req, output
}

// ListKeys API operation for AWS Key Management Service.
//
// Gets a list of all customer master keys (CMKs) in the caller's AWS account
// and Region.
//
// Cross-account use: No. You cannot perform this operation on a CMK in a different
// AWS account.
//
// Required permissions: kms:ListKeys (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
// (IAM policy)
//
// Related operations:
//
//    * CreateKey
//
//    * DescribeKey
//
//    * ListAliases
//
//    * ListResourceTags
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation ListKeys for usage and error information.
//
// Returned Error Types:
//   * DependencyTimeoutException
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * InternalException
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * InvalidMarkerException
//   The request was rejected because the marker that specifies where pagination
//   should next begin is not valid.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeys
func (c *KMS) ListKeys(input *ListKeysInput) (*ListKeysOutput, error) {
	// One request, one page: callers that need every key use ListKeysPages.
	r, resp := c.ListKeysRequest(input)
	err := r.Send()
	return resp, err
}

// ListKeysWithContext is the same as ListKeys with the addition of
// the ability to pass a context and additional request options.
//
// See ListKeys for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) ListKeysWithContext(ctx aws.Context, input *ListKeysInput, opts ...request.Option) (*ListKeysOutput, error) {
	r, resp := c.ListKeysRequest(input)
	// The caller's context is attached first, then the per-call options.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

// ListKeysPages iterates over the pages of a ListKeys operation,
// calling the "fn" function with the response data for each page. To stop
// iterating, return false from the fn function.
//
// See ListKeys method for more information on how to use this operation.
//
// Note: This operation can generate multiple requests to a service.
//
//    // Example iterating over at most 3 pages of a ListKeys operation.
//    pageNum := 0
//    err := client.ListKeysPages(params,
//        func(page *kms.ListKeysOutput, lastPage bool) bool {
//            pageNum++
//            fmt.Println(page)
//            return pageNum <= 3
//        })
//
func (c *KMS) ListKeysPages(input *ListKeysInput, fn func(*ListKeysOutput, bool) bool) error {
	// No caller-supplied context on this entry point: page under the SDK's
	// background context.
	bg := aws.BackgroundContext()
	return c.ListKeysPagesWithContext(bg, input, fn)
}

// ListKeysPagesWithContext same as ListKeysPages except
// it takes a Context and allows setting request options on the pages.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) ListKeysPagesWithContext(ctx aws.Context, input *ListKeysInput, fn func(*ListKeysOutput, bool) bool, opts ...request.Option) error {
	pager := request.Pagination{
		NewRequest: func() (*request.Request, error) {
			// Every page request is built from a fresh shallow copy of the
			// caller's input rather than from the caller's struct itself.
			var pageInput *ListKeysInput
			if input != nil {
				clone := *input
				pageInput = &clone
			}
			// The output half of the pair is dropped here; page data is read
			// back through pager.Page() below.
			r, _ := c.ListKeysRequest(pageInput)
			r.SetContext(ctx)
			r.ApplyOptions(opts...)
			return r, nil
		},
	}

	for pager.Next() {
		// Unchecked assertion: panics if the page is not a *ListKeysOutput.
		page := pager.Page().(*ListKeysOutput)
		isLast := !pager.HasNextPage()
		if !fn(page, isLast) {
			break
		}
	}

	// Whatever error the pager recorded is reported, including after an early stop.
	return pager.Err()
}

const opListResourceTags = "ListResourceTags"

// ListResourceTagsRequest generates a "aws/request.Request" representing the
// client's request for the ListResourceTags operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See ListResourceTags for more information on using the ListResourceTags
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the ListResourceTagsRequest method.
//    req, resp := client.ListResourceTagsRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListResourceTags
func (c *KMS) ListResourceTagsRequest(input *ListResourceTagsInput) (req *request.Request, output *ListResourceTagsOutput) {
	// A nil input is replaced by an empty one so newRequest always receives a
	// non-nil input value.
	if input == nil {
		input = &ListResourceTagsInput{}
	}
	output = &ListResourceTagsOutput{}

	// No Paginator is configured for this operation.
	op := &request.Operation{
		Name:       opListResourceTags,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}

	req = c.newRequest(op, input, output)
	return req, output
}

// ListResourceTags API operation for AWS Key Management Service.
//
// Returns all tags on the specified customer master key (CMK).
//
// For general information about tags, including the format and syntax, see
// Tagging AWS resources (https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html)
// in the Amazon Web Services General Reference. For information about using
// tags in AWS KMS, see Tagging keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html).
//
// Cross-account use: No. You cannot perform this operation on a CMK in a different
// AWS account.
//
// Required permissions: kms:ListResourceTags (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
// (key policy)
//
// Related operations:
//
//    * CreateKey
//
//    * ReplicateKey
//
//    * TagResource
//
//    * UntagResource
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation ListResourceTags for usage and error information.
//
// Returned Error Types:
//   * InternalException
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * NotFoundException
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * InvalidArnException
//   The request was rejected because a specified ARN, or an ARN in a key policy,
//   is not valid.
//
//   * InvalidMarkerException
//   The request was rejected because the marker that specifies where pagination
//   should next begin is not valid.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListResourceTags
func (c *KMS) ListResourceTags(input *ListResourceTagsInput) (*ListResourceTagsOutput, error) {
	// Build the request/output pair, then send it; the Send error is returned
	// alongside the output pointer unchanged.
	r, resp := c.ListResourceTagsRequest(input)
	err := r.Send()
	return resp, err
}

// ListResourceTagsWithContext is the same as ListResourceTags with the addition of
// the ability to pass a context and additional request options.
//
// See ListResourceTags for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests.
// See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) ListResourceTagsWithContext(ctx aws.Context, input *ListResourceTagsInput, opts ...request.Option) (*ListResourceTagsOutput, error) {
	r, resp := c.ListResourceTagsRequest(input)
	// The caller's context is attached first, then the per-call options.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opListRetirableGrants = "ListRetirableGrants"

// ListRetirableGrantsRequest generates a "aws/request.Request" representing the
// client's request for the ListRetirableGrants operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See ListRetirableGrants for more information on using the ListRetirableGrants
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the ListRetirableGrantsRequest method.
//    req, resp := client.ListRetirableGrantsRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListRetirableGrants
func (c *KMS) ListRetirableGrantsRequest(input *ListRetirableGrantsInput) (req *request.Request, output *ListGrantsResponse) {
	// A nil input is replaced by an empty one so newRequest always receives a
	// non-nil input value.
	if input == nil {
		input = &ListRetirableGrantsInput{}
	}
	// The response is decoded into a ListGrantsResponse; this operation has no
	// output type named after itself.
	output = &ListGrantsResponse{}

	op := &request.Operation{
		Name:       opListRetirableGrants,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}

	req = c.newRequest(op, input, output)
	return req, output
}

// ListRetirableGrants API operation for AWS Key Management Service.
//
// Returns information about all grants in the AWS account and Region that have
// the specified retiring principal. For more information about grants, see
// Grants (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html)
// in the AWS Key Management Service Developer Guide .
//
// You can specify any principal in your AWS account. The grants that are returned
// include grants for CMKs in your AWS account and other AWS accounts.
//
// You might use this operation to determine which grants you may retire. To
// retire a grant, use the RetireGrant operation.
//
// Cross-account use: You must specify a principal in your AWS account. However,
// this operation can return grants in any AWS account. You do not need kms:ListRetirableGrants
// permission (or any other additional permission) in any AWS account other
// than your own.
//
// Required permissions: kms:ListRetirableGrants (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
// (IAM policy) in your AWS account.
//
// Related operations:
//
//    * CreateGrant
//
//    * ListGrants
//
//    * RetireGrant
//
//    * RevokeGrant
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation ListRetirableGrants for usage and error information.
//
// Returned Error Types:
//   * DependencyTimeoutException
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * InvalidMarkerException
//   The request was rejected because the marker that specifies where pagination
//   should next begin is not valid.
//
//   * InvalidArnException
//   The request was rejected because a specified ARN, or an ARN in a key policy,
//   is not valid.
//
//   * NotFoundException
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * InternalException
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListRetirableGrants
func (c *KMS) ListRetirableGrants(input *ListRetirableGrantsInput) (*ListGrantsResponse, error) {
	// Build the request/output pair, then send it; the Send error is returned
	// alongside the output pointer unchanged.
	r, resp := c.ListRetirableGrantsRequest(input)
	err := r.Send()
	return resp, err
}

// ListRetirableGrantsWithContext is the same as ListRetirableGrants with the addition of
// the ability to pass a context and additional request options.
//
// See ListRetirableGrants for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests.
// See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) ListRetirableGrantsWithContext(ctx aws.Context, input *ListRetirableGrantsInput, opts ...request.Option) (*ListGrantsResponse, error) {
	r, resp := c.ListRetirableGrantsRequest(input)
	// The caller's context is attached first, then the per-call options.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opPutKeyPolicy = "PutKeyPolicy"

// PutKeyPolicyRequest generates a "aws/request.Request" representing the
// client's request for the PutKeyPolicy operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See PutKeyPolicy for more information on using the PutKeyPolicy
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the PutKeyPolicyRequest method.
//    req, resp := client.PutKeyPolicyRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/PutKeyPolicy
func (c *KMS) PutKeyPolicyRequest(input *PutKeyPolicyInput) (req *request.Request, output *PutKeyPolicyOutput) {
	// A nil input is replaced by an empty one so newRequest always receives a
	// non-nil input value.
	if input == nil {
		input = &PutKeyPolicyInput{}
	}
	output = &PutKeyPolicyOutput{}

	op := &request.Operation{
		Name:       opPutKeyPolicy,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}

	req = c.newRequest(op, input, output)
	// The JSON-RPC unmarshal handler is swapped for the discard-body handler;
	// presumably the response body is dropped and output stays empty, so
	// success is signalled by the nil error from Send alone.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}

// PutKeyPolicy API operation for AWS Key Management Service.
//
// Attaches a key policy to the specified customer master key (CMK).
//
// For more information about key policies, see Key Policies (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html)
// in the AWS Key Management Service Developer Guide. For help writing and formatting
// a JSON policy document, see the IAM JSON Policy Reference (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html)
// in the IAM User Guide . For examples of adding a key policy in multiple programming
// languages, see Setting a key policy (https://docs.aws.amazon.com/kms/latest/developerguide/programming-key-policies.html#put-policy)
// in the AWS Key Management Service Developer Guide.
//
// Cross-account use: No. You cannot perform this operation on a CMK in a different
// AWS account.
//
// Required permissions: kms:PutKeyPolicy (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
// (key policy)
//
// Related operations: GetKeyPolicy
//
// Returns awserr.Error for service API and SDK errors.
Use runtime type assertions 5440// with awserr.Error's Code and Message methods to get detailed information about 5441// the error. 5442// 5443// See the AWS API reference guide for AWS Key Management Service's 5444// API operation PutKeyPolicy for usage and error information. 5445// 5446// Returned Error Types: 5447// * NotFoundException 5448// The request was rejected because the specified entity or resource could not 5449// be found. 5450// 5451// * InvalidArnException 5452// The request was rejected because a specified ARN, or an ARN in a key policy, 5453// is not valid. 5454// 5455// * MalformedPolicyDocumentException 5456// The request was rejected because the specified policy is not syntactically 5457// or semantically correct. 5458// 5459// * DependencyTimeoutException 5460// The system timed out while trying to fulfill the request. The request can 5461// be retried. 5462// 5463// * UnsupportedOperationException 5464// The request was rejected because a specified parameter is not supported or 5465// a specified resource is not valid for this operation. 5466// 5467// * InternalException 5468// The request was rejected because an internal exception occurred. The request 5469// can be retried. 5470// 5471// * LimitExceededException 5472// The request was rejected because a quota was exceeded. For more information, 5473// see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html) 5474// in the AWS Key Management Service Developer Guide. 5475// 5476// * InvalidStateException 5477// The request was rejected because the state of the specified resource is not 5478// valid for this request. 5479// 5480// For more information about how key state affects the use of a CMK, see How 5481// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 5482// in the AWS Key Management Service Developer Guide . 
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/PutKeyPolicy
func (c *KMS) PutKeyPolicy(input *PutKeyPolicyInput) (*PutKeyPolicyOutput, error) {
	// NOTE(review): this wrapper performs no checks of its own on the policy
	// document; input is handed to the request builder as given, and the
	// operation documentation lists MalformedPolicyDocumentException among the
	// returned errors.
	r, resp := c.PutKeyPolicyRequest(input)
	err := r.Send()
	return resp, err
}

// PutKeyPolicyWithContext is the same as PutKeyPolicy with the addition of
// the ability to pass a context and additional request options.
//
// See PutKeyPolicy for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) PutKeyPolicyWithContext(ctx aws.Context, input *PutKeyPolicyInput, opts ...request.Option) (*PutKeyPolicyOutput, error) {
	r, resp := c.PutKeyPolicyRequest(input)
	// The caller's context is attached first, then the per-call options.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opReEncrypt = "ReEncrypt"

// ReEncryptRequest generates a "aws/request.Request" representing the
// client's request for the ReEncrypt operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See ReEncrypt for more information on using the ReEncrypt
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the ReEncryptRequest method.
//    req, resp := client.ReEncryptRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncrypt
func (c *KMS) ReEncryptRequest(input *ReEncryptInput) (req *request.Request, output *ReEncryptOutput) {
	// A nil input is replaced by an empty one so newRequest always receives a
	// non-nil input value.
	if input == nil {
		input = &ReEncryptInput{}
	}
	output = &ReEncryptOutput{}

	op := &request.Operation{
		Name:       opReEncrypt,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}

	req = c.newRequest(op, input, output)
	return req, output
}

// ReEncrypt API operation for AWS Key Management Service.
//
// Decrypts ciphertext and then reencrypts it entirely within AWS KMS. You can
// use this operation to change the customer master key (CMK) under which data
// is encrypted, such as when you manually rotate (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually)
// a CMK or change the CMK that protects a ciphertext. You can also use it to
// reencrypt ciphertext under the same CMK, such as to change the encryption
// context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context)
// of a ciphertext.
//
// The ReEncrypt operation can decrypt ciphertext that was encrypted by using
// an AWS KMS CMK in an AWS KMS operation, such as Encrypt or GenerateDataKey.
// It can also decrypt ciphertext that was encrypted by using the public key
// of an asymmetric CMK (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks)
// outside of AWS KMS.
However, it cannot decrypt ciphertext produced by other 5563// libraries, such as the AWS Encryption SDK (https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/) 5564// or Amazon S3 client-side encryption (https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html). 5565// These libraries return a ciphertext format that is incompatible with AWS 5566// KMS. 5567// 5568// When you use the ReEncrypt operation, you need to provide information for 5569// the decrypt operation and the subsequent encrypt operation. 5570// 5571// * If your ciphertext was encrypted under an asymmetric CMK, you must use 5572// the SourceKeyId parameter to identify the CMK that encrypted the ciphertext. 5573// You must also supply the encryption algorithm that was used. This information 5574// is required to decrypt the data. 5575// 5576// * If your ciphertext was encrypted under a symmetric CMK, the SourceKeyId 5577// parameter is optional. AWS KMS can get this information from metadata 5578// that it adds to the symmetric ciphertext blob. This feature adds durability 5579// to your implementation by ensuring that authorized users can decrypt ciphertext 5580// decades after it was encrypted, even if they've lost track of the CMK 5581// ID. However, specifying the source CMK is always recommended as a best 5582// practice. When you use the SourceKeyId parameter to specify a CMK, AWS 5583// KMS uses only the CMK you specify. If the ciphertext was encrypted under 5584// a different CMK, the ReEncrypt operation fails. This practice ensures 5585// that you use the CMK that you intend. 5586// 5587// * To reencrypt the data, you must use the DestinationKeyId parameter specify 5588// the CMK that re-encrypts the data after it is decrypted. You can select 5589// a symmetric or asymmetric CMK. If the destination CMK is an asymmetric 5590// CMK, you must also provide the encryption algorithm. The algorithm that 5591// you choose must be compatible with the CMK. 
When you use an asymmetric 5592// CMK to encrypt or reencrypt data, be sure to record the CMK and encryption 5593// algorithm that you choose. You will be required to provide the same CMK 5594// and encryption algorithm when you decrypt the data. If the CMK and algorithm 5595// do not match the values used to encrypt the data, the decrypt operation 5596// fails. You are not required to supply the CMK ID and encryption algorithm 5597// when you decrypt with symmetric CMKs because AWS KMS stores this information 5598// in the ciphertext blob. AWS KMS cannot store metadata in ciphertext generated 5599// with asymmetric keys. The standard format for asymmetric key ciphertext 5600// does not include configurable fields. 5601// 5602// The CMK that you use for this operation must be in a compatible key state. 5603// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 5604// in the AWS Key Management Service Developer Guide. 5605// 5606// Cross-account use: Yes. The source CMK and destination CMK can be in different 5607// AWS accounts. Either or both CMKs can be in a different account than the 5608// caller. 5609// 5610// Required permissions: 5611// 5612// * kms:ReEncryptFrom (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) 5613// permission on the source CMK (key policy) 5614// 5615// * kms:ReEncryptTo (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) 5616// permission on the destination CMK (key policy) 5617// 5618// To permit reencryption from or to a CMK, include the "kms:ReEncrypt*" permission 5619// in your key policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html). 5620// This permission is automatically included in the key policy when you use 5621// the console to create a CMK. 
But you must include it manually when you create 5622// a CMK programmatically or when you use the PutKeyPolicy operation to set 5623// a key policy. 5624// 5625// Related operations: 5626// 5627// * Decrypt 5628// 5629// * Encrypt 5630// 5631// * GenerateDataKey 5632// 5633// * GenerateDataKeyPair 5634// 5635// Returns awserr.Error for service API and SDK errors. Use runtime type assertions 5636// with awserr.Error's Code and Message methods to get detailed information about 5637// the error. 5638// 5639// See the AWS API reference guide for AWS Key Management Service's 5640// API operation ReEncrypt for usage and error information. 5641// 5642// Returned Error Types: 5643// * NotFoundException 5644// The request was rejected because the specified entity or resource could not 5645// be found. 5646// 5647// * DisabledException 5648// The request was rejected because the specified CMK is not enabled. 5649// 5650// * InvalidCiphertextException 5651// From the Decrypt or ReEncrypt operation, the request was rejected because 5652// the specified ciphertext, or additional authenticated data incorporated into 5653// the ciphertext, such as the encryption context, is corrupted, missing, or 5654// otherwise invalid. 5655// 5656// From the ImportKeyMaterial operation, the request was rejected because AWS 5657// KMS could not decrypt the encrypted (wrapped) key material. 5658// 5659// * KeyUnavailableException 5660// The request was rejected because the specified CMK was not available. You 5661// can retry the request. 5662// 5663// * IncorrectKeyException 5664// The request was rejected because the specified CMK cannot decrypt the data. 5665// The KeyId in a Decrypt request and the SourceKeyId in a ReEncrypt request 5666// must identify the same CMK that was used to encrypt the ciphertext. 5667// 5668// * DependencyTimeoutException 5669// The system timed out while trying to fulfill the request. The request can 5670// be retried. 
//
//   * InvalidKeyUsageException
//   The request was rejected for one of the following reasons:
//
//      * The KeyUsage value of the CMK is incompatible with the API operation.
//
//      * The encryption algorithm or signing algorithm specified for the operation
//      is incompatible with the type of key material in the CMK (CustomerMasterKeySpec).
//
//   For encrypting, decrypting, re-encrypting, and generating data keys, the
//   KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage
//   must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation.
//
//   To find the encryption or signing algorithms supported for a particular CMK,
//   use the DescribeKey operation.
//
//   * InvalidGrantTokenException
//   The request was rejected because the specified grant token is not valid.
//
//   * InternalException
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * InvalidStateException
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide .
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncrypt
func (c *KMS) ReEncrypt(input *ReEncryptInput) (*ReEncryptOutput, error) {
	// NOTE(review): the operation documentation recommends always setting
	// SourceKeyId, even for symmetric ciphertext, so that KMS uses only the
	// intended CMK and fails otherwise; this wrapper does not enforce that.
	r, resp := c.ReEncryptRequest(input)
	err := r.Send()
	return resp, err
}

// ReEncryptWithContext is the same as ReEncrypt with the addition of
// the ability to pass a context and additional request options.
//
// See ReEncrypt for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation.
// If the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) ReEncryptWithContext(ctx aws.Context, input *ReEncryptInput, opts ...request.Option) (*ReEncryptOutput, error) {
	r, resp := c.ReEncryptRequest(input)
	// The caller's context is attached first, then the per-call options.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opReplicateKey = "ReplicateKey"

// ReplicateKeyRequest generates a "aws/request.Request" representing the
// client's request for the ReplicateKey operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See ReplicateKey for more information on using the ReplicateKey
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the ReplicateKeyRequest method.
//    req, resp := client.ReplicateKeyRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReplicateKey
func (c *KMS) ReplicateKeyRequest(input *ReplicateKeyInput) (req *request.Request, output *ReplicateKeyOutput) {
	// A nil input is replaced by an empty parameter struct before the
	// request is built.
	if input == nil {
		input = new(ReplicateKeyInput)
	}
	output = new(ReplicateKeyOutput)

	operation := request.Operation{
		Name:       opReplicateKey,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}
	req = c.newRequest(&operation, input, output)
	return req, output
}

// ReplicateKey API operation for AWS Key Management Service.
//
// Replicates a multi-Region key into the specified Region. This operation creates
// a multi-Region replica key based on a multi-Region primary key in a different
// Region of the same AWS partition. You can create multiple replicas of a primary
// key, but each must be in a different Region. To create a multi-Region primary
// key, use the CreateKey operation.
//
// This operation supports multi-Region keys, an AWS KMS feature that lets you
// create multiple interoperable CMKs in different AWS Regions. Because these
// CMKs have the same key ID, key material, and other metadata, you can use
// them to encrypt data in one AWS Region and decrypt it in a different AWS
// Region without making a cross-Region call or exposing the plaintext data.
// For more information about multi-Region keys, see Using multi-Region keys
// (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html)
// in the AWS Key Management Service Developer Guide.
//
// A replica key is a fully-functional CMK that can be used independently of
// its primary and peer replica keys. A primary key and its replica keys share
// properties that make them interoperable.
// They have the same key ID (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-id)
// and key material. They also have the same key spec (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-spec),
// key usage (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-usage),
// key material origin (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-origin),
// and automatic key rotation status (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html).
// AWS KMS automatically synchronizes these shared properties among related
// multi-Region keys. All other properties of a replica key can differ, including
// its key policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html),
// tags (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html),
// aliases (https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html),
// and key state (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html).
// AWS KMS pricing and quotas for CMKs apply to each primary key and replica
// key.
//
// When this operation completes, the new replica key has a transient key state
// of Creating. This key state changes to Enabled (or PendingImport) after a
// few seconds when the process of creating the new replica key is complete.
// While the key state is Creating, you can manage the key, but you cannot yet use
// it in cryptographic operations. If you are creating and using the replica
// key programmatically, retry on KMSInvalidStateException or call DescribeKey
// to check its KeyState value before using it. For details about the Creating
// key state, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
// in the AWS Key Management Service Developer Guide.
//
// The AWS CloudTrail log of a ReplicateKey operation records a ReplicateKey
// operation in the primary key's Region and a CreateKey operation in the replica
// key's Region.
//
// If you replicate a multi-Region primary key with imported key material, the
// replica key is created with no key material. You must import the same key
// material that you imported into the primary key. For details, see Importing
// key material into multi-Region keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-import.html)
// in the AWS Key Management Service Developer Guide.
//
// To convert a replica key to a primary key, use the UpdatePrimaryRegion operation.
//
// ReplicateKey uses different default values for the KeyPolicy and Tags parameters
// than those used in the AWS KMS console. For details, see the parameter descriptions.
//
// Cross-account use: No. You cannot use this operation to create a CMK in a
// different AWS account.
//
// Required permissions:
//
//    * kms:ReplicateKey on the primary CMK (in the primary CMK's Region). Include
//    this permission in the primary CMK's key policy.
//
//    * kms:CreateKey in an IAM policy in the replica Region.
//
//    * To use the Tags parameter, kms:TagResource in an IAM policy in the replica
//    Region.
//
// Related operations
//
//    * CreateKey
//
//    * UpdatePrimaryRegion
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation ReplicateKey for usage and error information.
//
// Returned Error Types:
//   * AlreadyExistsException
//   The request was rejected because it attempted to create a resource that already
//   exists.
//
//   * DisabledException
//   The request was rejected because the specified CMK is not enabled.
//
//   * InvalidArnException
//   The request was rejected because a specified ARN, or an ARN in a key policy,
//   is not valid.
//
//   * InvalidStateException
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
//   * InternalException
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * LimitExceededException
//   The request was rejected because a quota was exceeded. For more information,
//   see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html)
//   in the AWS Key Management Service Developer Guide.
//
//   * MalformedPolicyDocumentException
//   The request was rejected because the specified policy is not syntactically
//   or semantically correct.
//
//   * NotFoundException
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * TagException
//   The request was rejected because one or more tags are not valid.
//
//   * UnsupportedOperationException
//   The request was rejected because a specified parameter is not supported or
//   a specified resource is not valid for this operation.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReplicateKey
func (c *KMS) ReplicateKey(input *ReplicateKeyInput) (*ReplicateKeyOutput, error) {
	// Build the request, send it, and hand back the output together with the
	// error from Send; callers must check the error before using the output.
	r, resp := c.ReplicateKeyRequest(input)
	err := r.Send()
	return resp, err
}

// ReplicateKeyWithContext is the same as ReplicateKey with the addition of
// the ability to pass a context and additional request options.
//
// See ReplicateKey for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) ReplicateKeyWithContext(ctx aws.Context, input *ReplicateKeyInput, opts ...request.Option) (*ReplicateKeyOutput, error) {
	r, resp := c.ReplicateKeyRequest(input)
	// The context is attached first, then the caller's options are applied,
	// and only then is the request sent.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opRetireGrant = "RetireGrant"

// RetireGrantRequest generates a "aws/request.Request" representing the
// client's request for the RetireGrant operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See RetireGrant for more information on using the RetireGrant
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
//
//
//    // Example sending a request using the RetireGrantRequest method.
//    req, resp := client.RetireGrantRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RetireGrant
func (c *KMS) RetireGrantRequest(input *RetireGrantInput) (req *request.Request, output *RetireGrantOutput) {
	// A nil input is replaced by an empty parameter struct before the
	// request is built.
	if input == nil {
		input = new(RetireGrantInput)
	}
	output = new(RetireGrantOutput)

	operation := request.Operation{
		Name:       opRetireGrant,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}
	req = c.newRequest(&operation, input, output)
	// The JSON-RPC unmarshal handler is swapped for
	// protocol.UnmarshalDiscardBodyHandler; judging by its name, the response
	// body is discarded rather than decoded into output.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}

// RetireGrant API operation for AWS Key Management Service.
//
// Deletes a grant. Typically, you retire a grant when you no longer need its
// permissions. To identify the grant to retire, use a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token),
// or both the grant ID and a key identifier (key ID or key ARN) of the customer
// master key (CMK). The CreateGrant operation returns both values.
//
// This operation can be called by the retiring principal for a grant, by the
// grantee principal if the grant allows the RetireGrant operation, and by the
// AWS account (root user) in which the grant is created. It can also be called
// by principals to whom permission for retiring a grant is delegated. For details,
// see Retiring and revoking grants (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete)
// in the AWS Key Management Service Developer Guide.
//
// For detailed information about grants, including grant terminology, see Using
// grants (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html)
// in the AWS Key Management Service Developer Guide.
// For examples of working
// with grants in several programming languages, see Programming grants (https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html).
//
// Cross-account use: Yes. You can retire a grant on a CMK in a different AWS
// account.
//
// Required permissions: Permission to retire a grant is determined primarily
// by the grant. For details, see Retiring and revoking grants (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete)
// in the AWS Key Management Service Developer Guide.
//
// Related operations:
//
//    * CreateGrant
//
//    * ListGrants
//
//    * ListRetirableGrants
//
//    * RevokeGrant
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation RetireGrant for usage and error information.
//
// Returned Error Types:
//   * InvalidArnException
//   The request was rejected because a specified ARN, or an ARN in a key policy,
//   is not valid.
//
//   * InvalidGrantTokenException
//   The request was rejected because the specified grant token is not valid.
//
//   * InvalidGrantIdException
//   The request was rejected because the specified GrantId is not valid.
//
//   * NotFoundException
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * DependencyTimeoutException
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * InternalException
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * InvalidStateException
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RetireGrant
func (c *KMS) RetireGrant(input *RetireGrantInput) (*RetireGrantOutput, error) {
	// Build the request, send it, and hand back the output together with the
	// error from Send; callers must check the error before using the output.
	r, resp := c.RetireGrantRequest(input)
	err := r.Send()
	return resp, err
}

// RetireGrantWithContext is the same as RetireGrant with the addition of
// the ability to pass a context and additional request options.
//
// See RetireGrant for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) RetireGrantWithContext(ctx aws.Context, input *RetireGrantInput, opts ...request.Option) (*RetireGrantOutput, error) {
	r, resp := c.RetireGrantRequest(input)
	// The context is attached first, then the caller's options are applied,
	// and only then is the request sent.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opRevokeGrant = "RevokeGrant"

// RevokeGrantRequest generates a "aws/request.Request" representing the
// client's request for the RevokeGrant operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See RevokeGrant for more information on using the RevokeGrant
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
//
//
//    // Example sending a request using the RevokeGrantRequest method.
//    req, resp := client.RevokeGrantRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RevokeGrant
func (c *KMS) RevokeGrantRequest(input *RevokeGrantInput) (req *request.Request, output *RevokeGrantOutput) {
	// A nil input is replaced by an empty parameter struct before the
	// request is built.
	if input == nil {
		input = new(RevokeGrantInput)
	}
	output = new(RevokeGrantOutput)

	operation := request.Operation{
		Name:       opRevokeGrant,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}
	req = c.newRequest(&operation, input, output)
	// The JSON-RPC unmarshal handler is swapped for
	// protocol.UnmarshalDiscardBodyHandler; judging by its name, the response
	// body is discarded rather than decoded into output.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}

// RevokeGrant API operation for AWS Key Management Service.
//
// Deletes the specified grant. You revoke a grant to terminate the permissions
// that the grant allows. For more information, see Retiring and revoking grants
// (https://docs.aws.amazon.com/kms/latest/developerguide/managing-grants.html#grant-delete)
// in the AWS Key Management Service Developer Guide.
//
// When you create, retire, or revoke a grant, there might be a brief delay,
// usually less than five minutes, until the grant is available throughout AWS
// KMS. This state is known as eventual consistency. For details, see Eventual
// consistency (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-eventual-consistency)
// in the AWS Key Management Service Developer Guide.
//
// Cross-account use: Yes.
// To perform this operation on a CMK in a different
// AWS account, specify the key ARN in the value of the KeyId parameter.
//
// Required permissions: kms:RevokeGrant (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
// (key policy).
//
// Related operations:
//
//    * CreateGrant
//
//    * ListGrants
//
//    * ListRetirableGrants
//
//    * RetireGrant
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation RevokeGrant for usage and error information.
//
// Returned Error Types:
//   * NotFoundException
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * DependencyTimeoutException
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * InvalidArnException
//   The request was rejected because a specified ARN, or an ARN in a key policy,
//   is not valid.
//
//   * InvalidGrantIdException
//   The request was rejected because the specified GrantId is not valid.
//
//   * InternalException
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * InvalidStateException
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RevokeGrant
func (c *KMS) RevokeGrant(input *RevokeGrantInput) (*RevokeGrantOutput, error) {
	// A nil error reports that the call was accepted. The operation's
	// documentation describes a brief eventual-consistency delay for grant
	// changes, so callers should not assume the revocation has taken effect
	// everywhere the moment this returns.
	r, resp := c.RevokeGrantRequest(input)
	err := r.Send()
	return resp, err
}

// RevokeGrantWithContext is the same as RevokeGrant with the addition of
// the ability to pass a context and additional request options.
//
// See RevokeGrant for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) RevokeGrantWithContext(ctx aws.Context, input *RevokeGrantInput, opts ...request.Option) (*RevokeGrantOutput, error) {
	r, resp := c.RevokeGrantRequest(input)
	// The context is attached first, then the caller's options are applied,
	// and only then is the request sent.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opScheduleKeyDeletion = "ScheduleKeyDeletion"

// ScheduleKeyDeletionRequest generates a "aws/request.Request" representing the
// client's request for the ScheduleKeyDeletion operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See ScheduleKeyDeletion for more information on using the ScheduleKeyDeletion
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
//
//
//    // Example sending a request using the ScheduleKeyDeletionRequest method.
//    req, resp := client.ScheduleKeyDeletionRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ScheduleKeyDeletion
func (c *KMS) ScheduleKeyDeletionRequest(input *ScheduleKeyDeletionInput) (req *request.Request, output *ScheduleKeyDeletionOutput) {
	// A nil input is replaced by an empty parameter struct before the
	// request is built.
	if input == nil {
		input = new(ScheduleKeyDeletionInput)
	}
	output = new(ScheduleKeyDeletionOutput)

	operation := request.Operation{
		Name:       opScheduleKeyDeletion,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}
	req = c.newRequest(&operation, input, output)
	return req, output
}

// ScheduleKeyDeletion API operation for AWS Key Management Service.
//
// Schedules the deletion of a customer master key (CMK). By default, AWS KMS
// applies a waiting period of 30 days, but you can specify a waiting period
// of 7-30 days. When this operation is successful, the key state of the CMK
// changes to PendingDeletion and the key can't be used in any cryptographic
// operations. It remains in this state for the duration of the waiting period.
// Before the waiting period ends, you can use CancelKeyDeletion to cancel the
// deletion of the CMK. After the waiting period ends, AWS KMS deletes the CMK,
// its key material, and all AWS KMS data associated with it, including all
// aliases that refer to it.
//
// Deleting a CMK is a destructive and potentially dangerous operation. When
// a CMK is deleted, all data that was encrypted under the CMK is unrecoverable.
// (The only exception is a multi-Region replica key.) To prevent the use of
// a CMK without deleting it, use DisableKey.
//
// If you schedule deletion of a CMK from a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html),
// when the waiting period expires, ScheduleKeyDeletion deletes the CMK from
// AWS KMS. Then AWS KMS makes a best effort to delete the key material from
// the associated AWS CloudHSM cluster. However, you might need to manually
// delete the orphaned key material (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key)
// from the cluster and its backups.
//
// You can schedule the deletion of a multi-Region primary key and its replica
// keys at any time. However, AWS KMS will not delete a multi-Region primary
// key with existing replica keys. If you schedule the deletion of a primary
// key with replicas, its key state changes to PendingReplicaDeletion and it
// cannot be replicated or used in cryptographic operations. This status can
// continue indefinitely. When the last of its replica keys is deleted (not
// just scheduled), the key state of the primary key changes to PendingDeletion
// and its waiting period (PendingWindowInDays) begins. For details, see Deleting
// multi-Region keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html)
// in the AWS Key Management Service Developer Guide.
//
// For more information about scheduling a CMK for deletion, see Deleting Customer
// Master Keys (https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html)
// in the AWS Key Management Service Developer Guide.
//
// The CMK that you use for this operation must be in a compatible key state.
// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
// in the AWS Key Management Service Developer Guide.
//
// Cross-account use: No.
// You cannot perform this operation on a CMK in a different
// AWS account.
//
// Required permissions: kms:ScheduleKeyDeletion (key policy)
//
// Related operations
//
//    * CancelKeyDeletion
//
//    * DisableKey
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation ScheduleKeyDeletion for usage and error information.
//
// Returned Error Types:
//   * NotFoundException
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * InvalidArnException
//   The request was rejected because a specified ARN, or an ARN in a key policy,
//   is not valid.
//
//   * DependencyTimeoutException
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * InternalException
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * InvalidStateException
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ScheduleKeyDeletion
func (c *KMS) ScheduleKeyDeletion(input *ScheduleKeyDeletionInput) (*ScheduleKeyDeletionOutput, error) {
	// A nil error means the deletion was scheduled, not that the key is
	// already gone: per the operation's documentation the key waits in
	// PendingDeletion and CancelKeyDeletion can still undo the request
	// during the waiting period.
	r, resp := c.ScheduleKeyDeletionRequest(input)
	err := r.Send()
	return resp, err
}

// ScheduleKeyDeletionWithContext is the same as ScheduleKeyDeletion with the addition of
// the ability to pass a context and additional request options.
//
// See ScheduleKeyDeletion for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) ScheduleKeyDeletionWithContext(ctx aws.Context, input *ScheduleKeyDeletionInput, opts ...request.Option) (*ScheduleKeyDeletionOutput, error) {
	r, resp := c.ScheduleKeyDeletionRequest(input)
	// The context is attached first, then the caller's options are applied,
	// and only then is the request sent.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

const opSign = "Sign"

// SignRequest generates a "aws/request.Request" representing the
// client's request for the Sign operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
//
// See Sign for more information on using the Sign
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
//
//
//    // Example sending a request using the SignRequest method.
//    req, resp := client.SignRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Sign
func (c *KMS) SignRequest(input *SignInput) (req *request.Request, output *SignOutput) {
	// A nil input is replaced by an empty parameter struct before the
	// request is built.
	if input == nil {
		input = new(SignInput)
	}
	output = new(SignOutput)

	operation := request.Operation{
		Name:       opSign,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}
	req = c.newRequest(&operation, input, output)
	return req, output
}

// Sign API operation for AWS Key Management Service.
//
// Creates a digital signature (https://en.wikipedia.org/wiki/Digital_signature)
// for a message or message digest by using the private key in an asymmetric
// CMK. To verify the signature, use the Verify operation, or use the public
// key in the same asymmetric CMK outside of AWS KMS. For information about
// symmetric and asymmetric CMKs, see Using Symmetric and Asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html)
// in the AWS Key Management Service Developer Guide.
//
// Digital signatures are generated and verified by using an asymmetric key pair,
// such as an RSA or ECC pair that is represented by an asymmetric customer
// master key (CMK). The key owner (or an authorized user) uses their private
// key to sign a message. Anyone with the public key can verify that the message
// was signed with that particular private key and that the message hasn't changed
// since it was signed.
//
// To use the Sign operation, provide the following information:
//
//    * Use the KeyId parameter to identify an asymmetric CMK with a KeyUsage
//    value of SIGN_VERIFY. To get the KeyUsage value of a CMK, use the DescribeKey
//    operation. The caller must have kms:Sign permission on the CMK.
//
//    * Use the Message parameter to specify the message or message digest to
//    sign. You can submit messages of up to 4096 bytes. To sign a larger message,
//    generate a hash digest of the message, and then provide the hash digest
//    in the Message parameter. To indicate whether the message is a full message
//    or a digest, use the MessageType parameter.
//
//    * Choose a signing algorithm that is compatible with the CMK.
//
// When signing a message, be sure to record the CMK and the signing algorithm.
// This information is required to verify the signature.
//
// To verify the signature that this operation generates, use the Verify operation.
// Or use the GetPublicKey operation to download the public key and then use
// the public key to verify the signature outside of AWS KMS.
//
// The CMK that you use for this operation must be in a compatible key state.
// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
// in the AWS Key Management Service Developer Guide.
//
// Cross-account use: Yes. To perform this operation with a CMK in a different
// AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter.
//
// Required permissions: kms:Sign (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
// (key policy)
//
// Related operations: Verify
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation Sign for usage and error information.
6431// 6432// Returned Error Types: 6433// * NotFoundException 6434// The request was rejected because the specified entity or resource could not 6435// be found. 6436// 6437// * DisabledException 6438// The request was rejected because the specified CMK is not enabled. 6439// 6440// * KeyUnavailableException 6441// The request was rejected because the specified CMK was not available. You 6442// can retry the request. 6443// 6444// * DependencyTimeoutException 6445// The system timed out while trying to fulfill the request. The request can 6446// be retried. 6447// 6448// * InvalidKeyUsageException 6449// The request was rejected for one of the following reasons: 6450// 6451// * The KeyUsage value of the CMK is incompatible with the API operation. 6452// 6453// * The encryption algorithm or signing algorithm specified for the operation 6454// is incompatible with the type of key material in the CMK (CustomerMasterKeySpec). 6455// 6456// For encrypting, decrypting, re-encrypting, and generating data keys, the 6457// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage 6458// must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation. 6459// 6460// To find the encryption or signing algorithms supported for a particular CMK, 6461// use the DescribeKey operation. 6462// 6463// * InvalidGrantTokenException 6464// The request was rejected because the specified grant token is not valid. 6465// 6466// * InternalException 6467// The request was rejected because an internal exception occurred. The request 6468// can be retried. 6469// 6470// * InvalidStateException 6471// The request was rejected because the state of the specified resource is not 6472// valid for this request. 
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Sign
func (c *KMS) Sign(input *SignInput) (*SignOutput, error) {
	req, result := c.SignRequest(input)
	// The output pointer is returned even when Send fails, so callers must
	// check the error before trusting any field of the result.
	err := req.Send()
	return result, err
}

// SignWithContext is the same as Sign with the addition of
// the ability to pass a context and additional request options.
//
// See Sign for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) SignWithContext(ctx aws.Context, input *SignInput, opts ...request.Option) (*SignOutput, error) {
	req, result := c.SignRequest(input)
	// Attach the caller's context first, then let the options adjust the
	// request before it is sent. A context carrying a deadline keeps a stalled
	// signing call from blocking the caller indefinitely.
	req.SetContext(ctx)
	req.ApplyOptions(opts...)
	err := req.Send()
	return result, err
}

const opTagResource = "TagResource"

// TagResourceRequest generates a "aws/request.Request" representing the
// client's request for the TagResource operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See TagResource for more information on using the TagResource
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle.
// Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the TagResourceRequest method.
//    req, resp := client.TagResourceRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/TagResource
func (c *KMS) TagResourceRequest(input *TagResourceInput) (req *request.Request, output *TagResourceOutput) {
	// A nil input is tolerated: an empty TagResourceInput is substituted before
	// the request is built.
	if input == nil {
		input = new(TagResourceInput)
	}
	output = new(TagResourceOutput)

	// Describe the call: the operation name plus a POST to the service root path.
	req = c.newRequest(&request.Operation{
		Name:       opTagResource,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)

	// Swap the JSON-RPC unmarshal handler for the discard-body handler, so the
	// response payload is dropped instead of being decoded into output.
	//
	// NOTE(review): the TagResource docs below state that tagging can allow or
	// deny permission to the CMK (ABAC); review who holds kms:TagResource with
	// the same care as who can edit the key policy.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}

// TagResource API operation for AWS Key Management Service.
//
// Adds or edits tags on a customer managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk).
//
// Tagging or untagging a CMK can allow or deny permission to the CMK. For details,
// see Using ABAC in AWS KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html)
// in the AWS Key Management Service Developer Guide.
//
// Each tag consists of a tag key and a tag value, both of which are case-sensitive
// strings. The tag value can be an empty (null) string. To add a tag, specify
// a new tag key and a tag value. To edit a tag, specify an existing tag key
// and a new tag value.
6555// 6556// You can use this operation to tag a customer managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk), 6557// but you cannot tag an AWS managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk), 6558// an AWS owned CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk), 6559// a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#keystore-concept), 6560// or an alias (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#alias-concept). 6561// 6562// You can also add tags to a CMK while creating it (CreateKey) or replicating 6563// it (ReplicateKey). 6564// 6565// For information about using tags in AWS KMS, see Tagging keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html). 6566// For general information about tags, including the format and syntax, see 6567// Tagging AWS resources (https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) 6568// in the Amazon Web Services General Reference. 6569// 6570// The CMK that you use for this operation must be in a compatible key state. 6571// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 6572// in the AWS Key Management Service Developer Guide. 6573// 6574// Cross-account use: No. You cannot perform this operation on a CMK in a different 6575// AWS account. 6576// 6577// Required permissions: kms:TagResource (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) 6578// (key policy) 6579// 6580// Related operations 6581// 6582// * CreateKey 6583// 6584// * ListResourceTags 6585// 6586// * ReplicateKey 6587// 6588// * UntagResource 6589// 6590// Returns awserr.Error for service API and SDK errors. 
// Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation TagResource for usage and error information.
//
// Returned Error Types:
//   * InternalException
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * NotFoundException
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * InvalidArnException
//   The request was rejected because a specified ARN, or an ARN in a key policy,
//   is not valid.
//
//   * InvalidStateException
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
//   * LimitExceededException
//   The request was rejected because a quota was exceeded. For more information,
//   see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html)
//   in the AWS Key Management Service Developer Guide.
//
//   * TagException
//   The request was rejected because one or more tags are not valid.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/TagResource
func (c *KMS) TagResource(input *TagResourceInput) (*TagResourceOutput, error) {
	req, result := c.TagResourceRequest(input)
	// The output pointer is returned even when Send fails, so callers must
	// check the error before treating the tag change as applied.
	err := req.Send()
	return result, err
}

// TagResourceWithContext is the same as TagResource with the addition of
// the ability to pass a context and additional request options.
//
// See TagResource for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) TagResourceWithContext(ctx aws.Context, input *TagResourceInput, opts ...request.Option) (*TagResourceOutput, error) {
	req, result := c.TagResourceRequest(input)
	// Attach the caller's context first, then let the options adjust the
	// request before it is sent. A context carrying a deadline keeps a stalled
	// call from blocking the caller indefinitely.
	req.SetContext(ctx)
	req.ApplyOptions(opts...)
	err := req.Send()
	return result, err
}

const opUntagResource = "UntagResource"

// UntagResourceRequest generates a "aws/request.Request" representing the
// client's request for the UntagResource operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See UntagResource for more information on using the UntagResource
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the UntagResourceRequest method.
//    req, resp := client.UntagResourceRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UntagResource
func (c *KMS) UntagResourceRequest(input *UntagResourceInput) (req *request.Request, output *UntagResourceOutput) {
	// A nil input is tolerated: an empty UntagResourceInput is substituted
	// before the request is built.
	if input == nil {
		input = new(UntagResourceInput)
	}
	output = new(UntagResourceOutput)

	// Describe the call: the operation name plus a POST to the service root path.
	req = c.newRequest(&request.Operation{
		Name:       opUntagResource,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)

	// Swap the JSON-RPC unmarshal handler for the discard-body handler; the
	// UntagResource docs below say the operation returns no output.
	//
	// NOTE(review): the same docs state that untagging can allow or deny
	// permission to the CMK (ABAC); review who holds kms:UntagResource with the
	// same care as who can edit the key policy.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}

// UntagResource API operation for AWS Key Management Service.
//
// Deletes tags from a customer managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk).
// To delete a tag, specify the tag key and the CMK.
//
// Tagging or untagging a CMK can allow or deny permission to the CMK. For details,
// see Using ABAC in AWS KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html)
// in the AWS Key Management Service Developer Guide.
//
// When it succeeds, the UntagResource operation doesn't return any output.
// Also, if the specified tag key isn't found on the CMK, it doesn't throw an
// exception or return a response. To confirm that the operation worked, use
// the ListResourceTags operation.
//
// For information about using tags in AWS KMS, see Tagging keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html).
// For general information about tags, including the format and syntax, see
// Tagging AWS resources (https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html)
// in the Amazon Web Services General Reference.
6709// 6710// The CMK that you use for this operation must be in a compatible key state. 6711// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 6712// in the AWS Key Management Service Developer Guide. 6713// 6714// Cross-account use: No. You cannot perform this operation on a CMK in a different 6715// AWS account. 6716// 6717// Required permissions: kms:UntagResource (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) 6718// (key policy) 6719// 6720// Related operations 6721// 6722// * CreateKey 6723// 6724// * ListResourceTags 6725// 6726// * ReplicateKey 6727// 6728// * TagResource 6729// 6730// Returns awserr.Error for service API and SDK errors. Use runtime type assertions 6731// with awserr.Error's Code and Message methods to get detailed information about 6732// the error. 6733// 6734// See the AWS API reference guide for AWS Key Management Service's 6735// API operation UntagResource for usage and error information. 6736// 6737// Returned Error Types: 6738// * InternalException 6739// The request was rejected because an internal exception occurred. The request 6740// can be retried. 6741// 6742// * NotFoundException 6743// The request was rejected because the specified entity or resource could not 6744// be found. 6745// 6746// * InvalidArnException 6747// The request was rejected because a specified ARN, or an ARN in a key policy, 6748// is not valid. 6749// 6750// * InvalidStateException 6751// The request was rejected because the state of the specified resource is not 6752// valid for this request. 6753// 6754// For more information about how key state affects the use of a CMK, see How 6755// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 6756// in the AWS Key Management Service Developer Guide . 
//
//   * TagException
//   The request was rejected because one or more tags are not valid.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UntagResource
func (c *KMS) UntagResource(input *UntagResourceInput) (*UntagResourceOutput, error) {
	req, result := c.UntagResourceRequest(input)
	// The output pointer is returned even when Send fails. Per the
	// UntagResource docs a nil error does not prove the tag key existed;
	// confirm with ListResourceTags when the removal matters.
	err := req.Send()
	return result, err
}

// UntagResourceWithContext is the same as UntagResource with the addition of
// the ability to pass a context and additional request options.
//
// See UntagResource for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) UntagResourceWithContext(ctx aws.Context, input *UntagResourceInput, opts ...request.Option) (*UntagResourceOutput, error) {
	req, result := c.UntagResourceRequest(input)
	// Attach the caller's context first, then let the options adjust the
	// request before it is sent. A context carrying a deadline keeps a stalled
	// call from blocking the caller indefinitely.
	req.SetContext(ctx)
	req.ApplyOptions(opts...)
	err := req.Send()
	return result, err
}

const opUpdateAlias = "UpdateAlias"

// UpdateAliasRequest generates a "aws/request.Request" representing the
// client's request for the UpdateAlias operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See UpdateAlias for more information on using the UpdateAlias
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the UpdateAliasRequest method.
//    req, resp := client.UpdateAliasRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateAlias
func (c *KMS) UpdateAliasRequest(input *UpdateAliasInput) (req *request.Request, output *UpdateAliasOutput) {
	// A nil input is tolerated: an empty UpdateAliasInput is substituted before
	// the request is built.
	if input == nil {
		input = new(UpdateAliasInput)
	}
	output = new(UpdateAliasOutput)

	// Describe the call: the operation name plus a POST to the service root path.
	req = c.newRequest(&request.Operation{
		Name:       opUpdateAlias,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)

	// Swap the JSON-RPC unmarshal handler for the discard-body handler, so the
	// response payload is dropped instead of being decoded into output.
	//
	// NOTE(review): the UpdateAlias docs below state that updating an alias can
	// allow or deny permission to the CMK (ABAC), and it repoints every caller
	// that addresses the key by alias; review who holds kms:UpdateAlias.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}

// UpdateAlias API operation for AWS Key Management Service.
//
// Associates an existing AWS KMS alias with a different customer master key
// (CMK). Each alias is associated with only one CMK at a time, although a CMK
// can have multiple aliases. The alias and the CMK must be in the same AWS
// account and Region.
//
// Adding, deleting, or updating an alias can allow or deny permission to the
// CMK. For details, see Using ABAC in AWS KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html)
// in the AWS Key Management Service Developer Guide.
//
// The current and new CMK must be the same type (both symmetric or both asymmetric),
// and they must have the same key usage (ENCRYPT_DECRYPT or SIGN_VERIFY). This
// restriction prevents errors in code that uses aliases. If you must assign
// an alias to a different type of CMK, use DeleteAlias to delete the old alias
// and CreateAlias to create a new alias.
//
// You cannot use UpdateAlias to change an alias name.
To change an alias name, 6844// use DeleteAlias to delete the old alias and CreateAlias to create a new alias. 6845// 6846// Because an alias is not a property of a CMK, you can create, update, and 6847// delete the aliases of a CMK without affecting the CMK. Also, aliases do not 6848// appear in the response from the DescribeKey operation. To get the aliases 6849// of all CMKs in the account, use the ListAliases operation. 6850// 6851// The CMK that you use for this operation must be in a compatible key state. 6852// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) 6853// in the AWS Key Management Service Developer Guide. 6854// 6855// Cross-account use: No. You cannot perform this operation on a CMK in a different 6856// AWS account. 6857// 6858// Required permissions 6859// 6860// * kms:UpdateAlias (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) 6861// on the alias (IAM policy). 6862// 6863// * kms:UpdateAlias (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) 6864// on the current CMK (key policy). 6865// 6866// * kms:UpdateAlias (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) 6867// on the new CMK (key policy). 6868// 6869// For details, see Controlling access to aliases (https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access) 6870// in the AWS Key Management Service Developer Guide. 6871// 6872// Related operations: 6873// 6874// * CreateAlias 6875// 6876// * DeleteAlias 6877// 6878// * ListAliases 6879// 6880// Returns awserr.Error for service API and SDK errors. Use runtime type assertions 6881// with awserr.Error's Code and Message methods to get detailed information about 6882// the error. 6883// 6884// See the AWS API reference guide for AWS Key Management Service's 6885// API operation UpdateAlias for usage and error information. 
//
// Returned Error Types:
//   * DependencyTimeoutException
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * NotFoundException
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * InternalException
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * LimitExceededException
//   The request was rejected because a quota was exceeded. For more information,
//   see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html)
//   in the AWS Key Management Service Developer Guide.
//
//   * InvalidStateException
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateAlias
func (c *KMS) UpdateAlias(input *UpdateAliasInput) (*UpdateAliasOutput, error) {
	req, result := c.UpdateAliasRequest(input)
	// The output pointer is returned even when Send fails, so callers must
	// check the error before treating the alias as repointed.
	err := req.Send()
	return result, err
}

// UpdateAliasWithContext is the same as UpdateAlias with the addition of
// the ability to pass a context and additional request options.
//
// See UpdateAlias for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) UpdateAliasWithContext(ctx aws.Context, input *UpdateAliasInput, opts ...request.Option) (*UpdateAliasOutput, error) {
	req, result := c.UpdateAliasRequest(input)
	// Attach the caller's context first, then let the options adjust the
	// request before it is sent. A context carrying a deadline keeps a stalled
	// call from blocking the caller indefinitely.
	req.SetContext(ctx)
	req.ApplyOptions(opts...)
	err := req.Send()
	return result, err
}

const opUpdateCustomKeyStore = "UpdateCustomKeyStore"

// UpdateCustomKeyStoreRequest generates a "aws/request.Request" representing the
// client's request for the UpdateCustomKeyStore operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See UpdateCustomKeyStore for more information on using the UpdateCustomKeyStore
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the UpdateCustomKeyStoreRequest method.
//    req, resp := client.UpdateCustomKeyStoreRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateCustomKeyStore
func (c *KMS) UpdateCustomKeyStoreRequest(input *UpdateCustomKeyStoreInput) (req *request.Request, output *UpdateCustomKeyStoreOutput) {
	// A nil input is tolerated: an empty UpdateCustomKeyStoreInput is
	// substituted before the request is built.
	//
	// NOTE(review): per the UpdateCustomKeyStore docs below, input can carry
	// KeyStorePassword (the kmsuser password). Treat input as secret-bearing in
	// any custom handler or debug logging attached to this request.
	if input == nil {
		input = new(UpdateCustomKeyStoreInput)
	}
	output = new(UpdateCustomKeyStoreOutput)

	// Describe the call: the operation name plus a POST to the service root path.
	req = c.newRequest(&request.Operation{
		Name:       opUpdateCustomKeyStore,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)

	// Swap the JSON-RPC unmarshal handler for the discard-body handler, so the
	// response payload is dropped instead of being decoded into output.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}

// UpdateCustomKeyStore API operation for AWS Key Management Service.
//
// Changes the properties of a custom key store. Use the CustomKeyStoreId parameter
// to identify the custom key store you want to edit. Use the remaining parameters
// to change the properties of the custom key store.
//
// You can only update a custom key store that is disconnected. To disconnect
// the custom key store, use DisconnectCustomKeyStore. To reconnect the custom
// key store after the update completes, use ConnectCustomKeyStore. To find
// the connection state of a custom key store, use the DescribeCustomKeyStores
// operation.
//
// Use the parameters of UpdateCustomKeyStore to edit your keystore settings.
//
//    * Use the NewCustomKeyStoreName parameter to change the friendly name
//    of the custom key store to the value that you specify.
//
//    * Use the KeyStorePassword parameter to tell AWS KMS the current password
//    of the kmsuser crypto user (CU) (https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser)
//    in the associated AWS CloudHSM cluster.
You can use this parameter to 6998// fix connection failures (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-password) 6999// that occur when AWS KMS cannot log into the associated cluster because 7000// the kmsuser password has changed. This value does not change the password 7001// in the AWS CloudHSM cluster. 7002// 7003// * Use the CloudHsmClusterId parameter to associate the custom key store 7004// with a different, but related, AWS CloudHSM cluster. You can use this 7005// parameter to repair a custom key store if its AWS CloudHSM cluster becomes 7006// corrupted or is deleted, or when you need to create or restore a cluster 7007// from a backup. 7008// 7009// If the operation succeeds, it returns a JSON object with no properties. 7010// 7011// This operation is part of the Custom Key Store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) 7012// feature in AWS KMS, which combines the convenience and extensive integration 7013// of AWS KMS with the isolation and control of a single-tenant key store. 7014// 7015// Cross-account use: No. You cannot perform this operation on a custom key 7016// store in a different AWS account. 7017// 7018// Required permissions: kms:UpdateCustomKeyStore (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) 7019// (IAM policy) 7020// 7021// Related operations: 7022// 7023// * ConnectCustomKeyStore 7024// 7025// * CreateCustomKeyStore 7026// 7027// * DeleteCustomKeyStore 7028// 7029// * DescribeCustomKeyStores 7030// 7031// * DisconnectCustomKeyStore 7032// 7033// Returns awserr.Error for service API and SDK errors. Use runtime type assertions 7034// with awserr.Error's Code and Message methods to get detailed information about 7035// the error. 7036// 7037// See the AWS API reference guide for AWS Key Management Service's 7038// API operation UpdateCustomKeyStore for usage and error information. 
7039// 7040// Returned Error Types: 7041// * CustomKeyStoreNotFoundException 7042// The request was rejected because AWS KMS cannot find a custom key store with 7043// the specified key store name or ID. 7044// 7045// * CustomKeyStoreNameInUseException 7046// The request was rejected because the specified custom key store name is already 7047// assigned to another custom key store in the account. Try again with a custom 7048// key store name that is unique in the account. 7049// 7050// * CloudHsmClusterNotFoundException 7051// The request was rejected because AWS KMS cannot find the AWS CloudHSM cluster 7052// with the specified cluster ID. Retry the request with a different cluster 7053// ID. 7054// 7055// * CloudHsmClusterNotRelatedException 7056// The request was rejected because the specified AWS CloudHSM cluster has a 7057// different cluster certificate than the original cluster. You cannot use the 7058// operation to specify an unrelated cluster. 7059// 7060// Specify a cluster that shares a backup history with the original cluster. 7061// This includes clusters that were created from a backup of the current cluster, 7062// and clusters that were created from the same backup that produced the current 7063// cluster. 7064// 7065// Clusters that share a backup history have the same cluster certificate. To 7066// view the cluster certificate of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) 7067// operation. 7068// 7069// * CustomKeyStoreInvalidStateException 7070// The request was rejected because of the ConnectionState of the custom key 7071// store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores 7072// operation. 7073// 7074// This exception is thrown under the following conditions: 7075// 7076// * You requested the CreateKey or GenerateRandom operation in a custom 7077// key store that is not connected. 
These operations are valid only when 7078// the custom key store ConnectionState is CONNECTED. 7079// 7080// * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation 7081// on a custom key store that is not disconnected. This operation is valid 7082// only when the custom key store ConnectionState is DISCONNECTED. 7083// 7084// * You requested the ConnectCustomKeyStore operation on a custom key store 7085// with a ConnectionState of DISCONNECTING or FAILED. This operation is valid 7086// for all other ConnectionState values. 7087// 7088// * InternalException 7089// The request was rejected because an internal exception occurred. The request 7090// can be retried. 7091// 7092// * CloudHsmClusterNotActiveException 7093// The request was rejected because the AWS CloudHSM cluster that is associated 7094// with the custom key store is not active. Initialize and activate the cluster 7095// and try the command again. For detailed instructions, see Getting Started 7096// (https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html) 7097// in the AWS CloudHSM User Guide. 7098// 7099// * CloudHsmClusterInvalidConfigurationException 7100// The request was rejected because the associated AWS CloudHSM cluster did 7101// not meet the configuration requirements for a custom key store. 7102// 7103// * The cluster must be configured with private subnets in at least two 7104// different Availability Zones in the Region. 7105// 7106// * The security group for the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) 7107// (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound 7108// rules that allow TCP traffic on ports 2223-2225. The Source in the inbound 7109// rules and the Destination in the outbound rules must match the security 7110// group ID. These rules are set by default when you create the cluster. 7111// Do not delete or change them. 
//      To get information about a particular security
//      group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html)
//      operation.
//
//      * The cluster must contain at least as many HSMs as the operation requires.
//      To add HSMs, use the AWS CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html)
//      operation. For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey
//      operations, the AWS CloudHSM cluster must have at least two active HSMs,
//      each in a different Availability Zone. For the ConnectCustomKeyStore operation,
//      the AWS CloudHSM must contain at least one active HSM.
//
//   For information about the requirements for an AWS CloudHSM cluster that is
//   associated with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore)
//   in the AWS Key Management Service Developer Guide. For information about
//   creating a private subnet for an AWS CloudHSM cluster, see Create a Private
//   Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html)
//   in the AWS CloudHSM User Guide. For information about cluster security groups,
//   see Configure a Default Security Group (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html)
//   in the AWS CloudHSM User Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateCustomKeyStore
func (c *KMS) UpdateCustomKeyStore(input *UpdateCustomKeyStoreInput) (*UpdateCustomKeyStoreOutput, error) {
	req, result := c.UpdateCustomKeyStoreRequest(input)
	// The output pointer is returned even when Send fails, so callers must
	// check the error before treating the key store as updated.
	err := req.Send()
	return result, err
}

// UpdateCustomKeyStoreWithContext is the same as UpdateCustomKeyStore with the addition of
// the ability to pass a context and additional request options.
//
// See UpdateCustomKeyStore for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) UpdateCustomKeyStoreWithContext(ctx aws.Context, input *UpdateCustomKeyStoreInput, opts ...request.Option) (*UpdateCustomKeyStoreOutput, error) {
	r, resp := c.UpdateCustomKeyStoreRequest(input)
	// The context is attached first, then the caller's options are applied,
	// and only then is the request sent.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

// opUpdateKeyDescription is the operation name that UpdateKeyDescriptionRequest
// places in its request.Operation.
const opUpdateKeyDescription = "UpdateKeyDescription"

// UpdateKeyDescriptionRequest generates a "aws/request.Request" representing the
// client's request for the UpdateKeyDescription operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See UpdateKeyDescription for more information on using the UpdateKeyDescription
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the UpdateKeyDescriptionRequest method.
//    req, resp := client.UpdateKeyDescriptionRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateKeyDescription
func (c *KMS) UpdateKeyDescriptionRequest(input *UpdateKeyDescriptionInput) (req *request.Request, output *UpdateKeyDescriptionOutput) {
	// A nil input is replaced by an empty one so the request is always built
	// from a non-nil value.
	if input == nil {
		input = &UpdateKeyDescriptionInput{}
	}

	operation := &request.Operation{
		Name:       opUpdateKeyDescription,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}
	output = &UpdateKeyDescriptionOutput{}
	req = c.newRequest(operation, input, output)

	// The JSON-RPC unmarshal handler is swapped for the discard-body handler.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}

// UpdateKeyDescription API operation for AWS Key Management Service.
//
// Updates the description of a customer master key (CMK). To see the description
// of a CMK, use DescribeKey.
//
// The CMK that you use for this operation must be in a compatible key state.
// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
// in the AWS Key Management Service Developer Guide.
//
// Cross-account use: No. You cannot perform this operation on a CMK in a different
// AWS account.
//
// Required permissions: kms:UpdateKeyDescription (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
// (key policy)
//
// Related operations
//
//    * CreateKey
//
//    * DescribeKey
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation UpdateKeyDescription for usage and error information.
//
// Returned Error Types:
//   * NotFoundException
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * InvalidArnException
//   The request was rejected because a specified ARN, or an ARN in a key policy,
//   is not valid.
//
//   * DependencyTimeoutException
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * InternalException
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * InvalidStateException
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateKeyDescription
func (c *KMS) UpdateKeyDescription(input *UpdateKeyDescriptionInput) (*UpdateKeyDescriptionOutput, error) {
	// Build the request, send it, and hand back the output pointer together
	// with whatever error Send reports; callers check the error first.
	r, resp := c.UpdateKeyDescriptionRequest(input)
	err := r.Send()
	return resp, err
}

// UpdateKeyDescriptionWithContext is the same as UpdateKeyDescription with the addition of
// the ability to pass a context and additional request options.
//
// See UpdateKeyDescription for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests.
// See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) UpdateKeyDescriptionWithContext(ctx aws.Context, input *UpdateKeyDescriptionInput, opts ...request.Option) (*UpdateKeyDescriptionOutput, error) {
	r, resp := c.UpdateKeyDescriptionRequest(input)
	// The context is attached first, then the caller's options are applied,
	// and only then is the request sent.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

// opUpdatePrimaryRegion is the operation name that UpdatePrimaryRegionRequest
// places in its request.Operation.
const opUpdatePrimaryRegion = "UpdatePrimaryRegion"

// UpdatePrimaryRegionRequest generates a "aws/request.Request" representing the
// client's request for the UpdatePrimaryRegion operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See UpdatePrimaryRegion for more information on using the UpdatePrimaryRegion
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the UpdatePrimaryRegionRequest method.
//    req, resp := client.UpdatePrimaryRegionRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdatePrimaryRegion
func (c *KMS) UpdatePrimaryRegionRequest(input *UpdatePrimaryRegionInput) (req *request.Request, output *UpdatePrimaryRegionOutput) {
	// A nil input is replaced by an empty one so the request is always built
	// from a non-nil value.
	if input == nil {
		input = &UpdatePrimaryRegionInput{}
	}

	operation := &request.Operation{
		Name:       opUpdatePrimaryRegion,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}
	output = &UpdatePrimaryRegionOutput{}
	req = c.newRequest(operation, input, output)

	// The JSON-RPC unmarshal handler is swapped for the discard-body handler.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}

// UpdatePrimaryRegion API operation for AWS Key Management Service.
//
// Changes the primary key of a multi-Region key.
//
// This operation changes the replica key in the specified Region to a primary
// key and changes the former primary key to a replica key. For example, suppose
// you have a primary key in us-east-1 and a replica key in eu-west-2. If you
// run UpdatePrimaryRegion with a PrimaryRegion value of eu-west-2, the primary
// key is now the key in eu-west-2, and the key in us-east-1 becomes a replica
// key. For details, see
//
// This operation supports multi-Region keys, an AWS KMS feature that lets you
// create multiple interoperable CMKs in different AWS Regions. Because these
// CMKs have the same key ID, key material, and other metadata, you can use
// them to encrypt data in one AWS Region and decrypt it in a different AWS
// Region without making a cross-Region call or exposing the plaintext data.
// For more information about multi-Region keys, see Using multi-Region keys
// (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html)
// in the AWS Key Management Service Developer Guide.
//
// The primary key of a multi-Region key is the source for properties that are
// always shared by primary and replica keys, including the key material, key
// ID (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-id),
// key spec (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-spec),
// key usage (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-usage),
// key material origin (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-origin),
// and automatic key rotation (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html).
// It's the only key that can be replicated. You cannot delete the primary key
// (https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html)
// until all replicas are deleted.
//
// The key ID and primary Region that you specify uniquely identify the replica
// key that will become the primary key. The primary Region must already have
// a replica key. This operation does not create a CMK in the specified Region.
// To find the replica keys, use the DescribeKey operation on the primary key
// or any replica key. To create a replica key, use the ReplicateKey operation.
//
// You can run this operation while using the affected multi-Region keys in
// cryptographic operations. This operation should not delay, interrupt, or
// cause failures in cryptographic operations.
//
// Even after this operation completes, the process of updating the primary
// Region might still be in progress for a few more seconds.
// Operations such
// as DescribeKey might display both the old and new primary keys as replicas.
// The old and new primary keys have a transient key state of Updating. The
// original key state is restored when the update is complete. While the key
// state is Updating, you can use the keys in cryptographic operations, but
// you cannot replicate the new primary key or perform certain management operations,
// such as enabling or disabling these keys. For details about the Updating
// key state, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
// in the AWS Key Management Service Developer Guide.
//
// This operation does not return any output. To verify that the primary key is
// changed, use the DescribeKey operation.
//
// Cross-account use: No. You cannot use this operation in a different AWS account.
//
// Required permissions:
//
//    * kms:UpdatePrimaryRegion on the current primary CMK (in the primary CMK's
//    Region). Include this permission in the primary CMK's key policy.
//
//    * kms:UpdatePrimaryRegion on the current replica CMK (in the replica CMK's
//    Region). Include this permission in the replica CMK's key policy.
//
// Related operations
//
//    * CreateKey
//
//    * ReplicateKey
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation UpdatePrimaryRegion for usage and error information.
//
// Returned Error Types:
//   * DisabledException
//   The request was rejected because the specified CMK is not enabled.
//
//   * InvalidArnException
//   The request was rejected because a specified ARN, or an ARN in a key policy,
//   is not valid.
//
//   * InvalidStateException
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
//   * InternalException
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * NotFoundException
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * UnsupportedOperationException
//   The request was rejected because a specified parameter is not supported or
//   a specified resource is not valid for this operation.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdatePrimaryRegion
func (c *KMS) UpdatePrimaryRegion(input *UpdatePrimaryRegionInput) (*UpdatePrimaryRegionOutput, error) {
	// Build the request, send it, and hand back the output pointer together
	// with whatever error Send reports; callers check the error first.
	r, resp := c.UpdatePrimaryRegionRequest(input)
	err := r.Send()
	return resp, err
}

// UpdatePrimaryRegionWithContext is the same as UpdatePrimaryRegion with the addition of
// the ability to pass a context and additional request options.
//
// See UpdatePrimaryRegion for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) UpdatePrimaryRegionWithContext(ctx aws.Context, input *UpdatePrimaryRegionInput, opts ...request.Option) (*UpdatePrimaryRegionOutput, error) {
	r, resp := c.UpdatePrimaryRegionRequest(input)
	// The context is attached first, then the caller's options are applied,
	// and only then is the request sent.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

// opVerify is the operation name that VerifyRequest places in its
// request.Operation.
const opVerify = "Verify"

// VerifyRequest generates a "aws/request.Request" representing the
// client's request for the Verify operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See Verify for more information on using the Verify
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
//    // Example sending a request using the VerifyRequest method.
//    req, resp := client.VerifyRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Verify
func (c *KMS) VerifyRequest(input *VerifyInput) (req *request.Request, output *VerifyOutput) {
	// A nil input is replaced by an empty one so the request is always built
	// from a non-nil value.
	if input == nil {
		input = &VerifyInput{}
	}

	operation := &request.Operation{
		Name:       opVerify,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}
	// output is allocated here, before anything is sent, so the pointer the
	// caller receives is non-nil whether or not the later Send succeeds.
	output = &VerifyOutput{}
	req = c.newRequest(operation, input, output)
	return req, output
}

// Verify API operation for AWS Key Management Service.
//
// Verifies a digital signature that was generated by the Sign operation.
//
// Verification confirms that an authorized user signed the message with the
// specified CMK and signing algorithm, and the message hasn't changed since
// it was signed. If the signature is verified, the value of the SignatureValid
// field in the response is True.
// If the signature verification fails, the Verify
// operation fails with a KMSInvalidSignatureException exception.
//
// A digital signature is generated by using the private key in an asymmetric
// CMK. The signature is verified by using the public key in the same asymmetric
// CMK. For information about symmetric and asymmetric CMKs, see Using Symmetric
// and Asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html)
// in the AWS Key Management Service Developer Guide.
//
// To verify a digital signature, you can use the Verify operation. Specify
// the same asymmetric CMK, message, and signing algorithm that were used to
// produce the signature.
//
// You can also verify the digital signature by using the public key of the
// CMK outside of AWS KMS. Use the GetPublicKey operation to download the public
// key in the asymmetric CMK and then use the public key to verify the signature
// outside of AWS KMS. The advantage of using the Verify operation is that it
// is performed within AWS KMS. As a result, it's easy to call, the operation
// is performed within the FIPS boundary, it is logged in AWS CloudTrail, and
// you can use key policy and IAM policy to determine who is authorized to use
// the CMK to verify signatures.
//
// The CMK that you use for this operation must be in a compatible key state.
// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
// in the AWS Key Management Service Developer Guide.
//
// Cross-account use: Yes. To perform this operation with a CMK in a different
// AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter.
//
// Required permissions: kms:Verify (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
// (key policy)
//
// Related operations: Sign
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation Verify for usage and error information.
//
// Returned Error Types:
//   * NotFoundException
//   The request was rejected because the specified entity or resource could not
//   be found.
//
//   * DisabledException
//   The request was rejected because the specified CMK is not enabled.
//
//   * KeyUnavailableException
//   The request was rejected because the specified CMK was not available. You
//   can retry the request.
//
//   * DependencyTimeoutException
//   The system timed out while trying to fulfill the request. The request can
//   be retried.
//
//   * InvalidKeyUsageException
//   The request was rejected for one of the following reasons:
//
//      * The KeyUsage value of the CMK is incompatible with the API operation.
//
//      * The encryption algorithm or signing algorithm specified for the operation
//      is incompatible with the type of key material in the CMK (CustomerMasterKeySpec).
//
//   For encrypting, decrypting, re-encrypting, and generating data keys, the
//   KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage
//   must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation.
//
//   To find the encryption or signing algorithms supported for a particular CMK,
//   use the DescribeKey operation.
//
//   * InvalidGrantTokenException
//   The request was rejected because the specified grant token is not valid.
//
//   * InternalException
//   The request was rejected because an internal exception occurred. The request
//   can be retried.
//
//   * InvalidStateException
//   The request was rejected because the state of the specified resource is not
//   valid for this request.
//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
//
//   * KMSInvalidSignatureException
//   The request was rejected because the signature verification failed. Signature
//   verification fails when it cannot confirm that the signature was produced by
//   signing the specified message with the specified CMK and signing algorithm.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Verify
func (c *KMS) Verify(input *VerifyInput) (*VerifyOutput, error) {
	r, resp := c.VerifyRequest(input)
	// A failed verification is reported through the error (the documentation
	// above names KMSInvalidSignatureException). resp was allocated by
	// VerifyRequest and is therefore non-nil even when Send fails, so callers
	// must check the error before reading the output and must not use
	// "output != nil" as a success test.
	err := r.Send()
	return resp, err
}

// VerifyWithContext is the same as Verify with the addition of
// the ability to pass a context and additional request options.
//
// See Verify for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) VerifyWithContext(ctx aws.Context, input *VerifyInput, opts ...request.Option) (*VerifyOutput, error) {
	r, resp := c.VerifyRequest(input)
	// The context is attached first, then the caller's options are applied,
	// and only then is the request sent. As with Verify, the error decides
	// whether the signature was accepted.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}

// Contains information about an alias.
type AliasListEntry struct {
	_ struct{} `type:"structure"`

	// String that contains the key ARN.
	AliasArn *string `min:"20" type:"string"`

	// String that contains the alias. This value begins with alias/.
	AliasName *string `min:"1" type:"string"`

	// Date and time that the alias was most recently created in the account and
	// Region. Formatted as Unix time.
	CreationDate *time.Time `type:"timestamp"`

	// Date and time that the alias was most recently associated with a CMK in the
	// account and Region. Formatted as Unix time.
	LastUpdatedDate *time.Time `type:"timestamp"`

	// String that contains the key identifier of the CMK associated with the alias.
	TargetKeyId *string `min:"1" type:"string"`
}

// String renders the entry with awsutil.Prettify.
func (s AliasListEntry) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s AliasListEntry) GoString() string {
	return s.String()
}

// SetAliasArn stores v in the AliasArn field and returns the receiver so that
// setter calls can be chained.
func (s *AliasListEntry) SetAliasArn(v string) *AliasListEntry {
	// v is this call's own copy, so the stored pointer does not alias the
	// caller's variable.
	s.AliasArn = &v
	return s
}

// SetAliasName stores v in the AliasName field and returns the receiver.
func (s *AliasListEntry) SetAliasName(v string) *AliasListEntry {
	s.AliasName = &v
	return s
}

// SetCreationDate stores v in the CreationDate field and returns the receiver.
func (s *AliasListEntry) SetCreationDate(v time.Time) *AliasListEntry {
	s.CreationDate = &v
	return s
}

// SetLastUpdatedDate stores v in the LastUpdatedDate field and returns the
// receiver.
func (s *AliasListEntry) SetLastUpdatedDate(v time.Time) *AliasListEntry {
	s.LastUpdatedDate = &v
	return s
}

// SetTargetKeyId sets the TargetKeyId field's value.
func (s *AliasListEntry) SetTargetKeyId(v string) *AliasListEntry {
	// v is this call's own copy, so the stored pointer does not alias the
	// caller's variable.
	s.TargetKeyId = &v
	return s
}

// The request was rejected because it attempted to create a resource that already
// exists.
type AlreadyExistsException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
}

// String renders the exception with awsutil.Prettify.
func (s AlreadyExistsException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s AlreadyExistsException) GoString() string {
	return s.String()
}

// newErrorAlreadyExistsException wraps the response metadata v in an
// *AlreadyExistsException and returns it as an error.
func newErrorAlreadyExistsException(v protocol.ResponseMetadata) error {
	e := &AlreadyExistsException{}
	e.RespMetadata = v
	return e
}

// Code returns the exception type name.
func (s *AlreadyExistsException) Code() string {
	return "AlreadyExistsException"
}

// Message returns the exception's message, or the empty string when no
// message is set.
func (s *AlreadyExistsException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil, satisfies awserr.Error interface.
func (s *AlreadyExistsException) OrigErr() error {
	return nil
}

// Error formats the exception as "<code>: <message>".
func (s *AlreadyExistsException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code for the request's response error.
func (s *AlreadyExistsException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the service's response RequestID for request.
func (s *AlreadyExistsException) RequestID() string {
	return s.RespMetadata.RequestID
}

// CancelKeyDeletionInput holds the parameters of the CancelKeyDeletion
// operation.
type CancelKeyDeletionInput struct {
	_ struct{} `type:"structure"`

	// Identifies the customer master key (CMK) whose deletion is being canceled.
	//
	// Specify the key ID or key ARN of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`
}

// String renders the input with awsutil.Prettify.
func (s CancelKeyDeletionInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s CancelKeyDeletionInput) GoString() string {
	return s.String()
}

// Validate inspects the fields of the type to determine if they are valid.
//
// Only the presence and the minimum length of KeyId are checked here; whether
// the value is a well-formed key ID or key ARN is not examined by this method.
func (s *CancelKeyDeletionInput) Validate() error {
	invalidParams := request.ErrInvalidParams{Context: "CancelKeyDeletionInput"}

	// The two failure cases are mutually exclusive: a missing KeyId is
	// reported as "required", a present but empty one as "too short".
	switch {
	case s.KeyId == nil:
		invalidParams.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if invalidParams.Len() == 0 {
		return nil
	}
	return invalidParams
}

// SetKeyId stores v in the KeyId field and returns the receiver so that setter
// calls can be chained.
func (s *CancelKeyDeletionInput) SetKeyId(v string) *CancelKeyDeletionInput {
	s.KeyId = &v
	return s
}

// CancelKeyDeletionOutput holds the response of the CancelKeyDeletion
// operation.
type CancelKeyDeletionOutput struct {
	_ struct{} `type:"structure"`

	// The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN))
	// of the CMK whose deletion is canceled.
	KeyId *string `min:"1" type:"string"`
}

// String renders the output with awsutil.Prettify.
func (s CancelKeyDeletionOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s CancelKeyDeletionOutput) GoString() string {
	return s.String()
}

// SetKeyId stores v in the KeyId field and returns the receiver.
func (s *CancelKeyDeletionOutput) SetKeyId(v string) *CancelKeyDeletionOutput {
	s.KeyId = &v
	return s
}

// The request was rejected because the specified AWS CloudHSM cluster is already
// associated with a custom key store or it shares a backup history with a cluster
// that is associated with a custom key store. Each custom key store must be
// associated with a different AWS CloudHSM cluster.
//
// Clusters that share a backup history have the same cluster certificate. To
// view the cluster certificate of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
// operation.
type CloudHsmClusterInUseException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
}

// String renders the exception with awsutil.Prettify.
func (s CloudHsmClusterInUseException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s CloudHsmClusterInUseException) GoString() string {
	return s.String()
}

// newErrorCloudHsmClusterInUseException wraps the response metadata v in a
// *CloudHsmClusterInUseException and returns it as an error.
func newErrorCloudHsmClusterInUseException(v protocol.ResponseMetadata) error {
	e := &CloudHsmClusterInUseException{}
	e.RespMetadata = v
	return e
}

// Code returns the exception type name.
func (s *CloudHsmClusterInUseException) Code() string {
	return "CloudHsmClusterInUseException"
}

// Message returns the exception's message.
func (s *CloudHsmClusterInUseException) Message() string {
	// An unset message is reported as the empty string.
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil, satisfies awserr.Error interface.
func (s *CloudHsmClusterInUseException) OrigErr() error {
	return nil
}

// Error formats the exception as "<code>: <message>".
func (s *CloudHsmClusterInUseException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code for the request's response error.
func (s *CloudHsmClusterInUseException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the service's response RequestID for request.
func (s *CloudHsmClusterInUseException) RequestID() string {
	return s.RespMetadata.RequestID
}

// The request was rejected because the associated AWS CloudHSM cluster did
// not meet the configuration requirements for a custom key store.
//
//    * The cluster must be configured with private subnets in at least two
//    different Availability Zones in the Region.
//
//    * The security group for the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html)
//    (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound
//    rules that allow TCP traffic on ports 2223-2225. The Source in the inbound
//    rules and the Destination in the outbound rules must match the security
//    group ID. These rules are set by default when you create the cluster.
//    Do not delete or change them. To get information about a particular security
//    group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html)
//    operation.
//
//    * The cluster must contain at least as many HSMs as the operation requires.
//    To add HSMs, use the AWS CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html)
//    operation. For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey
//    operations, the AWS CloudHSM cluster must have at least two active HSMs,
//    each in a different Availability Zone. For the ConnectCustomKeyStore operation,
//    the AWS CloudHSM cluster must contain at least one active HSM.
//
// For information about the requirements for an AWS CloudHSM cluster that is
// associated with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore)
// in the AWS Key Management Service Developer Guide. For information about
// creating a private subnet for an AWS CloudHSM cluster, see Create a Private
// Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html)
// in the AWS CloudHSM User Guide. For information about cluster security groups,
// see Configure a Default Security Group (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html)
// in the AWS CloudHSM User Guide.
type CloudHsmClusterInvalidConfigurationException struct {
	// RespMetadata holds the response metadata that StatusCode reads
	// (RequestID reads it too).
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	// Message_ is the optional message text; Message returns "" when it is nil.
	Message_ *string `locationName:"message" type:"string"`
}

// String returns the string representation produced by awsutil.Prettify.
func (s CloudHsmClusterInvalidConfigurationException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same representation as String.
func (s CloudHsmClusterInvalidConfigurationException) GoString() string {
	return s.String()
}

// newErrorCloudHsmClusterInvalidConfigurationException builds the exception
// with only its response metadata set; Message_ is left nil.
func newErrorCloudHsmClusterInvalidConfigurationException(v protocol.ResponseMetadata) error {
	exc := &CloudHsmClusterInvalidConfigurationException{RespMetadata: v}
	return exc
}

// Code returns the exception type name.
func (s *CloudHsmClusterInvalidConfigurationException) Code() string {
	return "CloudHsmClusterInvalidConfigurationException"
}

// Message returns the exception's message, or "" when none was set.
func (s *CloudHsmClusterInvalidConfigurationException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil; it exists to satisfy the awserr.Error interface.
func (s *CloudHsmClusterInvalidConfigurationException) OrigErr() error {
	return nil
}

// Error formats the exception as "<code>: <message>".
func (s *CloudHsmClusterInvalidConfigurationException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code for the request's response error.
func (s *CloudHsmClusterInvalidConfigurationException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the service's response RequestID for the request.
func (s *CloudHsmClusterInvalidConfigurationException) RequestID() string {
	return s.RespMetadata.RequestID
}

// CloudHsmClusterNotActiveException reports that the request was rejected
// because the AWS CloudHSM cluster that is associated with the custom key
// store is not active. Initialize and activate the cluster and try the command
// again. For detailed instructions, see Getting Started
// (https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html)
// in the AWS CloudHSM User Guide.
type CloudHsmClusterNotActiveException struct {
	// RespMetadata holds the response metadata that StatusCode and RequestID read.
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	// Message_ is the optional message text; Message returns "" when it is nil.
	Message_ *string `locationName:"message" type:"string"`
}

// String returns the string representation produced by awsutil.Prettify.
func (s CloudHsmClusterNotActiveException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same representation as String.
func (s CloudHsmClusterNotActiveException) GoString() string {
	return s.String()
}

// newErrorCloudHsmClusterNotActiveException builds the exception with only its
// response metadata set; Message_ is left nil.
func newErrorCloudHsmClusterNotActiveException(v protocol.ResponseMetadata) error {
	exc := &CloudHsmClusterNotActiveException{RespMetadata: v}
	return exc
}

// Code returns the exception type name.
func (s *CloudHsmClusterNotActiveException) Code() string {
	return "CloudHsmClusterNotActiveException"
}

// Message returns the exception's message, or "" when none was set.
func (s *CloudHsmClusterNotActiveException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil; it exists to satisfy the awserr.Error interface.
func (s *CloudHsmClusterNotActiveException) OrigErr() error {
	return nil
}

// Error formats the exception as "<code>: <message>".
func (s *CloudHsmClusterNotActiveException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code for the request's response error.
func (s *CloudHsmClusterNotActiveException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the service's response RequestID for the request.
func (s *CloudHsmClusterNotActiveException) RequestID() string {
	return s.RespMetadata.RequestID
}

// CloudHsmClusterNotFoundException reports that the request was rejected
// because AWS KMS cannot find the AWS CloudHSM cluster with the specified
// cluster ID. Retry the request with a different cluster ID.
type CloudHsmClusterNotFoundException struct {
	// RespMetadata holds the response metadata that StatusCode reads
	// (RequestID reads it too).
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	// Message_ is the optional message text; Message returns "" when it is nil.
	Message_ *string `locationName:"message" type:"string"`
}

// String returns the string representation produced by awsutil.Prettify.
func (s CloudHsmClusterNotFoundException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same representation as String.
func (s CloudHsmClusterNotFoundException) GoString() string {
	return s.String()
}

// newErrorCloudHsmClusterNotFoundException builds the exception with only its
// response metadata set; Message_ is left nil.
func newErrorCloudHsmClusterNotFoundException(v protocol.ResponseMetadata) error {
	exc := &CloudHsmClusterNotFoundException{RespMetadata: v}
	return exc
}

// Code returns the exception type name.
func (s *CloudHsmClusterNotFoundException) Code() string {
	return "CloudHsmClusterNotFoundException"
}

// Message returns the exception's message, or "" when none was set.
func (s *CloudHsmClusterNotFoundException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil; it exists to satisfy the awserr.Error interface.
func (s *CloudHsmClusterNotFoundException) OrigErr() error {
	return nil
}

// Error formats the exception as "<code>: <message>".
func (s *CloudHsmClusterNotFoundException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code for the request's response error.
func (s *CloudHsmClusterNotFoundException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the service's response RequestID for the request.
func (s *CloudHsmClusterNotFoundException) RequestID() string {
	return s.RespMetadata.RequestID
}

// CloudHsmClusterNotRelatedException reports that the request was rejected
// because the specified AWS CloudHSM cluster has a different cluster
// certificate than the original cluster. You cannot use the operation to
// specify an unrelated cluster.
//
// Specify a cluster that shares a backup history with the original cluster.
// This includes clusters that were created from a backup of the current cluster,
// and clusters that were created from the same backup that produced the current
// cluster.
//
// Clusters that share a backup history have the same cluster certificate. To
// view the cluster certificate of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
// operation.
type CloudHsmClusterNotRelatedException struct {
	// RespMetadata holds the response metadata; it is excluded from JSON and
	// XML encoding by its tags.
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	// Message_ is the optional message text.
	Message_ *string `locationName:"message" type:"string"`
}

// String returns the string representation produced by awsutil.Prettify.
func (s CloudHsmClusterNotRelatedException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same representation as String.
func (s CloudHsmClusterNotRelatedException) GoString() string {
	return s.String()
}

// newErrorCloudHsmClusterNotRelatedException builds the exception with only
// its response metadata set; Message_ is left nil.
func newErrorCloudHsmClusterNotRelatedException(v protocol.ResponseMetadata) error {
	exc := &CloudHsmClusterNotRelatedException{RespMetadata: v}
	return exc
}

// Code returns the exception type name.
func (s *CloudHsmClusterNotRelatedException) Code() string {
	return "CloudHsmClusterNotRelatedException"
}

// Message returns the exception's message.
func (s *CloudHsmClusterNotRelatedException) Message() string {
	// Message_ is optional; an absent message is reported as the empty string.
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil; it exists to satisfy the awserr.Error interface.
func (s *CloudHsmClusterNotRelatedException) OrigErr() error {
	return nil
}

// Error formats the exception as "<code>: <message>".
func (s *CloudHsmClusterNotRelatedException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code for the request's response error.
func (s *CloudHsmClusterNotRelatedException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the service's response RequestID for the request.
func (s *CloudHsmClusterNotRelatedException) RequestID() string {
	return s.RespMetadata.RequestID
}

// ConnectCustomKeyStoreInput is the input structure for the
// ConnectCustomKeyStore operation.
type ConnectCustomKeyStoreInput struct {
	_ struct{} `type:"structure"`

	// Enter the key store ID of the custom key store that you want to connect.
	// To find the ID of a custom key store, use the DescribeCustomKeyStores operation.
	//
	// CustomKeyStoreId is a required field
	CustomKeyStoreId *string `min:"1" type:"string" required:"true"`
}

// String returns the string representation produced by awsutil.Prettify.
func (s ConnectCustomKeyStoreInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same representation as String.
func (s ConnectCustomKeyStoreInput) GoString() string {
	return s.String()
}

// Validate inspects the fields of the type to determine if they are valid.
func (s *ConnectCustomKeyStoreInput) Validate() error {
	invalidParams := request.ErrInvalidParams{Context: "ConnectCustomKeyStoreInput"}

	// CustomKeyStoreId: required, and at least 1 byte long when present.
	if id := s.CustomKeyStoreId; id == nil {
		invalidParams.Add(request.NewErrParamRequired("CustomKeyStoreId"))
	} else if len(*id) < 1 {
		invalidParams.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1))
	}

	if invalidParams.Len() == 0 {
		return nil
	}
	return invalidParams
}

// SetCustomKeyStoreId sets the CustomKeyStoreId field's value and returns the
// receiver so that calls can be chained.
func (s *ConnectCustomKeyStoreInput) SetCustomKeyStoreId(v string) *ConnectCustomKeyStoreInput {
	s.CustomKeyStoreId = &v
	return s
}

// ConnectCustomKeyStoreOutput is the output structure for the
// ConnectCustomKeyStore operation; it declares no data fields.
type ConnectCustomKeyStoreOutput struct {
	_ struct{} `type:"structure"`
}

// String returns the string representation produced by awsutil.Prettify.
func (s ConnectCustomKeyStoreOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same representation as String.
func (s ConnectCustomKeyStoreOutput) GoString() string {
	return s.String()
}

// CreateAliasInput is the input structure for the CreateAlias operation.
type CreateAliasInput struct {
	_ struct{} `type:"structure"`

	// Specifies the alias name. This value must begin with alias/ followed by a
	// name, such as alias/ExampleAlias.
	//
	// The AliasName value must be a string of 1-256 characters. It can contain only
	// alphanumeric characters, forward slashes (/), underscores (_), and dashes
	// (-). The alias name cannot begin with alias/aws/. The alias/aws/ prefix is
	// reserved for AWS managed CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk).
	//
	// AliasName is a required field
	AliasName *string `min:"1" type:"string" required:"true"`

	// Associates the alias with the specified customer managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk).
	// The CMK must be in the same AWS Region.
	//
	// A valid CMK ID is required. If you supply a null or empty string value, this
	// operation returns an error.
	//
	// For help finding the key ID and ARN, see Finding the Key ID and ARN (https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arn)
	// in the AWS Key Management Service Developer Guide.
	//
	// Specify the key ID or key ARN of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// TargetKeyId is a required field
	TargetKeyId *string `min:"1" type:"string" required:"true"`
}

// String returns the string representation produced by awsutil.Prettify.
func (s CreateAliasInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same representation as String.
func (s CreateAliasInput) GoString() string {
	return s.String()
}

// Validate inspects the fields of the type to determine if they are valid.
//
// Only presence and the 1-byte minimum length are checked here. The alias/
// prefix, the permitted character set, the 256-character limit and the
// reserved alias/aws/ prefix described on AliasName are not checked by this
// method.
func (s *CreateAliasInput) Validate() error {
	invalidParams := request.ErrInvalidParams{Context: "CreateAliasInput"}

	if name := s.AliasName; name == nil {
		invalidParams.Add(request.NewErrParamRequired("AliasName"))
	} else if len(*name) < 1 {
		invalidParams.Add(request.NewErrParamMinLen("AliasName", 1))
	}

	if key := s.TargetKeyId; key == nil {
		invalidParams.Add(request.NewErrParamRequired("TargetKeyId"))
	} else if len(*key) < 1 {
		invalidParams.Add(request.NewErrParamMinLen("TargetKeyId", 1))
	}

	if invalidParams.Len() == 0 {
		return nil
	}
	return invalidParams
}

// SetAliasName sets the AliasName field's value.
func (s *CreateAliasInput) SetAliasName(v string) *CreateAliasInput {
	// The value is stored as given; no format check happens in this setter.
	s.AliasName = &v
	return s
}

// SetTargetKeyId sets the TargetKeyId field's value and returns the receiver
// so that calls can be chained.
func (s *CreateAliasInput) SetTargetKeyId(v string) *CreateAliasInput {
	s.TargetKeyId = &v
	return s
}

// CreateAliasOutput is the output structure for the CreateAlias operation; it
// declares no data fields.
type CreateAliasOutput struct {
	_ struct{} `type:"structure"`
}

// String returns the string representation produced by awsutil.Prettify.
func (s CreateAliasOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same representation as String.
func (s CreateAliasOutput) GoString() string {
	return s.String()
}

// CreateCustomKeyStoreInput is the input structure for the
// CreateCustomKeyStore operation. It carries a credential (KeyStorePassword),
// so values of this type should be handled like any other secret-bearing
// object.
type CreateCustomKeyStoreInput struct {
	_ struct{} `type:"structure"`

	// Identifies the AWS CloudHSM cluster for the custom key store. Enter the cluster
	// ID of any active AWS CloudHSM cluster that is not already associated with
	// a custom key store. To find the cluster ID, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
	// operation.
	//
	// CloudHsmClusterId is a required field
	CloudHsmClusterId *string `min:"19" type:"string" required:"true"`

	// Specifies a friendly name for the custom key store. The name must be unique
	// in your AWS account.
	//
	// CustomKeyStoreName is a required field
	CustomKeyStoreName *string `min:"1" type:"string" required:"true"`

	// Enter the password of the kmsuser crypto user (CU) account (https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser)
	// in the specified AWS CloudHSM cluster. AWS KMS logs into the cluster as this
	// user to manage key material on your behalf.
	//
	// The password must be a string of 7 to 32 characters. Its value is case sensitive.
	//
	// This parameter tells AWS KMS the kmsuser account password; it does not change
	// the password in the AWS CloudHSM cluster.
	//
	// KeyStorePassword is a required field
	KeyStorePassword *string `min:"7" type:"string" required:"true" sensitive:"true"`

	// Enter the content of the trust anchor certificate for the cluster. This is
	// the content of the customerCA.crt file that you created when you initialized
	// the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html).
	//
	// TrustAnchorCertificate is a required field
	TrustAnchorCertificate *string `min:"1" type:"string" required:"true"`
}

// String returns the string representation produced by awsutil.Prettify.
//
// NOTE(review): KeyStorePassword carries the sensitive:"true" tag; whether it
// is masked in this output depends on awsutil.Prettify honoring that tag.
// Confirm this for the SDK version in use before logging or printing values of
// this type.
func (s CreateCustomKeyStoreInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same representation as String, so the note on String
// about KeyStorePassword applies to %#v formatting as well.
func (s CreateCustomKeyStoreInput) GoString() string {
	return s.String()
}

// Validate inspects the fields of the type to determine if they are valid.
func (s *CreateCustomKeyStoreInput) Validate() error {
	invalidParams := request.ErrInvalidParams{Context: "CreateCustomKeyStoreInput"}

	// Each field is required; the second branch enforces its minimum length in
	// bytes. No upper bounds are checked by this method.
	if id := s.CloudHsmClusterId; id == nil {
		invalidParams.Add(request.NewErrParamRequired("CloudHsmClusterId"))
	} else if len(*id) < 19 {
		invalidParams.Add(request.NewErrParamMinLen("CloudHsmClusterId", 19))
	}

	if name := s.CustomKeyStoreName; name == nil {
		invalidParams.Add(request.NewErrParamRequired("CustomKeyStoreName"))
	} else if len(*name) < 1 {
		invalidParams.Add(request.NewErrParamMinLen("CustomKeyStoreName", 1))
	}

	// Only the 7-byte minimum is enforced for the password here.
	if pw := s.KeyStorePassword; pw == nil {
		invalidParams.Add(request.NewErrParamRequired("KeyStorePassword"))
	} else if len(*pw) < 7 {
		invalidParams.Add(request.NewErrParamMinLen("KeyStorePassword", 7))
	}

	// The certificate content is checked for presence only, not parsed.
	if cert := s.TrustAnchorCertificate; cert == nil {
		invalidParams.Add(request.NewErrParamRequired("TrustAnchorCertificate"))
	} else if len(*cert) < 1 {
		invalidParams.Add(request.NewErrParamMinLen("TrustAnchorCertificate", 1))
	}

	if invalidParams.Len() == 0 {
		return nil
	}
	return invalidParams
}

// SetCloudHsmClusterId sets the CloudHsmClusterId field's value and returns
// the receiver so that calls can be chained.
func (s *CreateCustomKeyStoreInput) SetCloudHsmClusterId(v string) *CreateCustomKeyStoreInput {
	s.CloudHsmClusterId = &v
	return s
}

// SetCustomKeyStoreName sets the CustomKeyStoreName field's value and returns
// the receiver so that calls can be chained.
func (s *CreateCustomKeyStoreInput) SetCustomKeyStoreName(v string) *CreateCustomKeyStoreInput {
	s.CustomKeyStoreName = &v
	return s
}

// SetKeyStorePassword sets the KeyStorePassword field's value.
func (s *CreateCustomKeyStoreInput) SetKeyStorePassword(v string) *CreateCustomKeyStoreInput {
	// The password is stored as given; length checks are left to Validate.
	s.KeyStorePassword = &v
	return s
}

// SetTrustAnchorCertificate sets the TrustAnchorCertificate field's value and
// returns the receiver so that calls can be chained.
func (s *CreateCustomKeyStoreInput) SetTrustAnchorCertificate(v string) *CreateCustomKeyStoreInput {
	s.TrustAnchorCertificate = &v
	return s
}

// CreateCustomKeyStoreOutput is the output structure for the
// CreateCustomKeyStore operation.
type CreateCustomKeyStoreOutput struct {
	_ struct{} `type:"structure"`

	// A unique identifier for the new custom key store.
	CustomKeyStoreId *string `min:"1" type:"string"`
}

// String returns the string representation produced by awsutil.Prettify.
func (s CreateCustomKeyStoreOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same representation as String.
func (s CreateCustomKeyStoreOutput) GoString() string {
	return s.String()
}

// SetCustomKeyStoreId sets the CustomKeyStoreId field's value and returns the
// receiver so that calls can be chained.
func (s *CreateCustomKeyStoreOutput) SetCustomKeyStoreId(v string) *CreateCustomKeyStoreOutput {
	s.CustomKeyStoreId = &v
	return s
}

// CreateGrantInput is the input structure for the CreateGrant operation. It
// names the CMK (KeyId), the principal that receives permissions
// (GranteePrincipal), the permitted operations (Operations) and, optionally,
// encryption context constraints and a retiring principal.
type CreateGrantInput struct {
	_ struct{} `type:"structure"`

	// Specifies a grant constraint.
	//
	// AWS KMS supports the EncryptionContextEquals and EncryptionContextSubset
	// grant constraints. Each constraint value can include up to 8 encryption context
	// pairs. The encryption context value in each constraint cannot exceed 384
	// characters.
	//
	// These grant constraints allow a cryptographic operation (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations)
	// only when the encryption context in the request matches (EncryptionContextEquals)
	// or includes (EncryptionContextSubset) the encryption context specified in
	// this structure. For more information about encryption context, see Encryption
	// Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context)
	// in the AWS Key Management Service Developer Guide. For information about
	// grant constraints, see Using grant constraints (https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints)
	// in the AWS Key Management Service Developer Guide.
	//
	// The encryption context grant constraints are supported only on operations
	// that include an encryption context. You cannot use an encryption context
	// grant constraint for cryptographic operations with asymmetric CMKs or for
	// management operations, such as DescribeKey or RetireGrant.
	Constraints *GrantConstraints `type:"structure"`

	// A list of grant tokens.
	//
	// Use a grant token when your permission to call this operation comes from
	// a new grant that has not yet achieved eventual consistency. For more information,
	// see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
	// in the AWS Key Management Service Developer Guide.
	GrantTokens []*string `type:"list"`

	// The identity that gets the permissions specified in the grant.
	//
	// To specify the principal, use the Amazon Resource Name (ARN) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
	// of an AWS principal. Valid AWS principals include AWS accounts (root), IAM
	// users, IAM roles, federated users, and assumed role users. For examples of
	// the ARN syntax to use for specifying a principal, see AWS Identity and Access
	// Management (IAM) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam)
	// in the Example ARNs section of the AWS General Reference.
	//
	// GranteePrincipal is a required field
	GranteePrincipal *string `min:"1" type:"string" required:"true"`

	// Identifies the customer master key (CMK) for the grant. The grant gives principals
	// permission to use this CMK.
	//
	// Specify the key ID or key ARN of the CMK. To specify a CMK in a different
	// AWS account, you must use the key ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// A friendly name for the grant. Use this value to prevent the unintended creation
	// of duplicate grants when retrying this request.
	//
	// When this value is absent, all CreateGrant requests result in a new grant
	// with a unique GrantId even if all the supplied parameters are identical.
	// This can result in unintended duplicates when you retry the CreateGrant request.
	//
	// When this value is present, you can retry a CreateGrant request with identical
	// parameters; if the grant already exists, the original GrantId is returned
	// without creating a new grant. Note that the returned grant token is unique
	// with every CreateGrant request, even when a duplicate GrantId is returned.
	// All grant tokens for the same grant ID can be used interchangeably.
	Name *string `min:"1" type:"string"`

	// A list of operations that the grant permits.
	//
	// The operation must be supported on the CMK. For example, you cannot create
	// a grant for a symmetric CMK that allows the Sign operation, or a grant for
	// an asymmetric CMK that allows the GenerateDataKey operation. If you try,
	// AWS KMS returns a ValidationError exception. For details, see Grant operations
	// (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations)
	// in the AWS Key Management Service Developer Guide.
	//
	// Operations is a required field
	Operations []*string `type:"list" required:"true"`

	// The principal that is given permission to retire the grant by using the
	// RetireGrant operation.
	//
	// To specify the principal, use the Amazon Resource Name (ARN) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
	// of an AWS principal. Valid AWS principals include AWS accounts (root), IAM
	// users, federated users, and assumed role users. For examples of the ARN syntax
	// to use for specifying a principal, see AWS Identity and Access Management
	// (IAM) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam)
	// in the Example ARNs section of the AWS General Reference.
	RetiringPrincipal *string `min:"1" type:"string"`
}

// String returns the string representation produced by awsutil.Prettify.
func (s CreateGrantInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same representation as String.
func (s CreateGrantInput) GoString() string {
	return s.String()
}

// Validate inspects the fields of the type to determine if they are valid.
func (s *CreateGrantInput) Validate() error {
	invalidParams := request.ErrInvalidParams{Context: "CreateGrantInput"}

	// Only presence and minimum length are checked. Constraints and GrantTokens
	// are not inspected by this method, and a non-nil but empty Operations
	// slice passes the required check below.
	if grantee := s.GranteePrincipal; grantee == nil {
		invalidParams.Add(request.NewErrParamRequired("GranteePrincipal"))
	} else if len(*grantee) < 1 {
		invalidParams.Add(request.NewErrParamMinLen("GranteePrincipal", 1))
	}

	if key := s.KeyId; key == nil {
		invalidParams.Add(request.NewErrParamRequired("KeyId"))
	} else if len(*key) < 1 {
		invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	// Name is optional; when set it must not be empty.
	if name := s.Name; name != nil && len(*name) < 1 {
		invalidParams.Add(request.NewErrParamMinLen("Name", 1))
	}

	if s.Operations == nil {
		invalidParams.Add(request.NewErrParamRequired("Operations"))
	}

	// RetiringPrincipal is optional; when set it must not be empty.
	if retiring := s.RetiringPrincipal; retiring != nil && len(*retiring) < 1 {
		invalidParams.Add(request.NewErrParamMinLen("RetiringPrincipal", 1))
	}

	if invalidParams.Len() == 0 {
		return nil
	}
	return invalidParams
}

// SetConstraints sets the Constraints field's value. The pointer is stored
// as passed, so later changes made through v are visible in the input.
func (s *CreateGrantInput) SetConstraints(v *GrantConstraints) *CreateGrantInput {
	s.Constraints = v
	return s
}

// SetGrantTokens sets the GrantTokens field's value. The slice is stored
// without copying.
func (s *CreateGrantInput) SetGrantTokens(v []*string) *CreateGrantInput {
	s.GrantTokens = v
	return s
}

// SetGranteePrincipal sets the GranteePrincipal field's value and returns the
// receiver so that calls can be chained.
func (s *CreateGrantInput) SetGranteePrincipal(v string) *CreateGrantInput {
	s.GranteePrincipal = &v
	return s
}

// SetKeyId sets the KeyId field's value and returns the receiver so that
// calls can be chained.
func (s *CreateGrantInput) SetKeyId(v string) *CreateGrantInput {
	s.KeyId = &v
	return s
}

// SetName sets the Name field's value.
8577func (s *CreateGrantInput) SetName(v string) *CreateGrantInput { 8578 s.Name = &v 8579 return s 8580} 8581 8582// SetOperations sets the Operations field's value. 8583func (s *CreateGrantInput) SetOperations(v []*string) *CreateGrantInput { 8584 s.Operations = v 8585 return s 8586} 8587 8588// SetRetiringPrincipal sets the RetiringPrincipal field's value. 8589func (s *CreateGrantInput) SetRetiringPrincipal(v string) *CreateGrantInput { 8590 s.RetiringPrincipal = &v 8591 return s 8592} 8593 8594type CreateGrantOutput struct { 8595 _ struct{} `type:"structure"` 8596 8597 // The unique identifier for the grant. 8598 // 8599 // You can use the GrantId in a ListGrants, RetireGrant, or RevokeGrant operation. 8600 GrantId *string `min:"1" type:"string"` 8601 8602 // The grant token. 8603 // 8604 // Use a grant token when your permission to call this operation comes from 8605 // a new grant that has not yet achieved eventual consistency. For more information, 8606 // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) 8607 // in the AWS Key Management Service Developer Guide. 8608 GrantToken *string `min:"1" type:"string"` 8609} 8610 8611// String returns the string representation 8612func (s CreateGrantOutput) String() string { 8613 return awsutil.Prettify(s) 8614} 8615 8616// GoString returns the string representation 8617func (s CreateGrantOutput) GoString() string { 8618 return s.String() 8619} 8620 8621// SetGrantId sets the GrantId field's value. 8622func (s *CreateGrantOutput) SetGrantId(v string) *CreateGrantOutput { 8623 s.GrantId = &v 8624 return s 8625} 8626 8627// SetGrantToken sets the GrantToken field's value. 8628func (s *CreateGrantOutput) SetGrantToken(v string) *CreateGrantOutput { 8629 s.GrantToken = &v 8630 return s 8631} 8632 8633type CreateKeyInput struct { 8634 _ struct{} `type:"structure"` 8635 8636 // A flag to indicate whether to bypass the key policy lockout safety check. 
8637 // 8638 // Setting this value to true increases the risk that the CMK becomes unmanageable. 8639 // Do not set this value to true indiscriminately. 8640 // 8641 // For more information, refer to the scenario in the Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) 8642 // section in the AWS Key Management Service Developer Guide . 8643 // 8644 // Use this parameter only when you include a policy in the request and you 8645 // intend to prevent the principal that is making the request from making a 8646 // subsequent PutKeyPolicy request on the CMK. 8647 // 8648 // The default value is false. 8649 BypassPolicyLockoutSafetyCheck *bool `type:"boolean"` 8650 8651 // Creates the CMK in the specified custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) 8652 // and the key material in its associated AWS CloudHSM cluster. To create a 8653 // CMK in a custom key store, you must also specify the Origin parameter with 8654 // a value of AWS_CLOUDHSM. The AWS CloudHSM cluster that is associated with 8655 // the custom key store must have at least two active HSMs, each in a different 8656 // Availability Zone in the Region. 8657 // 8658 // This parameter is valid only for symmetric CMKs and regional CMKs. You cannot 8659 // create an asymmetric CMK or a multi-Region CMK in a custom key store. 8660 // 8661 // To find the ID of a custom key store, use the DescribeCustomKeyStores operation. 8662 // 8663 // The response includes the custom key store ID and the ID of the AWS CloudHSM 8664 // cluster. 8665 // 8666 // This operation is part of the Custom Key Store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) 8667 // feature in AWS KMS, which combines the convenience and extensive integration 8668 // of AWS KMS with the isolation and control of a single-tenant key store. 
8669 CustomKeyStoreId *string `min:"1" type:"string"` 8670 8671 // Specifies the type of CMK to create. The default value, SYMMETRIC_DEFAULT, 8672 // creates a CMK with a 256-bit symmetric key for encryption and decryption. 8673 // For help choosing a key spec for your CMK, see How to Choose Your CMK Configuration 8674 // (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose.html) 8675 // in the AWS Key Management Service Developer Guide. 8676 // 8677 // The CustomerMasterKeySpec determines whether the CMK contains a symmetric 8678 // key or an asymmetric key pair. It also determines the encryption algorithms 8679 // or signing algorithms that the CMK supports. You can't change the CustomerMasterKeySpec 8680 // after the CMK is created. To further restrict the algorithms that can be 8681 // used with the CMK, use a condition key in its key policy or IAM policy. For 8682 // more information, see kms:EncryptionAlgorithm (https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithm) 8683 // or kms:Signing Algorithm (https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithm) 8684 // in the AWS Key Management Service Developer Guide. 8685 // 8686 // AWS services that are integrated with AWS KMS (http://aws.amazon.com/kms/features/#AWS_Service_Integration) 8687 // use symmetric CMKs to protect your data. These services do not support asymmetric 8688 // CMKs. For help determining whether a CMK is symmetric or asymmetric, see 8689 // Identifying Symmetric and Asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/find-symm-asymm.html) 8690 // in the AWS Key Management Service Developer Guide. 
8691 // 8692 // AWS KMS supports the following key specs for CMKs: 8693 // 8694 // * Symmetric key (default) SYMMETRIC_DEFAULT (AES-256-GCM) 8695 // 8696 // * Asymmetric RSA key pairs RSA_2048 RSA_3072 RSA_4096 8697 // 8698 // * Asymmetric NIST-recommended elliptic curve key pairs ECC_NIST_P256 (secp256r1) 8699 // ECC_NIST_P384 (secp384r1) ECC_NIST_P521 (secp521r1) 8700 // 8701 // * Other asymmetric elliptic curve key pairs ECC_SECG_P256K1 (secp256k1), 8702 // commonly used for cryptocurrencies. 8703 CustomerMasterKeySpec *string `type:"string" enum:"CustomerMasterKeySpec"` 8704 8705 // A description of the CMK. 8706 // 8707 // Use a description that helps you decide whether the CMK is appropriate for 8708 // a task. The default value is an empty string (no description). 8709 Description *string `type:"string"` 8710 8711 // Determines the cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) 8712 // for which you can use the CMK. The default value is ENCRYPT_DECRYPT. This 8713 // parameter is required only for asymmetric CMKs. You can't change the KeyUsage 8714 // value after the CMK is created. 8715 // 8716 // Select only one valid value. 8717 // 8718 // * For symmetric CMKs, omit the parameter or specify ENCRYPT_DECRYPT. 8719 // 8720 // * For asymmetric CMKs with RSA key material, specify ENCRYPT_DECRYPT or 8721 // SIGN_VERIFY. 8722 // 8723 // * For asymmetric CMKs with ECC key material, specify SIGN_VERIFY. 8724 KeyUsage *string `type:"string" enum:"KeyUsageType"` 8725 8726 // Creates a multi-Region primary key that you can replicate into other AWS 8727 // Regions. You cannot change this value after you create the CMK. 8728 // 8729 // For a multi-Region key, set this parameter to True. For a single-Region CMK, 8730 // omit this parameter or set it to False. The default value is False. 
8731 // 8732 // This operation supports multi-Region keys, an AWS KMS feature that lets you 8733 // create multiple interoperable CMKs in different AWS Regions. Because these 8734 // CMKs have the same key ID, key material, and other metadata, you can use 8735 // them to encrypt data in one AWS Region and decrypt it in a different AWS 8736 // Region without making a cross-Region call or exposing the plaintext data. 8737 // For more information about multi-Region keys, see Using multi-Region keys 8738 // (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) 8739 // in the AWS Key Management Service Developer Guide. 8740 // 8741 // This value creates a primary key, not a replica. To create a replica key, 8742 // use the ReplicateKey operation. 8743 // 8744 // You can create a symmetric or asymmetric multi-Region CMK, and you can create 8745 // a multi-Region CMK with imported key material. However, you cannot create 8746 // a multi-Region CMK in a custom key store. 8747 MultiRegion *bool `type:"boolean"` 8748 8749 // The source of the key material for the CMK. You cannot change the origin 8750 // after you create the CMK. The default is AWS_KMS, which means that AWS KMS 8751 // creates the key material. 8752 // 8753 // To create a CMK with no key material (for imported key material), set the 8754 // value to EXTERNAL. For more information about importing key material into 8755 // AWS KMS, see Importing Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) 8756 // in the AWS Key Management Service Developer Guide. This value is valid only 8757 // for symmetric CMKs. 8758 // 8759 // To create a CMK in an AWS KMS custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) 8760 // and create its key material in the associated AWS CloudHSM cluster, set this 8761 // value to AWS_CLOUDHSM. 
You must also use the CustomKeyStoreId parameter to 8762 // identify the custom key store. This value is valid only for symmetric CMKs. 8763 Origin *string `type:"string" enum:"OriginType"` 8764 8765 // The key policy to attach to the CMK. 8766 // 8767 // If you provide a key policy, it must meet the following criteria: 8768 // 8769 // * If you don't set BypassPolicyLockoutSafetyCheck to true, the key policy 8770 // must allow the principal that is making the CreateKey request to make 8771 // a subsequent PutKeyPolicy request on the CMK. This reduces the risk that 8772 // the CMK becomes unmanageable. For more information, refer to the scenario 8773 // in the Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) 8774 // section of the AWS Key Management Service Developer Guide . 8775 // 8776 // * Each statement in the key policy must contain one or more principals. 8777 // The principals in the key policy must exist and be visible to AWS KMS. 8778 // When you create a new AWS principal (for example, an IAM user or role), 8779 // you might need to enforce a delay before including the new principal in 8780 // a key policy because the new principal might not be immediately visible 8781 // to AWS KMS. For more information, see Changes that I make are not always 8782 // immediately visible (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency) 8783 // in the AWS Identity and Access Management User Guide. 8784 // 8785 // If you do not provide a key policy, AWS KMS attaches a default key policy 8786 // to the CMK. For more information, see Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) 8787 // in the AWS Key Management Service Developer Guide. 8788 // 8789 // The key policy size quota is 32 kilobytes (32768 bytes). 
8790 // 8791 // For help writing and formatting a JSON policy document, see the IAM JSON 8792 // Policy Reference (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) 8793 // in the IAM User Guide . 8794 Policy *string `min:"1" type:"string"` 8795 8796 // Assigns one or more tags to the CMK. Use this parameter to tag the CMK when 8797 // it is created. To tag an existing CMK, use the TagResource operation. 8798 // 8799 // Tagging or untagging a CMK can allow or deny permission to the CMK. For details, 8800 // see Using ABAC in AWS KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) 8801 // in the AWS Key Management Service Developer Guide. 8802 // 8803 // To use this parameter, you must have kms:TagResource (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) 8804 // permission in an IAM policy. 8805 // 8806 // Each tag consists of a tag key and a tag value. Both the tag key and the 8807 // tag value are required, but the tag value can be an empty (null) string. 8808 // You cannot have more than one tag on a CMK with the same tag key. If you 8809 // specify an existing tag key with a different tag value, AWS KMS replaces 8810 // the current tag value with the specified one. 8811 // 8812 // When you assign tags to an AWS resource, AWS generates a cost allocation 8813 // report with usage and costs aggregated by tags. Tags can also be used to 8814 // control access to a CMK. For details, see Tagging Keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html). 8815 Tags []*Tag `type:"list"` 8816} 8817 8818// String returns the string representation 8819func (s CreateKeyInput) String() string { 8820 return awsutil.Prettify(s) 8821} 8822 8823// GoString returns the string representation 8824func (s CreateKeyInput) GoString() string { 8825 return s.String() 8826} 8827 8828// Validate inspects the fields of the type to determine if they are valid. 
func (s *CreateKeyInput) Validate() error {
	// Only client-side shape checks happen here: the minimum lengths declared
	// for CustomKeyStoreId and Policy, plus each non-nil Tag's own Validate.
	// Nothing in this method looks at the content of Policy or at
	// BypassPolicyLockoutSafetyCheck.
	errs := request.ErrInvalidParams{Context: "CreateKeyInput"}

	if id := s.CustomKeyStoreId; id != nil && len(*id) < 1 {
		errs.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1))
	}
	if policy := s.Policy; policy != nil && len(*policy) < 1 {
		errs.Add(request.NewErrParamMinLen("Policy", 1))
	}

	// Ranging over a nil slice runs zero iterations, so Tags needs no nil guard.
	for idx, tag := range s.Tags {
		if tag == nil {
			continue
		}
		err := tag.Validate()
		if err == nil {
			continue
		}
		// Unchecked assertion: this panics if Tag.Validate ever returns an
		// error that is not a request.ErrInvalidParams.
		errs.AddNested(fmt.Sprintf("%s[%v]", "Tags", idx), err.(request.ErrInvalidParams))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetBypassPolicyLockoutSafetyCheck points the BypassPolicyLockoutSafetyCheck
// field at a copy of v and returns the receiver so calls can be chained.
//
// The field's documentation states that true increases the risk that the CMK
// becomes unmanageable, so pass true only deliberately. Neither this setter
// nor Validate restricts the value.
func (s *CreateKeyInput) SetBypassPolicyLockoutSafetyCheck(v bool) *CreateKeyInput {
	s.BypassPolicyLockoutSafetyCheck = &v
	return s
}

// SetCustomKeyStoreId points the CustomKeyStoreId field at a copy of v and
// returns the receiver. An empty string is accepted here and rejected later
// by Validate (minimum length 1).
func (s *CreateKeyInput) SetCustomKeyStoreId(v string) *CreateKeyInput {
	s.CustomKeyStoreId = &v
	return s
}

// SetCustomerMasterKeySpec points the CustomerMasterKeySpec field at a copy
// of v and returns the receiver. The value is not compared with the
// CustomerMasterKeySpec enum on the client side.
func (s *CreateKeyInput) SetCustomerMasterKeySpec(v string) *CreateKeyInput {
	s.CustomerMasterKeySpec = &v
	return s
}

// SetDescription points the Description field at a copy of v and returns the
// receiver.
func (s *CreateKeyInput) SetDescription(v string) *CreateKeyInput {
	s.Description = &v
	return s
}

// SetKeyUsage points the KeyUsage field at a copy of v and returns the
// receiver. The value is not compared with the KeyUsageType enum on the
// client side.
func (s *CreateKeyInput) SetKeyUsage(v string) *CreateKeyInput {
	s.KeyUsage = &v
	return s
}

// SetMultiRegion points the MultiRegion field at a copy of v and returns the
// receiver.
func (s *CreateKeyInput) SetMultiRegion(v bool) *CreateKeyInput {
	s.MultiRegion = &v
	return s
}

// SetOrigin sets the Origin field's value.
func (s *CreateKeyInput) SetOrigin(v string) *CreateKeyInput {
	// The value is stored as given; it is not compared with the OriginType
	// enum on the client side.
	s.Origin = &v
	return s
}

// SetPolicy points the Policy field at a copy of v and returns the receiver.
//
// The policy document is stored as an opaque string. The only client-side
// check is Validate's minimum length of 1, so the content of the policy is
// not examined before the request is built.
func (s *CreateKeyInput) SetPolicy(v string) *CreateKeyInput {
	s.Policy = &v
	return s
}

// SetTags assigns v to the Tags field and returns the receiver.
//
// The slice is stored as-is, not copied, so later changes the caller makes to
// its elements are visible through s.Tags. The Tags field documentation notes
// that tagging a CMK can allow or deny permission to it.
func (s *CreateKeyInput) SetTags(v []*Tag) *CreateKeyInput {
	s.Tags = v
	return s
}

// CreateKeyOutput carries the metadata associated with the CMK.
type CreateKeyOutput struct {
	_ struct{} `type:"structure"`

	// Metadata associated with the CMK.
	KeyMetadata *KeyMetadata `type:"structure"`
}

// String returns the awsutil.Prettify rendering of the value.
func (s CreateKeyOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same rendering as String.
func (s CreateKeyOutput) GoString() string {
	return awsutil.Prettify(s)
}

// SetKeyMetadata assigns v to the KeyMetadata field and returns the receiver.
// The pointer is stored without copying the KeyMetadata it refers to.
func (s *CreateKeyOutput) SetKeyMetadata(v *KeyMetadata) *CreateKeyOutput {
	s.KeyMetadata = v
	return s
}

// The request was rejected because the custom key store contains AWS KMS customer
// master keys (CMKs). After verifying that you do not need to use the CMKs,
// use the ScheduleKeyDeletion operation to delete the CMKs. After they are
// deleted, you can delete the custom key store.
type CustomKeyStoreHasCMKsException struct {
	_ struct{} `type:"structure"`

	// RespMetadata is the response metadata passed to the constructor. Its
	// tags exclude it from JSON and XML encoding.
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	// Message_ is the "message" member of the error shape; nil when absent.
	Message_ *string `locationName:"message" type:"string"`
}

// String returns the awsutil.Prettify rendering of the value.
func (s CustomKeyStoreHasCMKsException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same rendering as String.
func (s CustomKeyStoreHasCMKsException) GoString() string {
	return awsutil.Prettify(s)
}

// newErrorCustomKeyStoreHasCMKsException builds the exception with only its
// response metadata set; Message_ is left nil.
func newErrorCustomKeyStoreHasCMKsException(v protocol.ResponseMetadata) error {
	exc := new(CustomKeyStoreHasCMKsException)
	exc.RespMetadata = v
	return exc
}

// Code returns the exception type name.
func (s *CustomKeyStoreHasCMKsException) Code() string {
	return "CustomKeyStoreHasCMKsException"
}

// Message returns the text held in Message_, or the empty string when it is
// nil.
func (s *CustomKeyStoreHasCMKsException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil, satisfies awserr.Error interface.
func (s *CustomKeyStoreHasCMKsException) OrigErr() error {
	return nil
}

// Error formats the exception as "<code>: <message>".
//
// NOTE(review): Message_ is presumably filled from the service response, so
// treat the result as externally supplied text when writing it to logs.
func (s *CustomKeyStoreHasCMKsException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code recorded in the response metadata.
func (s *CustomKeyStoreHasCMKsException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the request ID recorded in the response metadata.
func (s *CustomKeyStoreHasCMKsException) RequestID() string {
	return s.RespMetadata.RequestID
}

// CustomKeyStoreInvalidStateException reports that the request was rejected
// because of the ConnectionState of the custom key store. To get the
// ConnectionState of a custom key store, use the DescribeCustomKeyStores
// operation.
//
// This exception is thrown under the following conditions:
//
//    * You requested the CreateKey or GenerateRandom operation in a custom
//    key store that is not connected. These operations are valid only when
//    the custom key store ConnectionState is CONNECTED.
//
//    * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation
//    on a custom key store that is not disconnected. This operation is valid
//    only when the custom key store ConnectionState is DISCONNECTED.
//
//    * You requested the ConnectCustomKeyStore operation on a custom key store
//    with a ConnectionState of DISCONNECTING or FAILED. This operation is valid
//    for all other ConnectionState values.
type CustomKeyStoreInvalidStateException struct {
	_ struct{} `type:"structure"`

	// RespMetadata is the response metadata passed to the constructor. Its
	// tags exclude it from JSON and XML encoding.
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	// Message_ is the "message" member of the error shape; nil when absent.
	Message_ *string `locationName:"message" type:"string"`
}

// String returns the awsutil.Prettify rendering of the value.
func (s CustomKeyStoreInvalidStateException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same rendering as String.
func (s CustomKeyStoreInvalidStateException) GoString() string {
	return awsutil.Prettify(s)
}

// newErrorCustomKeyStoreInvalidStateException builds the exception with only
// its response metadata set; Message_ is left nil.
func newErrorCustomKeyStoreInvalidStateException(v protocol.ResponseMetadata) error {
	exc := new(CustomKeyStoreInvalidStateException)
	exc.RespMetadata = v
	return exc
}

// Code returns the exception type name.
func (s *CustomKeyStoreInvalidStateException) Code() string {
	return "CustomKeyStoreInvalidStateException"
}

// Message returns the text held in Message_, or the empty string when it is
// nil.
func (s *CustomKeyStoreInvalidStateException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil, satisfies awserr.Error interface.
func (s *CustomKeyStoreInvalidStateException) OrigErr() error {
	return nil
}

// Error formats the exception as "<code>: <message>".
//
// NOTE(review): Message_ is presumably filled from the service response, so
// treat the result as externally supplied text when writing it to logs.
func (s *CustomKeyStoreInvalidStateException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code recorded in the response metadata.
func (s *CustomKeyStoreInvalidStateException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the request ID recorded in the response metadata.
func (s *CustomKeyStoreInvalidStateException) RequestID() string {
	return s.RespMetadata.RequestID
}

// CustomKeyStoreNameInUseException reports that the request was rejected
// because the specified custom key store name is already assigned to another
// custom key store in the account. Try again with a custom key store name
// that is unique in the account.
type CustomKeyStoreNameInUseException struct {
	_ struct{} `type:"structure"`

	// RespMetadata is the response metadata passed to the constructor. Its
	// tags exclude it from JSON and XML encoding.
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	// Message_ is the "message" member of the error shape; nil when absent.
	Message_ *string `locationName:"message" type:"string"`
}

// String returns the awsutil.Prettify rendering of the value.
func (s CustomKeyStoreNameInUseException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same rendering as String.
func (s CustomKeyStoreNameInUseException) GoString() string {
	return awsutil.Prettify(s)
}

// newErrorCustomKeyStoreNameInUseException builds the exception with only its
// response metadata set; Message_ is left nil.
func newErrorCustomKeyStoreNameInUseException(v protocol.ResponseMetadata) error {
	exc := new(CustomKeyStoreNameInUseException)
	exc.RespMetadata = v
	return exc
}

// Code returns the exception type name.
func (s *CustomKeyStoreNameInUseException) Code() string {
	return "CustomKeyStoreNameInUseException"
}

// Message returns the text held in Message_, or the empty string when it is
// nil.
func (s *CustomKeyStoreNameInUseException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil, satisfies awserr.Error interface.
func (s *CustomKeyStoreNameInUseException) OrigErr() error {
	return nil
}

// Error formats the exception as "<code>: <message>".
//
// NOTE(review): Message_ is presumably filled from the service response, so
// treat the result as externally supplied text when writing it to logs.
func (s *CustomKeyStoreNameInUseException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code recorded in the response metadata.
func (s *CustomKeyStoreNameInUseException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the request ID recorded in the response metadata.
func (s *CustomKeyStoreNameInUseException) RequestID() string {
	return s.RespMetadata.RequestID
}

// CustomKeyStoreNotFoundException reports that the request was rejected
// because AWS KMS cannot find a custom key store with the specified key store
// name or ID.
type CustomKeyStoreNotFoundException struct {
	_ struct{} `type:"structure"`

	// RespMetadata is the response metadata passed to the constructor. Its
	// tags exclude it from JSON and XML encoding.
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	// Message_ is the "message" member of the error shape; nil when absent.
	Message_ *string `locationName:"message" type:"string"`
}

// String returns the awsutil.Prettify rendering of the value.
func (s CustomKeyStoreNotFoundException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same rendering as String.
func (s CustomKeyStoreNotFoundException) GoString() string {
	return awsutil.Prettify(s)
}

// newErrorCustomKeyStoreNotFoundException builds the exception with only its
// response metadata set; Message_ is left nil.
func newErrorCustomKeyStoreNotFoundException(v protocol.ResponseMetadata) error {
	exc := new(CustomKeyStoreNotFoundException)
	exc.RespMetadata = v
	return exc
}

// Code returns the exception type name.
func (s *CustomKeyStoreNotFoundException) Code() string {
	return "CustomKeyStoreNotFoundException"
}

// Message returns the text held in Message_, or the empty string when it is
// nil.
func (s *CustomKeyStoreNotFoundException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil, satisfies awserr.Error interface.
func (s *CustomKeyStoreNotFoundException) OrigErr() error {
	return nil
}

// Error formats the exception as "<code>: <message>".
//
// NOTE(review): Message_ is presumably filled from the service response, so
// treat the result as externally supplied text when writing it to logs.
func (s *CustomKeyStoreNotFoundException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code recorded in the response metadata.
func (s *CustomKeyStoreNotFoundException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the request ID recorded in the response metadata.
func (s *CustomKeyStoreNotFoundException) RequestID() string {
	return s.RespMetadata.RequestID
}

// CustomKeyStoresListEntry contains information about each custom key store
// in the custom key store list.
type CustomKeyStoresListEntry struct {
	_ struct{} `type:"structure"`

	// A unique identifier for the AWS CloudHSM cluster that is associated with
	// the custom key store.
	CloudHsmClusterId *string `min:"19" type:"string"`

	// Describes the connection error. This field appears in the response only when
	// the ConnectionState is FAILED. For help resolving these errors, see How to
	// Fix a Connection Failure (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failed)
	// in AWS Key Management Service Developer Guide.
	//
	// Valid values are:
	//
	//    * CLUSTER_NOT_FOUND - AWS KMS cannot find the AWS CloudHSM cluster with
	//    the specified cluster ID.
	//
	//    * INSUFFICIENT_CLOUDHSM_HSMS - The associated AWS CloudHSM cluster does
	//    not contain any active HSMs. To connect a custom key store to its AWS
	//    CloudHSM cluster, the cluster must contain at least one active HSM.
	//
	//    * INTERNAL_ERROR - AWS KMS could not complete the request due to an internal
	//    error. Retry the request. For ConnectCustomKeyStore requests, disconnect
	//    the custom key store before trying to connect again.
	//
	//    * INVALID_CREDENTIALS - AWS KMS does not have the correct password for
	//    the kmsuser crypto user in the AWS CloudHSM cluster. Before you can connect
	//    your custom key store to its AWS CloudHSM cluster, you must change the
	//    kmsuser account password and update the key store password value for the
	//    custom key store.
	//
	//    * NETWORK_ERRORS - Network errors are preventing AWS KMS from connecting
	//    to the custom key store.
	//
	//    * SUBNET_NOT_FOUND - A subnet in the AWS CloudHSM cluster configuration
	//    was deleted. If AWS KMS cannot find all of the subnets in the cluster
	//    configuration, attempts to connect the custom key store to the AWS CloudHSM
	//    cluster fail. To fix this error, create a cluster from a recent backup
	//    and associate it with your custom key store. (This process creates a new
	//    cluster configuration with a VPC and private subnets.) For details, see
	//    How to Fix a Connection Failure (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failed)
	//    in the AWS Key Management Service Developer Guide.
	//
	//    * USER_LOCKED_OUT - The kmsuser CU account is locked out of the associated
	//    AWS CloudHSM cluster due to too many failed password attempts. Before
	//    you can connect your custom key store to its AWS CloudHSM cluster, you
	//    must change the kmsuser account password and update the key store password
	//    value for the custom key store.
	//
	//    * USER_LOGGED_IN - The kmsuser CU account is logged into the associated
	//    AWS CloudHSM cluster. This prevents AWS KMS from rotating the kmsuser
	//    account password and logging into the cluster. Before you can connect
	//    your custom key store to its AWS CloudHSM cluster, you must log the kmsuser
	//    CU out of the cluster. If you changed the kmsuser password to log into
	//    the cluster, you must also update the key store password value for
	//    the custom key store. For help, see How to Log Out and Reconnect (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#login-kmsuser-2)
	//    in the AWS Key Management Service Developer Guide.
	//
	//    * USER_NOT_FOUND - AWS KMS cannot find a kmsuser CU account in the associated
	//    AWS CloudHSM cluster. Before you can connect your custom key store to
	//    its AWS CloudHSM cluster, you must create a kmsuser CU account in the
	//    cluster, and then update the key store password value for the custom key
	//    store.
	ConnectionErrorCode *string `type:"string" enum:"ConnectionErrorCodeType"`

	// Indicates whether the custom key store is connected to its AWS CloudHSM cluster.
	//
	// You can create and use CMKs in your custom key stores only when its connection
	// state is CONNECTED.
	//
	// The value is DISCONNECTED if the key store has never been connected or you
	// use the DisconnectCustomKeyStore operation to disconnect it. If the value
	// is CONNECTED but you are having trouble using the custom key store, make
	// sure that its associated AWS CloudHSM cluster is active and contains at least
	// one active HSM.
	//
	// A value of FAILED indicates that an attempt to connect was unsuccessful.
	// The ConnectionErrorCode field in the response indicates the cause of the
	// failure. For help resolving a connection failure, see Troubleshooting a Custom
	// Key Store (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html)
	// in the AWS Key Management Service Developer Guide.
	ConnectionState *string `type:"string" enum:"ConnectionStateType"`

	// The date and time when the custom key store was created.
	CreationDate *time.Time `type:"timestamp"`

	// A unique identifier for the custom key store.
	CustomKeyStoreId *string `min:"1" type:"string"`

	// The user-specified friendly name for the custom key store.
	CustomKeyStoreName *string `min:"1" type:"string"`

	// The trust anchor certificate of the associated AWS CloudHSM cluster. When
	// you initialize the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr),
	// you create this certificate and save it in the customerCA.crt file.
	TrustAnchorCertificate *string `min:"1" type:"string"`
}

// String returns the awsutil.Prettify rendering of the value. No field of
// this struct carries a sensitive tag.
func (s CustomKeyStoresListEntry) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same rendering as String.
func (s CustomKeyStoresListEntry) GoString() string {
	return awsutil.Prettify(s)
}

// SetCloudHsmClusterId points the CloudHsmClusterId field at a copy of v and
// returns the receiver so calls can be chained.
func (s *CustomKeyStoresListEntry) SetCloudHsmClusterId(v string) *CustomKeyStoresListEntry {
	s.CloudHsmClusterId = &v
	return s
}

// SetConnectionErrorCode points the ConnectionErrorCode field at a copy of v
// and returns the receiver. The value is not compared with the
// ConnectionErrorCodeType enum.
func (s *CustomKeyStoresListEntry) SetConnectionErrorCode(v string) *CustomKeyStoresListEntry {
	s.ConnectionErrorCode = &v
	return s
}

// SetConnectionState points the ConnectionState field at a copy of v and
// returns the receiver. The value is not compared with the
// ConnectionStateType enum.
func (s *CustomKeyStoresListEntry) SetConnectionState(v string) *CustomKeyStoresListEntry {
	s.ConnectionState = &v
	return s
}

// SetCreationDate points the CreationDate field at a copy of v and returns
// the receiver.
func (s *CustomKeyStoresListEntry) SetCreationDate(v time.Time) *CustomKeyStoresListEntry {
	s.CreationDate = &v
	return s
}

// SetCustomKeyStoreId sets the CustomKeyStoreId field's value.
func (s *CustomKeyStoresListEntry) SetCustomKeyStoreId(v string) *CustomKeyStoresListEntry {
	// v is a by-value parameter, so the field ends up pointing at a private copy.
	s.CustomKeyStoreId = &v
	return s
}

// SetCustomKeyStoreName points the CustomKeyStoreName field at a copy of v
// and returns the receiver so calls can be chained.
func (s *CustomKeyStoresListEntry) SetCustomKeyStoreName(v string) *CustomKeyStoresListEntry {
	s.CustomKeyStoreName = &v
	return s
}

// SetTrustAnchorCertificate points the TrustAnchorCertificate field at a copy
// of v and returns the receiver.
func (s *CustomKeyStoresListEntry) SetTrustAnchorCertificate(v string) *CustomKeyStoresListEntry {
	s.TrustAnchorCertificate = &v
	return s
}

// DecryptInput holds the parameters of a Decrypt request: the ciphertext and,
// optionally, the algorithm, encryption context, grant tokens and key
// identifier.
type DecryptInput struct {
	_ struct{} `type:"structure"`

	// Ciphertext to be decrypted. The blob includes metadata.
	//
	// CiphertextBlob is automatically base64 encoded/decoded by the SDK.
	//
	// CiphertextBlob is a required field
	CiphertextBlob []byte `min:"1" type:"blob" required:"true"`

	// Specifies the encryption algorithm that will be used to decrypt the ciphertext.
	// Specify the same algorithm that was used to encrypt the data. If you specify
	// a different algorithm, the Decrypt operation fails.
	//
	// This parameter is required only when the ciphertext was encrypted under an
	// asymmetric CMK. The default value, SYMMETRIC_DEFAULT, represents the only
	// supported algorithm that is valid for symmetric CMKs.
	EncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"`

	// Specifies the encryption context to use when decrypting the data. An encryption
	// context is valid only for cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations)
	// with a symmetric CMK. The standard asymmetric encryption algorithms that
	// AWS KMS uses do not support an encryption context.
	//
	// An encryption context is a collection of non-secret key-value pairs that
	// represents additional authenticated data. When you use an encryption context
	// to encrypt data, you must specify the same (an exact case-sensitive match)
	// encryption context to decrypt the data. An encryption context is optional
	// when encrypting with a symmetric CMK, but it is highly recommended.
	//
	// Because the context is described as non-secret, it should not carry secret
	// values.
	//
	// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context)
	// in the AWS Key Management Service Developer Guide.
	EncryptionContext map[string]*string `type:"map"`

	// A list of grant tokens.
	//
	// Use a grant token when your permission to call this operation comes from
	// a newly created grant that has not yet achieved eventual consistency. For
	// more information, see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
	// in the AWS Key Management Service Developer Guide.
	GrantTokens []*string `type:"list"`

	// Specifies the customer master key (CMK) that AWS KMS uses to decrypt the
	// ciphertext. Enter a key ID of the CMK that was used to encrypt the ciphertext.
	//
	// This parameter is required only when the ciphertext was encrypted under an
	// asymmetric CMK. If you used a symmetric CMK, AWS KMS can get the CMK from
	// metadata that it adds to the symmetric ciphertext blob. However, it is always
	// recommended as a best practice. This practice ensures that you use the CMK
	// that you intend.
	//
	// To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When
	// using an alias name, prefix it with "alias/". To specify a CMK in a different
	// AWS account, you must use the key ARN or alias ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Alias name: alias/ExampleAlias
	//
	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To
	// get the alias name and alias ARN, use ListAliases.
	KeyId *string `min:"1" type:"string"`
}

// String returns the awsutil.Prettify rendering of the value. No field of
// this struct carries a sensitive tag, so the ciphertext and encryption
// context are part of what is handed to Prettify.
func (s DecryptInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same rendering as String.
func (s DecryptInput) GoString() string {
	return awsutil.Prettify(s)
}

// Validate reports the client-side constraint violations of s: a missing or
// empty CiphertextBlob and an empty KeyId. It returns nil when there are
// none.
//
// KeyId, EncryptionAlgorithm and EncryptionContext are not required here.
// The KeyId documentation recommends always setting it so that the intended
// CMK is used; callers that want that guarantee must set it themselves.
func (s *DecryptInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "DecryptInput"}

	// A nil blob is "required", a non-nil empty blob is "too short"; the two
	// cases are mutually exclusive.
	switch {
	case s.CiphertextBlob == nil:
		errs.Add(request.NewErrParamRequired("CiphertextBlob"))
	case len(s.CiphertextBlob) < 1:
		errs.Add(request.NewErrParamMinLen("CiphertextBlob", 1))
	}
	if key := s.KeyId; key != nil && len(*key) < 1 {
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetCiphertextBlob assigns v to the CiphertextBlob field and returns the
// receiver. The slice is stored as-is, not copied, so the caller's later
// writes to it are visible through s.CiphertextBlob.
func (s *DecryptInput) SetCiphertextBlob(v []byte) *DecryptInput {
	s.CiphertextBlob = v
	return s
}

// SetEncryptionAlgorithm sets the EncryptionAlgorithm field's value.
func (s *DecryptInput) SetEncryptionAlgorithm(v string) *DecryptInput {
	s.EncryptionAlgorithm = &v
	return s
}

// SetEncryptionContext stores v in EncryptionContext as given (the map is not
// copied) and returns s so calls can be chained.
func (s *DecryptInput) SetEncryptionContext(v map[string]*string) *DecryptInput {
	s.EncryptionContext = v
	return s
}

// SetGrantTokens stores v in GrantTokens as given (the slice is not copied)
// and returns s so calls can be chained.
func (s *DecryptInput) SetGrantTokens(v []*string) *DecryptInput {
	s.GrantTokens = v
	return s
}

// SetKeyId points KeyId at a copy of v and returns s so calls can be chained.
func (s *DecryptInput) SetKeyId(v string) *DecryptInput {
	s.KeyId = &v
	return s
}

// DecryptOutput carries the result fields of a decrypt call: the algorithm,
// the key that was used and the recovered plaintext.
type DecryptOutput struct {
	_ struct{} `type:"structure"`

	// The encryption algorithm that was used to decrypt the ciphertext.
	EncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"`

	// The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN))
	// of the CMK that was used to decrypt the ciphertext.
	//
	// NOTE(review): a caller that did not name a key in the request can compare
	// this ARN with the key it expected before trusting the plaintext.
	KeyId *string `min:"1" type:"string"`

	// Decrypted plaintext data. When you use the HTTP API or the AWS CLI, the value
	// is Base64-encoded. Otherwise, it is not Base64-encoded.
	//
	// Plaintext is automatically base64 encoded/decoded by the SDK.
	//
	// The field is tagged sensitive:"true"; treat the bytes as secret material
	// and keep them out of logs and error messages.
	Plaintext []byte `min:"1" type:"blob" sensitive:"true"`
}

// String formats the value with awsutil.Prettify.
//
// NOTE(review): Plaintext is tagged sensitive:"true" and is presumably masked
// by Prettify; confirm against the vendored awsutil before logging this value.
func (s DecryptOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s DecryptOutput) GoString() string {
	return s.String()
}

// SetEncryptionAlgorithm points EncryptionAlgorithm at a copy of v and returns
// s so calls can be chained.
func (s *DecryptOutput) SetEncryptionAlgorithm(v string) *DecryptOutput {
	s.EncryptionAlgorithm = &v
	return s
}

// SetKeyId sets the KeyId field's value.
func (s *DecryptOutput) SetKeyId(v string) *DecryptOutput {
	s.KeyId = &v
	return s
}

// SetPlaintext stores v in Plaintext as given (the slice is not copied) and
// returns s so calls can be chained.
func (s *DecryptOutput) SetPlaintext(v []byte) *DecryptOutput {
	s.Plaintext = v
	return s
}

// DeleteAliasInput names the alias that a delete-alias request refers to.
type DeleteAliasInput struct {
	_ struct{} `type:"structure"`

	// The alias to be deleted. The alias name must begin with alias/ followed by
	// the alias name, such as alias/ExampleAlias.
	//
	// AliasName is a required field
	AliasName *string `min:"1" type:"string" required:"true"`
}

// String formats the value with awsutil.Prettify.
func (s DeleteAliasInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s DeleteAliasInput) GoString() string {
	return s.String()
}

// Validate reports the violated field constraints as a
// request.ErrInvalidParams, or nil when there are none.
//
// Only presence and minimum length of AliasName are checked; the alias/
// prefix described on the field is not enforced here.
func (s *DeleteAliasInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "DeleteAliasInput"}
	switch {
	case s.AliasName == nil:
		errs.Add(request.NewErrParamRequired("AliasName"))
	case len(*s.AliasName) == 0:
		errs.Add(request.NewErrParamMinLen("AliasName", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetAliasName sets the AliasName field's value.
func (s *DeleteAliasInput) SetAliasName(v string) *DeleteAliasInput {
	s.AliasName = &v
	return s
}

// DeleteAliasOutput has no fields of its own.
type DeleteAliasOutput struct {
	_ struct{} `type:"structure"`
}

// String formats the value with awsutil.Prettify.
func (s DeleteAliasOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s DeleteAliasOutput) GoString() string {
	return s.String()
}

// DeleteCustomKeyStoreInput identifies the custom key store to delete.
type DeleteCustomKeyStoreInput struct {
	_ struct{} `type:"structure"`

	// Enter the ID of the custom key store you want to delete. To find the ID of
	// a custom key store, use the DescribeCustomKeyStores operation.
	//
	// CustomKeyStoreId is a required field
	CustomKeyStoreId *string `min:"1" type:"string" required:"true"`
}

// String formats the value with awsutil.Prettify.
func (s DeleteCustomKeyStoreInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s DeleteCustomKeyStoreInput) GoString() string {
	return s.String()
}

// Validate reports the violated field constraints as a
// request.ErrInvalidParams, or nil when there are none.
//
// Only presence and minimum length of CustomKeyStoreId are checked here.
func (s *DeleteCustomKeyStoreInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "DeleteCustomKeyStoreInput"}
	switch {
	case s.CustomKeyStoreId == nil:
		errs.Add(request.NewErrParamRequired("CustomKeyStoreId"))
	case len(*s.CustomKeyStoreId) == 0:
		errs.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetCustomKeyStoreId sets the CustomKeyStoreId field's value.
func (s *DeleteCustomKeyStoreInput) SetCustomKeyStoreId(v string) *DeleteCustomKeyStoreInput {
	s.CustomKeyStoreId = &v
	return s
}

// DeleteCustomKeyStoreOutput has no fields of its own.
type DeleteCustomKeyStoreOutput struct {
	_ struct{} `type:"structure"`
}

// String formats the value with awsutil.Prettify.
func (s DeleteCustomKeyStoreOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s DeleteCustomKeyStoreOutput) GoString() string {
	return s.String()
}

// DeleteImportedKeyMaterialInput identifies the CMK whose imported key
// material is to be deleted.
type DeleteImportedKeyMaterialInput struct {
	_ struct{} `type:"structure"`

	// Identifies the CMK from which you are deleting imported key material. The
	// Origin of the CMK must be EXTERNAL.
	//
	// Specify the key ID or key ARN of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`
}

// String formats the value with awsutil.Prettify.
func (s DeleteImportedKeyMaterialInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s DeleteImportedKeyMaterialInput) GoString() string {
	return s.String()
}

// Validate inspects the fields of the type to determine if they are valid.
func (s *DeleteImportedKeyMaterialInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "DeleteImportedKeyMaterialInput"}
	// KeyId is required and must not be empty; nothing else about it is
	// checked here (the EXTERNAL-origin rule on the field is not enforced).
	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) == 0:
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetKeyId points KeyId at a copy of v and returns s so calls can be chained.
func (s *DeleteImportedKeyMaterialInput) SetKeyId(v string) *DeleteImportedKeyMaterialInput {
	s.KeyId = &v
	return s
}

// DeleteImportedKeyMaterialOutput has no fields of its own.
type DeleteImportedKeyMaterialOutput struct {
	_ struct{} `type:"structure"`
}

// String formats the value with awsutil.Prettify.
func (s DeleteImportedKeyMaterialOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s DeleteImportedKeyMaterialOutput) GoString() string {
	return s.String()
}

// DependencyTimeoutException: the system timed out while trying to fulfill
// the request. The request can be retried.
type DependencyTimeoutException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
}

// String formats the value with awsutil.Prettify.
func (s DependencyTimeoutException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s DependencyTimeoutException) GoString() string {
	return s.String()
}

// newErrorDependencyTimeoutException wraps the response metadata v in a new
// *DependencyTimeoutException; Message_ is left unset.
func newErrorDependencyTimeoutException(v protocol.ResponseMetadata) error {
	exc := &DependencyTimeoutException{RespMetadata: v}
	return exc
}

// Code returns the exception type name.
func (s *DependencyTimeoutException) Code() string {
	return "DependencyTimeoutException"
}

// Message returns the text held in Message_, or "" when it is unset.
func (s *DependencyTimeoutException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil, satisfies awserr.Error interface.
func (s *DependencyTimeoutException) OrigErr() error {
	return nil
}

// Error returns the code and the message joined as "<code>: <message>".
func (s *DependencyTimeoutException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code recorded in the response metadata.
func (s *DependencyTimeoutException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the request ID recorded in the response metadata.
func (s *DependencyTimeoutException) RequestID() string {
	return s.RespMetadata.RequestID
}

// DescribeCustomKeyStoresInput selects and pages the custom key stores to
// describe.
type DescribeCustomKeyStoresInput struct {
	_ struct{} `type:"structure"`

	// Gets only information about the specified custom key store. Enter the key
	// store ID.
	//
	// By default, this operation gets information about all custom key stores in
	// the account and Region. To limit the output to a particular custom key store,
	// you can use either the CustomKeyStoreId or CustomKeyStoreName parameter,
	// but not both.
	CustomKeyStoreId *string `min:"1" type:"string"`

	// Gets only information about the specified custom key store. Enter the friendly
	// name of the custom key store.
	//
	// By default, this operation gets information about all custom key stores in
	// the account and Region. To limit the output to a particular custom key store,
	// you can use either the CustomKeyStoreId or CustomKeyStoreName parameter,
	// but not both.
	CustomKeyStoreName *string `min:"1" type:"string"`

	// Use this parameter to specify the maximum number of items to return. When
	// this value is present, AWS KMS does not return more than the specified number
	// of items, but it might return fewer.
	Limit *int64 `min:"1" type:"integer"`

	// Use this parameter in a subsequent request after you receive a response with
	// truncated results. Set it to the value of NextMarker from the truncated response
	// you just received.
	Marker *string `min:"1" type:"string"`
}

// String formats the value with awsutil.Prettify.
func (s DescribeCustomKeyStoresInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s DescribeCustomKeyStoresInput) GoString() string {
	return s.String()
}

// Validate reports the violated field constraints as a
// request.ErrInvalidParams, or nil when there are none.
//
// Every field is optional; a field that is set must be non-empty (Limit at
// least 1). The "either ID or name, but not both" rule described on the
// fields is not checked here.
func (s *DescribeCustomKeyStoresInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "DescribeCustomKeyStoresInput"}
	if id := s.CustomKeyStoreId; id != nil && len(*id) == 0 {
		errs.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1))
	}
	if name := s.CustomKeyStoreName; name != nil && len(*name) == 0 {
		errs.Add(request.NewErrParamMinLen("CustomKeyStoreName", 1))
	}
	if limit := s.Limit; limit != nil && *limit < 1 {
		errs.Add(request.NewErrParamMinValue("Limit", 1))
	}
	if marker := s.Marker; marker != nil && len(*marker) == 0 {
		errs.Add(request.NewErrParamMinLen("Marker", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetCustomKeyStoreId sets the CustomKeyStoreId field's value.
func (s *DescribeCustomKeyStoresInput) SetCustomKeyStoreId(v string) *DescribeCustomKeyStoresInput {
	s.CustomKeyStoreId = &v
	return s
}

// SetCustomKeyStoreName points CustomKeyStoreName at a copy of v and returns
// s so calls can be chained.
func (s *DescribeCustomKeyStoresInput) SetCustomKeyStoreName(v string) *DescribeCustomKeyStoresInput {
	s.CustomKeyStoreName = &v
	return s
}

// SetLimit points Limit at a copy of v and returns s so calls can be chained.
func (s *DescribeCustomKeyStoresInput) SetLimit(v int64) *DescribeCustomKeyStoresInput {
	s.Limit = &v
	return s
}

// SetMarker points Marker at a copy of v and returns s so calls can be chained.
func (s *DescribeCustomKeyStoresInput) SetMarker(v string) *DescribeCustomKeyStoresInput {
	s.Marker = &v
	return s
}

// DescribeCustomKeyStoresOutput holds one page of custom key store entries
// together with the paging fields.
type DescribeCustomKeyStoresOutput struct {
	_ struct{} `type:"structure"`

	// Contains metadata about each custom key store.
	CustomKeyStores []*CustomKeyStoresListEntry `type:"list"`

	// When Truncated is true, this element is present and contains the value to
	// use for the Marker parameter in a subsequent request.
	NextMarker *string `min:"1" type:"string"`

	// A flag that indicates whether there are more items in the list. When this
	// value is true, the list in this response is truncated. To get more items,
	// pass the value of the NextMarker element in this response to the Marker parameter
	// in a subsequent request.
	Truncated *bool `type:"boolean"`
}

// String formats the value with awsutil.Prettify.
func (s DescribeCustomKeyStoresOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s DescribeCustomKeyStoresOutput) GoString() string {
	return s.String()
}

// SetCustomKeyStores sets the CustomKeyStores field's value.
func (s *DescribeCustomKeyStoresOutput) SetCustomKeyStores(v []*CustomKeyStoresListEntry) *DescribeCustomKeyStoresOutput {
	s.CustomKeyStores = v
	return s
}

// SetNextMarker points NextMarker at a copy of v and returns s so calls can
// be chained.
func (s *DescribeCustomKeyStoresOutput) SetNextMarker(v string) *DescribeCustomKeyStoresOutput {
	s.NextMarker = &v
	return s
}

// SetTruncated points Truncated at a copy of v and returns s so calls can be
// chained.
func (s *DescribeCustomKeyStoresOutput) SetTruncated(v bool) *DescribeCustomKeyStoresOutput {
	s.Truncated = &v
	return s
}

// DescribeKeyInput identifies the CMK to describe and carries optional grant
// tokens.
type DescribeKeyInput struct {
	_ struct{} `type:"structure"`

	// A list of grant tokens.
	//
	// Use a grant token when your permission to call this operation comes from
	// a new grant that has not yet achieved eventual consistency. For more information,
	// see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
	// in the AWS Key Management Service Developer Guide.
	GrantTokens []*string `type:"list"`

	// Describes the specified customer master key (CMK).
	//
	// If you specify a predefined AWS alias (an AWS alias with no key ID), KMS
	// associates the alias with an AWS managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys)
	// and returns its KeyId and Arn in the response.
	//
	// To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When
	// using an alias name, prefix it with "alias/". To specify a CMK in a different
	// AWS account, you must use the key ARN or alias ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Alias name: alias/ExampleAlias
	//
	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To
	// get the alias name and alias ARN, use ListAliases.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`
}

// String formats the value with awsutil.Prettify.
func (s DescribeKeyInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s DescribeKeyInput) GoString() string {
	return s.String()
}

// Validate reports the violated field constraints as a
// request.ErrInvalidParams, or nil when there are none.
//
// Only presence and minimum length of KeyId are checked; which of the
// accepted identifier forms it uses is not examined here.
func (s *DescribeKeyInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "DescribeKeyInput"}
	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) == 0:
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetGrantTokens stores v in GrantTokens as given (the slice is not copied)
// and returns s so calls can be chained.
func (s *DescribeKeyInput) SetGrantTokens(v []*string) *DescribeKeyInput {
	s.GrantTokens = v
	return s
}

// SetKeyId points KeyId at a copy of v and returns s so calls can be chained.
func (s *DescribeKeyInput) SetKeyId(v string) *DescribeKeyInput {
	s.KeyId = &v
	return s
}

// DescribeKeyOutput wraps the metadata returned for the described key.
type DescribeKeyOutput struct {
	_ struct{} `type:"structure"`

	// Metadata associated with the key.
	KeyMetadata *KeyMetadata `type:"structure"`
}

// String formats the value with awsutil.Prettify.
func (s DescribeKeyOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s DescribeKeyOutput) GoString() string {
	return s.String()
}

// SetKeyMetadata stores the pointer v in KeyMetadata (no copy is made) and
// returns s so calls can be chained.
func (s *DescribeKeyOutput) SetKeyMetadata(v *KeyMetadata) *DescribeKeyOutput {
	s.KeyMetadata = v
	return s
}

// DisableKeyInput identifies the CMK to disable.
type DisableKeyInput struct {
	_ struct{} `type:"structure"`

	// Identifies the customer master key (CMK) to disable.
	//
	// Specify the key ID or key ARN of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`
}

// String formats the value with awsutil.Prettify.
func (s DisableKeyInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s DisableKeyInput) GoString() string {
	return s.String()
}

// Validate reports the violated field constraints as a
// request.ErrInvalidParams, or nil when there are none.
//
// Only presence and minimum length of KeyId are checked here.
func (s *DisableKeyInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "DisableKeyInput"}
	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) == 0:
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetKeyId sets the KeyId field's value.
func (s *DisableKeyInput) SetKeyId(v string) *DisableKeyInput {
	s.KeyId = &v
	return s
}

// DisableKeyOutput has no fields of its own.
type DisableKeyOutput struct {
	_ struct{} `type:"structure"`
}

// String formats the value with awsutil.Prettify.
func (s DisableKeyOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s DisableKeyOutput) GoString() string {
	return s.String()
}

// DisableKeyRotationInput identifies the symmetric CMK whose automatic
// rotation is addressed by the request.
//
// NOTE(review): turning rotation off changes the key's security posture;
// consider alerting on this call in audit logs.
type DisableKeyRotationInput struct {
	_ struct{} `type:"structure"`

	// Identifies a symmetric customer master key (CMK). You cannot enable or disable
	// automatic rotation of asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#asymmetric-cmks),
	// CMKs with imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html),
	// or CMKs in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html).
	//
	// Specify the key ID or key ARN of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`
}

// String formats the value with awsutil.Prettify.
func (s DisableKeyRotationInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s DisableKeyRotationInput) GoString() string {
	return s.String()
}

// Validate inspects the fields of the type to determine if they are valid.
func (s *DisableKeyRotationInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "DisableKeyRotationInput"}
	// KeyId is required and must not be empty; the key-type restrictions
	// described on the field are not checked here.
	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) == 0:
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetKeyId points KeyId at a copy of v and returns s so calls can be chained.
func (s *DisableKeyRotationInput) SetKeyId(v string) *DisableKeyRotationInput {
	s.KeyId = &v
	return s
}

// DisableKeyRotationOutput has no fields of its own.
type DisableKeyRotationOutput struct {
	_ struct{} `type:"structure"`
}

// String formats the value with awsutil.Prettify.
func (s DisableKeyRotationOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s DisableKeyRotationOutput) GoString() string {
	return s.String()
}

// DisabledException: the request was rejected because the specified CMK is
// not enabled.
type DisabledException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
}

// String formats the value with awsutil.Prettify.
func (s DisabledException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s DisabledException) GoString() string {
	return s.String()
}

// newErrorDisabledException wraps the response metadata v in a new
// *DisabledException; Message_ is left unset.
func newErrorDisabledException(v protocol.ResponseMetadata) error {
	exc := &DisabledException{RespMetadata: v}
	return exc
}

// Code returns the exception type name.
func (s *DisabledException) Code() string {
	return "DisabledException"
}

// Message returns the exception's message.
func (s *DisabledException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil, satisfies awserr.Error interface.
func (s *DisabledException) OrigErr() error {
	return nil
}

// Error returns the code and the message joined as "<code>: <message>".
func (s *DisabledException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code recorded in the response metadata.
func (s *DisabledException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the request ID recorded in the response metadata.
func (s *DisabledException) RequestID() string {
	return s.RespMetadata.RequestID
}

// DisconnectCustomKeyStoreInput identifies the custom key store to
// disconnect.
type DisconnectCustomKeyStoreInput struct {
	_ struct{} `type:"structure"`

	// Enter the ID of the custom key store you want to disconnect. To find the
	// ID of a custom key store, use the DescribeCustomKeyStores operation.
	//
	// CustomKeyStoreId is a required field
	CustomKeyStoreId *string `min:"1" type:"string" required:"true"`
}

// String formats the value with awsutil.Prettify.
func (s DisconnectCustomKeyStoreInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s DisconnectCustomKeyStoreInput) GoString() string {
	return s.String()
}

// Validate inspects the fields of the type to determine if they are valid.
func (s *DisconnectCustomKeyStoreInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "DisconnectCustomKeyStoreInput"}
	// CustomKeyStoreId is required and must not be empty; nothing else about
	// it is checked here.
	switch {
	case s.CustomKeyStoreId == nil:
		errs.Add(request.NewErrParamRequired("CustomKeyStoreId"))
	case len(*s.CustomKeyStoreId) == 0:
		errs.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetCustomKeyStoreId points CustomKeyStoreId at a copy of v and returns s so
// calls can be chained.
func (s *DisconnectCustomKeyStoreInput) SetCustomKeyStoreId(v string) *DisconnectCustomKeyStoreInput {
	s.CustomKeyStoreId = &v
	return s
}

// DisconnectCustomKeyStoreOutput has no fields of its own.
type DisconnectCustomKeyStoreOutput struct {
	_ struct{} `type:"structure"`
}

// String formats the value with awsutil.Prettify.
func (s DisconnectCustomKeyStoreOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s DisconnectCustomKeyStoreOutput) GoString() string {
	return s.String()
}

// EnableKeyInput identifies the CMK to enable.
type EnableKeyInput struct {
	_ struct{} `type:"structure"`

	// Identifies the customer master key (CMK) to enable.
	//
	// Specify the key ID or key ARN of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`
}

// String formats the value with awsutil.Prettify.
func (s EnableKeyInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s EnableKeyInput) GoString() string {
	return s.String()
}

// Validate reports the violated field constraints as a
// request.ErrInvalidParams, or nil when there are none.
//
// Only presence and minimum length of KeyId are checked here.
func (s *EnableKeyInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "EnableKeyInput"}
	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) == 0:
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetKeyId points KeyId at a copy of v and returns s so calls can be chained.
func (s *EnableKeyInput) SetKeyId(v string) *EnableKeyInput {
	s.KeyId = &v
	return s
}

// EnableKeyOutput has no fields of its own.
type EnableKeyOutput struct {
	_ struct{} `type:"structure"`
}

// String formats the value with awsutil.Prettify.
func (s EnableKeyOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s EnableKeyOutput) GoString() string {
	return s.String()
}

// EnableKeyRotationInput identifies the symmetric CMK for which automatic
// rotation is to be enabled.
type EnableKeyRotationInput struct {
	_ struct{} `type:"structure"`

	// Identifies a symmetric customer master key (CMK). You cannot enable automatic
	// rotation of asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks),
	// CMKs with imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html),
	// or CMKs in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html).
	// To enable or disable automatic rotation of a set of related multi-Region
	// keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key),
	// set the property on the primary key.
	//
	// Specify the key ID or key ARN of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`
}

// String formats the value with awsutil.Prettify.
func (s EnableKeyRotationInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s EnableKeyRotationInput) GoString() string {
	return s.String()
}

// Validate reports the violated field constraints as a
// request.ErrInvalidParams, or nil when there are none.
//
// Only presence and minimum length of KeyId are checked; the key-type
// restrictions described on the field are not checked here.
func (s *EnableKeyRotationInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "EnableKeyRotationInput"}
	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) == 0:
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetKeyId sets the KeyId field's value.
func (s *EnableKeyRotationInput) SetKeyId(v string) *EnableKeyRotationInput {
	// &v is the address of this call's own copy, so the field never aliases
	// storage owned by the caller.
	s.KeyId = &v
	return s
}

// EnableKeyRotationOutput is the response shape for EnableKeyRotation; it
// declares no data fields.
type EnableKeyRotationOutput struct {
	_ struct{} `type:"structure"`
}

// String renders the output with awsutil.Prettify, for logging and debugging.
func (s EnableKeyRotationOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String, so %#v formatting goes through
// Prettify instead of fmt's default field dump.
func (s EnableKeyRotationOutput) GoString() string {
	return s.String()
}

// EncryptInput is the request shape for the Encrypt operation. Plaintext is
// the only field tagged sensitive:"true".
type EncryptInput struct {
	_ struct{} `type:"structure"`

	// Specifies the encryption algorithm that AWS KMS will use to encrypt the plaintext
	// message. The algorithm must be compatible with the CMK that you specify.
	//
	// This parameter is required only for asymmetric CMKs. The default value, SYMMETRIC_DEFAULT,
	// is the algorithm used for symmetric CMKs. If you are using an asymmetric
	// CMK, we recommend RSAES_OAEP_SHA_256.
	EncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"`

	// Specifies the encryption context that will be used to encrypt the data. An
	// encryption context is valid only for cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations)
	// with a symmetric CMK. The standard asymmetric encryption algorithms that
	// AWS KMS uses do not support an encryption context.
	//
	// An encryption context is a collection of non-secret key-value pairs that
	// represents additional authenticated data. When you use an encryption context
	// to encrypt data, you must specify the same (an exact case-sensitive match)
	// encryption context to decrypt the data. An encryption context is optional
	// when encrypting with a symmetric CMK, but it is highly recommended.
	//
	// Keep secrets out of the encryption context: it is authenticated, not
	// encrypted, and AWS KMS records it in plaintext in CloudTrail logs.
	//
	// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context)
	// in the AWS Key Management Service Developer Guide.
	EncryptionContext map[string]*string `type:"map"`

	// A list of grant tokens.
	//
	// Use a grant token when your permission to call this operation comes from
	// a new grant that has not yet achieved eventual consistency. For more information,
	// see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
	// in the AWS Key Management Service Developer Guide.
	GrantTokens []*string `type:"list"`

	// Identifies the customer master key (CMK) to use in the encryption operation.
	//
	// To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When
	// using an alias name, prefix it with "alias/". To specify a CMK in a different
	// AWS account, you must use the key ARN or alias ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Alias name: alias/ExampleAlias
	//
	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To
	// get the alias name and alias ARN, use ListAliases.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// Data to be encrypted.
	//
	// Plaintext is automatically base64 encoded/decoded by the SDK.
	//
	// Plaintext is a required field
	Plaintext []byte `min:"1" type:"blob" required:"true" sensitive:"true"`
}

// String renders the input with awsutil.Prettify, for logging and debugging.
//
// NOTE(review): Plaintext is tagged sensitive:"true"; whether it is masked in
// this output depends on awsutil.Prettify honoring that tag. Confirm against
// the vendored awsutil before sending the result to logs.
func (s EncryptInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String, so %#v formatting goes through
// Prettify instead of fmt's default field dump.
func (s EncryptInput) GoString() string {
	return s.String()
}

// Validate performs the client-side checks declared in the struct tags:
// KeyId and Plaintext must both be set and non-empty. EncryptionAlgorithm,
// EncryptionContext and GrantTokens are not inspected here. It returns the
// collected request.ErrInvalidParams, or nil when nothing was flagged.
func (s *EncryptInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "EncryptInput"}

	// For each required field the checks are mutually exclusive: missing, or
	// present but shorter than the declared minimum.
	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}
	switch {
	case s.Plaintext == nil:
		errs.Add(request.NewErrParamRequired("Plaintext"))
	case len(s.Plaintext) < 1:
		errs.Add(request.NewErrParamMinLen("Plaintext", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetEncryptionAlgorithm sets the EncryptionAlgorithm field's value and
// returns the receiver for chaining.
func (s *EncryptInput) SetEncryptionAlgorithm(v string) *EncryptInput {
	s.EncryptionAlgorithm = &v
	return s
}

// SetEncryptionContext sets the EncryptionContext field's value and returns
// the receiver for chaining. The map is stored as passed, not copied.
func (s *EncryptInput) SetEncryptionContext(v map[string]*string) *EncryptInput {
	s.EncryptionContext = v
	return s
}

// SetGrantTokens sets the GrantTokens field's value and returns the receiver
// for chaining. The slice is stored as passed, not copied.
func (s *EncryptInput) SetGrantTokens(v []*string) *EncryptInput {
	s.GrantTokens = v
	return s
}

// SetKeyId sets the KeyId field's value and returns the receiver for chaining.
func (s *EncryptInput) SetKeyId(v string) *EncryptInput {
	s.KeyId = &v
	return s
}

// SetPlaintext sets the Plaintext field's value.
func (s *EncryptInput) SetPlaintext(v []byte) *EncryptInput {
	// The slice header is stored as passed: the field and the caller's slice
	// share one backing array, so overwriting either one changes both.
	s.Plaintext = v
	return s
}

// EncryptOutput is the response shape for the Encrypt operation. None of its
// fields is tagged sensitive.
type EncryptOutput struct {
	_ struct{} `type:"structure"`

	// The encrypted plaintext. When you use the HTTP API or the AWS CLI, the value
	// is Base64-encoded. Otherwise, it is not Base64-encoded.
	//
	// CiphertextBlob is automatically base64 encoded/decoded by the SDK.
	CiphertextBlob []byte `min:"1" type:"blob"`

	// The encryption algorithm that was used to encrypt the plaintext.
	EncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"`

	// The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN))
	// of the CMK that was used to encrypt the plaintext.
	KeyId *string `min:"1" type:"string"`
}

// String renders the output with awsutil.Prettify, for logging and debugging.
func (s EncryptOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String, so %#v formatting goes through
// Prettify instead of fmt's default field dump.
func (s EncryptOutput) GoString() string {
	return s.String()
}

// SetCiphertextBlob sets the CiphertextBlob field's value and returns the
// receiver for chaining. The slice is stored as passed, not copied.
func (s *EncryptOutput) SetCiphertextBlob(v []byte) *EncryptOutput {
	s.CiphertextBlob = v
	return s
}

// SetEncryptionAlgorithm sets the EncryptionAlgorithm field's value and
// returns the receiver for chaining.
func (s *EncryptOutput) SetEncryptionAlgorithm(v string) *EncryptOutput {
	s.EncryptionAlgorithm = &v
	return s
}

// SetKeyId sets the KeyId field's value and returns the receiver for chaining.
func (s *EncryptOutput) SetKeyId(v string) *EncryptOutput {
	s.KeyId = &v
	return s
}

// The request was rejected because the specified import token is expired. Use
// GetParametersForImport to get a new import token and public key, use the
// new public key to encrypt the key material, and then try the request again.
type ExpiredImportTokenException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
}

// String renders the exception with awsutil.Prettify, for logging and debugging.
func (s ExpiredImportTokenException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String, so %#v formatting goes through
// Prettify instead of fmt's default field dump.
func (s ExpiredImportTokenException) GoString() string {
	return s.String()
}

// newErrorExpiredImportTokenException builds the exception around the given
// response metadata; Message_ is left unset.
func newErrorExpiredImportTokenException(v protocol.ResponseMetadata) error {
	exc := &ExpiredImportTokenException{}
	exc.RespMetadata = v
	return exc
}

// Code returns the exception type name.
func (s *ExpiredImportTokenException) Code() string {
	return "ExpiredImportTokenException"
}

// Message returns the exception's message, or the empty string when the
// service supplied none.
func (s *ExpiredImportTokenException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil, satisfies awserr.Error interface.
func (s *ExpiredImportTokenException) OrigErr() error {
	return nil
}

// Error formats the exception as "<code>: <message>".
func (s *ExpiredImportTokenException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code for the request's response error.
func (s *ExpiredImportTokenException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the service's response RequestID for request.
func (s *ExpiredImportTokenException) RequestID() string {
	return s.RespMetadata.RequestID
}

// GenerateDataKeyInput is the request shape for the GenerateDataKey
// operation. None of its fields is tagged sensitive.
type GenerateDataKeyInput struct {
	_ struct{} `type:"structure"`

	// Specifies the encryption context that will be used when encrypting the data
	// key.
	//
	// An encryption context is a collection of non-secret key-value pairs that
	// represents additional authenticated data. When you use an encryption context
	// to encrypt data, you must specify the same (an exact case-sensitive match)
	// encryption context to decrypt the data. An encryption context is optional
	// when encrypting with a symmetric CMK, but it is highly recommended.
	//
	// Keep secrets out of the encryption context: it is authenticated, not
	// encrypted, and AWS KMS records it in plaintext in CloudTrail logs.
	//
	// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context)
	// in the AWS Key Management Service Developer Guide.
	EncryptionContext map[string]*string `type:"map"`

	// A list of grant tokens.
	//
	// Use a grant token when your permission to call this operation comes from
	// a new grant that has not yet achieved eventual consistency. For more information,
	// see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
	// in the AWS Key Management Service Developer Guide.
	GrantTokens []*string `type:"list"`

	// Identifies the symmetric CMK that encrypts the data key.
	//
	// To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When
	// using an alias name, prefix it with "alias/". To specify a CMK in a different
	// AWS account, you must use the key ARN or alias ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Alias name: alias/ExampleAlias
	//
	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To
	// get the alias name and alias ARN, use ListAliases.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// Specifies the length of the data key. Use AES_128 to generate a 128-bit symmetric
	// key, or AES_256 to generate a 256-bit symmetric key.
	//
	// You must specify either the KeySpec or the NumberOfBytes parameter (but not
	// both) in every GenerateDataKey request.
	KeySpec *string `type:"string" enum:"DataKeySpec"`

	// Specifies the length of the data key in bytes. For example, use the value
	// 64 to generate a 512-bit data key (64 bytes is 512 bits). For 128-bit (16-byte)
	// and 256-bit (32-byte) data keys, use the KeySpec parameter.
	//
	// You must specify either the KeySpec or the NumberOfBytes parameter (but not
	// both) in every GenerateDataKey request.
	NumberOfBytes *int64 `min:"1" type:"integer"`
}

// String renders the input with awsutil.Prettify, for logging and debugging.
func (s GenerateDataKeyInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String, so %#v formatting goes through
// Prettify instead of fmt's default field dump.
func (s GenerateDataKeyInput) GoString() string {
	return s.String()
}

// Validate performs the client-side checks declared in the struct tags:
// KeyId must be set and non-empty, and NumberOfBytes, when set, must be at
// least 1. The "KeySpec or NumberOfBytes, but not both" rule stated on those
// fields is not checked here. It returns the collected
// request.ErrInvalidParams, or nil when nothing was flagged.
func (s *GenerateDataKeyInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "GenerateDataKeyInput"}

	// The two KeyId checks are mutually exclusive: missing, or present but empty.
	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}
	if n := s.NumberOfBytes; n != nil && *n < 1 {
		errs.Add(request.NewErrParamMinValue("NumberOfBytes", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetEncryptionContext sets the EncryptionContext field's value.
func (s *GenerateDataKeyInput) SetEncryptionContext(v map[string]*string) *GenerateDataKeyInput {
	// Stored as passed; the map is not copied.
	s.EncryptionContext = v
	return s
}

// SetGrantTokens sets the GrantTokens field's value and returns the receiver
// for chaining. The slice is stored as passed, not copied.
func (s *GenerateDataKeyInput) SetGrantTokens(v []*string) *GenerateDataKeyInput {
	s.GrantTokens = v
	return s
}

// SetKeyId sets the KeyId field's value and returns the receiver for chaining.
func (s *GenerateDataKeyInput) SetKeyId(v string) *GenerateDataKeyInput {
	s.KeyId = &v
	return s
}

// SetKeySpec sets the KeySpec field's value and returns the receiver for
// chaining.
func (s *GenerateDataKeyInput) SetKeySpec(v string) *GenerateDataKeyInput {
	s.KeySpec = &v
	return s
}

// SetNumberOfBytes sets the NumberOfBytes field's value and returns the
// receiver for chaining.
func (s *GenerateDataKeyInput) SetNumberOfBytes(v int64) *GenerateDataKeyInput {
	s.NumberOfBytes = &v
	return s
}

// GenerateDataKeyOutput is the response shape for the GenerateDataKey
// operation. Plaintext is the only field tagged sensitive:"true".
type GenerateDataKeyOutput struct {
	_ struct{} `type:"structure"`

	// The encrypted copy of the data key. When you use the HTTP API or the AWS
	// CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.
	//
	// CiphertextBlob is automatically base64 encoded/decoded by the SDK.
	CiphertextBlob []byte `min:"1" type:"blob"`

	// The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN))
	// of the CMK that encrypted the data key.
	KeyId *string `min:"1" type:"string"`

	// The plaintext data key. When you use the HTTP API or the AWS CLI, the value
	// is Base64-encoded. Otherwise, it is not Base64-encoded. Use this data key
	// to encrypt your data outside of KMS. Then, remove it from memory as soon
	// as possible.
	//
	// The accessors in this type store and expose the slice as-is; clearing
	// it after use is left to the caller.
	//
	// Plaintext is automatically base64 encoded/decoded by the SDK.
	Plaintext []byte `min:"1" type:"blob" sensitive:"true"`
}

// String renders the output with awsutil.Prettify, for logging and debugging.
//
// NOTE(review): Plaintext is tagged sensitive:"true"; whether it is masked in
// this output depends on awsutil.Prettify honoring that tag. Confirm against
// the vendored awsutil before sending the result to logs.
func (s GenerateDataKeyOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String, so %#v formatting goes through
// Prettify instead of fmt's default field dump.
func (s GenerateDataKeyOutput) GoString() string {
	return s.String()
}

// SetCiphertextBlob sets the CiphertextBlob field's value and returns the
// receiver for chaining. The slice is stored as passed, not copied.
func (s *GenerateDataKeyOutput) SetCiphertextBlob(v []byte) *GenerateDataKeyOutput {
	s.CiphertextBlob = v
	return s
}

// SetKeyId sets the KeyId field's value and returns the receiver for chaining.
func (s *GenerateDataKeyOutput) SetKeyId(v string) *GenerateDataKeyOutput {
	s.KeyId = &v
	return s
}

// SetPlaintext sets the Plaintext field's value and returns the receiver for
// chaining.
func (s *GenerateDataKeyOutput) SetPlaintext(v []byte) *GenerateDataKeyOutput {
	// The slice header is stored as passed: the field and the caller's slice
	// share one backing array, so overwriting either one changes both.
	s.Plaintext = v
	return s
}

// GenerateDataKeyPairInput is the request shape for the GenerateDataKeyPair
// operation. None of its fields is tagged sensitive.
type GenerateDataKeyPairInput struct {
	_ struct{} `type:"structure"`

	// Specifies the encryption context that will be used when encrypting the private
	// key in the data key pair.
	//
	// An encryption context is a collection of non-secret key-value pairs that
	// represents additional authenticated data. When you use an encryption context
	// to encrypt data, you must specify the same (an exact case-sensitive match)
	// encryption context to decrypt the data. An encryption context is optional
	// when encrypting with a symmetric CMK, but it is highly recommended.
	//
	// Keep secrets out of the encryption context: it is authenticated, not
	// encrypted, and AWS KMS records it in plaintext in CloudTrail logs.
	//
	// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context)
	// in the AWS Key Management Service Developer Guide.
	EncryptionContext map[string]*string `type:"map"`

	// A list of grant tokens.
	//
	// Use a grant token when your permission to call this operation comes from
	// a new grant that has not yet achieved eventual consistency. For more information,
	// see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
	// in the AWS Key Management Service Developer Guide.
	GrantTokens []*string `type:"list"`

	// Specifies the symmetric CMK that encrypts the private key in the data key
	// pair. You cannot specify an asymmetric CMK or a CMK in a custom key store.
	// To get the type and origin of your CMK, use the DescribeKey operation.
	//
	// To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When
	// using an alias name, prefix it with "alias/". To specify a CMK in a different
	// AWS account, you must use the key ARN or alias ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Alias name: alias/ExampleAlias
	//
	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To
	// get the alias name and alias ARN, use ListAliases.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// Determines the type of data key pair that is generated.
	//
	// The AWS KMS rule that restricts the use of asymmetric RSA CMKs to encrypt
	// and decrypt or to sign and verify (but not both), and the rule that permits
	// you to use ECC CMKs only to sign and verify, are not effective outside of
	// AWS KMS. Any such separation of key usage for the generated pair therefore
	// has to be enforced by the caller.
	//
	// KeyPairSpec is a required field
	KeyPairSpec *string `type:"string" required:"true" enum:"DataKeyPairSpec"`
}

// String renders the input with awsutil.Prettify, for logging and debugging.
func (s GenerateDataKeyPairInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String, so %#v formatting goes through
// Prettify instead of fmt's default field dump.
func (s GenerateDataKeyPairInput) GoString() string {
	return s.String()
}

// Validate performs the client-side checks declared in the struct tags:
// KeyId must be set and non-empty, and KeyPairSpec must be set. The value of
// KeyPairSpec is not compared with the DataKeyPairSpec enum here. It returns
// the collected request.ErrInvalidParams, or nil when nothing was flagged.
func (s *GenerateDataKeyPairInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "GenerateDataKeyPairInput"}

	// The two KeyId checks are mutually exclusive: missing, or present but empty.
	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}
	if s.KeyPairSpec == nil {
		errs.Add(request.NewErrParamRequired("KeyPairSpec"))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetEncryptionContext sets the EncryptionContext field's value and returns
// the receiver for chaining. The map is stored as passed, not copied.
func (s *GenerateDataKeyPairInput) SetEncryptionContext(v map[string]*string) *GenerateDataKeyPairInput {
	s.EncryptionContext = v
	return s
}

// SetGrantTokens sets the GrantTokens field's value and returns the receiver
// for chaining. The slice is stored as passed, not copied.
func (s *GenerateDataKeyPairInput) SetGrantTokens(v []*string) *GenerateDataKeyPairInput {
	s.GrantTokens = v
	return s
}

// SetKeyId sets the KeyId field's value and returns the receiver for chaining.
func (s *GenerateDataKeyPairInput) SetKeyId(v string) *GenerateDataKeyPairInput {
	s.KeyId = &v
	return s
}

// SetKeyPairSpec sets the KeyPairSpec field's value.
func (s *GenerateDataKeyPairInput) SetKeyPairSpec(v string) *GenerateDataKeyPairInput {
	// &v is the address of this call's own copy, so the field never aliases
	// storage owned by the caller.
	s.KeyPairSpec = &v
	return s
}

// GenerateDataKeyPairOutput is the response shape for the GenerateDataKeyPair
// operation. PrivateKeyPlaintext is the only field tagged sensitive:"true".
type GenerateDataKeyPairOutput struct {
	_ struct{} `type:"structure"`

	// The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN))
	// of the CMK that encrypted the private key.
	KeyId *string `min:"1" type:"string"`

	// The type of data key pair that was generated.
	KeyPairSpec *string `type:"string" enum:"DataKeyPairSpec"`

	// The encrypted copy of the private key. When you use the HTTP API or the AWS
	// CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.
	//
	// PrivateKeyCiphertextBlob is automatically base64 encoded/decoded by the SDK.
	PrivateKeyCiphertextBlob []byte `min:"1" type:"blob"`

	// The plaintext copy of the private key. When you use the HTTP API or the AWS
	// CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.
	//
	// The accessors in this type store and expose the slice as-is; clearing
	// it after use is left to the caller.
	//
	// PrivateKeyPlaintext is automatically base64 encoded/decoded by the SDK.
	PrivateKeyPlaintext []byte `min:"1" type:"blob" sensitive:"true"`

	// The public key (in plaintext).
	//
	// PublicKey is automatically base64 encoded/decoded by the SDK.
	PublicKey []byte `min:"1" type:"blob"`
}

// String renders the output with awsutil.Prettify, for logging and debugging.
//
// NOTE(review): PrivateKeyPlaintext is tagged sensitive:"true"; whether it is
// masked in this output depends on awsutil.Prettify honoring that tag. Confirm
// against the vendored awsutil before sending the result to logs.
func (s GenerateDataKeyPairOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String, so %#v formatting goes through
// Prettify instead of fmt's default field dump.
func (s GenerateDataKeyPairOutput) GoString() string {
	return s.String()
}

// SetKeyId sets the KeyId field's value and returns the receiver for chaining.
func (s *GenerateDataKeyPairOutput) SetKeyId(v string) *GenerateDataKeyPairOutput {
	s.KeyId = &v
	return s
}

// SetKeyPairSpec sets the KeyPairSpec field's value.
func (s *GenerateDataKeyPairOutput) SetKeyPairSpec(v string) *GenerateDataKeyPairOutput {
	// &v is the address of this call's own copy, so the field never aliases
	// storage owned by the caller.
	s.KeyPairSpec = &v
	return s
}

// SetPrivateKeyCiphertextBlob sets the PrivateKeyCiphertextBlob field's value
// and returns the receiver for chaining. The slice is stored as passed, not
// copied.
func (s *GenerateDataKeyPairOutput) SetPrivateKeyCiphertextBlob(v []byte) *GenerateDataKeyPairOutput {
	s.PrivateKeyCiphertextBlob = v
	return s
}

// SetPrivateKeyPlaintext sets the PrivateKeyPlaintext field's value and
// returns the receiver for chaining.
func (s *GenerateDataKeyPairOutput) SetPrivateKeyPlaintext(v []byte) *GenerateDataKeyPairOutput {
	// The slice header is stored as passed: the field and the caller's slice
	// share one backing array, so overwriting either one changes both.
	s.PrivateKeyPlaintext = v
	return s
}

// SetPublicKey sets the PublicKey field's value and returns the receiver for
// chaining. The slice is stored as passed, not copied.
func (s *GenerateDataKeyPairOutput) SetPublicKey(v []byte) *GenerateDataKeyPairOutput {
	s.PublicKey = v
	return s
}

// GenerateDataKeyPairWithoutPlaintextInput is the request shape for the
// GenerateDataKeyPairWithoutPlaintext operation. None of its fields is tagged
// sensitive.
type GenerateDataKeyPairWithoutPlaintextInput struct {
	_ struct{} `type:"structure"`

	// Specifies the encryption context that will be used when encrypting the private
	// key in the data key pair.
	//
	// An encryption context is a collection of non-secret key-value pairs that
	// represents additional authenticated data. When you use an encryption context
	// to encrypt data, you must specify the same (an exact case-sensitive match)
	// encryption context to decrypt the data. An encryption context is optional
	// when encrypting with a symmetric CMK, but it is highly recommended.
	//
	// Keep secrets out of the encryption context: it is authenticated, not
	// encrypted, and AWS KMS records it in plaintext in CloudTrail logs.
	//
	// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context)
	// in the AWS Key Management Service Developer Guide.
	EncryptionContext map[string]*string `type:"map"`

	// A list of grant tokens.
	//
	// Use a grant token when your permission to call this operation comes from
	// a new grant that has not yet achieved eventual consistency. For more information,
	// see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
	// in the AWS Key Management Service Developer Guide.
	GrantTokens []*string `type:"list"`

	// Specifies the CMK that encrypts the private key in the data key pair. You
	// must specify a symmetric CMK. You cannot use an asymmetric CMK or a CMK in
	// a custom key store. To get the type and origin of your CMK, use the DescribeKey
	// operation.
	//
	// To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When
	// using an alias name, prefix it with "alias/". To specify a CMK in a different
	// AWS account, you must use the key ARN or alias ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Alias name: alias/ExampleAlias
	//
	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To
	// get the alias name and alias ARN, use ListAliases.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// Determines the type of data key pair that is generated.
	//
	// The AWS KMS rule that restricts the use of asymmetric RSA CMKs to encrypt
	// and decrypt or to sign and verify (but not both), and the rule that permits
	// you to use ECC CMKs only to sign and verify, are not effective outside of
	// AWS KMS. Any such separation of key usage for the generated pair therefore
	// has to be enforced by the caller.
	//
	// KeyPairSpec is a required field
	KeyPairSpec *string `type:"string" required:"true" enum:"DataKeyPairSpec"`
}

// String renders the input with awsutil.Prettify, for logging and debugging.
func (s GenerateDataKeyPairWithoutPlaintextInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String, so %#v formatting goes through
// Prettify instead of fmt's default field dump.
func (s GenerateDataKeyPairWithoutPlaintextInput) GoString() string {
	return s.String()
}

// Validate performs the client-side checks declared in the struct tags:
// KeyId must be set and non-empty, and KeyPairSpec must be set. The value of
// KeyPairSpec is not compared with the DataKeyPairSpec enum here. It returns
// the collected request.ErrInvalidParams, or nil when nothing was flagged.
func (s *GenerateDataKeyPairWithoutPlaintextInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "GenerateDataKeyPairWithoutPlaintextInput"}

	// The two KeyId checks are mutually exclusive: missing, or present but empty.
	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}
	if s.KeyPairSpec == nil {
		errs.Add(request.NewErrParamRequired("KeyPairSpec"))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetEncryptionContext sets the EncryptionContext field's value and returns
// the receiver for chaining. The map is stored as passed, not copied.
func (s *GenerateDataKeyPairWithoutPlaintextInput) SetEncryptionContext(v map[string]*string) *GenerateDataKeyPairWithoutPlaintextInput {
	s.EncryptionContext = v
	return s
}

// SetGrantTokens sets the GrantTokens field's value and returns the receiver
// for chaining. The slice is stored as passed, not copied.
func (s *GenerateDataKeyPairWithoutPlaintextInput) SetGrantTokens(v []*string) *GenerateDataKeyPairWithoutPlaintextInput {
	s.GrantTokens = v
	return s
}

// SetKeyId sets the KeyId field's value and returns the receiver for chaining.
func (s *GenerateDataKeyPairWithoutPlaintextInput) SetKeyId(v string) *GenerateDataKeyPairWithoutPlaintextInput {
	s.KeyId = &v
	return s
}

// SetKeyPairSpec sets the KeyPairSpec field's value.
func (s *GenerateDataKeyPairWithoutPlaintextInput) SetKeyPairSpec(v string) *GenerateDataKeyPairWithoutPlaintextInput {
	// &v is the address of this call's own copy, so the field never aliases
	// storage owned by the caller.
	s.KeyPairSpec = &v
	return s
}

// GenerateDataKeyPairWithoutPlaintextOutput is the response shape for the
// GenerateDataKeyPairWithoutPlaintext operation. It declares no plaintext
// private key field and none of its fields is tagged sensitive.
type GenerateDataKeyPairWithoutPlaintextOutput struct {
	_ struct{} `type:"structure"`

	// The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN))
	// of the CMK that encrypted the private key.
	KeyId *string `min:"1" type:"string"`

	// The type of data key pair that was generated.
	KeyPairSpec *string `type:"string" enum:"DataKeyPairSpec"`

	// The encrypted copy of the private key. When you use the HTTP API or the AWS
	// CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.
	//
	// PrivateKeyCiphertextBlob is automatically base64 encoded/decoded by the SDK.
	PrivateKeyCiphertextBlob []byte `min:"1" type:"blob"`

	// The public key (in plaintext).
	//
	// PublicKey is automatically base64 encoded/decoded by the SDK.
	PublicKey []byte `min:"1" type:"blob"`
}

// String renders the output with awsutil.Prettify, for logging and debugging.
func (s GenerateDataKeyPairWithoutPlaintextOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String, so %#v formatting goes through
// Prettify instead of fmt's default field dump.
func (s GenerateDataKeyPairWithoutPlaintextOutput) GoString() string {
	return s.String()
}

// SetKeyId sets the KeyId field's value and returns the receiver for chaining.
func (s *GenerateDataKeyPairWithoutPlaintextOutput) SetKeyId(v string) *GenerateDataKeyPairWithoutPlaintextOutput {
	s.KeyId = &v
	return s
}

// SetKeyPairSpec sets the KeyPairSpec field's value.
func (s *GenerateDataKeyPairWithoutPlaintextOutput) SetKeyPairSpec(v string) *GenerateDataKeyPairWithoutPlaintextOutput {
	// &v is the address of this call's own copy, so the field never aliases
	// storage owned by the caller.
	s.KeyPairSpec = &v
	return s
}

// SetPrivateKeyCiphertextBlob sets the PrivateKeyCiphertextBlob field's value
// and returns the receiver for chaining. The slice is stored as passed, not
// copied.
func (s *GenerateDataKeyPairWithoutPlaintextOutput) SetPrivateKeyCiphertextBlob(v []byte) *GenerateDataKeyPairWithoutPlaintextOutput {
	s.PrivateKeyCiphertextBlob = v
	return s
}

// SetPublicKey sets the PublicKey field's value and returns the receiver for
// chaining. The slice is stored as passed, not copied.
func (s *GenerateDataKeyPairWithoutPlaintextOutput) SetPublicKey(v []byte) *GenerateDataKeyPairWithoutPlaintextOutput {
	s.PublicKey = v
	return s
}

// GenerateDataKeyWithoutPlaintextInput is the request shape for the
// GenerateDataKeyWithoutPlaintext operation. None of its fields is tagged
// sensitive.
type GenerateDataKeyWithoutPlaintextInput struct {
	_ struct{} `type:"structure"`

	// Specifies the encryption context that will be used when encrypting the data
	// key.
	//
	// An encryption context is a collection of non-secret key-value pairs that
	// represents additional authenticated data. When you use an encryption context
	// to encrypt data, you must specify the same (an exact case-sensitive match)
	// encryption context to decrypt the data. An encryption context is optional
	// when encrypting with a symmetric CMK, but it is highly recommended.
	//
	// Keep secrets out of the encryption context: it is authenticated, not
	// encrypted, and AWS KMS records it in plaintext in CloudTrail logs.
	//
	// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context)
	// in the AWS Key Management Service Developer Guide.
	EncryptionContext map[string]*string `type:"map"`

	// A list of grant tokens.
	//
	// Use a grant token when your permission to call this operation comes from
	// a new grant that has not yet achieved eventual consistency. For more information,
	// see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
	// in the AWS Key Management Service Developer Guide.
	GrantTokens []*string `type:"list"`

	// The identifier of the symmetric customer master key (CMK) that encrypts the
	// data key.
	//
	// To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When
	// using an alias name, prefix it with "alias/". To specify a CMK in a different
	// AWS account, you must use the key ARN or alias ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Alias name: alias/ExampleAlias
	//
	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To
	// get the alias name and alias ARN, use ListAliases.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// The length of the data key. Use AES_128 to generate a 128-bit symmetric key,
	// or AES_256 to generate a 256-bit symmetric key.
	KeySpec *string `type:"string" enum:"DataKeySpec"`

	// The length of the data key in bytes. For example, use the value 64 to generate
	// a 512-bit data key (64 bytes is 512 bits). For common key lengths (128-bit
	// and 256-bit symmetric keys), we recommend that you use the KeySpec field
	// instead of this one.
	NumberOfBytes *int64 `min:"1" type:"integer"`
}

// String renders the input with awsutil.Prettify, for logging and debugging.
func (s GenerateDataKeyWithoutPlaintextInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String, so %#v formatting goes through
// Prettify instead of fmt's default field dump.
func (s GenerateDataKeyWithoutPlaintextInput) GoString() string {
	return s.String()
}

// Validate inspects the fields of the type to determine if they are valid.
func (s *GenerateDataKeyWithoutPlaintextInput) Validate() error {
	// Only presence and minimum length/value are checked here. KeySpec is not
	// compared against the DataKeySpec enum in this method.
	invalidParams := request.ErrInvalidParams{Context: "GenerateDataKeyWithoutPlaintextInput"}

	// KeyId is required and must hold at least one character.
	if s.KeyId == nil {
		invalidParams.Add(request.NewErrParamRequired("KeyId"))
	} else if len(*s.KeyId) < 1 {
		invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
	}
	// NumberOfBytes is optional, but a supplied value must be at least 1.
	if n := s.NumberOfBytes; n != nil && *n < 1 {
		invalidParams.Add(request.NewErrParamMinValue("NumberOfBytes", 1))
	}

	if invalidParams.Len() == 0 {
		return nil
	}
	return invalidParams
}

// SetEncryptionContext sets the EncryptionContext field's value.
//
// The map is stored as passed, without copying.
func (s *GenerateDataKeyWithoutPlaintextInput) SetEncryptionContext(v map[string]*string) *GenerateDataKeyWithoutPlaintextInput {
	s.EncryptionContext = v
	return s
}

// SetGrantTokens sets the GrantTokens field's value.
//
// The slice is stored as passed, without copying.
func (s *GenerateDataKeyWithoutPlaintextInput) SetGrantTokens(v []*string) *GenerateDataKeyWithoutPlaintextInput {
	s.GrantTokens = v
	return s
}

// SetKeyId sets the KeyId field's value.
func (s *GenerateDataKeyWithoutPlaintextInput) SetKeyId(v string) *GenerateDataKeyWithoutPlaintextInput {
	s.KeyId = &v
	return s
}

// SetKeySpec sets the KeySpec field's value.
func (s *GenerateDataKeyWithoutPlaintextInput) SetKeySpec(v string) *GenerateDataKeyWithoutPlaintextInput {
	s.KeySpec = &v
	return s
}

// SetNumberOfBytes sets the NumberOfBytes field's value.
func (s *GenerateDataKeyWithoutPlaintextInput) SetNumberOfBytes(v int64) *GenerateDataKeyWithoutPlaintextInput {
	s.NumberOfBytes = &v
	return s
}

// GenerateDataKeyWithoutPlaintextOutput holds the encrypted data key and the
// key ARN of the CMK that encrypted it. It has no plaintext field.
type GenerateDataKeyWithoutPlaintextOutput struct {
	_ struct{} `type:"structure"`

	// The encrypted data key. When you use the HTTP API or the AWS CLI, the value
	// is Base64-encoded. Otherwise, it is not Base64-encoded.
	//
	// CiphertextBlob is automatically base64 encoded/decoded by the SDK.
	CiphertextBlob []byte `min:"1" type:"blob"`

	// The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN))
	// of the CMK that encrypted the data key.
	KeyId *string `min:"1" type:"string"`
}

// String returns the string representation, as rendered by awsutil.Prettify.
func (s GenerateDataKeyWithoutPlaintextOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the string representation; it delegates to String.
func (s GenerateDataKeyWithoutPlaintextOutput) GoString() string {
	return s.String()
}

// SetCiphertextBlob sets the CiphertextBlob field's value.
//
// The slice is stored as passed, without copying.
func (s *GenerateDataKeyWithoutPlaintextOutput) SetCiphertextBlob(v []byte) *GenerateDataKeyWithoutPlaintextOutput {
	s.CiphertextBlob = v
	return s
}

// SetKeyId sets the KeyId field's value.
func (s *GenerateDataKeyWithoutPlaintextOutput) SetKeyId(v string) *GenerateDataKeyWithoutPlaintextOutput {
	s.KeyId = &v
	return s
}

// GenerateRandomInput carries the request fields listed below. Neither field
// is tagged as required.
type GenerateRandomInput struct {
	_ struct{} `type:"structure"`

	// Generates the random byte string in the AWS CloudHSM cluster that is associated
	// with the specified custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html).
	// To find the ID of a custom key store, use the DescribeCustomKeyStores operation.
	CustomKeyStoreId *string `min:"1" type:"string"`

	// The length of the byte string.
	NumberOfBytes *int64 `min:"1" type:"integer"`
}

// String returns the string representation, as rendered by awsutil.Prettify.
func (s GenerateRandomInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the string representation; it delegates to String.
func (s GenerateRandomInput) GoString() string {
	return s.String()
}

// Validate inspects the fields of the type to determine if they are valid.
//
// Both fields are optional; a supplied CustomKeyStoreId must be non-empty and
// a supplied NumberOfBytes must be at least 1. No upper bound is checked here.
func (s *GenerateRandomInput) Validate() error {
	invalidParams := request.ErrInvalidParams{Context: "GenerateRandomInput"}

	if id := s.CustomKeyStoreId; id != nil && len(*id) < 1 {
		invalidParams.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1))
	}
	if n := s.NumberOfBytes; n != nil && *n < 1 {
		invalidParams.Add(request.NewErrParamMinValue("NumberOfBytes", 1))
	}

	if invalidParams.Len() == 0 {
		return nil
	}
	return invalidParams
}

// SetCustomKeyStoreId sets the CustomKeyStoreId field's value.
func (s *GenerateRandomInput) SetCustomKeyStoreId(v string) *GenerateRandomInput {
	s.CustomKeyStoreId = &v
	return s
}

// SetNumberOfBytes sets the NumberOfBytes field's value.
func (s *GenerateRandomInput) SetNumberOfBytes(v int64) *GenerateRandomInput {
	s.NumberOfBytes = &v
	return s
}

// GenerateRandomOutput holds the random byte string returned to the caller.
type GenerateRandomOutput struct {
	_ struct{} `type:"structure"`

	// The random byte string. When you use the HTTP API or the AWS CLI, the value
	// is Base64-encoded. Otherwise, it is not Base64-encoded.
	//
	// Plaintext is automatically base64 encoded/decoded by the SDK.
	//
	// The field is tagged sensitive:"true"; treat the bytes as secret material
	// and keep them out of logs and error messages.
	Plaintext []byte `min:"1" type:"blob" sensitive:"true"`
}

// String returns the string representation, as rendered by awsutil.Prettify.
//
// NOTE(review): Plaintext is tagged sensitive:"true"; whether Prettify
// redacts tagged fields is not visible in this file. Confirm against the
// vendored awsutil before logging this value.
func (s GenerateRandomOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the string representation; it delegates to String.
func (s GenerateRandomOutput) GoString() string {
	return s.String()
}

// SetPlaintext sets the Plaintext field's value.
//
// The slice is stored as passed, without copying, so the caller's buffer and
// the struct share the same bytes.
func (s *GenerateRandomOutput) SetPlaintext(v []byte) *GenerateRandomOutput {
	s.Plaintext = v
	return s
}

// GetKeyPolicyInput carries the request fields listed below. Both fields are
// tagged as required.
type GetKeyPolicyInput struct {
	_ struct{} `type:"structure"`

	// Gets the key policy for the specified customer master key (CMK).
	//
	// Specify the key ID or key ARN of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// Specifies the name of the key policy. The only valid name is default. To
	// get the names of key policies, use ListKeyPolicies.
	//
	// PolicyName is a required field
	PolicyName *string `min:"1" type:"string" required:"true"`
}

// String returns the string representation, as rendered by awsutil.Prettify.
func (s GetKeyPolicyInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the string representation; it delegates to String.
func (s GetKeyPolicyInput) GoString() string {
	return s.String()
}

// Validate inspects the fields of the type to determine if they are valid.
func (s *GetKeyPolicyInput) Validate() error {
	// Presence and minimum length only: PolicyName is not compared with the
	// single valid name ("default") that the field documentation mentions.
	invalidParams := request.ErrInvalidParams{Context: "GetKeyPolicyInput"}

	if s.KeyId == nil {
		invalidParams.Add(request.NewErrParamRequired("KeyId"))
	} else if len(*s.KeyId) < 1 {
		invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
	}
	if s.PolicyName == nil {
		invalidParams.Add(request.NewErrParamRequired("PolicyName"))
	} else if len(*s.PolicyName) < 1 {
		invalidParams.Add(request.NewErrParamMinLen("PolicyName", 1))
	}

	if invalidParams.Len() == 0 {
		return nil
	}
	return invalidParams
}

// SetKeyId sets the KeyId field's value.
func (s *GetKeyPolicyInput) SetKeyId(v string) *GetKeyPolicyInput {
	s.KeyId = &v
	return s
}

// SetPolicyName sets the PolicyName field's value.
func (s *GetKeyPolicyInput) SetPolicyName(v string) *GetKeyPolicyInput {
	s.PolicyName = &v
	return s
}

// GetKeyPolicyOutput holds the key policy document returned to the caller.
type GetKeyPolicyOutput struct {
	_ struct{} `type:"structure"`

	// A key policy document in JSON format.
	Policy *string `min:"1" type:"string"`
}

// String returns the string representation, as rendered by awsutil.Prettify.
func (s GetKeyPolicyOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the string representation; it delegates to String.
func (s GetKeyPolicyOutput) GoString() string {
	return s.String()
}

// SetPolicy sets the Policy field's value.
func (s *GetKeyPolicyOutput) SetPolicy(v string) *GetKeyPolicyOutput {
	s.Policy = &v
	return s
}

// GetKeyRotationStatusInput carries the single required KeyId request field.
type GetKeyRotationStatusInput struct {
	_ struct{} `type:"structure"`

	// Gets the rotation status for the specified customer master key (CMK).
	//
	// Specify the key ID or key ARN of the CMK. To specify a CMK in a different
	// AWS account, you must use the key ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`
}

// String returns the string representation, as rendered by awsutil.Prettify.
func (s GetKeyRotationStatusInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the string representation; it delegates to String.
func (s GetKeyRotationStatusInput) GoString() string {
	return s.String()
}

// Validate inspects the fields of the type to determine if they are valid.
//
// KeyId must be set and non-empty; its format (key ID versus ARN) is not
// checked here.
func (s *GetKeyRotationStatusInput) Validate() error {
	invalidParams := request.ErrInvalidParams{Context: "GetKeyRotationStatusInput"}

	if s.KeyId == nil {
		invalidParams.Add(request.NewErrParamRequired("KeyId"))
	} else if len(*s.KeyId) < 1 {
		invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if invalidParams.Len() == 0 {
		return nil
	}
	return invalidParams
}

// SetKeyId sets the KeyId field's value.
func (s *GetKeyRotationStatusInput) SetKeyId(v string) *GetKeyRotationStatusInput {
	s.KeyId = &v
	return s
}

// GetKeyRotationStatusOutput reports whether key rotation is enabled.
type GetKeyRotationStatusOutput struct {
	_ struct{} `type:"structure"`

	// A Boolean value that specifies whether key rotation is enabled.
	KeyRotationEnabled *bool `type:"boolean"`
}

// String returns the string representation, as rendered by awsutil.Prettify.
func (s GetKeyRotationStatusOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the string representation; it delegates to String.
func (s GetKeyRotationStatusOutput) GoString() string {
	return s.String()
}

// SetKeyRotationEnabled sets the KeyRotationEnabled field's value.
func (s *GetKeyRotationStatusOutput) SetKeyRotationEnabled(v bool) *GetKeyRotationStatusOutput {
	s.KeyRotationEnabled = &v
	return s
}

// GetParametersForImportInput carries the request fields listed below. All
// three fields are tagged as required.
type GetParametersForImportInput struct {
	_ struct{} `type:"structure"`

	// The identifier of the symmetric CMK into which you will import key material.
	// The Origin of the CMK must be EXTERNAL.
	//
	// Specify the key ID or key ARN of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// The algorithm you will use to encrypt the key material before importing it
	// with ImportKeyMaterial. For more information, see Encrypt the Key Material
	// (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-encrypt-key-material.html)
	// in the AWS Key Management Service Developer Guide.
	//
	// WrappingAlgorithm is a required field
	WrappingAlgorithm *string `type:"string" required:"true" enum:"AlgorithmSpec"`

	// The type of wrapping key (public key) to return in the response. Only 2048-bit
	// RSA public keys are supported.
	//
	// WrappingKeySpec is a required field
	WrappingKeySpec *string `type:"string" required:"true" enum:"WrappingKeySpec"`
}

// String returns the string representation, as rendered by awsutil.Prettify.
func (s GetParametersForImportInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the string representation; it delegates to String.
func (s GetParametersForImportInput) GoString() string {
	return s.String()
}

// Validate inspects the fields of the type to determine if they are valid.
//
// WrappingAlgorithm and WrappingKeySpec are checked for presence only; their
// values are not compared against the AlgorithmSpec / WrappingKeySpec enums
// in this method.
func (s *GetParametersForImportInput) Validate() error {
	invalidParams := request.ErrInvalidParams{Context: "GetParametersForImportInput"}

	if s.KeyId == nil {
		invalidParams.Add(request.NewErrParamRequired("KeyId"))
	} else if len(*s.KeyId) < 1 {
		invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
	}
	if s.WrappingAlgorithm == nil {
		invalidParams.Add(request.NewErrParamRequired("WrappingAlgorithm"))
	}
	if s.WrappingKeySpec == nil {
		invalidParams.Add(request.NewErrParamRequired("WrappingKeySpec"))
	}

	if invalidParams.Len() == 0 {
		return nil
	}
	return invalidParams
}

// SetKeyId sets the KeyId field's value.
func (s *GetParametersForImportInput) SetKeyId(v string) *GetParametersForImportInput {
	s.KeyId = &v
	return s
}

// SetWrappingAlgorithm sets the WrappingAlgorithm field's value.
func (s *GetParametersForImportInput) SetWrappingAlgorithm(v string) *GetParametersForImportInput {
	s.WrappingAlgorithm = &v
	return s
}

// SetWrappingKeySpec sets the WrappingKeySpec field's value.
func (s *GetParametersForImportInput) SetWrappingKeySpec(v string) *GetParametersForImportInput {
	// The value is stored as given; it is not checked against the
	// WrappingKeySpec enum here.
	s.WrappingKeySpec = &v
	return s
}

// GetParametersForImportOutput holds the import token, the wrapping public
// key and their shared expiry time, for use in a later ImportKeyMaterial
// request.
type GetParametersForImportOutput struct {
	_ struct{} `type:"structure"`

	// The import token to send in a subsequent ImportKeyMaterial request.
	//
	// ImportToken is automatically base64 encoded/decoded by the SDK.
	ImportToken []byte `min:"1" type:"blob"`

	// The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN))
	// of the CMK to use in a subsequent ImportKeyMaterial request. This is the
	// same CMK specified in the GetParametersForImport request.
	KeyId *string `min:"1" type:"string"`

	// The time at which the import token and public key are no longer valid. After
	// this time, you cannot use them to make an ImportKeyMaterial request and you
	// must send another GetParametersForImport request to get new ones.
	ParametersValidTo *time.Time `type:"timestamp"`

	// The public key to use to encrypt the key material before importing it with
	// ImportKeyMaterial.
	//
	// PublicKey is automatically base64 encoded/decoded by the SDK.
	//
	// Of the two blob fields, only this one carries the sensitive:"true" tag;
	// ImportToken does not.
	PublicKey []byte `min:"1" type:"blob" sensitive:"true"`
}

// String returns the string representation, as rendered by awsutil.Prettify.
//
// NOTE(review): ImportToken is not tagged sensitive, so it is presumably
// printed in full by Prettify. Confirm before writing this value to logs.
func (s GetParametersForImportOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the string representation; it delegates to String.
func (s GetParametersForImportOutput) GoString() string {
	return s.String()
}

// SetImportToken sets the ImportToken field's value.
//
// The slice is stored as passed, without copying.
func (s *GetParametersForImportOutput) SetImportToken(v []byte) *GetParametersForImportOutput {
	s.ImportToken = v
	return s
}

// SetKeyId sets the KeyId field's value.
func (s *GetParametersForImportOutput) SetKeyId(v string) *GetParametersForImportOutput {
	s.KeyId = &v
	return s
}

// SetParametersValidTo sets the ParametersValidTo field's value.
func (s *GetParametersForImportOutput) SetParametersValidTo(v time.Time) *GetParametersForImportOutput {
	s.ParametersValidTo = &v
	return s
}

// SetPublicKey sets the PublicKey field's value.
//
// The slice is stored as passed, without copying.
func (s *GetParametersForImportOutput) SetPublicKey(v []byte) *GetParametersForImportOutput {
	s.PublicKey = v
	return s
}

// GetPublicKeyInput carries the request fields listed below. Only KeyId is
// tagged as required.
type GetPublicKeyInput struct {
	_ struct{} `type:"structure"`

	// A list of grant tokens.
	//
	// Use a grant token when your permission to call this operation comes from
	// a new grant that has not yet achieved eventual consistency. For more information,
	// see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
	// in the AWS Key Management Service Developer Guide.
	GrantTokens []*string `type:"list"`

	// Identifies the asymmetric CMK that includes the public key.
	//
	// To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When
	// using an alias name, prefix it with "alias/". To specify a CMK in a different
	// AWS account, you must use the key ARN or alias ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Alias name: alias/ExampleAlias
	//
	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To
	// get the alias name and alias ARN, use ListAliases.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`
}

// String returns the string representation, as rendered by awsutil.Prettify.
func (s GetPublicKeyInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the string representation; it delegates to String.
func (s GetPublicKeyInput) GoString() string {
	return s.String()
}

// Validate inspects the fields of the type to determine if they are valid.
//
// KeyId must be set and non-empty; GrantTokens is not inspected.
func (s *GetPublicKeyInput) Validate() error {
	invalidParams := request.ErrInvalidParams{Context: "GetPublicKeyInput"}

	if s.KeyId == nil {
		invalidParams.Add(request.NewErrParamRequired("KeyId"))
	} else if len(*s.KeyId) < 1 {
		invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if invalidParams.Len() == 0 {
		return nil
	}
	return invalidParams
}

// SetGrantTokens sets the GrantTokens field's value.
//
// The slice is stored as passed, without copying.
func (s *GetPublicKeyInput) SetGrantTokens(v []*string) *GetPublicKeyInput {
	s.GrantTokens = v
	return s
}

// SetKeyId sets the KeyId field's value.
func (s *GetPublicKeyInput) SetKeyId(v string) *GetPublicKeyInput {
	s.KeyId = &v
	return s
}

// GetPublicKeyOutput holds the exported public key together with the key
// spec, key usage and algorithm lists that describe how it may be used.
type GetPublicKeyOutput struct {
	_ struct{} `type:"structure"`

	// The type of the public key that was downloaded.
	CustomerMasterKeySpec *string `type:"string" enum:"CustomerMasterKeySpec"`

	// The encryption algorithms that AWS KMS supports for this key.
	//
	// This information is critical. If a public key encrypts data outside of AWS
	// KMS by using an unsupported encryption algorithm, the ciphertext cannot be
	// decrypted.
	//
	// This field appears in the response only when the KeyUsage of the public key
	// is ENCRYPT_DECRYPT.
	EncryptionAlgorithms []*string `type:"list"`

	// The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN))
	// of the asymmetric CMK from which the public key was downloaded.
	KeyId *string `min:"1" type:"string"`

	// The permitted use of the public key. Valid values are ENCRYPT_DECRYPT or
	// SIGN_VERIFY.
	//
	// This information is critical. If a public key with SIGN_VERIFY key usage
	// encrypts data outside of AWS KMS, the ciphertext cannot be decrypted.
	KeyUsage *string `type:"string" enum:"KeyUsageType"`

	// The exported public key.
	//
	// The value is a DER-encoded X.509 public key, also known as SubjectPublicKeyInfo
	// (SPKI), as defined in RFC 5280 (https://tools.ietf.org/html/rfc5280). When
	// you use the HTTP API or the AWS CLI, the value is Base64-encoded. Otherwise,
	// it is not Base64-encoded.
	//
	// PublicKey is automatically base64 encoded/decoded by the SDK.
	PublicKey []byte `min:"1" type:"blob"`

	// The signing algorithms that AWS KMS supports for this key.
	//
	// This field appears in the response only when the KeyUsage of the public key
	// is SIGN_VERIFY.
	SigningAlgorithms []*string `type:"list"`
}

// String returns the string representation, as rendered by awsutil.Prettify.
func (s GetPublicKeyOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the string representation; it delegates to String.
func (s GetPublicKeyOutput) GoString() string {
	return s.String()
}

// SetCustomerMasterKeySpec sets the CustomerMasterKeySpec field's value.
func (s *GetPublicKeyOutput) SetCustomerMasterKeySpec(v string) *GetPublicKeyOutput {
	s.CustomerMasterKeySpec = &v
	return s
}

// SetEncryptionAlgorithms sets the EncryptionAlgorithms field's value.
func (s *GetPublicKeyOutput) SetEncryptionAlgorithms(v []*string) *GetPublicKeyOutput {
	// The slice is stored as passed, without copying.
	s.EncryptionAlgorithms = v
	return s
}

// SetKeyId sets the KeyId field's value.
func (s *GetPublicKeyOutput) SetKeyId(v string) *GetPublicKeyOutput {
	s.KeyId = &v
	return s
}

// SetKeyUsage sets the KeyUsage field's value.
func (s *GetPublicKeyOutput) SetKeyUsage(v string) *GetPublicKeyOutput {
	s.KeyUsage = &v
	return s
}

// SetPublicKey sets the PublicKey field's value.
//
// The slice is stored as passed, without copying.
func (s *GetPublicKeyOutput) SetPublicKey(v []byte) *GetPublicKeyOutput {
	s.PublicKey = v
	return s
}

// SetSigningAlgorithms sets the SigningAlgorithms field's value.
//
// The slice is stored as passed, without copying.
func (s *GetPublicKeyOutput) SetSigningAlgorithms(v []*string) *GetPublicKeyOutput {
	s.SigningAlgorithms = v
	return s
}

// Use this structure to allow cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations)
// in the grant only when the operation request includes the specified encryption
// context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context).
//
// AWS KMS applies the grant constraints only to cryptographic operations that
// support an encryption context, that is, all cryptographic operations with
// a symmetric CMK (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#symmetric-cmks).
// Grant constraints are not applied to operations that do not support an encryption
// context, such as cryptographic operations with asymmetric CMKs and management
// operations, such as DescribeKey or RetireGrant.
//
// In a cryptographic operation, the encryption context in the decryption operation
// must be an exact, case-sensitive match for the keys and values in the encryption
// context of the encryption operation. Only the order of the pairs can vary.
//
// However, in a grant constraint, the key in each key-value pair is not case
// sensitive, but the value is case sensitive.
//
// To avoid confusion, do not use multiple encryption context pairs that differ
// only by case. To require a fully case-sensitive encryption context, use the
// kms:EncryptionContext: and kms:EncryptionContextKeys conditions in an IAM
// or key policy. For details, see kms:EncryptionContext: (https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context)
// in the AWS Key Management Service Developer Guide.
type GrantConstraints struct {
	_ struct{} `type:"structure"`

	// A list of key-value pairs that must match the encryption context in the cryptographic
	// operation (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations)
	// request. The grant allows the operation only when the encryption context
	// in the request is the same as the encryption context specified in this constraint.
	EncryptionContextEquals map[string]*string `type:"map"`

	// A list of key-value pairs that must be included in the encryption context
	// of the cryptographic operation (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations)
	// request. The grant allows the cryptographic operation only when the encryption
	// context in the request includes the key-value pairs specified in this constraint,
	// although it can include additional key-value pairs.
	EncryptionContextSubset map[string]*string `type:"map"`
}

// String returns the string representation, as rendered by awsutil.Prettify.
func (s GrantConstraints) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the string representation; it delegates to String.
func (s GrantConstraints) GoString() string {
	return s.String()
}

// SetEncryptionContextEquals sets the EncryptionContextEquals field's value.
//
// The map is stored as passed, without copying.
func (s *GrantConstraints) SetEncryptionContextEquals(v map[string]*string) *GrantConstraints {
	s.EncryptionContextEquals = v
	return s
}

// SetEncryptionContextSubset sets the EncryptionContextSubset field's value.
//
// The map is stored as passed, without copying.
func (s *GrantConstraints) SetEncryptionContextSubset(v map[string]*string) *GrantConstraints {
	s.EncryptionContextSubset = v
	return s
}

// Contains information about a grant.
type GrantListEntry struct {
	_ struct{} `type:"structure"`

	// A list of key-value pairs that must be present in the encryption context
	// of certain subsequent operations that the grant allows.
	Constraints *GrantConstraints `type:"structure"`

	// The date and time when the grant was created.
	CreationDate *time.Time `type:"timestamp"`

	// The unique identifier for the grant.
	GrantId *string `min:"1" type:"string"`

	// The identity that gets the permissions in the grant.
	//
	// The GranteePrincipal field in the ListGrants response usually contains the
	// user or role designated as the grantee principal in the grant. However, when
	// the grantee principal in the grant is an AWS service, the GranteePrincipal
	// field contains the service principal (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services),
	// which might represent several different grantee principals.
	GranteePrincipal *string `min:"1" type:"string"`

	// The AWS account under which the grant was issued.
	IssuingAccount *string `min:"1" type:"string"`

	// The unique identifier for the customer master key (CMK) to which the grant
	// applies.
	KeyId *string `min:"1" type:"string"`

	// The friendly name that identifies the grant. If a name was provided in the
	// CreateGrant request, that name is returned. Otherwise this value is null.
	Name *string `min:"1" type:"string"`

	// The list of operations permitted by the grant.
	Operations []*string `type:"list"`

	// The principal that can retire the grant.
	RetiringPrincipal *string `min:"1" type:"string"`
}

// String returns the string representation, as rendered by awsutil.Prettify.
func (s GrantListEntry) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the string representation; it delegates to String.
func (s GrantListEntry) GoString() string {
	return s.String()
}

// SetConstraints sets the Constraints field's value.
//
// The pointer is stored as passed, so the entry and the caller share the same
// GrantConstraints value.
func (s *GrantListEntry) SetConstraints(v *GrantConstraints) *GrantListEntry {
	s.Constraints = v
	return s
}

// SetCreationDate sets the CreationDate field's value.
func (s *GrantListEntry) SetCreationDate(v time.Time) *GrantListEntry {
	s.CreationDate = &v
	return s
}

// SetGrantId sets the GrantId field's value.
func (s *GrantListEntry) SetGrantId(v string) *GrantListEntry {
	s.GrantId = &v
	return s
}

// SetGranteePrincipal sets the GranteePrincipal field's value.
func (s *GrantListEntry) SetGranteePrincipal(v string) *GrantListEntry {
	s.GranteePrincipal = &v
	return s
}

// SetIssuingAccount sets the IssuingAccount field's value.
func (s *GrantListEntry) SetIssuingAccount(v string) *GrantListEntry {
	s.IssuingAccount = &v
	return s
}

// SetKeyId sets the KeyId field's value.
func (s *GrantListEntry) SetKeyId(v string) *GrantListEntry {
	s.KeyId = &v
	return s
}

// SetName sets the Name field's value.
func (s *GrantListEntry) SetName(v string) *GrantListEntry {
	s.Name = &v
	return s
}

// SetOperations sets the Operations field's value.
//
// The slice is stored as passed, without copying.
func (s *GrantListEntry) SetOperations(v []*string) *GrantListEntry {
	s.Operations = v
	return s
}

// SetRetiringPrincipal sets the RetiringPrincipal field's value.
func (s *GrantListEntry) SetRetiringPrincipal(v string) *GrantListEntry {
	s.RetiringPrincipal = &v
	return s
}

// ImportKeyMaterialInput carries the request fields listed below.
// EncryptedKeyMaterial, ImportToken and KeyId are tagged as required; ValidTo
// is conditionally required, as described on that field.
type ImportKeyMaterialInput struct {
	_ struct{} `type:"structure"`

	// The encrypted key material to import. The key material must be encrypted
	// with the public wrapping key that GetParametersForImport returned, using
	// the wrapping algorithm that you specified in the same GetParametersForImport
	// request.
	//
	// EncryptedKeyMaterial is automatically base64 encoded/decoded by the SDK.
	//
	// EncryptedKeyMaterial is a required field
	EncryptedKeyMaterial []byte `min:"1" type:"blob" required:"true"`

	// Specifies whether the key material expires. The default is KEY_MATERIAL_EXPIRES,
	// in which case you must include the ValidTo parameter. When this parameter
	// is set to KEY_MATERIAL_DOES_NOT_EXPIRE, you must omit the ValidTo parameter.
	ExpirationModel *string `type:"string" enum:"ExpirationModelType"`

	// The import token that you received in the response to a previous GetParametersForImport
	// request. It must be from the same response that contained the public key
	// that you used to encrypt the key material.
	//
	// ImportToken is automatically base64 encoded/decoded by the SDK.
	//
	// ImportToken is a required field
	ImportToken []byte `min:"1" type:"blob" required:"true"`

	// The identifier of the symmetric CMK that receives the imported key material.
	// The CMK's Origin must be EXTERNAL. This must be the same CMK specified in
	// the KeyID parameter of the corresponding GetParametersForImport request.
	//
	// Specify the key ID or key ARN of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// The time at which the imported key material expires. When the key material
	// expires, AWS KMS deletes the key material and the CMK becomes unusable. You
	// must omit this parameter when the ExpirationModel parameter is set to KEY_MATERIAL_DOES_NOT_EXPIRE.
	// Otherwise it is required.
	ValidTo *time.Time `type:"timestamp"`
}

// String returns the string representation, as rendered by awsutil.Prettify.
//
// NOTE(review): neither EncryptedKeyMaterial nor ImportToken is tagged
// sensitive, so both are presumably printed by Prettify. Confirm before
// logging this value.
func (s ImportKeyMaterialInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the string representation; it delegates to String.
func (s ImportKeyMaterialInput) GoString() string {
	return s.String()
}

// Validate inspects the fields of the type to determine if they are valid.
func (s *ImportKeyMaterialInput) Validate() error {
	// Only the three required fields are checked, each for presence and for
	// a minimum length of 1. ExpirationModel and ValidTo are not examined
	// here, so the rule that ties them together is not enforced client-side.
	problems := request.ErrInvalidParams{Context: "ImportKeyMaterialInput"}

	switch {
	case s.EncryptedKeyMaterial == nil:
		problems.Add(request.NewErrParamRequired("EncryptedKeyMaterial"))
	case len(s.EncryptedKeyMaterial) < 1:
		problems.Add(request.NewErrParamMinLen("EncryptedKeyMaterial", 1))
	}

	switch {
	case s.ImportToken == nil:
		problems.Add(request.NewErrParamRequired("ImportToken"))
	case len(s.ImportToken) < 1:
		problems.Add(request.NewErrParamMinLen("ImportToken", 1))
	}

	switch {
	case s.KeyId == nil:
		problems.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		problems.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	// Return a literal nil when nothing was recorded so callers can compare
	// the result against nil.
	if problems.Len() == 0 {
		return nil
	}
	return problems
}

// SetEncryptedKeyMaterial sets the EncryptedKeyMaterial field's value and
// returns s. The byte slice is stored as given, without copying or wrapping.
func (s *ImportKeyMaterialInput) SetEncryptedKeyMaterial(v []byte) *ImportKeyMaterialInput {
	s.EncryptedKeyMaterial = v
	return s
}

// SetExpirationModel stores a pointer to a copy of v in the ExpirationModel
// field and returns s. The value is not checked against the enum here.
func (s *ImportKeyMaterialInput) SetExpirationModel(v string) *ImportKeyMaterialInput {
	s.ExpirationModel = &v
	return s
}

// SetImportToken sets the ImportToken field's value and returns s. The byte
// slice is stored as given, without copying.
func (s *ImportKeyMaterialInput) SetImportToken(v []byte) *ImportKeyMaterialInput {
	s.ImportToken = v
	return s
}

// SetKeyId stores a pointer to a copy of v in the KeyId field and returns s.
func (s *ImportKeyMaterialInput) SetKeyId(v string) *ImportKeyMaterialInput {
	s.KeyId = &v
	return s
}

// SetValidTo sets the ValidTo field's value.
func (s *ImportKeyMaterialInput) SetValidTo(v time.Time) *ImportKeyMaterialInput {
	// v is a by-value copy, so the stored pointer does not alias the caller's variable.
	s.ValidTo = &v
	return s
}

// ImportKeyMaterialOutput declares no data fields.
type ImportKeyMaterialOutput struct {
	_ struct{} `type:"structure"`
}

// String returns the awsutil.Prettify rendering of the value.
func (s ImportKeyMaterialOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s ImportKeyMaterialOutput) GoString() string {
	return s.String()
}

// IncorrectKeyException indicates that the request was rejected because the
// specified CMK cannot decrypt the data. The KeyId in a Decrypt request and
// the SourceKeyId in a ReEncrypt request must identify the same CMK that was
// used to encrypt the ciphertext.
type IncorrectKeyException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
}

// String returns the awsutil.Prettify rendering of the exception.
func (s IncorrectKeyException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s IncorrectKeyException) GoString() string {
	return s.String()
}

// newErrorIncorrectKeyException builds an IncorrectKeyException that carries
// the given response metadata; Message_ is left unset.
func newErrorIncorrectKeyException(v protocol.ResponseMetadata) error {
	exc := &IncorrectKeyException{RespMetadata: v}
	return exc
}

// Code returns the error code string "IncorrectKeyException".
func (s *IncorrectKeyException) Code() string {
	return "IncorrectKeyException"
}

// Message returns the message carried by the exception, or "" when none is set.
func (s *IncorrectKeyException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil, satisfies awserr.Error interface.
func (s *IncorrectKeyException) OrigErr() error {
	return nil
}

// Error formats the exception as "<code>: <message>".
func (s *IncorrectKeyException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code recorded in the response metadata.
func (s *IncorrectKeyException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the request ID recorded in the response metadata.
func (s *IncorrectKeyException) RequestID() string {
	return s.RespMetadata.RequestID
}

// IncorrectKeyMaterialException indicates that the request was rejected
// because the key material in the request is expired, invalid, or is not the
// same key material that was previously imported into this customer master
// key (CMK).
type IncorrectKeyMaterialException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
}

// String returns the awsutil.Prettify rendering of the exception.
func (s IncorrectKeyMaterialException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s IncorrectKeyMaterialException) GoString() string {
	return s.String()
}

// newErrorIncorrectKeyMaterialException builds an IncorrectKeyMaterialException
// that carries the given response metadata; Message_ is left unset.
func newErrorIncorrectKeyMaterialException(v protocol.ResponseMetadata) error {
	exc := &IncorrectKeyMaterialException{RespMetadata: v}
	return exc
}

// Code returns the error code string "IncorrectKeyMaterialException".
func (s *IncorrectKeyMaterialException) Code() string {
	return "IncorrectKeyMaterialException"
}

// Message returns the message carried by the exception, or "" when none is set.
func (s *IncorrectKeyMaterialException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil, satisfies awserr.Error interface.
func (s *IncorrectKeyMaterialException) OrigErr() error {
	return nil
}

// Error formats the exception as "<code>: <message>".
func (s *IncorrectKeyMaterialException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code recorded in the response metadata.
func (s *IncorrectKeyMaterialException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the request ID recorded in the response metadata.
func (s *IncorrectKeyMaterialException) RequestID() string {
	return s.RespMetadata.RequestID
}

// IncorrectTrustAnchorException indicates that the request was rejected
// because the trust anchor certificate in the request is not the trust anchor
// certificate for the specified AWS CloudHSM cluster.
//
// When you initialize the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr),
// you create the trust anchor certificate and save it in the customerCA.crt
// file.
type IncorrectTrustAnchorException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
}

// String returns the awsutil.Prettify rendering of the exception.
func (s IncorrectTrustAnchorException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s IncorrectTrustAnchorException) GoString() string {
	return s.String()
}

// newErrorIncorrectTrustAnchorException builds an IncorrectTrustAnchorException
// that carries the given response metadata; Message_ is left unset.
func newErrorIncorrectTrustAnchorException(v protocol.ResponseMetadata) error {
	exc := &IncorrectTrustAnchorException{RespMetadata: v}
	return exc
}

// Code returns the error code string "IncorrectTrustAnchorException".
func (s *IncorrectTrustAnchorException) Code() string {
	return "IncorrectTrustAnchorException"
}

// Message returns the exception's message.
func (s *IncorrectTrustAnchorException) Message() string {
	// An unset message is reported as the empty string.
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil, satisfies awserr.Error interface.
func (s *IncorrectTrustAnchorException) OrigErr() error {
	return nil
}

// Error formats the exception as "<code>: <message>".
func (s *IncorrectTrustAnchorException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code recorded in the response metadata.
func (s *IncorrectTrustAnchorException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the request ID recorded in the response metadata.
func (s *IncorrectTrustAnchorException) RequestID() string {
	return s.RespMetadata.RequestID
}

// InternalException indicates that the request was rejected because an
// internal exception occurred. The request can be retried.
type InternalException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
}

// String returns the awsutil.Prettify rendering of the exception.
func (s InternalException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s InternalException) GoString() string {
	return s.String()
}

// newErrorInternalException builds an InternalException that carries the
// given response metadata; Message_ is left unset.
func newErrorInternalException(v protocol.ResponseMetadata) error {
	exc := &InternalException{RespMetadata: v}
	return exc
}

// Code returns the error code string "KMSInternalException".
//
// The string carries a "KMS" prefix that the Go type name does not, so code
// that matches on the error code must compare against the prefixed value.
func (s *InternalException) Code() string {
	return "KMSInternalException"
}

// Message returns the exception's message.
func (s *InternalException) Message() string {
	// An unset message is reported as the empty string.
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil, satisfies awserr.Error interface.
func (s *InternalException) OrigErr() error {
	return nil
}

// Error formats the exception as "<code>: <message>".
func (s *InternalException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code recorded in the response metadata.
func (s *InternalException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the request ID recorded in the response metadata.
func (s *InternalException) RequestID() string {
	return s.RespMetadata.RequestID
}

// InvalidAliasNameException indicates that the request was rejected because
// the specified alias name is not valid.
type InvalidAliasNameException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
}

// String returns the awsutil.Prettify rendering of the exception.
func (s InvalidAliasNameException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s InvalidAliasNameException) GoString() string {
	return s.String()
}

// newErrorInvalidAliasNameException builds an InvalidAliasNameException that
// carries the given response metadata; Message_ is left unset.
func newErrorInvalidAliasNameException(v protocol.ResponseMetadata) error {
	exc := &InvalidAliasNameException{RespMetadata: v}
	return exc
}

// Code returns the error code string "InvalidAliasNameException".
func (s *InvalidAliasNameException) Code() string {
	return "InvalidAliasNameException"
}

// Message returns the message carried by the exception, or "" when none is set.
func (s *InvalidAliasNameException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil, satisfies awserr.Error interface.
func (s *InvalidAliasNameException) OrigErr() error {
	return nil
}

// Error formats the exception as "<code>: <message>".
func (s *InvalidAliasNameException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code recorded in the response metadata.
func (s *InvalidAliasNameException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the request ID recorded in the response metadata.
func (s *InvalidAliasNameException) RequestID() string {
	return s.RespMetadata.RequestID
}

// InvalidArnException indicates that the request was rejected because a
// specified ARN, or an ARN in a key policy, is not valid.
type InvalidArnException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
}

// String returns the awsutil.Prettify rendering of the exception.
func (s InvalidArnException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s InvalidArnException) GoString() string {
	return s.String()
}

// newErrorInvalidArnException builds an InvalidArnException that carries the
// given response metadata; Message_ is left unset.
func newErrorInvalidArnException(v protocol.ResponseMetadata) error {
	exc := &InvalidArnException{RespMetadata: v}
	return exc
}

// Code returns the error code string "InvalidArnException".
func (s *InvalidArnException) Code() string {
	return "InvalidArnException"
}

// Message returns the message carried by the exception, or "" when none is set.
func (s *InvalidArnException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil, satisfies awserr.Error interface.
func (s *InvalidArnException) OrigErr() error {
	return nil
}

// Error formats the exception as "<code>: <message>".
func (s *InvalidArnException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code recorded in the response metadata.
func (s *InvalidArnException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the request ID recorded in the response metadata.
func (s *InvalidArnException) RequestID() string {
	return s.RespMetadata.RequestID
}

// InvalidCiphertextException has two meanings, depending on the operation.
//
// From the Decrypt or ReEncrypt operation, the request was rejected because
// the specified ciphertext, or additional authenticated data incorporated into
// the ciphertext, such as the encryption context, is corrupted, missing, or
// otherwise invalid.
//
// From the ImportKeyMaterial operation, the request was rejected because AWS
// KMS could not decrypt the encrypted (wrapped) key material.
type InvalidCiphertextException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
}

// String returns the awsutil.Prettify rendering of the exception.
func (s InvalidCiphertextException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s InvalidCiphertextException) GoString() string {
	return s.String()
}

// newErrorInvalidCiphertextException builds an InvalidCiphertextException
// that carries the given response metadata; Message_ is left unset.
func newErrorInvalidCiphertextException(v protocol.ResponseMetadata) error {
	exc := &InvalidCiphertextException{RespMetadata: v}
	return exc
}

// Code returns the error code string "InvalidCiphertextException".
func (s *InvalidCiphertextException) Code() string {
	return "InvalidCiphertextException"
}

// Message returns the exception's message.
func (s *InvalidCiphertextException) Message() string {
	// An unset message is reported as the empty string.
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil, satisfies awserr.Error interface.
func (s *InvalidCiphertextException) OrigErr() error {
	return nil
}

// Error formats the exception as "<code>: <message>".
func (s *InvalidCiphertextException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code recorded in the response metadata.
func (s *InvalidCiphertextException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the request ID recorded in the response metadata.
func (s *InvalidCiphertextException) RequestID() string {
	return s.RespMetadata.RequestID
}

// InvalidGrantIdException indicates that the request was rejected because the
// specified GrantId is not valid.
type InvalidGrantIdException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
}

// String returns the awsutil.Prettify rendering of the exception.
func (s InvalidGrantIdException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s InvalidGrantIdException) GoString() string {
	return s.String()
}

// newErrorInvalidGrantIdException builds an InvalidGrantIdException that
// carries the given response metadata; Message_ is left unset.
func newErrorInvalidGrantIdException(v protocol.ResponseMetadata) error {
	exc := &InvalidGrantIdException{RespMetadata: v}
	return exc
}

// Code returns the error code string "InvalidGrantIdException".
func (s *InvalidGrantIdException) Code() string {
	return "InvalidGrantIdException"
}

// Message returns the exception's message.
func (s *InvalidGrantIdException) Message() string {
	// An unset message is reported as the empty string.
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil, satisfies awserr.Error interface.
func (s *InvalidGrantIdException) OrigErr() error {
	return nil
}

// Error formats the exception as "<code>: <message>".
func (s *InvalidGrantIdException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code recorded in the response metadata.
func (s *InvalidGrantIdException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the request ID recorded in the response metadata.
func (s *InvalidGrantIdException) RequestID() string {
	return s.RespMetadata.RequestID
}

// InvalidGrantTokenException indicates that the request was rejected because
// the specified grant token is not valid.
type InvalidGrantTokenException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
}

// String returns the awsutil.Prettify rendering of the exception.
func (s InvalidGrantTokenException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s InvalidGrantTokenException) GoString() string {
	return s.String()
}

// newErrorInvalidGrantTokenException builds an InvalidGrantTokenException
// that carries the given response metadata; Message_ is left unset.
func newErrorInvalidGrantTokenException(v protocol.ResponseMetadata) error {
	exc := &InvalidGrantTokenException{RespMetadata: v}
	return exc
}

// Code returns the error code string "InvalidGrantTokenException".
func (s *InvalidGrantTokenException) Code() string {
	return "InvalidGrantTokenException"
}

// Message returns the exception's message.
func (s *InvalidGrantTokenException) Message() string {
	// An unset message is reported as the empty string.
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil, satisfies awserr.Error interface.
func (s *InvalidGrantTokenException) OrigErr() error {
	return nil
}

// Error formats the exception as "<code>: <message>".
func (s *InvalidGrantTokenException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code recorded in the response metadata.
func (s *InvalidGrantTokenException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the request ID recorded in the response metadata.
func (s *InvalidGrantTokenException) RequestID() string {
	return s.RespMetadata.RequestID
}

// InvalidImportTokenException indicates that the request was rejected because
// the provided import token is invalid or is associated with a different
// customer master key (CMK).
type InvalidImportTokenException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
}

// String returns the awsutil.Prettify rendering of the exception.
func (s InvalidImportTokenException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s InvalidImportTokenException) GoString() string {
	return s.String()
}

// newErrorInvalidImportTokenException builds an InvalidImportTokenException
// that carries the given response metadata; Message_ is left unset.
func newErrorInvalidImportTokenException(v protocol.ResponseMetadata) error {
	exc := &InvalidImportTokenException{RespMetadata: v}
	return exc
}

// Code returns the error code string "InvalidImportTokenException".
func (s *InvalidImportTokenException) Code() string {
	return "InvalidImportTokenException"
}

// Message returns the exception's message.
func (s *InvalidImportTokenException) Message() string {
	// An unset message is reported as the empty string.
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil, satisfies awserr.Error interface.
func (s *InvalidImportTokenException) OrigErr() error {
	return nil
}

// Error formats the exception as "<code>: <message>".
func (s *InvalidImportTokenException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code recorded in the response metadata.
func (s *InvalidImportTokenException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the request ID recorded in the response metadata.
func (s *InvalidImportTokenException) RequestID() string {
	return s.RespMetadata.RequestID
}

// The request was rejected for one of the following reasons:
//
//    * The KeyUsage value of the CMK is incompatible with the API operation.
//
//    * The encryption algorithm or signing algorithm specified for the operation
//    is incompatible with the type of key material in the CMK (CustomerMasterKeySpec).
//
// For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage
// must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation.
//
// To find the encryption or signing algorithms supported for a particular CMK,
// use the DescribeKey operation.
type InvalidKeyUsageException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
}

// String returns the awsutil.Prettify rendering of the exception.
func (s InvalidKeyUsageException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s InvalidKeyUsageException) GoString() string {
	return s.String()
}

// newErrorInvalidKeyUsageException builds an InvalidKeyUsageException that
// carries the given response metadata; Message_ is left unset.
func newErrorInvalidKeyUsageException(v protocol.ResponseMetadata) error {
	exc := &InvalidKeyUsageException{RespMetadata: v}
	return exc
}

// Code returns the error code string "InvalidKeyUsageException".
func (s *InvalidKeyUsageException) Code() string {
	return "InvalidKeyUsageException"
}

// Message returns the message carried by the exception, or "" when none is set.
func (s *InvalidKeyUsageException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil, satisfies awserr.Error interface.
func (s *InvalidKeyUsageException) OrigErr() error {
	return nil
}

// Error formats the exception as "<code>: <message>".
func (s *InvalidKeyUsageException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code recorded in the response metadata.
func (s *InvalidKeyUsageException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the request ID recorded in the response metadata.
func (s *InvalidKeyUsageException) RequestID() string {
	return s.RespMetadata.RequestID
}

// The request was rejected because the marker that specifies where pagination
// should next begin is not valid.
type InvalidMarkerException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
}

// String returns the awsutil.Prettify rendering of the exception.
func (s InvalidMarkerException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s InvalidMarkerException) GoString() string {
	return s.String()
}

// newErrorInvalidMarkerException builds an InvalidMarkerException that
// carries the given response metadata; Message_ is left unset.
func newErrorInvalidMarkerException(v protocol.ResponseMetadata) error {
	exc := &InvalidMarkerException{RespMetadata: v}
	return exc
}

// Code returns the error code string "InvalidMarkerException".
func (s *InvalidMarkerException) Code() string {
	return "InvalidMarkerException"
}

// Message returns the message carried by the exception, or "" when none is set.
func (s *InvalidMarkerException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil, satisfies awserr.Error interface.
func (s *InvalidMarkerException) OrigErr() error {
	return nil
}

// Error formats the exception as "<code>: <message>".
func (s *InvalidMarkerException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code recorded in the response metadata.
func (s *InvalidMarkerException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the request ID recorded in the response metadata.
func (s *InvalidMarkerException) RequestID() string {
	return s.RespMetadata.RequestID
}

// The request was rejected because the state of the specified resource is not
// valid for this request.
//
// For more information about how key state affects the use of a CMK, see How
// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
// in the AWS Key Management Service Developer Guide.
type InvalidStateException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
}

// String returns the awsutil.Prettify rendering of the exception.
func (s InvalidStateException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s InvalidStateException) GoString() string {
	return s.String()
}

// newErrorInvalidStateException builds an InvalidStateException that carries
// the given response metadata; Message_ is left unset.
func newErrorInvalidStateException(v protocol.ResponseMetadata) error {
	exc := &InvalidStateException{RespMetadata: v}
	return exc
}

// Code returns the error code string "KMSInvalidStateException".
//
// The string carries a "KMS" prefix that the Go type name does not, so code
// that matches on the error code must compare against the prefixed value.
func (s *InvalidStateException) Code() string {
	return "KMSInvalidStateException"
}

// Message returns the message carried by the exception, or "" when none is set.
func (s *InvalidStateException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil, satisfies awserr.Error interface.
func (s *InvalidStateException) OrigErr() error {
	return nil
}

// Error formats the exception as "<code>: <message>".
func (s *InvalidStateException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code recorded in the response metadata.
func (s *InvalidStateException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the service's response RequestID for request.
func (s *InvalidStateException) RequestID() string {
	return s.RespMetadata.RequestID
}

// KMSInvalidSignatureException indicates that the request was rejected
// because the signature verification failed. Signature verification fails
// when it cannot confirm that signature was produced by signing the specified
// message with the specified CMK and signing algorithm.
type KMSInvalidSignatureException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
}

// String returns the awsutil.Prettify rendering of the exception.
func (s KMSInvalidSignatureException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s KMSInvalidSignatureException) GoString() string {
	return s.String()
}

// newErrorKMSInvalidSignatureException builds a KMSInvalidSignatureException
// that carries the given response metadata; Message_ is left unset.
func newErrorKMSInvalidSignatureException(v protocol.ResponseMetadata) error {
	exc := &KMSInvalidSignatureException{RespMetadata: v}
	return exc
}

// Code returns the error code string "KMSInvalidSignatureException".
func (s *KMSInvalidSignatureException) Code() string {
	return "KMSInvalidSignatureException"
}

// Message returns the message carried by the exception, or "" when none is set.
func (s *KMSInvalidSignatureException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil, satisfies awserr.Error interface.
func (s *KMSInvalidSignatureException) OrigErr() error {
	return nil
}

// Error formats the exception as "<code>: <message>".
func (s *KMSInvalidSignatureException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code recorded in the response metadata.
func (s *KMSInvalidSignatureException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the service's response RequestID for request.
func (s *KMSInvalidSignatureException) RequestID() string {
	return s.RespMetadata.RequestID
}

// KeyListEntry contains information about each entry in the key list.
type KeyListEntry struct {
	_ struct{} `type:"structure"`

	// ARN of the key.
	KeyArn *string `min:"20" type:"string"`

	// Unique identifier of the key.
	KeyId *string `min:"1" type:"string"`
}

// String returns a printable rendering of the entry, produced by
// awsutil.Prettify.
func (s KeyListEntry) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same rendering as String.
func (s KeyListEntry) GoString() string {
	return s.String()
}

// SetKeyArn points KeyArn at a copy of v and returns s so calls can be chained.
func (s *KeyListEntry) SetKeyArn(v string) *KeyListEntry {
	s.KeyArn = &v
	return s
}

// SetKeyId points KeyId at a copy of v and returns s so calls can be chained.
func (s *KeyListEntry) SetKeyId(v string) *KeyListEntry {
	s.KeyId = &v
	return s
}

// KeyMetadata contains metadata about a customer master key (CMK).
//
// This data type is used as a response element for the CreateKey and DescribeKey
// operations.
//
// Every field is a pointer or a slice, and several are documented below as
// present only under certain conditions, so check for nil before dereferencing.
type KeyMetadata struct {
	_ struct{} `type:"structure"`

	// The twelve-digit account ID of the AWS account that owns the CMK.
	AWSAccountId *string `type:"string"`

	// The Amazon Resource Name (ARN) of the CMK. For examples, see AWS Key Management
	// Service (AWS KMS) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-kms)
	// in the Example ARNs section of the AWS General Reference.
	Arn *string `min:"20" type:"string"`

	// The cluster ID of the AWS CloudHSM cluster that contains the key material
	// for the CMK. When you create a CMK in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html),
	// AWS KMS creates the key material for the CMK in the associated AWS CloudHSM
	// cluster. This value is present only when the CMK is created in a custom key
	// store.
	CloudHsmClusterId *string `min:"19" type:"string"`

	// The date and time when the CMK was created.
	CreationDate *time.Time `type:"timestamp"`

	// A unique identifier for the custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
	// that contains the CMK. This value is present only when the CMK is created
	// in a custom key store.
	CustomKeyStoreId *string `min:"1" type:"string"`

	// Describes the type of key material in the CMK.
	CustomerMasterKeySpec *string `type:"string" enum:"CustomerMasterKeySpec"`

	// The date and time after which AWS KMS deletes this CMK. This value is present
	// only when the CMK is scheduled for deletion, that is, when its KeyState is
	// PendingDeletion.
	//
	// When the primary key in a multi-Region key is scheduled for deletion but
	// still has replica keys, its key state is PendingReplicaDeletion and the length
	// of its waiting period is displayed in the PendingDeletionWindowInDays field.
	DeletionDate *time.Time `type:"timestamp"`

	// The description of the CMK.
	Description *string `type:"string"`

	// Specifies whether the CMK is enabled. When KeyState is Enabled this value
	// is true, otherwise it is false.
	Enabled *bool `type:"boolean"`

	// The encryption algorithms that the CMK supports. You cannot use the CMK with
	// other encryption algorithms within AWS KMS.
	//
	// This value is present only when the KeyUsage of the CMK is ENCRYPT_DECRYPT.
	EncryptionAlgorithms []*string `type:"list"`

	// Specifies whether the CMK's key material expires. This value is present only
	// when Origin is EXTERNAL, otherwise this value is omitted.
	ExpirationModel *string `type:"string" enum:"ExpirationModelType"`

	// The globally unique identifier for the CMK.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// The manager of the CMK. CMKs in your AWS account are either customer managed
	// or AWS managed. For more information about the difference, see Customer Master
	// Keys (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys)
	// in the AWS Key Management Service Developer Guide.
	KeyManager *string `type:"string" enum:"KeyManagerType"`

	// The current status of the CMK.
	//
	// For more information about how key state affects the use of a CMK, see Key
	// state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
	// in the AWS Key Management Service Developer Guide.
	KeyState *string `type:"string" enum:"KeyState"`

	// The cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations)
	// for which you can use the CMK.
	KeyUsage *string `type:"string" enum:"KeyUsageType"`

	// Indicates whether the CMK is a multi-Region (True) or regional (False) key.
	// This value is True for multi-Region primary and replica CMKs and False for
	// regional CMKs.
	//
	// For more information about multi-Region keys, see Using multi-Region keys
	// (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html)
	// in the AWS Key Management Service Developer Guide.
	MultiRegion *bool `type:"boolean"`

	// Lists the primary and replica CMKs in the same multi-Region CMK. This field is
	// present only when the value of the MultiRegion field is True.
	//
	// For more information about any listed CMK, use the DescribeKey operation.
	//
	//    * MultiRegionKeyType indicates whether the CMK is a PRIMARY or REPLICA
	//    key.
	//
	//    * PrimaryKey displays the key ARN and Region of the primary key. This
	//    field displays the current CMK if it is the primary key.
	//
	//    * ReplicaKeys displays the key ARNs and Regions of all replica keys. This
	//    field includes the current CMK if it is a replica key.
	MultiRegionConfiguration *MultiRegionConfiguration `type:"structure"`

	// The source of the CMK's key material. When this value is AWS_KMS, AWS KMS
	// created the key material. When this value is EXTERNAL, the key material was
	// imported from your existing key management infrastructure or the CMK lacks
	// key material. When this value is AWS_CLOUDHSM, the key material was created
	// in the AWS CloudHSM cluster associated with a custom key store.
	Origin *string `type:"string" enum:"OriginType"`

	// The waiting period before the primary key in a multi-Region key is deleted.
	// This waiting period begins when the last of its replica keys is deleted.
	// This value is present only when the KeyState of the CMK is PendingReplicaDeletion.
	// That indicates that the CMK is the primary key in a multi-Region key, it
	// is scheduled for deletion, and it still has existing replica keys.
	//
	// When a regional CMK or a replica key in a multi-Region key is scheduled for
	// deletion, its deletion date is displayed in the DeletionDate field. However,
	// when the primary key in a multi-Region key is scheduled for deletion, its
	// waiting period doesn't begin until all of its replica keys are deleted. This
	// value displays that waiting period. When the last replica key in the multi-Region
	// key is deleted, the KeyState of the scheduled primary key changes from PendingReplicaDeletion
	// to PendingDeletion and the deletion date appears in the DeletionDate field.
	PendingDeletionWindowInDays *int64 `min:"1" type:"integer"`

	// The signing algorithms that the CMK supports. You cannot use the CMK with
	// other signing algorithms within AWS KMS.
	//
	// This field appears only when the KeyUsage of the CMK is SIGN_VERIFY.
	SigningAlgorithms []*string `type:"list"`

	// The time at which the imported key material expires. When the key material
	// expires, AWS KMS deletes the key material and the CMK becomes unusable. This
	// value is present only for CMKs whose Origin is EXTERNAL and whose ExpirationModel
	// is KEY_MATERIAL_EXPIRES, otherwise this value is omitted.
	ValidTo *time.Time `type:"timestamp"`
}

// String returns a printable rendering of the metadata, produced by
// awsutil.Prettify. The struct it renders carries identifying fields such as
// AWSAccountId and Arn.
func (s KeyMetadata) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same rendering as String.
func (s KeyMetadata) GoString() string {
	return s.String()
}

// SetAWSAccountId points AWSAccountId at a copy of v and returns s so calls
// can be chained.
func (s *KeyMetadata) SetAWSAccountId(v string) *KeyMetadata {
	s.AWSAccountId = &v
	return s
}

// SetArn points Arn at a copy of v and returns s so calls can be chained.
func (s *KeyMetadata) SetArn(v string) *KeyMetadata {
	s.Arn = &v
	return s
}

// SetCloudHsmClusterId sets the CloudHsmClusterId field's value.
func (s *KeyMetadata) SetCloudHsmClusterId(v string) *KeyMetadata {
	s.CloudHsmClusterId = &v
	return s
}

// SetCreationDate points CreationDate at a copy of v and returns s so calls
// can be chained.
func (s *KeyMetadata) SetCreationDate(v time.Time) *KeyMetadata {
	s.CreationDate = &v
	return s
}

// SetCustomKeyStoreId points CustomKeyStoreId at a copy of v and returns s so
// calls can be chained.
func (s *KeyMetadata) SetCustomKeyStoreId(v string) *KeyMetadata {
	s.CustomKeyStoreId = &v
	return s
}

// SetCustomerMasterKeySpec points CustomerMasterKeySpec at a copy of v and
// returns s so calls can be chained.
func (s *KeyMetadata) SetCustomerMasterKeySpec(v string) *KeyMetadata {
	s.CustomerMasterKeySpec = &v
	return s
}

// SetDeletionDate points DeletionDate at a copy of v and returns s so calls
// can be chained.
func (s *KeyMetadata) SetDeletionDate(v time.Time) *KeyMetadata {
	s.DeletionDate = &v
	return s
}

// SetDescription points Description at a copy of v and returns s so calls can
// be chained.
func (s *KeyMetadata) SetDescription(v string) *KeyMetadata {
	s.Description = &v
	return s
}

// SetEnabled points Enabled at a copy of v and returns s so calls can be
// chained.
func (s *KeyMetadata) SetEnabled(v bool) *KeyMetadata {
	s.Enabled = &v
	return s
}

// SetEncryptionAlgorithms stores v in EncryptionAlgorithms and returns s. The
// slice is stored as given, not copied, so it stays shared with the caller.
func (s *KeyMetadata) SetEncryptionAlgorithms(v []*string) *KeyMetadata {
	s.EncryptionAlgorithms = v
	return s
}

// SetExpirationModel points ExpirationModel at a copy of v and returns s so
// calls can be chained.
func (s *KeyMetadata) SetExpirationModel(v string) *KeyMetadata {
	s.ExpirationModel = &v
	return s
}

// SetKeyId points KeyId at a copy of v and returns s so calls can be chained.
func (s *KeyMetadata) SetKeyId(v string) *KeyMetadata {
	s.KeyId = &v
	return s
}

// SetKeyManager sets the KeyManager field's value.
func (s *KeyMetadata) SetKeyManager(v string) *KeyMetadata {
	s.KeyManager = &v
	return s
}

// SetKeyState points KeyState at a copy of v and returns s so calls can be
// chained.
func (s *KeyMetadata) SetKeyState(v string) *KeyMetadata {
	s.KeyState = &v
	return s
}

// SetKeyUsage points KeyUsage at a copy of v and returns s so calls can be
// chained.
func (s *KeyMetadata) SetKeyUsage(v string) *KeyMetadata {
	s.KeyUsage = &v
	return s
}

// SetMultiRegion points MultiRegion at a copy of v and returns s so calls can
// be chained.
func (s *KeyMetadata) SetMultiRegion(v bool) *KeyMetadata {
	s.MultiRegion = &v
	return s
}

// SetMultiRegionConfiguration stores the pointer v in MultiRegionConfiguration
// and returns s. The pointed-to value is shared with the caller, not copied.
func (s *KeyMetadata) SetMultiRegionConfiguration(v *MultiRegionConfiguration) *KeyMetadata {
	s.MultiRegionConfiguration = v
	return s
}

// SetOrigin points Origin at a copy of v and returns s so calls can be chained.
func (s *KeyMetadata) SetOrigin(v string) *KeyMetadata {
	s.Origin = &v
	return s
}

// SetPendingDeletionWindowInDays points PendingDeletionWindowInDays at a copy
// of v and returns s so calls can be chained.
func (s *KeyMetadata) SetPendingDeletionWindowInDays(v int64) *KeyMetadata {
	s.PendingDeletionWindowInDays = &v
	return s
}

// SetSigningAlgorithms stores v in SigningAlgorithms and returns s. The slice
// is stored as given, not copied, so it stays shared with the caller.
func (s *KeyMetadata) SetSigningAlgorithms(v []*string) *KeyMetadata {
	s.SigningAlgorithms = v
	return s
}

// SetValidTo points ValidTo at a copy of v and returns s so calls can be
// chained.
func (s *KeyMetadata) SetValidTo(v time.Time) *KeyMetadata {
	s.ValidTo = &v
	return s
}

// The request was rejected because the specified CMK was not available. You
// can retry the request.
type KeyUnavailableException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	// Message_ backs Message(); it is nil when no message was set.
	Message_ *string `locationName:"message" type:"string"`
}

// String returns a printable rendering of the exception, produced by
// awsutil.Prettify.
func (s KeyUnavailableException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same rendering as String.
func (s KeyUnavailableException) GoString() string {
	return s.String()
}

// newErrorKeyUnavailableException wraps the response metadata v in a
// *KeyUnavailableException and returns it as an error.
func newErrorKeyUnavailableException(v protocol.ResponseMetadata) error {
	return &KeyUnavailableException{RespMetadata: v}
}

// Code returns the exception type name.
func (s *KeyUnavailableException) Code() string {
	return "KeyUnavailableException"
}

// Message returns the exception's message, or the empty string when none is
// set.
func (s *KeyUnavailableException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil, satisfies awserr.Error interface.
func (s *KeyUnavailableException) OrigErr() error {
	return nil
}

// Error formats the exception as "<code>: <message>".
func (s *KeyUnavailableException) Error() string {
	return fmt.Sprintf("%s: %s", s.Code(), s.Message())
}

// StatusCode returns the HTTP status code for the request's response error.
func (s *KeyUnavailableException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the service's response RequestID for request.
func (s *KeyUnavailableException) RequestID() string {
	return s.RespMetadata.RequestID
}

// The request was rejected because a quota was exceeded. For more information,
// see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html)
// in the AWS Key Management Service Developer Guide.
type LimitExceededException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	// Message_ backs Message(); it is nil when no message was set.
	Message_ *string `locationName:"message" type:"string"`
}

// String returns a printable rendering of the exception, produced by
// awsutil.Prettify.
func (s LimitExceededException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same rendering as String.
func (s LimitExceededException) GoString() string {
	return s.String()
}

// newErrorLimitExceededException wraps the response metadata v in a
// *LimitExceededException and returns it as an error.
func newErrorLimitExceededException(v protocol.ResponseMetadata) error {
	return &LimitExceededException{RespMetadata: v}
}

// Code returns the exception type name.
func (s *LimitExceededException) Code() string {
	return "LimitExceededException"
}

// Message returns the exception's message, or the empty string when none is
// set.
func (s *LimitExceededException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil, satisfies awserr.Error interface.
func (s *LimitExceededException) OrigErr() error {
	return nil
}

// Error formats the exception as "<code>: <message>".
func (s *LimitExceededException) Error() string {
	return fmt.Sprintf("%s: %s", s.Code(), s.Message())
}

// StatusCode returns the HTTP status code for the request's response error.
func (s *LimitExceededException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the service's response RequestID for request.
func (s *LimitExceededException) RequestID() string {
	return s.RespMetadata.RequestID
}

// ListAliasesInput carries an optional KeyId filter and the pagination
// parameters (Limit, Marker) described on its fields.
type ListAliasesInput struct {
	_ struct{} `type:"structure"`

	// Lists only aliases that are associated with the specified CMK. Enter a CMK
	// in your AWS account.
	//
	// This parameter is optional. If you omit it, ListAliases returns all aliases
	// in the account and Region.
	//
	// Specify the key ID or key ARN of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	KeyId *string `min:"1" type:"string"`

	// Use this parameter to specify the maximum number of items to return. When
	// this value is present, AWS KMS does not return more than the specified number
	// of items, but it might return fewer.
	//
	// This value is optional. If you include a value, it must be between 1 and
	// 100, inclusive. If you do not include a value, it defaults to 50.
	Limit *int64 `min:"1" type:"integer"`

	// Use this parameter in a subsequent request after you receive a response with
	// truncated results. Set it to the value of NextMarker from the truncated response
	// you just received.
	Marker *string `min:"1" type:"string"`
}

// String returns a printable rendering of the input, produced by
// awsutil.Prettify.
func (s ListAliasesInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same rendering as String.
func (s ListAliasesInput) GoString() string {
	return s.String()
}

// Validate inspects the fields of the type to determine if they are valid.
func (s *ListAliasesInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "ListAliasesInput"}

	// Every field is optional; a field that is set must meet its minimum.
	if id := s.KeyId; id != nil && len(*id) < 1 {
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}
	// Only the lower bound is checked here; the documented maximum of 100 is
	// not enforced by this method.
	if lim := s.Limit; lim != nil && *lim < 1 {
		errs.Add(request.NewErrParamMinValue("Limit", 1))
	}
	if m := s.Marker; m != nil && len(*m) < 1 {
		errs.Add(request.NewErrParamMinLen("Marker", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetKeyId points KeyId at a copy of v and returns s so calls can be chained.
func (s *ListAliasesInput) SetKeyId(v string) *ListAliasesInput {
	s.KeyId = &v
	return s
}

// SetLimit points Limit at a copy of v and returns s so calls can be chained.
func (s *ListAliasesInput) SetLimit(v int64) *ListAliasesInput {
	s.Limit = &v
	return s
}

// SetMarker points Marker at a copy of v and returns s so calls can be chained.
func (s *ListAliasesInput) SetMarker(v string) *ListAliasesInput {
	s.Marker = &v
	return s
}

// ListAliasesOutput carries a page of aliases together with the pagination
// state (NextMarker, Truncated) described on its fields.
type ListAliasesOutput struct {
	_ struct{} `type:"structure"`

	// A list of aliases.
	Aliases []*AliasListEntry `type:"list"`

	// When Truncated is true, this element is present and contains the value to
	// use for the Marker parameter in a subsequent request.
	NextMarker *string `min:"1" type:"string"`

	// A flag that indicates whether there are more items in the list. When this
	// value is true, the list in this response is truncated. To get more items,
	// pass the value of the NextMarker element in this response to the Marker parameter
	// in a subsequent request.
	Truncated *bool `type:"boolean"`
}

// String returns a printable rendering of the output, produced by
// awsutil.Prettify.
func (s ListAliasesOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same rendering as String.
func (s ListAliasesOutput) GoString() string {
	return s.String()
}

// SetAliases stores v in Aliases and returns s. The slice is stored as given,
// not copied, so it stays shared with the caller.
func (s *ListAliasesOutput) SetAliases(v []*AliasListEntry) *ListAliasesOutput {
	s.Aliases = v
	return s
}

// SetNextMarker points NextMarker at a copy of v and returns s so calls can be
// chained.
func (s *ListAliasesOutput) SetNextMarker(v string) *ListAliasesOutput {
	s.NextMarker = &v
	return s
}

// SetTruncated points Truncated at a copy of v and returns s so calls can be
// chained.
func (s *ListAliasesOutput) SetTruncated(v bool) *ListAliasesOutput {
	s.Truncated = &v
	return s
}

// ListGrantsInput carries the required KeyId, optional grant filters and the
// pagination parameters (Limit, Marker) described on its fields.
type ListGrantsInput struct {
	_ struct{} `type:"structure"`

	// Returns only the grant with the specified grant ID. The grant ID uniquely
	// identifies the grant.
	GrantId *string `min:"1" type:"string"`

	// Returns only grants where the specified principal is the grantee principal
	// for the grant.
	GranteePrincipal *string `min:"1" type:"string"`

	// Returns only grants for the specified customer master key (CMK). This parameter
	// is required.
	//
	// Specify the key ID or key ARN of the CMK. To specify a CMK in a different
	// AWS account, you must use the key ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// Use this parameter to specify the maximum number of items to return. When
	// this value is present, AWS KMS does not return more than the specified number
	// of items, but it might return fewer.
	//
	// This value is optional. If you include a value, it must be between 1 and
	// 100, inclusive. If you do not include a value, it defaults to 50.
	Limit *int64 `min:"1" type:"integer"`

	// Use this parameter in a subsequent request after you receive a response with
	// truncated results. Set it to the value of NextMarker from the truncated response
	// you just received.
	Marker *string `min:"1" type:"string"`
}

// String returns a printable rendering of the input, produced by
// awsutil.Prettify.
func (s ListGrantsInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same rendering as String.
func (s ListGrantsInput) GoString() string {
	return s.String()
}

// Validate inspects the fields of the type to determine if they are valid.
func (s *ListGrantsInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "ListGrantsInput"}

	if id := s.GrantId; id != nil && len(*id) < 1 {
		errs.Add(request.NewErrParamMinLen("GrantId", 1))
	}
	if p := s.GranteePrincipal; p != nil && len(*p) < 1 {
		errs.Add(request.NewErrParamMinLen("GranteePrincipal", 1))
	}
	// KeyId is the only required field: report it as missing when nil,
	// otherwise apply the minimum-length check.
	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}
	// Only the lower bound is checked here; the documented maximum of 100 is
	// not enforced by this method.
	if lim := s.Limit; lim != nil && *lim < 1 {
		errs.Add(request.NewErrParamMinValue("Limit", 1))
	}
	if m := s.Marker; m != nil && len(*m) < 1 {
		errs.Add(request.NewErrParamMinLen("Marker", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetGrantId points GrantId at a copy of v and returns s so calls can be
// chained.
func (s *ListGrantsInput) SetGrantId(v string) *ListGrantsInput {
	s.GrantId = &v
	return s
}

// SetGranteePrincipal points GranteePrincipal at a copy of v and returns s so
// calls can be chained.
func (s *ListGrantsInput) SetGranteePrincipal(v string) *ListGrantsInput {
	s.GranteePrincipal = &v
	return s
}

// SetKeyId points KeyId at a copy of v and returns s so calls can be chained.
func (s *ListGrantsInput) SetKeyId(v string) *ListGrantsInput {
	s.KeyId = &v
	return s
}

// SetLimit points Limit at a copy of v and returns s so calls can be chained.
func (s *ListGrantsInput) SetLimit(v int64) *ListGrantsInput {
	s.Limit = &v
	return s
}

// SetMarker points Marker at a copy of v and returns s so calls can be chained.
func (s *ListGrantsInput) SetMarker(v string) *ListGrantsInput {
	s.Marker = &v
	return s
}

// ListGrantsResponse carries a page of grants together with the pagination
// state (NextMarker, Truncated) described on its fields.
type ListGrantsResponse struct {
	_ struct{} `type:"structure"`

	// A list of grants.
	Grants []*GrantListEntry `type:"list"`

	// When Truncated is true, this element is present and contains the value to
	// use for the Marker parameter in a subsequent request.
	NextMarker *string `min:"1" type:"string"`

	// A flag that indicates whether there are more items in the list. When this
	// value is true, the list in this response is truncated. To get more items,
	// pass the value of the NextMarker element in this response to the Marker parameter
	// in a subsequent request.
	Truncated *bool `type:"boolean"`
}

// String returns a printable rendering of the response, produced by
// awsutil.Prettify.
func (s ListGrantsResponse) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same rendering as String.
func (s ListGrantsResponse) GoString() string {
	return s.String()
}

// SetGrants stores v in Grants and returns s. The slice is stored as given,
// not copied, so it stays shared with the caller.
func (s *ListGrantsResponse) SetGrants(v []*GrantListEntry) *ListGrantsResponse {
	s.Grants = v
	return s
}

// SetNextMarker points NextMarker at a copy of v and returns s so calls can be
// chained.
func (s *ListGrantsResponse) SetNextMarker(v string) *ListGrantsResponse {
	s.NextMarker = &v
	return s
}

// SetTruncated points Truncated at a copy of v and returns s so calls can be
// chained.
func (s *ListGrantsResponse) SetTruncated(v bool) *ListGrantsResponse {
	s.Truncated = &v
	return s
}

// ListKeyPoliciesInput carries the required KeyId and the pagination
// parameters (Limit, Marker) described on its fields.
type ListKeyPoliciesInput struct {
	_ struct{} `type:"structure"`

	// Gets the names of key policies for the specified customer master key (CMK).
	//
	// Specify the key ID or key ARN of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// Use this parameter to specify the maximum number of items to return. When
	// this value is present, AWS KMS does not return more than the specified number
	// of items, but it might return fewer.
	//
	// This value is optional. If you include a value, it must be between 1 and
	// 1000, inclusive. If you do not include a value, it defaults to 100.
	//
	// Only one policy can be attached to a key.
	Limit *int64 `min:"1" type:"integer"`

	// Use this parameter in a subsequent request after you receive a response with
	// truncated results. Set it to the value of NextMarker from the truncated response
	// you just received.
	Marker *string `min:"1" type:"string"`
}

// String returns a printable rendering of the input, produced by
// awsutil.Prettify.
func (s ListKeyPoliciesInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same rendering as String.
func (s ListKeyPoliciesInput) GoString() string {
	return s.String()
}

// Validate checks the fields against the constraints in their struct tags:
// KeyId must be set and non-empty, Limit must be at least 1 when set, and
// Marker must be non-empty when set. It returns nil when every check passes,
// otherwise a request.ErrInvalidParams listing each violation. The documented
// maximum for Limit (1000) is not checked by this method.
func (s *ListKeyPoliciesInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "ListKeyPoliciesInput"}

	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}
	if lim := s.Limit; lim != nil && *lim < 1 {
		errs.Add(request.NewErrParamMinValue("Limit", 1))
	}
	if m := s.Marker; m != nil && len(*m) < 1 {
		errs.Add(request.NewErrParamMinLen("Marker", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetKeyId sets the KeyId field's value.
func (s *ListKeyPoliciesInput) SetKeyId(v string) *ListKeyPoliciesInput {
	s.KeyId = &v
	return s
}

// SetLimit points Limit at a copy of v and returns s so calls can be chained.
func (s *ListKeyPoliciesInput) SetLimit(v int64) *ListKeyPoliciesInput {
	s.Limit = &v
	return s
}

// SetMarker points Marker at a copy of v and returns s so calls can be chained.
func (s *ListKeyPoliciesInput) SetMarker(v string) *ListKeyPoliciesInput {
	s.Marker = &v
	return s
}

// ListKeyPoliciesOutput carries a page of key policy names together with the
// pagination state (NextMarker, Truncated) described on its fields.
type ListKeyPoliciesOutput struct {
	_ struct{} `type:"structure"`

	// When Truncated is true, this element is present and contains the value to
	// use for the Marker parameter in a subsequent request.
	NextMarker *string `min:"1" type:"string"`

	// A list of key policy names. The only valid value is default.
	PolicyNames []*string `type:"list"`

	// A flag that indicates whether there are more items in the list. When this
	// value is true, the list in this response is truncated. To get more items,
	// pass the value of the NextMarker element in this response to the Marker parameter
	// in a subsequent request.
	Truncated *bool `type:"boolean"`
}

// String returns a printable rendering of the output, produced by
// awsutil.Prettify.
func (s ListKeyPoliciesOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same rendering as String.
func (s ListKeyPoliciesOutput) GoString() string {
	return s.String()
}

// SetNextMarker points NextMarker at a copy of v and returns s so calls can be
// chained.
func (s *ListKeyPoliciesOutput) SetNextMarker(v string) *ListKeyPoliciesOutput {
	s.NextMarker = &v
	return s
}

// SetPolicyNames stores v in PolicyNames and returns s. The slice is stored as
// given, not copied, so it stays shared with the caller.
func (s *ListKeyPoliciesOutput) SetPolicyNames(v []*string) *ListKeyPoliciesOutput {
	s.PolicyNames = v
	return s
}

// SetTruncated sets the Truncated field's value.
func (s *ListKeyPoliciesOutput) SetTruncated(v bool) *ListKeyPoliciesOutput {
	s.Truncated = &v
	return s
}

// ListKeysInput carries the pagination parameters (Limit, Marker) described on
// its fields.
type ListKeysInput struct {
	_ struct{} `type:"structure"`

	// Use this parameter to specify the maximum number of items to return. When
	// this value is present, AWS KMS does not return more than the specified number
	// of items, but it might return fewer.
	//
	// This value is optional. If you include a value, it must be between 1 and
	// 1000, inclusive. If you do not include a value, it defaults to 100.
	Limit *int64 `min:"1" type:"integer"`

	// Use this parameter in a subsequent request after you receive a response with
	// truncated results. Set it to the value of NextMarker from the truncated response
	// you just received.
	Marker *string `min:"1" type:"string"`
}

// String returns a printable rendering of the input, produced by
// awsutil.Prettify.
func (s ListKeysInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same rendering as String.
func (s ListKeysInput) GoString() string {
	return s.String()
}

// Validate checks the fields against the constraints in their struct tags:
// Limit must be at least 1 when set and Marker must be non-empty when set. It
// returns nil when both checks pass, otherwise a request.ErrInvalidParams
// listing each violation. The documented maximum for Limit (1000) is not
// checked by this method.
func (s *ListKeysInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "ListKeysInput"}

	if lim := s.Limit; lim != nil && *lim < 1 {
		errs.Add(request.NewErrParamMinValue("Limit", 1))
	}
	if m := s.Marker; m != nil && len(*m) < 1 {
		errs.Add(request.NewErrParamMinLen("Marker", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetLimit points Limit at a copy of v and returns s so calls can be chained.
func (s *ListKeysInput) SetLimit(v int64) *ListKeysInput {
	s.Limit = &v
	return s
}

// SetMarker sets the Marker field's value.
func (s *ListKeysInput) SetMarker(v string) *ListKeysInput {
	s.Marker = &v
	return s
}

// ListKeysOutput carries a page of key list entries together with the
// pagination state (NextMarker, Truncated) described on its fields.
type ListKeysOutput struct {
	_ struct{} `type:"structure"`

	// A list of customer master keys (CMKs).
	Keys []*KeyListEntry `type:"list"`

	// When Truncated is true, this element is present and contains the value to
	// use for the Marker parameter in a subsequent request.
	NextMarker *string `min:"1" type:"string"`

	// A flag that indicates whether there are more items in the list. When this
	// value is true, the list in this response is truncated. To get more items,
	// pass the value of the NextMarker element in this response to the Marker parameter
	// in a subsequent request.
	Truncated *bool `type:"boolean"`
}

// String returns a printable rendering of the output, produced by
// awsutil.Prettify.
func (s ListKeysOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same rendering as String.
func (s ListKeysOutput) GoString() string {
	return s.String()
}

// SetKeys stores v in Keys and returns s. The slice is stored as given, not
// copied, so it stays shared with the caller.
func (s *ListKeysOutput) SetKeys(v []*KeyListEntry) *ListKeysOutput {
	s.Keys = v
	return s
}

// SetNextMarker points NextMarker at a copy of v and returns s so calls can be
// chained.
func (s *ListKeysOutput) SetNextMarker(v string) *ListKeysOutput {
	s.NextMarker = &v
	return s
}

// SetTruncated points Truncated at a copy of v and returns s so calls can be
// chained.
func (s *ListKeysOutput) SetTruncated(v bool) *ListKeysOutput {
	s.Truncated = &v
	return s
}

// ListResourceTagsInput carries the required KeyId and the pagination
// parameters (Limit, Marker) described on its fields.
type ListResourceTagsInput struct {
	_ struct{} `type:"structure"`

	// Gets tags on the specified customer master key (CMK).
	//
	// Specify the key ID or key ARN of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// Use this parameter to specify the maximum number of items to return. When
	// this value is present, AWS KMS does not return more than the specified number
	// of items, but it might return fewer.
	//
	// This value is optional. If you include a value, it must be between 1 and
	// 50, inclusive. If you do not include a value, it defaults to 50.
	Limit *int64 `min:"1" type:"integer"`

	// Use this parameter in a subsequent request after you receive a response with
	// truncated results. Set it to the value of NextMarker from the truncated response
	// you just received.
	//
	// Do not attempt to construct this value. Use only the value of NextMarker
	// from the truncated response you just received.
	Marker *string `min:"1" type:"string"`
}

// String returns a printable rendering of the input, produced by
// awsutil.Prettify.
func (s ListResourceTagsInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same rendering as String.
func (s ListResourceTagsInput) GoString() string {
	return s.String()
}

// Validate inspects the fields of the type to determine if they are valid.
func (s *ListResourceTagsInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "ListResourceTagsInput"}

	// KeyId must be present and at least one byte long.
	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}
	// Only the lower bound of Limit is checked; the upper bound of 50 stated
	// on the field is not enforced by this method.
	if s.Limit != nil && *s.Limit < 1 {
		errs.Add(request.NewErrParamMinValue("Limit", 1))
	}
	if s.Marker != nil && len(*s.Marker) < 1 {
		errs.Add(request.NewErrParamMinLen("Marker", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetKeyId sets the KeyId field's value.
func (s *ListResourceTagsInput) SetKeyId(v string) *ListResourceTagsInput {
	s.KeyId = &v
	return s
}

// SetLimit sets the Limit field's value.
func (s *ListResourceTagsInput) SetLimit(v int64) *ListResourceTagsInput {
	s.Limit = &v
	return s
}

// SetMarker sets the Marker field's value.
func (s *ListResourceTagsInput) SetMarker(v string) *ListResourceTagsInput {
	s.Marker = &v
	return s
}

// ListResourceTagsOutput carries a list of Tag values together with the
// NextMarker and Truncated pagination fields.
type ListResourceTagsOutput struct {
	_ struct{} `type:"structure"`

	// When Truncated is true, this element is present and contains the value to
	// use for the Marker parameter in a subsequent request.
	//
	// Do not assume or infer any information from this value.
	NextMarker *string `min:"1" type:"string"`

	// A list of tags. Each tag consists of a tag key and a tag value.
	//
	// Tagging or untagging a CMK can allow or deny permission to the CMK. For details,
	// see Using ABAC in AWS KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html)
	// in the AWS Key Management Service Developer Guide.
	Tags []*Tag `type:"list"`

	// A flag that indicates whether there are more items in the list. When this
	// value is true, the list in this response is truncated. To get more items,
	// pass the value of the NextMarker element in this response to the Marker
	// parameter in a subsequent request.
	Truncated *bool `type:"boolean"`
}

// String returns the string representation produced by awsutil.Prettify.
func (s ListResourceTagsOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s ListResourceTagsOutput) GoString() string {
	return s.String()
}

// SetNextMarker sets the NextMarker field's value.
func (s *ListResourceTagsOutput) SetNextMarker(v string) *ListResourceTagsOutput {
	s.NextMarker = &v
	return s
}

// SetTags sets the Tags field's value. The slice is stored as passed, not copied.
func (s *ListResourceTagsOutput) SetTags(v []*Tag) *ListResourceTagsOutput {
	s.Tags = v
	return s
}

// SetTruncated sets the Truncated field's value.
func (s *ListResourceTagsOutput) SetTruncated(v bool) *ListResourceTagsOutput {
	s.Truncated = &v
	return s
}

// ListRetirableGrantsInput names the retiring principal whose grants are to be
// listed, plus the optional Limit and Marker paging fields.
type ListRetirableGrantsInput struct {
	_ struct{} `type:"structure"`

	// Use this parameter to specify the maximum number of items to return. When
	// this value is present, AWS KMS does not return more than the specified number
	// of items, but it might return fewer.
	//
	// This value is optional. If you include a value, it must be between 1 and
	// 100, inclusive. If you do not include a value, it defaults to 50.
	Limit *int64 `min:"1" type:"integer"`

	// Use this parameter in a subsequent request after you receive a response with
	// truncated results. Set it to the value of NextMarker from the truncated response
	// you just received.
	Marker *string `min:"1" type:"string"`

	// The retiring principal for which to list grants. Enter a principal in your
	// AWS account.
	//
	// To specify the retiring principal, use the Amazon Resource Name (ARN) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
	// of an AWS principal. Valid AWS principals include AWS accounts (root), IAM
	// users, federated users, and assumed role users. For examples of the ARN syntax
	// for specifying a principal, see AWS Identity and Access Management (IAM)
	// (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam)
	// in the Example ARNs section of the Amazon Web Services General Reference.
	//
	// RetiringPrincipal is a required field
	RetiringPrincipal *string `min:"1" type:"string" required:"true"`
}

// String returns the string representation produced by awsutil.Prettify.
func (s ListRetirableGrantsInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s ListRetirableGrantsInput) GoString() string {
	return s.String()
}

// Validate inspects the fields of the type to determine if they are valid.
func (s *ListRetirableGrantsInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "ListRetirableGrantsInput"}

	// Only the lower bound of Limit is checked; the upper bound of 100 stated
	// on the field is not enforced by this method.
	if s.Limit != nil && *s.Limit < 1 {
		errs.Add(request.NewErrParamMinValue("Limit", 1))
	}
	if s.Marker != nil && len(*s.Marker) < 1 {
		errs.Add(request.NewErrParamMinLen("Marker", 1))
	}
	// RetiringPrincipal must be present and non-empty; its ARN syntax is not
	// inspected here.
	switch {
	case s.RetiringPrincipal == nil:
		errs.Add(request.NewErrParamRequired("RetiringPrincipal"))
	case len(*s.RetiringPrincipal) < 1:
		errs.Add(request.NewErrParamMinLen("RetiringPrincipal", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetLimit sets the Limit field's value.
func (s *ListRetirableGrantsInput) SetLimit(v int64) *ListRetirableGrantsInput {
	s.Limit = &v
	return s
}

// SetMarker sets the Marker field's value.
func (s *ListRetirableGrantsInput) SetMarker(v string) *ListRetirableGrantsInput {
	s.Marker = &v
	return s
}

// SetRetiringPrincipal sets the RetiringPrincipal field's value.
func (s *ListRetirableGrantsInput) SetRetiringPrincipal(v string) *ListRetirableGrantsInput {
	s.RetiringPrincipal = &v
	return s
}

// The request was rejected because the specified policy is not syntactically
// or semantically correct.
type MalformedPolicyDocumentException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
}

// String returns the string representation produced by awsutil.Prettify.
func (s MalformedPolicyDocumentException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s MalformedPolicyDocumentException) GoString() string {
	return s.String()
}

// newErrorMalformedPolicyDocumentException builds a
// *MalformedPolicyDocumentException that carries v as its response metadata.
func newErrorMalformedPolicyDocumentException(v protocol.ResponseMetadata) error {
	return &MalformedPolicyDocumentException{RespMetadata: v}
}

// Code returns the exception type name.
func (s *MalformedPolicyDocumentException) Code() string {
	return "MalformedPolicyDocumentException"
}

// Message returns the exception's message, or "" when Message_ is nil.
func (s *MalformedPolicyDocumentException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil, satisfies awserr.Error interface.
func (s *MalformedPolicyDocumentException) OrigErr() error {
	return nil
}

// Error formats the exception as "<Code>: <Message>".
func (s *MalformedPolicyDocumentException) Error() string {
	return fmt.Sprintf("%s: %s", s.Code(), s.Message())
}

// StatusCode returns the HTTP status code for the request's response error.
func (s *MalformedPolicyDocumentException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the service's response RequestID for request.
func (s *MalformedPolicyDocumentException) RequestID() string {
	return s.RespMetadata.RequestID
}

// Describes the configuration of this multi-Region CMK. This field appears
// only when the CMK is a primary or replica of a multi-Region CMK.
//
// For more information about any listed CMK, use the DescribeKey operation.
type MultiRegionConfiguration struct {
	_ struct{} `type:"structure"`

	// Indicates whether the CMK is a PRIMARY or REPLICA key.
	MultiRegionKeyType *string `type:"string" enum:"MultiRegionKeyType"`

	// Displays the key ARN and Region of the primary key. This field includes the
	// current CMK if it is the primary key.
	PrimaryKey *MultiRegionKey `type:"structure"`

	// Displays the key ARNs and Regions of all replica keys. This field includes
	// the current CMK if it is a replica key.
	ReplicaKeys []*MultiRegionKey `type:"list"`
}

// String returns the string representation produced by awsutil.Prettify.
func (s MultiRegionConfiguration) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s MultiRegionConfiguration) GoString() string {
	return s.String()
}

// SetMultiRegionKeyType sets the MultiRegionKeyType field's value.
func (s *MultiRegionConfiguration) SetMultiRegionKeyType(v string) *MultiRegionConfiguration {
	s.MultiRegionKeyType = &v
	return s
}

// SetPrimaryKey sets the PrimaryKey field's value. The pointer is stored as passed.
func (s *MultiRegionConfiguration) SetPrimaryKey(v *MultiRegionKey) *MultiRegionConfiguration {
	s.PrimaryKey = v
	return s
}

// SetReplicaKeys sets the ReplicaKeys field's value. The slice is stored as
// passed, not copied.
func (s *MultiRegionConfiguration) SetReplicaKeys(v []*MultiRegionKey) *MultiRegionConfiguration {
	s.ReplicaKeys = v
	return s
}

// Describes the primary or replica key in a multi-Region key.
type MultiRegionKey struct {
	_ struct{} `type:"structure"`

	// Displays the key ARN of a primary or replica key of a multi-Region key.
	Arn *string `min:"20" type:"string"`

	// Displays the AWS Region of a primary or replica key in a multi-Region key.
	Region *string `min:"1" type:"string"`
}

// String returns the string representation produced by awsutil.Prettify.
func (s MultiRegionKey) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s MultiRegionKey) GoString() string {
	return s.String()
}

// SetArn sets the Arn field's value.
func (s *MultiRegionKey) SetArn(v string) *MultiRegionKey {
	s.Arn = &v
	return s
}

// SetRegion sets the Region field's value.
func (s *MultiRegionKey) SetRegion(v string) *MultiRegionKey {
	s.Region = &v
	return s
}

// The request was rejected because the specified entity or resource could not
// be found.
type NotFoundException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
}

// String returns the string representation produced by awsutil.Prettify.
func (s NotFoundException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s NotFoundException) GoString() string {
	return s.String()
}

// newErrorNotFoundException builds a *NotFoundException that carries v as its
// response metadata.
func newErrorNotFoundException(v protocol.ResponseMetadata) error {
	return &NotFoundException{RespMetadata: v}
}

// Code returns the exception type name.
func (s *NotFoundException) Code() string {
	return "NotFoundException"
}

// Message returns the exception's message, or "" when Message_ is nil.
func (s *NotFoundException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil, satisfies awserr.Error interface.
func (s *NotFoundException) OrigErr() error {
	return nil
}

// Error formats the exception as "<Code>: <Message>".
func (s *NotFoundException) Error() string {
	return fmt.Sprintf("%s: %s", s.Code(), s.Message())
}

// StatusCode returns the HTTP status code for the request's response error.
func (s *NotFoundException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the service's response RequestID for request.
func (s *NotFoundException) RequestID() string {
	return s.RespMetadata.RequestID
}

// PutKeyPolicyInput names a CMK and the key policy document to attach to it.
type PutKeyPolicyInput struct {
	_ struct{} `type:"structure"`

	// A flag to indicate whether to bypass the key policy lockout safety check.
	//
	// Setting this value to true increases the risk that the CMK becomes unmanageable.
	// Do not set this value to true indiscriminately.
	//
	// For more information, refer to the scenario in the Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam)
	// section in the AWS Key Management Service Developer Guide.
	//
	// Use this parameter only when you intend to prevent the principal that is
	// making the request from making a subsequent PutKeyPolicy request on the CMK.
	//
	// The default value is false.
	BypassPolicyLockoutSafetyCheck *bool `type:"boolean"`

	// Sets the key policy on the specified customer master key (CMK).
	//
	// Specify the key ID or key ARN of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// The key policy to attach to the CMK.
	//
	// The key policy must meet the following criteria:
	//
	//    * If you don't set BypassPolicyLockoutSafetyCheck to true, the key policy
	//    must allow the principal that is making the PutKeyPolicy request to make
	//    a subsequent PutKeyPolicy request on the CMK. This reduces the risk that
	//    the CMK becomes unmanageable. For more information, refer to the scenario
	//    in the Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam)
	//    section of the AWS Key Management Service Developer Guide.
	//
	//    * Each statement in the key policy must contain one or more principals.
	//    The principals in the key policy must exist and be visible to AWS KMS.
	//    When you create a new AWS principal (for example, an IAM user or role),
	//    you might need to enforce a delay before including the new principal in
	//    a key policy because the new principal might not be immediately visible
	//    to AWS KMS. For more information, see Changes that I make are not always
	//    immediately visible (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency)
	//    in the AWS Identity and Access Management User Guide.
	//
	// The key policy cannot exceed 32 kilobytes (32768 bytes). For more information,
	// see Resource Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/resource-limits.html)
	// in the AWS Key Management Service Developer Guide.
	//
	// Policy is a required field
	Policy *string `min:"1" type:"string" required:"true"`

	// The name of the key policy. The only valid value is default.
	//
	// PolicyName is a required field
	PolicyName *string `min:"1" type:"string" required:"true"`
}

// String returns the string representation produced by awsutil.Prettify.
func (s PutKeyPolicyInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s PutKeyPolicyInput) GoString() string {
	return s.String()
}

// Validate inspects the fields of the type to determine if they are valid.
//
// The checks are limited to presence and a minimum length of 1 for KeyId,
// Policy and PolicyName. The policy document is not parsed, the 32768-byte
// quota stated on the Policy field is not checked, and PolicyName is not
// compared with "default".
func (s *PutKeyPolicyInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "PutKeyPolicyInput"}

	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}
	switch {
	case s.Policy == nil:
		errs.Add(request.NewErrParamRequired("Policy"))
	case len(*s.Policy) < 1:
		errs.Add(request.NewErrParamMinLen("Policy", 1))
	}
	switch {
	case s.PolicyName == nil:
		errs.Add(request.NewErrParamRequired("PolicyName"))
	case len(*s.PolicyName) < 1:
		errs.Add(request.NewErrParamMinLen("PolicyName", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetBypassPolicyLockoutSafetyCheck sets the BypassPolicyLockoutSafetyCheck field's value.
// The field comment describes the risk of passing true.
func (s *PutKeyPolicyInput) SetBypassPolicyLockoutSafetyCheck(v bool) *PutKeyPolicyInput {
	s.BypassPolicyLockoutSafetyCheck = &v
	return s
}

// SetKeyId sets the KeyId field's value.
func (s *PutKeyPolicyInput) SetKeyId(v string) *PutKeyPolicyInput {
	s.KeyId = &v
	return s
}

// SetPolicy sets the Policy field's value.
func (s *PutKeyPolicyInput) SetPolicy(v string) *PutKeyPolicyInput {
	s.Policy = &v
	return s
}

// SetPolicyName sets the PolicyName field's value.
func (s *PutKeyPolicyInput) SetPolicyName(v string) *PutKeyPolicyInput {
	s.PolicyName = &v
	return s
}

// PutKeyPolicyOutput declares no data fields.
type PutKeyPolicyOutput struct {
	_ struct{} `type:"structure"`
}

// String returns the string representation produced by awsutil.Prettify.
func (s PutKeyPolicyOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s PutKeyPolicyOutput) GoString() string {
	return s.String()
}

// ReEncryptInput holds the ciphertext to reencrypt together with the source
// and destination key, algorithm and encryption-context settings.
type ReEncryptInput struct {
	_ struct{} `type:"structure"`

	// Ciphertext of the data to reencrypt.
	//
	// CiphertextBlob is automatically base64 encoded/decoded by the SDK.
	//
	// CiphertextBlob is a required field
	CiphertextBlob []byte `min:"1" type:"blob" required:"true"`

	// Specifies the encryption algorithm that AWS KMS will use to reencrypt the
	// data after it has decrypted it. The default value, SYMMETRIC_DEFAULT, represents
	// the encryption algorithm used for symmetric CMKs.
	//
	// This parameter is required only when the destination CMK is an asymmetric
	// CMK.
	DestinationEncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"`

	// Specifies the encryption context to use when reencrypting the data.
	//
	// A destination encryption context is valid only when the destination CMK is
	// a symmetric CMK. The standard ciphertext format for asymmetric CMKs does
	// not include fields for metadata.
	//
	// An encryption context is a collection of non-secret key-value pairs that
	// represents additional authenticated data. When you use an encryption context
	// to encrypt data, you must specify the same (an exact case-sensitive match)
	// encryption context to decrypt the data. An encryption context is optional
	// when encrypting with a symmetric CMK, but it is highly recommended.
	//
	// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context)
	// in the AWS Key Management Service Developer Guide.
	DestinationEncryptionContext map[string]*string `type:"map"`

	// A unique identifier for the CMK that is used to reencrypt the data. Specify
	// a symmetric or asymmetric CMK with a KeyUsage value of ENCRYPT_DECRYPT. To
	// find the KeyUsage value of a CMK, use the DescribeKey operation.
	//
	// To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When
	// using an alias name, prefix it with "alias/". To specify a CMK in a different
	// AWS account, you must use the key ARN or alias ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Alias name: alias/ExampleAlias
	//
	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To
	// get the alias name and alias ARN, use ListAliases.
	//
	// DestinationKeyId is a required field
	DestinationKeyId *string `min:"1" type:"string" required:"true"`

	// A list of grant tokens.
	//
	// Use a grant token when your permission to call this operation comes from
	// a new grant that has not yet achieved eventual consistency. For more information,
	// see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
	// in the AWS Key Management Service Developer Guide.
	GrantTokens []*string `type:"list"`

	// Specifies the encryption algorithm that AWS KMS will use to decrypt the ciphertext
	// before it is reencrypted. The default value, SYMMETRIC_DEFAULT, represents
	// the algorithm used for symmetric CMKs.
	//
	// Specify the same algorithm that was used to encrypt the ciphertext. If you
	// specify a different algorithm, the decrypt attempt fails.
	//
	// This parameter is required only when the ciphertext was encrypted under an
	// asymmetric CMK.
	SourceEncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"`

	// Specifies the encryption context to use to decrypt the ciphertext. Enter
	// the same encryption context that was used to encrypt the ciphertext.
	//
	// An encryption context is a collection of non-secret key-value pairs that
	// represents additional authenticated data. When you use an encryption context
	// to encrypt data, you must specify the same (an exact case-sensitive match)
	// encryption context to decrypt the data. An encryption context is optional
	// when encrypting with a symmetric CMK, but it is highly recommended.
	//
	// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context)
	// in the AWS Key Management Service Developer Guide.
	SourceEncryptionContext map[string]*string `type:"map"`

	// Specifies the customer master key (CMK) that AWS KMS will use to decrypt
	// the ciphertext before it is re-encrypted. Enter a key ID of the CMK that
	// was used to encrypt the ciphertext.
	//
	// This parameter is required only when the ciphertext was encrypted under an
	// asymmetric CMK. If you used a symmetric CMK, AWS KMS can get the CMK from
	// metadata that it adds to the symmetric ciphertext blob. However, specifying
	// it is always recommended as a best practice. This practice ensures that you
	// use the CMK that you intend.
	//
	// To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When
	// using an alias name, prefix it with "alias/". To specify a CMK in a different
	// AWS account, you must use the key ARN or alias ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Alias name: alias/ExampleAlias
	//
	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To
	// get the alias name and alias ARN, use ListAliases.
	SourceKeyId *string `min:"1" type:"string"`
}

// String returns the string representation produced by awsutil.Prettify.
//
// NOTE(review): the whole struct, including CiphertextBlob and both encryption
// contexts, is handed to Prettify; confirm what it prints before writing this
// value to logs.
func (s ReEncryptInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s ReEncryptInput) GoString() string {
	return s.String()
}

// Validate inspects the fields of the type to determine if they are valid.
func (s *ReEncryptInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "ReEncryptInput"}

	// CiphertextBlob and DestinationKeyId must be present and non-empty.
	switch {
	case s.CiphertextBlob == nil:
		errs.Add(request.NewErrParamRequired("CiphertextBlob"))
	case len(s.CiphertextBlob) < 1:
		errs.Add(request.NewErrParamMinLen("CiphertextBlob", 1))
	}
	switch {
	case s.DestinationKeyId == nil:
		errs.Add(request.NewErrParamRequired("DestinationKeyId"))
	case len(*s.DestinationKeyId) < 1:
		errs.Add(request.NewErrParamMinLen("DestinationKeyId", 1))
	}
	// SourceKeyId stays optional here even though its field comment recommends
	// always supplying it; only an empty string is rejected.
	if s.SourceKeyId != nil && len(*s.SourceKeyId) < 1 {
		errs.Add(request.NewErrParamMinLen("SourceKeyId", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetCiphertextBlob sets the CiphertextBlob field's value. The slice is stored
// as passed, not copied.
func (s *ReEncryptInput) SetCiphertextBlob(v []byte) *ReEncryptInput {
	s.CiphertextBlob = v
	return s
}

// SetDestinationEncryptionAlgorithm sets the DestinationEncryptionAlgorithm field's value.
func (s *ReEncryptInput) SetDestinationEncryptionAlgorithm(v string) *ReEncryptInput {
	s.DestinationEncryptionAlgorithm = &v
	return s
}

// SetDestinationEncryptionContext sets the DestinationEncryptionContext field's value.
// The map is stored as passed, not copied.
func (s *ReEncryptInput) SetDestinationEncryptionContext(v map[string]*string) *ReEncryptInput {
	s.DestinationEncryptionContext = v
	return s
}

// SetDestinationKeyId sets the DestinationKeyId field's value.
func (s *ReEncryptInput) SetDestinationKeyId(v string) *ReEncryptInput {
	s.DestinationKeyId = &v
	return s
}

// SetGrantTokens sets the GrantTokens field's value.
func (s *ReEncryptInput) SetGrantTokens(v []*string) *ReEncryptInput {
	// The slice is stored as passed, not copied.
	s.GrantTokens = v
	return s
}

// SetSourceEncryptionAlgorithm sets the SourceEncryptionAlgorithm field's value.
func (s *ReEncryptInput) SetSourceEncryptionAlgorithm(v string) *ReEncryptInput {
	s.SourceEncryptionAlgorithm = &v
	return s
}

// SetSourceEncryptionContext sets the SourceEncryptionContext field's value.
// The map is stored as passed, not copied.
func (s *ReEncryptInput) SetSourceEncryptionContext(v map[string]*string) *ReEncryptInput {
	s.SourceEncryptionContext = v
	return s
}

// SetSourceKeyId sets the SourceKeyId field's value.
func (s *ReEncryptInput) SetSourceKeyId(v string) *ReEncryptInput {
	s.SourceKeyId = &v
	return s
}

// ReEncryptOutput carries the reencrypted ciphertext together with the key
// identifiers and algorithms reported for the source and destination side.
type ReEncryptOutput struct {
	_ struct{} `type:"structure"`

	// The reencrypted data. When you use the HTTP API or the AWS CLI, the value
	// is Base64-encoded. Otherwise, it is not Base64-encoded.
	//
	// CiphertextBlob is automatically base64 encoded/decoded by the SDK.
	CiphertextBlob []byte `min:"1" type:"blob"`

	// The encryption algorithm that was used to reencrypt the data.
	DestinationEncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"`

	// The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN))
	// of the CMK that was used to reencrypt the data.
	KeyId *string `min:"1" type:"string"`

	// The encryption algorithm that was used to decrypt the ciphertext before it
	// was reencrypted.
	SourceEncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"`

	// Unique identifier of the CMK used to originally encrypt the data.
	SourceKeyId *string `min:"1" type:"string"`
}

// String returns the string representation produced by awsutil.Prettify.
func (s ReEncryptOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s ReEncryptOutput) GoString() string {
	return s.String()
}

// SetCiphertextBlob sets the CiphertextBlob field's value. The slice is stored
// as passed, not copied.
func (s *ReEncryptOutput) SetCiphertextBlob(v []byte) *ReEncryptOutput {
	s.CiphertextBlob = v
	return s
}

// SetDestinationEncryptionAlgorithm sets the DestinationEncryptionAlgorithm field's value.
func (s *ReEncryptOutput) SetDestinationEncryptionAlgorithm(v string) *ReEncryptOutput {
	s.DestinationEncryptionAlgorithm = &v
	return s
}

// SetKeyId sets the KeyId field's value.
func (s *ReEncryptOutput) SetKeyId(v string) *ReEncryptOutput {
	s.KeyId = &v
	return s
}

// SetSourceEncryptionAlgorithm sets the SourceEncryptionAlgorithm field's value.
func (s *ReEncryptOutput) SetSourceEncryptionAlgorithm(v string) *ReEncryptOutput {
	s.SourceEncryptionAlgorithm = &v
	return s
}

// SetSourceKeyId sets the SourceKeyId field's value.
func (s *ReEncryptOutput) SetSourceKeyId(v string) *ReEncryptOutput {
	s.SourceKeyId = &v
	return s
}

type ReplicateKeyInput struct {
	_ struct{} `type:"structure"`

	// A flag to indicate whether to bypass the key policy lockout safety check.
	//
	// Setting this value to true increases the risk that the CMK becomes unmanageable.
	// Do not set this value to true indiscriminately.
	//
	// For more information, refer to the scenario in the Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam)
	// section in the AWS Key Management Service Developer Guide.
14686 // 14687 // Use this parameter only when you intend to prevent the principal that is 14688 // making the request from making a subsequent PutKeyPolicy request on the CMK. 14689 // 14690 // The default value is false. 14691 BypassPolicyLockoutSafetyCheck *bool `type:"boolean"` 14692 14693 // A description of the CMK. Use a description that helps you decide whether 14694 // the CMK is appropriate for a task. The default value is an empty string (no 14695 // description). 14696 // 14697 // The description is not a shared property of multi-Region keys. You can specify 14698 // the same description or a different description for each key in a set of 14699 // related multi-Region keys. AWS KMS does not synchronize this property. 14700 Description *string `type:"string"` 14701 14702 // Identifies the multi-Region primary key that is being replicated. To determine 14703 // whether a CMK is a multi-Region primary key, use the DescribeKey operation 14704 // to check the value of the MultiRegionKeyType property. 14705 // 14706 // Specify the key ID or key ARN of a multi-Region primary key. 14707 // 14708 // For example: 14709 // 14710 // * Key ID: mrk-1234abcd12ab34cd56ef1234567890ab 14711 // 14712 // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab 14713 // 14714 // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. 14715 // 14716 // KeyId is a required field 14717 KeyId *string `min:"1" type:"string" required:"true"` 14718 14719 // The key policy to attach to the CMK. This parameter is optional. If you do 14720 // not provide a key policy, AWS KMS attaches the default key policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) 14721 // to the CMK. 14722 // 14723 // The key policy is not a shared property of multi-Region keys. You can specify 14724 // the same key policy or a different key policy for each key in a set of related 14725 // multi-Region keys. 
AWS KMS does not synchronize this property. 14726 // 14727 // If you provide a key policy, it must meet the following criteria: 14728 // 14729 // * If you don't set BypassPolicyLockoutSafetyCheck to true, the key policy 14730 // must give the caller kms:PutKeyPolicy permission on the replica CMK. This 14731 // reduces the risk that the CMK becomes unmanageable. For more information, 14732 // refer to the scenario in the Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) 14733 // section of the AWS Key Management Service Developer Guide . 14734 // 14735 // * Each statement in the key policy must contain one or more principals. 14736 // The principals in the key policy must exist and be visible to AWS KMS. 14737 // When you create a new AWS principal (for example, an IAM user or role), 14738 // you might need to enforce a delay before including the new principal in 14739 // a key policy because the new principal might not be immediately visible 14740 // to AWS KMS. For more information, see Changes that I make are not always 14741 // immediately visible (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency) 14742 // in the AWS Identity and Access Management User Guide. 14743 // 14744 // * The key policy size quota is 32 kilobytes (32768 bytes). 14745 Policy *string `min:"1" type:"string"` 14746 14747 // The Region ID of the AWS Region for this replica key. 14748 // 14749 // Enter the Region ID, such as us-east-1 or ap-southeast-2. For a list of AWS 14750 // Regions in which AWS KMS is supported, see AWS KMS service endpoints (https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region) 14751 // in the Amazon Web Services General Reference. 14752 // 14753 // The replica must be in a different AWS Region than its primary key and other 14754 // replicas of that primary key, but in the same AWS partition. 
AWS KMS must 14755 // be available in the replica Region. If the Region is not enabled by default, 14756 // the AWS account must be enabled in the Region. 14757 // 14758 // For information about AWS partitions, see Amazon Resource Names (ARNs) in 14759 // the Amazon Web Services General Reference. (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) 14760 // For information about enabling and disabling Regions, see Enabling a Region 14761 // (https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable) 14762 // and Disabling a Region (https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable) 14763 // in the Amazon Web Services General Reference. 14764 // 14765 // ReplicaRegion is a required field 14766 ReplicaRegion *string `min:"1" type:"string" required:"true"` 14767 14768 // Assigns one or more tags to the replica key. Use this parameter to tag the 14769 // CMK when it is created. To tag an existing CMK, use the TagResource operation. 14770 // 14771 // Tagging or untagging a CMK can allow or deny permission to the CMK. For details, 14772 // see Using ABAC in AWS KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) 14773 // in the AWS Key Management Service Developer Guide. 14774 // 14775 // To use this parameter, you must have kms:TagResource (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) 14776 // permission in an IAM policy. 14777 // 14778 // Tags are not a shared property of multi-Region keys. You can specify the 14779 // same tags or different tags for each key in a set of related multi-Region 14780 // keys. AWS KMS does not synchronize this property. 14781 // 14782 // Each tag consists of a tag key and a tag value. Both the tag key and the 14783 // tag value are required, but the tag value can be an empty (null) string. 14784 // You cannot have more than one tag on a CMK with the same tag key. 
If you 14785 // specify an existing tag key with a different tag value, AWS KMS replaces 14786 // the current tag value with the specified one. 14787 // 14788 // When you assign tags to an AWS resource, AWS generates a cost allocation 14789 // report with usage and costs aggregated by tags. Tags can also be used to 14790 // control access to a CMK. For details, see Tagging Keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html). 14791 Tags []*Tag `type:"list"` 14792} 14793 14794// String returns the string representation 14795func (s ReplicateKeyInput) String() string { 14796 return awsutil.Prettify(s) 14797} 14798 14799// GoString returns the string representation 14800func (s ReplicateKeyInput) GoString() string { 14801 return s.String() 14802} 14803 14804// Validate inspects the fields of the type to determine if they are valid. 14805func (s *ReplicateKeyInput) Validate() error { 14806 invalidParams := request.ErrInvalidParams{Context: "ReplicateKeyInput"} 14807 if s.KeyId == nil { 14808 invalidParams.Add(request.NewErrParamRequired("KeyId")) 14809 } 14810 if s.KeyId != nil && len(*s.KeyId) < 1 { 14811 invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) 14812 } 14813 if s.Policy != nil && len(*s.Policy) < 1 { 14814 invalidParams.Add(request.NewErrParamMinLen("Policy", 1)) 14815 } 14816 if s.ReplicaRegion == nil { 14817 invalidParams.Add(request.NewErrParamRequired("ReplicaRegion")) 14818 } 14819 if s.ReplicaRegion != nil && len(*s.ReplicaRegion) < 1 { 14820 invalidParams.Add(request.NewErrParamMinLen("ReplicaRegion", 1)) 14821 } 14822 if s.Tags != nil { 14823 for i, v := range s.Tags { 14824 if v == nil { 14825 continue 14826 } 14827 if err := v.Validate(); err != nil { 14828 invalidParams.AddNested(fmt.Sprintf("%s[%v]", "Tags", i), err.(request.ErrInvalidParams)) 14829 } 14830 } 14831 } 14832 14833 if invalidParams.Len() > 0 { 14834 return invalidParams 14835 } 14836 return nil 14837} 14838 14839// SetBypassPolicyLockoutSafetyCheck 
// sets the BypassPolicyLockoutSafetyCheck field's value. It stores a pointer
// to a copy of v and returns the receiver; the setter itself applies no check
// on who may pass true.
func (s *ReplicateKeyInput) SetBypassPolicyLockoutSafetyCheck(v bool) *ReplicateKeyInput {
	s.BypassPolicyLockoutSafetyCheck = &v
	return s
}

// SetDescription stores a pointer to a copy of v in Description and returns
// the receiver.
func (s *ReplicateKeyInput) SetDescription(v string) *ReplicateKeyInput {
	s.Description = &v
	return s
}

// SetKeyId stores a pointer to a copy of v in KeyId and returns the receiver.
func (s *ReplicateKeyInput) SetKeyId(v string) *ReplicateKeyInput {
	s.KeyId = &v
	return s
}

// SetPolicy stores a pointer to a copy of v in Policy and returns the
// receiver.
func (s *ReplicateKeyInput) SetPolicy(v string) *ReplicateKeyInput {
	s.Policy = &v
	return s
}

// SetReplicaRegion stores a pointer to a copy of v in ReplicaRegion and
// returns the receiver.
func (s *ReplicateKeyInput) SetReplicaRegion(v string) *ReplicateKeyInput {
	s.ReplicaRegion = &v
	return s
}

// SetTags assigns v to Tags and returns the receiver. The slice is stored as
// passed, not copied.
func (s *ReplicateKeyInput) SetTags(v []*Tag) *ReplicateKeyInput {
	s.Tags = v
	return s
}

// ReplicateKeyOutput describes the replica key: its metadata, key policy and
// tags.
type ReplicateKeyOutput struct {
	_ struct{} `type:"structure"`

	// Displays details about the new replica CMK, including its Amazon Resource
	// Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN))
	// and key state (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html).
	// It also includes the ARN and AWS Region of its primary key and other replica
	// keys.
	ReplicaKeyMetadata *KeyMetadata `type:"structure"`

	// The key policy of the new replica key. The value is a key policy document
	// in JSON format.
	ReplicaPolicy *string `min:"1" type:"string"`

	// The tags on the new replica key. The value is a list of tag key and tag value
	// pairs.
	ReplicaTags []*Tag `type:"list"`
}

// String renders the receiver through awsutil.Prettify.
func (s ReplicateKeyOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s ReplicateKeyOutput) GoString() string {
	return s.String()
}

// SetReplicaKeyMetadata assigns v to ReplicaKeyMetadata and returns the
// receiver. The pointer is stored as passed.
func (s *ReplicateKeyOutput) SetReplicaKeyMetadata(v *KeyMetadata) *ReplicateKeyOutput {
	s.ReplicaKeyMetadata = v
	return s
}

// SetReplicaPolicy stores a pointer to a copy of v in ReplicaPolicy and
// returns the receiver.
func (s *ReplicateKeyOutput) SetReplicaPolicy(v string) *ReplicateKeyOutput {
	s.ReplicaPolicy = &v
	return s
}

// SetReplicaTags assigns v to ReplicaTags and returns the receiver. The slice
// is stored as passed, not copied.
func (s *ReplicateKeyOutput) SetReplicaTags(v []*Tag) *ReplicateKeyOutput {
	s.ReplicaTags = v
	return s
}

// RetireGrantInput identifies the grant to retire, either by grant token or
// by grant ID and key ARN. None of its fields is marked required.
type RetireGrantInput struct {
	_ struct{} `type:"structure"`

	// Identifies the grant to retire. To get the grant ID, use CreateGrant, ListGrants,
	// or ListRetirableGrants.
	//
	//    * Grant ID Example - 0123456789012345678901234567890123456789012345678901234567890123
	GrantId *string `min:"1" type:"string"`

	// Identifies the grant to be retired. You can use a grant token to identify
	// a new grant even before it has achieved eventual consistency.
	//
	// Only the CreateGrant operation returns a grant token. For details, see Grant
	// token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token)
	// and Eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-eventual-consistency)
	// in the AWS Key Management Service Developer Guide.
	GrantToken *string `min:"1" type:"string"`

	// The key ARN of the CMK associated with the grant. To find the key ARN, use
	// the ListKeys operation.
	//
	// For example: arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab
	KeyId *string `min:"1" type:"string"`
}

// String renders the receiver through awsutil.Prettify.
func (s RetireGrantInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s RetireGrantInput) GoString() string {
	return s.String()
}

// Validate applies the client-side checks for RetireGrantInput: GrantId,
// GrantToken and KeyId must each be non-empty when set. No field is required
// by this check, so an input with every field nil passes. It returns a
// request.ErrInvalidParams listing each failure, or nil when there is none.
func (s *RetireGrantInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "RetireGrantInput"}

	if id := s.GrantId; id != nil && len(*id) < 1 {
		errs.Add(request.NewErrParamMinLen("GrantId", 1))
	}
	if tok := s.GrantToken; tok != nil && len(*tok) < 1 {
		errs.Add(request.NewErrParamMinLen("GrantToken", 1))
	}
	if key := s.KeyId; key != nil && len(*key) < 1 {
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetGrantId stores a pointer to a copy of v in GrantId and returns the
// receiver.
func (s *RetireGrantInput) SetGrantId(v string) *RetireGrantInput {
	s.GrantId = &v
	return s
}

// SetGrantToken stores a pointer to a copy of v in GrantToken and returns the
// receiver.
func (s *RetireGrantInput) SetGrantToken(v string) *RetireGrantInput {
	s.GrantToken = &v
	return s
}

// SetKeyId sets the KeyId field's value.
func (s *RetireGrantInput) SetKeyId(v string) *RetireGrantInput {
	// A pointer to the parameter copy is stored; later changes to the
	// caller's variable do not affect the field.
	s.KeyId = &v
	return s
}

// RetireGrantOutput carries no data fields.
type RetireGrantOutput struct {
	_ struct{} `type:"structure"`
}

// String renders the receiver through awsutil.Prettify.
func (s RetireGrantOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s RetireGrantOutput) GoString() string {
	return s.String()
}

// RevokeGrantInput identifies the grant to revoke and the CMK it belongs to.
// Both fields are required.
type RevokeGrantInput struct {
	_ struct{} `type:"structure"`

	// Identifies the grant to revoke. To get the grant ID, use CreateGrant, ListGrants,
	// or ListRetirableGrants.
	//
	// GrantId is a required field
	GrantId *string `min:"1" type:"string" required:"true"`

	// A unique identifier for the customer master key (CMK) associated with the
	// grant.
	//
	// Specify the key ID or key ARN of the CMK. To specify a CMK in a different
	// AWS account, you must use the key ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`
}

// String renders the receiver through awsutil.Prettify.
func (s RevokeGrantInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s RevokeGrantInput) GoString() string {
	return s.String()
}

// Validate inspects the fields of the type to determine if they are valid.
func (s *RevokeGrantInput) Validate() error {
	// Only presence and minimum length are checked; the identifiers'
	// format is not.
	errs := request.ErrInvalidParams{Context: "RevokeGrantInput"}

	switch {
	case s.GrantId == nil:
		errs.Add(request.NewErrParamRequired("GrantId"))
	case len(*s.GrantId) < 1:
		errs.Add(request.NewErrParamMinLen("GrantId", 1))
	}

	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetGrantId stores a pointer to a copy of v in GrantId and returns the
// receiver.
func (s *RevokeGrantInput) SetGrantId(v string) *RevokeGrantInput {
	s.GrantId = &v
	return s
}

// SetKeyId stores a pointer to a copy of v in KeyId and returns the receiver.
func (s *RevokeGrantInput) SetKeyId(v string) *RevokeGrantInput {
	s.KeyId = &v
	return s
}

// RevokeGrantOutput carries no data fields.
type RevokeGrantOutput struct {
	_ struct{} `type:"structure"`
}

// String renders the receiver through awsutil.Prettify.
func (s RevokeGrantOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s RevokeGrantOutput) GoString() string {
	return s.String()
}

// ScheduleKeyDeletionInput names the CMK to delete and, optionally, the
// waiting period before deletion.
type ScheduleKeyDeletionInput struct {
	_ struct{} `type:"structure"`

	// The unique identifier of the customer master key (CMK) to delete.
	//
	// Specify the key ID or key ARN of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// The waiting period, specified in number of days. After the waiting period
	// ends, AWS KMS deletes the customer master key (CMK).
	//
	// If the CMK is a multi-Region primary key with replicas, the waiting period
	// begins when the last of its replica keys is deleted. Otherwise, the waiting
	// period begins immediately.
	//
	// This value is optional. If you include a value, it must be between 7 and
	// 30, inclusive. If you do not include a value, it defaults to 30.
	//
	// The struct tag and Validate enforce only a minimum of 1; the 7 to 30
	// range is not checked by this type. A caller that wants a floor on the
	// waiting period has to check the value itself before sending.
	PendingWindowInDays *int64 `min:"1" type:"integer"`
}

// String renders the receiver through awsutil.Prettify.
func (s ScheduleKeyDeletionInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s ScheduleKeyDeletionInput) GoString() string {
	return s.String()
}

// Validate applies the client-side checks for ScheduleKeyDeletionInput: KeyId
// must be set and non-empty, and PendingWindowInDays must be at least 1 when
// set. It returns a request.ErrInvalidParams listing each failure, or nil when
// there is none. Values from 1 through 6 and above 30 pass this check even
// though the field documentation gives 7 to 30 as the accepted range.
func (s *ScheduleKeyDeletionInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "ScheduleKeyDeletionInput"}

	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if days := s.PendingWindowInDays; days != nil && *days < 1 {
		errs.Add(request.NewErrParamMinValue("PendingWindowInDays", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetKeyId stores a pointer to a copy of v in KeyId and returns the receiver.
func (s *ScheduleKeyDeletionInput) SetKeyId(v string) *ScheduleKeyDeletionInput {
	s.KeyId = &v
	return s
}

// SetPendingWindowInDays sets the PendingWindowInDays field's value.
func (s *ScheduleKeyDeletionInput) SetPendingWindowInDays(v int64) *ScheduleKeyDeletionInput {
	// The value is stored as given; no range check happens in the setter.
	s.PendingWindowInDays = &v
	return s
}

// ScheduleKeyDeletionOutput reports the CMK whose deletion was scheduled,
// its state, and when it will be deleted.
type ScheduleKeyDeletionOutput struct {
	_ struct{} `type:"structure"`

	// The date and time after which AWS KMS deletes the customer master key (CMK).
	//
	// If the CMK is a multi-Region primary key with replica keys, this field does
	// not appear. The deletion date for the primary key isn't known until its last
	// replica key is deleted.
	DeletionDate *time.Time `type:"timestamp"`

	// The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN))
	// of the CMK whose deletion is scheduled.
	KeyId *string `min:"1" type:"string"`

	// The current status of the CMK.
	//
	// For more information about how key state affects the use of a CMK, see Key
	// state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
	// in the AWS Key Management Service Developer Guide.
	KeyState *string `type:"string" enum:"KeyState"`

	// The waiting period before the CMK is deleted.
	//
	// If the CMK is a multi-Region primary key with replicas, the waiting period
	// begins when the last of its replica keys is deleted. Otherwise, the waiting
	// period begins immediately.
	PendingWindowInDays *int64 `min:"1" type:"integer"`
}

// String renders the receiver through awsutil.Prettify.
func (s ScheduleKeyDeletionOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s ScheduleKeyDeletionOutput) GoString() string {
	return s.String()
}

// SetDeletionDate sets the DeletionDate field's value.
func (s *ScheduleKeyDeletionOutput) SetDeletionDate(v time.Time) *ScheduleKeyDeletionOutput {
	// A pointer to the parameter copy is stored.
	s.DeletionDate = &v
	return s
}

// SetKeyId stores a pointer to a copy of v in KeyId and returns the receiver.
func (s *ScheduleKeyDeletionOutput) SetKeyId(v string) *ScheduleKeyDeletionOutput {
	s.KeyId = &v
	return s
}

// SetKeyState stores a pointer to a copy of v in KeyState and returns the
// receiver.
func (s *ScheduleKeyDeletionOutput) SetKeyState(v string) *ScheduleKeyDeletionOutput {
	s.KeyState = &v
	return s
}

// SetPendingWindowInDays stores a pointer to a copy of v in
// PendingWindowInDays and returns the receiver.
func (s *ScheduleKeyDeletionOutput) SetPendingWindowInDays(v int64) *ScheduleKeyDeletionOutput {
	s.PendingWindowInDays = &v
	return s
}

// SignInput holds the parameters for signing a message or message digest
// with an asymmetric CMK. KeyId, Message and SigningAlgorithm are required.
type SignInput struct {
	_ struct{} `type:"structure"`

	// A list of grant tokens.
	//
	// Use a grant token when your permission to call this operation comes from
	// a new grant that has not yet achieved eventual consistency. For more information,
	// see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
	// in the AWS Key Management Service Developer Guide.
	GrantTokens []*string `type:"list"`

	// Identifies an asymmetric CMK. AWS KMS uses the private key in the asymmetric
	// CMK to sign the message. The KeyUsage type of the CMK must be SIGN_VERIFY.
	// To find the KeyUsage of a CMK, use the DescribeKey operation.
	//
	// To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When
	// using an alias name, prefix it with "alias/". To specify a CMK in a different
	// AWS account, you must use the key ARN or alias ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Alias name: alias/ExampleAlias
	//
	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To
	// get the alias name and alias ARN, use ListAliases.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// Specifies the message or message digest to sign. Messages can be 0-4096 bytes.
	// To sign a larger message, provide the message digest.
	//
	// If you provide a message, AWS KMS generates a hash digest of the message
	// and then signs it.
	//
	// Message is automatically base64 encoded/decoded by the SDK.
	//
	// The field carries the sensitive:"true" tag.
	// NOTE(review): presumably this makes the SDK's formatting helpers redact
	// it in String output; confirm against awsutil.Prettify in the SDK
	// version in use before relying on it for log hygiene.
	//
	// Message is a required field
	Message []byte `min:"1" type:"blob" required:"true" sensitive:"true"`

	// Tells AWS KMS whether the value of the Message parameter is a message or
	// message digest. The default value, RAW, indicates a message. To indicate
	// a message digest, enter DIGEST.
	MessageType *string `type:"string" enum:"MessageType"`

	// Specifies the signing algorithm to use when signing the message.
	//
	// Choose an algorithm that is compatible with the type and size of the specified
	// asymmetric CMK.
	//
	// SigningAlgorithm is a required field
	SigningAlgorithm *string `type:"string" required:"true" enum:"SigningAlgorithmSpec"`
}

// String renders the receiver through awsutil.Prettify.
func (s SignInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s SignInput) GoString() string {
	return s.String()
}

// Validate applies the client-side checks for SignInput: KeyId and Message
// must be set and non-empty, and SigningAlgorithm must be set. It returns a
// request.ErrInvalidParams listing each failure, or nil when there is none.
// MessageType and SigningAlgorithm are not compared with their enum values,
// and the message length is not compared with the documented 4096-byte limit.
func (s *SignInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "SignInput"}

	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	// A nil slice is reported as missing; an allocated but empty slice is
	// reported as too short.
	switch {
	case s.Message == nil:
		errs.Add(request.NewErrParamRequired("Message"))
	case len(s.Message) < 1:
		errs.Add(request.NewErrParamMinLen("Message", 1))
	}

	if s.SigningAlgorithm == nil {
		errs.Add(request.NewErrParamRequired("SigningAlgorithm"))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetGrantTokens assigns v to GrantTokens and returns the receiver. The slice
// is stored as passed, not copied.
func (s *SignInput) SetGrantTokens(v []*string) *SignInput {
	s.GrantTokens = v
	return s
}

// SetKeyId stores a pointer to a copy of v in KeyId and returns the receiver.
func (s *SignInput) SetKeyId(v string) *SignInput {
	s.KeyId = &v
	return s
}

// SetMessage assigns v to Message and returns the receiver. The slice is
// stored as passed, not copied, so later writes to v change the input.
func (s *SignInput) SetMessage(v []byte) *SignInput {
	s.Message = v
	return s
}

// SetMessageType sets the MessageType field's value.
func (s *SignInput) SetMessageType(v string) *SignInput {
	// The string is stored as given; it is not compared with the
	// MessageType enum here.
	s.MessageType = &v
	return s
}

// SetSigningAlgorithm stores a pointer to a copy of v in SigningAlgorithm and
// returns the receiver. The value is not compared with the
// SigningAlgorithmSpec enum here.
func (s *SignInput) SetSigningAlgorithm(v string) *SignInput {
	s.SigningAlgorithm = &v
	return s
}

// SignOutput carries the signature together with the key and algorithm that
// produced it.
type SignOutput struct {
	_ struct{} `type:"structure"`

	// The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN))
	// of the asymmetric CMK that was used to sign the message.
	KeyId *string `min:"1" type:"string"`

	// The cryptographic signature that was generated for the message.
	//
	//    * When used with the supported RSA signing algorithms, the encoding of
	//    this value is defined by PKCS #1 in RFC 8017 (https://tools.ietf.org/html/rfc8017).
	//
	//    * When used with the ECDSA_SHA_256, ECDSA_SHA_384, or ECDSA_SHA_512 signing
	//    algorithms, this value is a DER-encoded object as defined by ANS X9.62–2005
	//    and RFC 3279 Section 2.2.3 (https://tools.ietf.org/html/rfc3279#section-2.2.3).
	//    This is the most commonly used signature format and is appropriate for
	//    most uses.
	//
	// When you use the HTTP API or the AWS CLI, the value is Base64-encoded. Otherwise,
	// it is not Base64-encoded.
	//
	// Signature is automatically base64 encoded/decoded by the SDK.
	Signature []byte `min:"1" type:"blob"`

	// The signing algorithm that was used to sign the message.
	SigningAlgorithm *string `type:"string" enum:"SigningAlgorithmSpec"`
}

// String renders the receiver through awsutil.Prettify.
func (s SignOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s SignOutput) GoString() string {
	return s.String()
}

// SetKeyId sets the KeyId field's value.
func (s *SignOutput) SetKeyId(v string) *SignOutput {
	// A pointer to the parameter copy is stored.
	s.KeyId = &v
	return s
}

// SetSignature assigns v to Signature and returns the receiver. The slice is
// stored as passed, not copied.
func (s *SignOutput) SetSignature(v []byte) *SignOutput {
	s.Signature = v
	return s
}

// SetSigningAlgorithm stores a pointer to a copy of v in SigningAlgorithm and
// returns the receiver.
func (s *SignOutput) SetSigningAlgorithm(v string) *SignOutput {
	s.SigningAlgorithm = &v
	return s
}

// Tag is a key-value pair. A tag consists of a tag key and a tag value. Tag
// keys and tag values are both required, but tag values can be empty (null)
// strings.
//
// For information about the rules that apply to tag keys and tag values, see
// User-Defined Tag Restrictions (https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/allocation-tag-restrictions.html)
// in the AWS Billing and Cost Management User Guide.
type Tag struct {
	_ struct{} `type:"structure"`

	// The key of the tag.
	//
	// TagKey is a required field
	TagKey *string `min:"1" type:"string" required:"true"`

	// The value of the tag.
	//
	// TagValue is a required field
	TagValue *string `type:"string" required:"true"`
}

// String renders the receiver through awsutil.Prettify.
func (s Tag) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s Tag) GoString() string {
	return s.String()
}

// Validate inspects the fields of the type to determine if they are valid.
func (s *Tag) Validate() error {
	// TagKey must be set and non-empty. TagValue must be set but may be
	// the empty string: it has no minimum-length check.
	errs := request.ErrInvalidParams{Context: "Tag"}

	switch {
	case s.TagKey == nil:
		errs.Add(request.NewErrParamRequired("TagKey"))
	case len(*s.TagKey) < 1:
		errs.Add(request.NewErrParamMinLen("TagKey", 1))
	}

	if s.TagValue == nil {
		errs.Add(request.NewErrParamRequired("TagValue"))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetTagKey stores a pointer to a copy of v in TagKey and returns the
// receiver.
func (s *Tag) SetTagKey(v string) *Tag {
	s.TagKey = &v
	return s
}

// SetTagValue stores a pointer to a copy of v in TagValue and returns the
// receiver.
func (s *Tag) SetTagValue(v string) *Tag {
	s.TagValue = &v
	return s
}

// TagException reports that the request was rejected because one or more
// tags are not valid.
type TagException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
}

// String renders the receiver through awsutil.Prettify.
func (s TagException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s TagException) GoString() string {
	return s.String()
}

// newErrorTagException returns a *TagException that carries the response
// metadata v; Message_ is left nil.
func newErrorTagException(v protocol.ResponseMetadata) error {
	return &TagException{
		RespMetadata: v,
	}
}

// Code returns the exception type name.
func (s *TagException) Code() string {
	return "TagException"
}

// Message returns the exception's message, or the empty string when Message_
// is nil.
func (s *TagException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil, satisfies awserr.Error interface.
func (s *TagException) OrigErr() error {
	// There is no wrapped cause for this exception type.
	return nil
}

// Error formats the exception as its code, a colon and a space, then its
// message.
func (s *TagException) Error() string {
	return fmt.Sprintf("%s: %s", s.Code(), s.Message())
}

// StatusCode returns the HTTP status code recorded in the response metadata.
func (s *TagException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the request ID recorded in the response metadata.
func (s *TagException) RequestID() string {
	return s.RespMetadata.RequestID
}

// TagResourceInput names a CMK and the tags to add to it or replace on it.
// Both fields are required.
type TagResourceInput struct {
	_ struct{} `type:"structure"`

	// Identifies a customer managed CMK in the account and Region.
	//
	// Specify the key ID or key ARN of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// One or more tags.
	//
	// Each tag consists of a tag key and a tag value. The tag value can be an empty
	// (null) string.
	//
	// You cannot have more than one tag on a CMK with the same tag key. If you
	// specify an existing tag key with a different tag value, AWS KMS replaces
	// the current tag value with the specified one.
	//
	// Tags is a required field
	Tags []*Tag `type:"list" required:"true"`
}

// String renders the receiver through awsutil.Prettify.
func (s TagResourceInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s TagResourceInput) GoString() string {
	return s.String()
}

// Validate inspects the fields of the type to determine if they are valid.
func (s *TagResourceInput) Validate() error {
	// KeyId must be set and non-empty, and Tags must be non-nil. An
	// allocated but empty Tags slice passes, and nil entries inside it are
	// skipped rather than reported.
	errs := request.ErrInvalidParams{Context: "TagResourceInput"}

	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if s.Tags == nil {
		errs.Add(request.NewErrParamRequired("Tags"))
	}
	// Ranging over a nil slice does nothing, so the loop needs no guard.
	for idx, tag := range s.Tags {
		if tag == nil {
			continue
		}
		if err := tag.Validate(); err != nil {
			// The assertion relies on Tag.Validate returning
			// request.ErrInvalidParams for every non-nil error.
			errs.AddNested(fmt.Sprintf("%s[%v]", "Tags", idx), err.(request.ErrInvalidParams))
		}
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetKeyId stores a pointer to a copy of v in KeyId and returns the receiver.
func (s *TagResourceInput) SetKeyId(v string) *TagResourceInput {
	s.KeyId = &v
	return s
}

// SetTags assigns v to Tags and returns the receiver. The slice is stored as
// passed, not copied.
func (s *TagResourceInput) SetTags(v []*Tag) *TagResourceInput {
	s.Tags = v
	return s
}

// TagResourceOutput carries no data fields.
type TagResourceOutput struct {
	_ struct{} `type:"structure"`
}

// String renders the receiver through awsutil.Prettify.
func (s TagResourceOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s TagResourceOutput) GoString() string {
	return s.String()
}

// The request was rejected because a specified parameter is not supported or
// a specified resource is not valid for this operation.
type UnsupportedOperationException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
}

// String returns the value rendered by awsutil.Prettify.
func (s UnsupportedOperationException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s UnsupportedOperationException) GoString() string {
	return s.String()
}

// newErrorUnsupportedOperationException builds the exception with only its
// response metadata set; Message_ is left nil.
func newErrorUnsupportedOperationException(v protocol.ResponseMetadata) error {
	e := &UnsupportedOperationException{}
	e.RespMetadata = v
	return e
}

// Code returns the exception type name.
func (s *UnsupportedOperationException) Code() string {
	return "UnsupportedOperationException"
}

// Message returns the exception's message, or "" when none was set.
func (s *UnsupportedOperationException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil, satisfies awserr.Error interface.
func (s *UnsupportedOperationException) OrigErr() error {
	return nil
}

// Error formats the exception as "<Code>: <Message>".
func (s *UnsupportedOperationException) Error() string {
	return s.Code() + ": " + s.Message()
}

// StatusCode returns the HTTP status code for the request's response error.
func (s *UnsupportedOperationException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the service's response RequestID for request.
func (s *UnsupportedOperationException) RequestID() string {
	return s.RespMetadata.RequestID
}

// UntagResourceInput holds the KeyId and TagKeys parameters; both are tagged
// as required.
type UntagResourceInput struct {
	_ struct{} `type:"structure"`

	// Identifies the CMK from which you are removing tags.
	//
	// Specify the key ID or key ARN of the CMK.
	//
	// For example:
	//
	// * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// One or more tag keys. Specify only the tag keys, not the tag values.
	//
	// TagKeys is a required field
	TagKeys []*string `type:"list" required:"true"`
}

// String returns the value rendered by awsutil.Prettify.
func (s UntagResourceInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s UntagResourceInput) GoString() string {
	return s.String()
}

// Validate reports missing or too-short required fields as a
// request.ErrInvalidParams, or nil when nothing is wrong.
//
// Only the nil-ness of TagKeys is checked: an empty slice and nil entries in
// it both pass.
func (s *UntagResourceInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "UntagResourceInput"}

	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}
	if s.TagKeys == nil {
		errs.Add(request.NewErrParamRequired("TagKeys"))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetKeyId stores a pointer to v in KeyId and returns the receiver so calls
// can be chained.
func (s *UntagResourceInput) SetKeyId(v string) *UntagResourceInput {
	s.KeyId = &v
	return s
}

// SetTagKeys sets the TagKeys field's value.
func (s *UntagResourceInput) SetTagKeys(v []*string) *UntagResourceInput {
	s.TagKeys = v
	return s
}

// UntagResourceOutput has no fields.
type UntagResourceOutput struct {
	_ struct{} `type:"structure"`
}

// String returns the value rendered by awsutil.Prettify.
func (s UntagResourceOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s UntagResourceOutput) GoString() string {
	return s.String()
}

// UpdateAliasInput holds the AliasName and TargetKeyId parameters; both are
// tagged as required.
type UpdateAliasInput struct {
	_ struct{} `type:"structure"`

	// Identifies the alias that is changing its CMK. This value must begin with
	// alias/ followed by the alias name, such as alias/ExampleAlias. You cannot
	// use UpdateAlias to change the alias name.
	//
	// AliasName is a required field
	AliasName *string `min:"1" type:"string" required:"true"`

	// Identifies the customer managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk)
	// to associate with the alias. You don't have permission to associate an alias
	// with an AWS managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk).
	//
	// The CMK must be in the same AWS account and Region as the alias. Also, the
	// new target CMK must be the same type as the current target CMK (both symmetric
	// or both asymmetric) and they must have the same key usage.
	//
	// Specify the key ID or key ARN of the CMK.
	//
	// For example:
	//
	// * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// To verify that the alias is mapped to the correct CMK, use ListAliases.
	//
	// TargetKeyId is a required field
	TargetKeyId *string `min:"1" type:"string" required:"true"`
}

// String returns the value rendered by awsutil.Prettify.
func (s UpdateAliasInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s UpdateAliasInput) GoString() string {
	return s.String()
}

// Validate reports missing or too-short required fields as a
// request.ErrInvalidParams, or nil when nothing is wrong.
//
// Only presence and a minimum length of 1 are checked; the "alias/" prefix
// described on AliasName is not enforced here.
func (s *UpdateAliasInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "UpdateAliasInput"}

	switch {
	case s.AliasName == nil:
		errs.Add(request.NewErrParamRequired("AliasName"))
	case len(*s.AliasName) < 1:
		errs.Add(request.NewErrParamMinLen("AliasName", 1))
	}
	switch {
	case s.TargetKeyId == nil:
		errs.Add(request.NewErrParamRequired("TargetKeyId"))
	case len(*s.TargetKeyId) < 1:
		errs.Add(request.NewErrParamMinLen("TargetKeyId", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetAliasName stores a pointer to v in AliasName and returns the receiver so
// calls can be chained.
func (s *UpdateAliasInput) SetAliasName(v string) *UpdateAliasInput {
	s.AliasName = &v
	return s
}

// SetTargetKeyId sets the TargetKeyId field's value.
func (s *UpdateAliasInput) SetTargetKeyId(v string) *UpdateAliasInput {
	s.TargetKeyId = &v
	return s
}

// UpdateAliasOutput has no fields.
type UpdateAliasOutput struct {
	_ struct{} `type:"structure"`
}

// String returns the value rendered by awsutil.Prettify.
func (s UpdateAliasOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s UpdateAliasOutput) GoString() string {
	return s.String()
}

// UpdateCustomKeyStoreInput holds the parameters for changing a custom key
// store. Only CustomKeyStoreId is tagged as required; KeyStorePassword is
// tagged sensitive.
type UpdateCustomKeyStoreInput struct {
	_ struct{} `type:"structure"`

	// Associates the custom key store with a related AWS CloudHSM cluster.
	//
	// Enter the cluster ID of the cluster that you used to create the custom key
	// store or a cluster that shares a backup history and has the same cluster
	// certificate as the original cluster. You cannot use this parameter to associate
	// a custom key store with an unrelated cluster. In addition, the replacement
	// cluster must fulfill the requirements (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore)
	// for a cluster associated with a custom key store. To view the cluster certificate
	// of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
	// operation.
	CloudHsmClusterId *string `min:"19" type:"string"`

	// Identifies the custom key store that you want to update. Enter the ID of
	// the custom key store. To find the ID of a custom key store, use the DescribeCustomKeyStores
	// operation.
	//
	// CustomKeyStoreId is a required field
	CustomKeyStoreId *string `min:"1" type:"string" required:"true"`

	// Enter the current password of the kmsuser crypto user (CU) in the AWS CloudHSM
	// cluster that is associated with the custom key store.
	//
	// This parameter tells AWS KMS the current password of the kmsuser crypto user
	// (CU). It does not set or change the password of any users in the AWS CloudHSM
	// cluster.
	KeyStorePassword *string `min:"7" type:"string" sensitive:"true"`

	// Changes the friendly name of the custom key store to the value that you specify.
	// The custom key store name must be unique in the AWS account.
	NewCustomKeyStoreName *string `min:"1" type:"string"`
}

// String returns the value rendered by awsutil.Prettify.
//
// NOTE(review): the whole struct, including KeyStorePassword, is handed to
// awsutil.Prettify. Whether Prettify redacts fields tagged sensitive:"true" is
// not visible here — confirm before logging or printing this value.
func (s UpdateCustomKeyStoreInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String, so the note on String applies to
// %#v formatting as well.
func (s UpdateCustomKeyStoreInput) GoString() string {
	return s.String()
}

// Validate reports a missing CustomKeyStoreId and any set field shorter than
// its tagged minimum as a request.ErrInvalidParams, or nil when nothing is
// wrong.
//
// These are length checks only. For KeyStorePassword the 7-character minimum
// is the only test applied on the client side.
func (s *UpdateCustomKeyStoreInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "UpdateCustomKeyStoreInput"}

	if id := s.CloudHsmClusterId; id != nil && len(*id) < 19 {
		errs.Add(request.NewErrParamMinLen("CloudHsmClusterId", 19))
	}
	switch {
	case s.CustomKeyStoreId == nil:
		errs.Add(request.NewErrParamRequired("CustomKeyStoreId"))
	case len(*s.CustomKeyStoreId) < 1:
		errs.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1))
	}
	if pw := s.KeyStorePassword; pw != nil && len(*pw) < 7 {
		errs.Add(request.NewErrParamMinLen("KeyStorePassword", 7))
	}
	if name := s.NewCustomKeyStoreName; name != nil && len(*name) < 1 {
		errs.Add(request.NewErrParamMinLen("NewCustomKeyStoreName", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetCloudHsmClusterId sets the CloudHsmClusterId field's value.
func (s *UpdateCustomKeyStoreInput) SetCloudHsmClusterId(v string) *UpdateCustomKeyStoreInput {
	s.CloudHsmClusterId = &v
	return s
}

// SetCustomKeyStoreId stores a pointer to v in CustomKeyStoreId and returns
// the receiver so calls can be chained.
func (s *UpdateCustomKeyStoreInput) SetCustomKeyStoreId(v string) *UpdateCustomKeyStoreInput {
	s.CustomKeyStoreId = &v
	return s
}

// SetKeyStorePassword stores a pointer to v in KeyStorePassword and returns
// the receiver. The password is kept as an ordinary Go string for as long as
// the input value is referenced.
func (s *UpdateCustomKeyStoreInput) SetKeyStorePassword(v string) *UpdateCustomKeyStoreInput {
	s.KeyStorePassword = &v
	return s
}

// SetNewCustomKeyStoreName stores a pointer to v in NewCustomKeyStoreName and
// returns the receiver.
func (s *UpdateCustomKeyStoreInput) SetNewCustomKeyStoreName(v string) *UpdateCustomKeyStoreInput {
	s.NewCustomKeyStoreName = &v
	return s
}

// UpdateCustomKeyStoreOutput has no fields.
type UpdateCustomKeyStoreOutput struct {
	_ struct{} `type:"structure"`
}

// String returns the value rendered by awsutil.Prettify.
func (s UpdateCustomKeyStoreOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s UpdateCustomKeyStoreOutput) GoString() string {
	return s.String()
}

// UpdateKeyDescriptionInput holds the Description and KeyId parameters; both
// are tagged as required.
type UpdateKeyDescriptionInput struct {
	_ struct{} `type:"structure"`

	// New description for the CMK.
	//
	// Description is a required field
	Description *string `type:"string" required:"true"`

	// Updates the description of the specified customer master key (CMK).
	//
	// Specify the key ID or key ARN of the CMK.
	//
	// For example:
	//
	// * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`
}

// String returns the value rendered by awsutil.Prettify.
func (s UpdateKeyDescriptionInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s UpdateKeyDescriptionInput) GoString() string {
	return s.String()
}

// Validate reports missing or too-short required fields as a
// request.ErrInvalidParams, or nil when nothing is wrong. Description has no
// minimum length, so a pointer to an empty string passes.
func (s *UpdateKeyDescriptionInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "UpdateKeyDescriptionInput"}

	if s.Description == nil {
		errs.Add(request.NewErrParamRequired("Description"))
	}
	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetDescription stores a pointer to v in Description and returns the
// receiver so calls can be chained.
func (s *UpdateKeyDescriptionInput) SetDescription(v string) *UpdateKeyDescriptionInput {
	s.Description = &v
	return s
}

// SetKeyId stores a pointer to v in KeyId and returns the receiver.
func (s *UpdateKeyDescriptionInput) SetKeyId(v string) *UpdateKeyDescriptionInput {
	s.KeyId = &v
	return s
}

// UpdateKeyDescriptionOutput has no fields.
type UpdateKeyDescriptionOutput struct {
	_ struct{} `type:"structure"`
}

// String returns the value rendered by awsutil.Prettify.
func (s UpdateKeyDescriptionOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s UpdateKeyDescriptionOutput) GoString() string {
	return s.String()
}

// UpdatePrimaryRegionInput holds the KeyId and PrimaryRegion parameters; both
// are tagged as required.
type UpdatePrimaryRegionInput struct {
	_ struct{} `type:"structure"`

	// Identifies the current primary key. When the operation completes, this CMK
	// will be a replica key.
	//
	// Specify the key ID or key ARN of a multi-Region primary key.
	//
	// For example:
	//
	// * Key ID: mrk-1234abcd12ab34cd56ef1234567890ab
	//
	// * Key ARN: arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// The AWS Region of the new primary key. Enter the Region ID, such as us-east-1
	// or ap-southeast-2. There must be an existing replica key in this Region.
	//
	// When the operation completes, the multi-Region key in this Region will be
	// the primary key.
	//
	// PrimaryRegion is a required field
	PrimaryRegion *string `min:"1" type:"string" required:"true"`
}

// String returns the value rendered by awsutil.Prettify.
func (s UpdatePrimaryRegionInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s UpdatePrimaryRegionInput) GoString() string {
	return s.String()
}

// Validate inspects the fields of the type to determine if they are valid.
//
// Both KeyId and PrimaryRegion must be set and at least one character long;
// nothing else about their content is checked here.
func (s *UpdatePrimaryRegionInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "UpdatePrimaryRegionInput"}

	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}
	switch {
	case s.PrimaryRegion == nil:
		errs.Add(request.NewErrParamRequired("PrimaryRegion"))
	case len(*s.PrimaryRegion) < 1:
		errs.Add(request.NewErrParamMinLen("PrimaryRegion", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetKeyId stores a pointer to v in KeyId and returns the receiver so calls
// can be chained.
func (s *UpdatePrimaryRegionInput) SetKeyId(v string) *UpdatePrimaryRegionInput {
	s.KeyId = &v
	return s
}

// SetPrimaryRegion stores a pointer to v in PrimaryRegion and returns the
// receiver.
func (s *UpdatePrimaryRegionInput) SetPrimaryRegion(v string) *UpdatePrimaryRegionInput {
	s.PrimaryRegion = &v
	return s
}

// UpdatePrimaryRegionOutput has no fields.
type UpdatePrimaryRegionOutput struct {
	_ struct{} `type:"structure"`
}

// String returns the value rendered by awsutil.Prettify.
func (s UpdatePrimaryRegionOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s UpdatePrimaryRegionOutput) GoString() string {
	return s.String()
}

// VerifyInput holds the parameters for verifying a signature. KeyId, Message,
// Signature and SigningAlgorithm are tagged as required; Message is also
// tagged sensitive.
type VerifyInput struct {
	_ struct{} `type:"structure"`

	// A list of grant tokens.
	//
	// Use a grant token when your permission to call this operation comes from
	// a new grant that has not yet achieved eventual consistency. For more information,
	// see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
	// in the AWS Key Management Service Developer Guide.
	GrantTokens []*string `type:"list"`

	// Identifies the asymmetric CMK that will be used to verify the signature.
	// This must be the same CMK that was used to generate the signature. If you
	// specify a different CMK, the signature verification fails.
	//
	// To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When
	// using an alias name, prefix it with "alias/". To specify a CMK in a different
	// AWS account, you must use the key ARN or alias ARN.
	//
	// For example:
	//
	// * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// * Alias name: alias/ExampleAlias
	//
	// * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To
	// get the alias name and alias ARN, use ListAliases.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// Specifies the message that was signed. You can submit a raw message of up
	// to 4096 bytes, or a hash digest of the message. If you submit a digest, use
	// the MessageType parameter with a value of DIGEST.
	//
	// If the message specified here is different from the message that was signed,
	// the signature verification fails. A message and its hash digest are considered
	// to be the same message.
	//
	// Message is automatically base64 encoded/decoded by the SDK.
	//
	// Message is a required field
	Message []byte `min:"1" type:"blob" required:"true" sensitive:"true"`

	// Tells AWS KMS whether the value of the Message parameter is a message or
	// message digest. The default value, RAW, indicates a message. To indicate
	// a message digest, enter DIGEST.
	//
	// Use the DIGEST value only when the value of the Message parameter is a message
	// digest. If you use the DIGEST value with a raw message, the security of the
	// verification operation can be compromised.
	MessageType *string `type:"string" enum:"MessageType"`

	// The signature that the Sign operation generated.
	//
	// Signature is automatically base64 encoded/decoded by the SDK.
	//
	// Signature is a required field
	Signature []byte `min:"1" type:"blob" required:"true"`

	// The signing algorithm that was used to sign the message. If you submit a
	// different algorithm, the signature verification fails.
	//
	// SigningAlgorithm is a required field
	SigningAlgorithm *string `type:"string" required:"true" enum:"SigningAlgorithmSpec"`
}

// String returns the value rendered by awsutil.Prettify.
//
// NOTE(review): the whole struct, including Message, is handed to
// awsutil.Prettify. Whether Prettify redacts fields tagged sensitive:"true" is
// not visible here — confirm before logging or printing this value.
func (s VerifyInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String, so the note on String applies to
// %#v formatting as well.
func (s VerifyInput) GoString() string {
	return s.String()
}

// Validate inspects the fields of the type to determine if they are valid.
//
// KeyId, Message and Signature must be set and non-empty, and
// SigningAlgorithm must be set. MessageType is not inspected, and neither it
// nor SigningAlgorithm is compared with its enum values here, so a wrong
// RAW/DIGEST choice is not caught by this check.
func (s *VerifyInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "VerifyInput"}

	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}
	switch {
	case s.Message == nil:
		errs.Add(request.NewErrParamRequired("Message"))
	case len(s.Message) < 1:
		errs.Add(request.NewErrParamMinLen("Message", 1))
	}
	switch {
	case s.Signature == nil:
		errs.Add(request.NewErrParamRequired("Signature"))
	case len(s.Signature) < 1:
		errs.Add(request.NewErrParamMinLen("Signature", 1))
	}
	if s.SigningAlgorithm == nil {
		errs.Add(request.NewErrParamRequired("SigningAlgorithm"))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}

// SetGrantTokens stores v in GrantTokens (the slice is not copied) and returns
// the receiver so calls can be chained.
func (s *VerifyInput) SetGrantTokens(v []*string) *VerifyInput {
	s.GrantTokens = v
	return s
}

// SetKeyId stores a pointer to v in KeyId and returns the receiver.
func (s *VerifyInput) SetKeyId(v string) *VerifyInput {
	s.KeyId = &v
	return s
}

// SetMessage stores v in Message and returns the receiver. The slice is not
// copied, so later writes to v by the caller change the stored message.
func (s *VerifyInput) SetMessage(v []byte) *VerifyInput {
	s.Message = v
	return s
}

// SetMessageType stores a pointer to v in MessageType and returns the
// receiver. The value is stored as given.
func (s *VerifyInput) SetMessageType(v string) *VerifyInput {
	s.MessageType = &v
	return s
}

// SetSignature stores v in Signature and returns the receiver. The slice is
// not copied.
func (s *VerifyInput) SetSignature(v []byte) *VerifyInput {
	s.Signature = v
	return s
}

// SetSigningAlgorithm sets the SigningAlgorithm field's value.
func (s *VerifyInput) SetSigningAlgorithm(v string) *VerifyInput {
	s.SigningAlgorithm = &v
	return s
}

// VerifyOutput holds the KeyId, SignatureValid and SigningAlgorithm result
// fields. All three are pointers and may be nil.
type VerifyOutput struct {
	_ struct{} `type:"structure"`

	// The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN))
	// of the asymmetric CMK that was used to verify the signature.
	KeyId *string `min:"1" type:"string"`

	// A Boolean value that indicates whether the signature was verified. A value
	// of True indicates that the Signature was produced by signing the Message
	// with the specified KeyID and SigningAlgorithm. If the signature is not verified,
	// the Verify operation fails with a KMSInvalidSignatureException exception.
	//
	// NOTE(review): because a failed verification is reported as an error, callers
	// should check the error from the Verify call before reading this field, and
	// should not treat a nil pointer as "valid". The Verify operation itself is
	// outside this view — confirm.
	SignatureValid *bool `type:"boolean"`

	// The signing algorithm that was used to verify the signature.
	SigningAlgorithm *string `type:"string" enum:"SigningAlgorithmSpec"`
}

// String returns the value rendered by awsutil.Prettify.
func (s VerifyOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s VerifyOutput) GoString() string {
	return s.String()
}

// SetKeyId stores a pointer to v in KeyId and returns the receiver so calls
// can be chained.
func (s *VerifyOutput) SetKeyId(v string) *VerifyOutput {
	s.KeyId = &v
	return s
}

// SetSignatureValid stores a pointer to v in SignatureValid and returns the
// receiver.
func (s *VerifyOutput) SetSignatureValid(v bool) *VerifyOutput {
	s.SignatureValid = &v
	return s
}

// SetSigningAlgorithm sets the SigningAlgorithm field's value.
16311func (s *VerifyOutput) SetSigningAlgorithm(v string) *VerifyOutput { 16312 s.SigningAlgorithm = &v 16313 return s 16314} 16315 16316const ( 16317 // AlgorithmSpecRsaesPkcs1V15 is a AlgorithmSpec enum value 16318 AlgorithmSpecRsaesPkcs1V15 = "RSAES_PKCS1_V1_5" 16319 16320 // AlgorithmSpecRsaesOaepSha1 is a AlgorithmSpec enum value 16321 AlgorithmSpecRsaesOaepSha1 = "RSAES_OAEP_SHA_1" 16322 16323 // AlgorithmSpecRsaesOaepSha256 is a AlgorithmSpec enum value 16324 AlgorithmSpecRsaesOaepSha256 = "RSAES_OAEP_SHA_256" 16325) 16326 16327// AlgorithmSpec_Values returns all elements of the AlgorithmSpec enum 16328func AlgorithmSpec_Values() []string { 16329 return []string{ 16330 AlgorithmSpecRsaesPkcs1V15, 16331 AlgorithmSpecRsaesOaepSha1, 16332 AlgorithmSpecRsaesOaepSha256, 16333 } 16334} 16335 16336const ( 16337 // ConnectionErrorCodeTypeInvalidCredentials is a ConnectionErrorCodeType enum value 16338 ConnectionErrorCodeTypeInvalidCredentials = "INVALID_CREDENTIALS" 16339 16340 // ConnectionErrorCodeTypeClusterNotFound is a ConnectionErrorCodeType enum value 16341 ConnectionErrorCodeTypeClusterNotFound = "CLUSTER_NOT_FOUND" 16342 16343 // ConnectionErrorCodeTypeNetworkErrors is a ConnectionErrorCodeType enum value 16344 ConnectionErrorCodeTypeNetworkErrors = "NETWORK_ERRORS" 16345 16346 // ConnectionErrorCodeTypeInternalError is a ConnectionErrorCodeType enum value 16347 ConnectionErrorCodeTypeInternalError = "INTERNAL_ERROR" 16348 16349 // ConnectionErrorCodeTypeInsufficientCloudhsmHsms is a ConnectionErrorCodeType enum value 16350 ConnectionErrorCodeTypeInsufficientCloudhsmHsms = "INSUFFICIENT_CLOUDHSM_HSMS" 16351 16352 // ConnectionErrorCodeTypeUserLockedOut is a ConnectionErrorCodeType enum value 16353 ConnectionErrorCodeTypeUserLockedOut = "USER_LOCKED_OUT" 16354 16355 // ConnectionErrorCodeTypeUserNotFound is a ConnectionErrorCodeType enum value 16356 ConnectionErrorCodeTypeUserNotFound = "USER_NOT_FOUND" 16357 16358 // ConnectionErrorCodeTypeUserLoggedIn is a 
// ConnectionErrorCodeType enum value
	ConnectionErrorCodeTypeUserLoggedIn = "USER_LOGGED_IN"

	// ConnectionErrorCodeTypeSubnetNotFound is the ConnectionErrorCodeType value "SUBNET_NOT_FOUND".
	ConnectionErrorCodeTypeSubnetNotFound = "SUBNET_NOT_FOUND"
)

// ConnectionErrorCodeType_Values lists every ConnectionErrorCodeType value
// declared in this generated file, in declaration order. Each call builds a
// new slice, so the caller may modify the result freely.
//
// The list reflects the values known when the file was generated; a value
// returned by the service that is absent here should be treated as unknown
// rather than as invalid input.
//
// Operational note: INVALID_CREDENTIALS, USER_LOCKED_OUT and USER_LOGGED_IN
// concern the CloudHSM user that KMS uses for a custom key store. They are
// worth investigating and alerting on rather than retrying blindly.
func ConnectionErrorCodeType_Values() []string {
	codes := []string{
		ConnectionErrorCodeTypeInvalidCredentials,
		ConnectionErrorCodeTypeClusterNotFound,
		ConnectionErrorCodeTypeNetworkErrors,
		ConnectionErrorCodeTypeInternalError,
		ConnectionErrorCodeTypeInsufficientCloudhsmHsms,
		ConnectionErrorCodeTypeUserLockedOut,
		ConnectionErrorCodeTypeUserNotFound,
		ConnectionErrorCodeTypeUserLoggedIn,
		ConnectionErrorCodeTypeSubnetNotFound,
	}
	return codes
}

const (
	// ConnectionStateTypeConnected is the ConnectionStateType value "CONNECTED".
	ConnectionStateTypeConnected = "CONNECTED"

	// ConnectionStateTypeConnecting is the ConnectionStateType value "CONNECTING".
	ConnectionStateTypeConnecting = "CONNECTING"

	// ConnectionStateTypeFailed is the ConnectionStateType value "FAILED".
	ConnectionStateTypeFailed = "FAILED"

	// ConnectionStateTypeDisconnected is the ConnectionStateType value "DISCONNECTED".
	ConnectionStateTypeDisconnected = "DISCONNECTED"

	// ConnectionStateTypeDisconnecting is the ConnectionStateType value "DISCONNECTING".
	ConnectionStateTypeDisconnecting = "DISCONNECTING"
)

// ConnectionStateType_Values lists every ConnectionStateType value declared
// above, in declaration order. A new slice is built on each call.
func ConnectionStateType_Values() []string {
	states := []string{
		ConnectionStateTypeConnected,
		ConnectionStateTypeConnecting,
		ConnectionStateTypeFailed,
		ConnectionStateTypeDisconnected,
		ConnectionStateTypeDisconnecting,
	}
	return states
}

// CustomerMasterKeySpec values name the algorithm family and key size of a
// key. KMS does not allow the spec to be changed after the key is created, so
// check the choice against the applicable cryptographic policy beforehand.
const (
	// CustomerMasterKeySpecRsa2048 is the CustomerMasterKeySpec value "RSA_2048".
	CustomerMasterKeySpecRsa2048 = "RSA_2048"

	// CustomerMasterKeySpecRsa3072 is the CustomerMasterKeySpec value "RSA_3072".
	CustomerMasterKeySpecRsa3072 = "RSA_3072"

	// CustomerMasterKeySpecRsa4096 is the CustomerMasterKeySpec value "RSA_4096".
	CustomerMasterKeySpecRsa4096 = "RSA_4096"

	// CustomerMasterKeySpecEccNistP256 is the CustomerMasterKeySpec value "ECC_NIST_P256".
	CustomerMasterKeySpecEccNistP256 = "ECC_NIST_P256"

	// CustomerMasterKeySpecEccNistP384 is the CustomerMasterKeySpec value "ECC_NIST_P384".
	CustomerMasterKeySpecEccNistP384 = "ECC_NIST_P384"

	// CustomerMasterKeySpecEccNistP521 is the CustomerMasterKeySpec value "ECC_NIST_P521".
	CustomerMasterKeySpecEccNistP521 = "ECC_NIST_P521"

	// CustomerMasterKeySpecEccSecgP256k1 is the CustomerMasterKeySpec value "ECC_SECG_P256K1".
	CustomerMasterKeySpecEccSecgP256k1 = "ECC_SECG_P256K1"

	// CustomerMasterKeySpecSymmetricDefault is the CustomerMasterKeySpec value "SYMMETRIC_DEFAULT".
	CustomerMasterKeySpecSymmetricDefault = "SYMMETRIC_DEFAULT"
)

// CustomerMasterKeySpec_Values lists every CustomerMasterKeySpec value
// declared above, in declaration order. A new slice is built on each call.
func CustomerMasterKeySpec_Values() []string {
	specs := []string{
		CustomerMasterKeySpecRsa2048,
		CustomerMasterKeySpecRsa3072,
		CustomerMasterKeySpecRsa4096,
		CustomerMasterKeySpecEccNistP256,
		CustomerMasterKeySpecEccNistP384,
		CustomerMasterKeySpecEccNistP521,
		CustomerMasterKeySpecEccSecgP256k1,
		CustomerMasterKeySpecSymmetricDefault,
	}
	return specs
}

const (
	// DataKeyPairSpecRsa2048 is the DataKeyPairSpec value "RSA_2048".
	DataKeyPairSpecRsa2048 = "RSA_2048"

	// DataKeyPairSpecRsa3072 is the DataKeyPairSpec value "RSA_3072".
	DataKeyPairSpecRsa3072 = "RSA_3072"

	// DataKeyPairSpecRsa4096 is the DataKeyPairSpec value "RSA_4096".
	DataKeyPairSpecRsa4096 = "RSA_4096"

	// DataKeyPairSpecEccNistP256 is the DataKeyPairSpec value "ECC_NIST_P256".
	DataKeyPairSpecEccNistP256 = "ECC_NIST_P256"

	// DataKeyPairSpecEccNistP384 is the DataKeyPairSpec value "ECC_NIST_P384".
	DataKeyPairSpecEccNistP384 = "ECC_NIST_P384"

	// DataKeyPairSpecEccNistP521 is the DataKeyPairSpec value "ECC_NIST_P521".
	DataKeyPairSpecEccNistP521 = "ECC_NIST_P521"

	// DataKeyPairSpecEccSecgP256k1 is the DataKeyPairSpec value "ECC_SECG_P256K1".
	DataKeyPairSpecEccSecgP256k1 = "ECC_SECG_P256K1"
)

// DataKeyPairSpec_Values lists every DataKeyPairSpec value declared above, in
// declaration order. A new slice is built on each call.
func DataKeyPairSpec_Values() []string {
	specs := []string{
		DataKeyPairSpecRsa2048,
		DataKeyPairSpecRsa3072,
		DataKeyPairSpecRsa4096,
		DataKeyPairSpecEccNistP256,
		DataKeyPairSpecEccNistP384,
		DataKeyPairSpecEccNistP521,
		DataKeyPairSpecEccSecgP256k1,
	}
	return specs
}

const (
	// DataKeySpecAes256 is the DataKeySpec value "AES_256" (a 256-bit symmetric data key).
	DataKeySpecAes256 = "AES_256"

	// DataKeySpecAes128 is the DataKeySpec value "AES_128" (a 128-bit symmetric data key).
	DataKeySpecAes128 = "AES_128"
)

// DataKeySpec_Values lists every DataKeySpec value declared above, in
// declaration order. A new slice is built on each call.
func DataKeySpec_Values() []string {
	specs := []string{
		DataKeySpecAes256,
		DataKeySpecAes128,
	}
	return specs
}

const (
	// EncryptionAlgorithmSpecSymmetricDefault is the EncryptionAlgorithmSpec
	// value "SYMMETRIC_DEFAULT", the algorithm used with symmetric keys.
	EncryptionAlgorithmSpecSymmetricDefault = "SYMMETRIC_DEFAULT"

	// EncryptionAlgorithmSpecRsaesOaepSha1 is the EncryptionAlgorithmSpec value
	// "RSAES_OAEP_SHA_1". It is OAEP padding with SHA-1 as the hash; where both
	// parties support it, RSAES_OAEP_SHA_256 is the recommended choice for RSA keys.
	EncryptionAlgorithmSpecRsaesOaepSha1 = "RSAES_OAEP_SHA_1"

	// EncryptionAlgorithmSpecRsaesOaepSha256 is the EncryptionAlgorithmSpec value
	// "RSAES_OAEP_SHA_256".
	EncryptionAlgorithmSpecRsaesOaepSha256 = "RSAES_OAEP_SHA_256"
)

// EncryptionAlgorithmSpec_Values lists every EncryptionAlgorithmSpec value
// declared above, in declaration order. A new slice is built on each call.
//
// The list is an enumeration of what the API accepts, not a policy: code that
// validates a caller-supplied algorithm should check it against the set the
// application actually intends to allow.
func EncryptionAlgorithmSpec_Values() []string {
	algorithms := []string{
		EncryptionAlgorithmSpecSymmetricDefault,
		EncryptionAlgorithmSpecRsaesOaepSha1,
		EncryptionAlgorithmSpecRsaesOaepSha256,
	}
	return algorithms
}

// ExpirationModelType values apply to keys with imported key material and say
// whether that material expires.
const (
	// ExpirationModelTypeKeyMaterialExpires is the ExpirationModelType value "KEY_MATERIAL_EXPIRES".
	ExpirationModelTypeKeyMaterialExpires = "KEY_MATERIAL_EXPIRES"

	// ExpirationModelTypeKeyMaterialDoesNotExpire is the ExpirationModelType value
	// "KEY_MATERIAL_DOES_NOT_EXPIRE".
	ExpirationModelTypeKeyMaterialDoesNotExpire = "KEY_MATERIAL_DOES_NOT_EXPIRE"
)

// ExpirationModelType_Values lists every ExpirationModelType value declared
// above, in declaration order. A new slice is built on each call.
func ExpirationModelType_Values() []string {
	models := []string{
		ExpirationModelTypeKeyMaterialExpires,
		ExpirationModelTypeKeyMaterialDoesNotExpire,
	}
	return models
}

// GrantOperation values name the KMS operations a grant can permit. A grant
// should carry only the operations its grantee needs. Grants that include
// CreateGrant or RetireGrant hand part of grant management to the grantee and
// deserve closer review.
const (
	// GrantOperationDecrypt is the GrantOperation value "Decrypt".
	GrantOperationDecrypt = "Decrypt"

	// GrantOperationEncrypt is the GrantOperation value "Encrypt".
	GrantOperationEncrypt = "Encrypt"

	// GrantOperationGenerateDataKey is the GrantOperation value "GenerateDataKey".
	GrantOperationGenerateDataKey = "GenerateDataKey"

	// GrantOperationGenerateDataKeyWithoutPlaintext is the GrantOperation value
	// "GenerateDataKeyWithoutPlaintext".
	GrantOperationGenerateDataKeyWithoutPlaintext = "GenerateDataKeyWithoutPlaintext"

	// GrantOperationReEncryptFrom is the GrantOperation value "ReEncryptFrom".
	GrantOperationReEncryptFrom = "ReEncryptFrom"

	// GrantOperationReEncryptTo is the GrantOperation value "ReEncryptTo".
	GrantOperationReEncryptTo = "ReEncryptTo"

	// GrantOperationSign is the GrantOperation value "Sign".
	GrantOperationSign = "Sign"

	// GrantOperationVerify is the GrantOperation value "Verify".
	GrantOperationVerify = "Verify"

	// GrantOperationGetPublicKey is the GrantOperation value "GetPublicKey".
	GrantOperationGetPublicKey = "GetPublicKey"

	// GrantOperationCreateGrant is the GrantOperation value "CreateGrant".
	GrantOperationCreateGrant = "CreateGrant"

	// GrantOperationRetireGrant is the GrantOperation value "RetireGrant".
	GrantOperationRetireGrant = "RetireGrant"

	// GrantOperationDescribeKey is the GrantOperation value "DescribeKey".
	GrantOperationDescribeKey = "DescribeKey"

	// GrantOperationGenerateDataKeyPair is the GrantOperation value "GenerateDataKeyPair".
	GrantOperationGenerateDataKeyPair = "GenerateDataKeyPair"

	// GrantOperationGenerateDataKeyPairWithoutPlaintext is the GrantOperation value
	// "GenerateDataKeyPairWithoutPlaintext".
	GrantOperationGenerateDataKeyPairWithoutPlaintext = "GenerateDataKeyPairWithoutPlaintext"
)

// GrantOperation_Values lists every GrantOperation value declared above, in
// declaration order. A new slice is built on each call.
//
// The result is the full enumeration. Passing it unchanged as a grant's
// operation list would permit every listed operation, so use it for
// validation or display, not as a default set of permissions.
func GrantOperation_Values() []string {
	operations := []string{
		GrantOperationDecrypt,
		GrantOperationEncrypt,
		GrantOperationGenerateDataKey,
		GrantOperationGenerateDataKeyWithoutPlaintext,
		GrantOperationReEncryptFrom,
		GrantOperationReEncryptTo,
		GrantOperationSign,
		GrantOperationVerify,
		GrantOperationGetPublicKey,
		GrantOperationCreateGrant,
		GrantOperationRetireGrant,
		GrantOperationDescribeKey,
		GrantOperationGenerateDataKeyPair,
		GrantOperationGenerateDataKeyPairWithoutPlaintext,
	}
	return operations
}

const (
	// KeyManagerTypeAws is the KeyManagerType value "AWS".
	KeyManagerTypeAws = "AWS"

	// KeyManagerTypeCustomer is the KeyManagerType value "CUSTOMER".
	KeyManagerTypeCustomer = "CUSTOMER"
)

// KeyManagerType_Values lists every KeyManagerType value declared above, in
// declaration order. A new slice is built on each call.
func KeyManagerType_Values() []string {
	managers := []string{
		KeyManagerTypeAws,
		KeyManagerTypeCustomer,
	}
	return managers
}

// KeyState values describe where a key is in its lifecycle. PendingDeletion
// and PendingReplicaDeletion mean the key is scheduled for deletion.
// Monitoring for transitions into those states leaves time to cancel the
// deletion before the key, and the data encrypted under it, becomes
// unrecoverable.
const (
	// KeyStateCreating is the KeyState value "Creating".
	KeyStateCreating = "Creating"

	// KeyStateEnabled is the KeyState value "Enabled".
	KeyStateEnabled = "Enabled"

	// KeyStateDisabled is the KeyState value "Disabled".
	KeyStateDisabled = "Disabled"

	// KeyStatePendingDeletion is the KeyState value "PendingDeletion".
	KeyStatePendingDeletion = "PendingDeletion"

	// KeyStatePendingImport is the KeyState value "PendingImport".
	KeyStatePendingImport = "PendingImport"

	// KeyStatePendingReplicaDeletion is the KeyState value "PendingReplicaDeletion".
	KeyStatePendingReplicaDeletion = "PendingReplicaDeletion"

	// KeyStateUnavailable is the KeyState value "Unavailable".
	KeyStateUnavailable = "Unavailable"

	// KeyStateUpdating is the KeyState value "Updating".
	KeyStateUpdating = "Updating"
)

// KeyState_Values lists every KeyState value declared above, in declaration
// order. A new slice is built on each call.
func KeyState_Values() []string {
	states := []string{
		KeyStateCreating,
		KeyStateEnabled,
		KeyStateDisabled,
		KeyStatePendingDeletion,
		KeyStatePendingImport,
		KeyStatePendingReplicaDeletion,
		KeyStateUnavailable,
		KeyStateUpdating,
	}
	return states
}

const (
	// KeyUsageTypeSignVerify is the KeyUsageType value "SIGN_VERIFY".
	KeyUsageTypeSignVerify = "SIGN_VERIFY"

	// KeyUsageTypeEncryptDecrypt is the KeyUsageType value "ENCRYPT_DECRYPT".
	KeyUsageTypeEncryptDecrypt = "ENCRYPT_DECRYPT"
)

// KeyUsageType_Values lists every KeyUsageType value declared above, in
// declaration order. A new slice is built on each call.
func KeyUsageType_Values() []string {
	usages := []string{
		KeyUsageTypeSignVerify,
		KeyUsageTypeEncryptDecrypt,
	}
	return usages
}

// MessageType values tell the signing operations whether the supplied message
// is the raw message or a digest of it. DIGEST must only be used when the
// caller has already hashed the message with the hash that matches the
// signing algorithm. Sending an unhashed message as DIGEST weakens the
// signature.
const (
	// MessageTypeRaw is the MessageType value "RAW".
	MessageTypeRaw = "RAW"

	// MessageTypeDigest is the MessageType value "DIGEST".
	MessageTypeDigest = "DIGEST"
)

// MessageType_Values lists every MessageType value declared above, in
// declaration order. A new slice is built on each call.
func MessageType_Values() []string {
	types := []string{
		MessageTypeRaw,
		MessageTypeDigest,
	}
	return types
}

const (
	// MultiRegionKeyTypePrimary is the MultiRegionKeyType value "PRIMARY".
	MultiRegionKeyTypePrimary = "PRIMARY"

	// MultiRegionKeyTypeReplica is the MultiRegionKeyType value "REPLICA".
	MultiRegionKeyTypeReplica = "REPLICA"
)

// MultiRegionKeyType_Values lists every MultiRegionKeyType value declared
// above, in declaration order. A new slice is built on each call.
func MultiRegionKeyType_Values() []string {
	types := []string{
		MultiRegionKeyTypePrimary,
		MultiRegionKeyTypeReplica,
	}
	return types
}

// OriginType values record where a key's material comes from: generated by
// KMS, imported by the customer (EXTERNAL), or held in a CloudHSM-backed
// custom key store.
const (
	// OriginTypeAwsKms is the OriginType value "AWS_KMS".
	OriginTypeAwsKms = "AWS_KMS"

	// OriginTypeExternal is the OriginType value "EXTERNAL".
	OriginTypeExternal = "EXTERNAL"

	// OriginTypeAwsCloudhsm is the OriginType value "AWS_CLOUDHSM".
	OriginTypeAwsCloudhsm = "AWS_CLOUDHSM"
)

// OriginType_Values lists every OriginType value declared above, in
// declaration order. A new slice is built on each call.
func OriginType_Values() []string {
	origins := []string{
		OriginTypeAwsKms,
		OriginTypeExternal,
		OriginTypeAwsCloudhsm,
	}
	return origins
}

// SigningAlgorithmSpec values name the signature schemes the API accepts. For
// RSA keys the RSASSA_PSS variants are generally preferred in new designs.
// The RSASSA_PKCS1_V1_5 variants exist for compatibility with existing
// applications.
const (
	// SigningAlgorithmSpecRsassaPssSha256 is the SigningAlgorithmSpec value "RSASSA_PSS_SHA_256".
	SigningAlgorithmSpecRsassaPssSha256 = "RSASSA_PSS_SHA_256"

	// SigningAlgorithmSpecRsassaPssSha384 is the SigningAlgorithmSpec value "RSASSA_PSS_SHA_384".
	SigningAlgorithmSpecRsassaPssSha384 = "RSASSA_PSS_SHA_384"

	// SigningAlgorithmSpecRsassaPssSha512 is the SigningAlgorithmSpec value "RSASSA_PSS_SHA_512".
	SigningAlgorithmSpecRsassaPssSha512 = "RSASSA_PSS_SHA_512"

	// SigningAlgorithmSpecRsassaPkcs1V15Sha256 is the SigningAlgorithmSpec value
	// "RSASSA_PKCS1_V1_5_SHA_256".
	SigningAlgorithmSpecRsassaPkcs1V15Sha256 = "RSASSA_PKCS1_V1_5_SHA_256"

	// SigningAlgorithmSpecRsassaPkcs1V15Sha384 is the SigningAlgorithmSpec value
	// "RSASSA_PKCS1_V1_5_SHA_384".
	SigningAlgorithmSpecRsassaPkcs1V15Sha384 = "RSASSA_PKCS1_V1_5_SHA_384"

	// SigningAlgorithmSpecRsassaPkcs1V15Sha512 is the SigningAlgorithmSpec value
	// "RSASSA_PKCS1_V1_5_SHA_512".
	SigningAlgorithmSpecRsassaPkcs1V15Sha512 = "RSASSA_PKCS1_V1_5_SHA_512"

	// SigningAlgorithmSpecEcdsaSha256 is the SigningAlgorithmSpec value "ECDSA_SHA_256".
	SigningAlgorithmSpecEcdsaSha256 = "ECDSA_SHA_256"

	// SigningAlgorithmSpecEcdsaSha384 is the SigningAlgorithmSpec value "ECDSA_SHA_384".
	SigningAlgorithmSpecEcdsaSha384 = "ECDSA_SHA_384"

	// SigningAlgorithmSpecEcdsaSha512 is the SigningAlgorithmSpec value "ECDSA_SHA_512".
	SigningAlgorithmSpecEcdsaSha512 = "ECDSA_SHA_512"
)

// SigningAlgorithmSpec_Values lists every SigningAlgorithmSpec value declared
// above, in declaration order. A new slice is built on each call.
//
// A verifier should pin the algorithm it expects rather than accept any
// member of this list taken from the message being verified.
func SigningAlgorithmSpec_Values() []string {
	algorithms := []string{
		SigningAlgorithmSpecRsassaPssSha256,
		SigningAlgorithmSpecRsassaPssSha384,
		SigningAlgorithmSpecRsassaPssSha512,
		SigningAlgorithmSpecRsassaPkcs1V15Sha256,
		SigningAlgorithmSpecRsassaPkcs1V15Sha384,
		SigningAlgorithmSpecRsassaPkcs1V15Sha512,
		SigningAlgorithmSpecEcdsaSha256,
		SigningAlgorithmSpecEcdsaSha384,
		SigningAlgorithmSpecEcdsaSha512,
	}
	return algorithms
}

const (
	// WrappingKeySpecRsa2048 is the WrappingKeySpec value "RSA_2048", the only
	// wrapping key spec this file declares.
	WrappingKeySpecRsa2048 = "RSA_2048"
)

// WrappingKeySpec_Values lists every WrappingKeySpec value declared above. A
// new slice is built on each call.
func WrappingKeySpec_Values() []string {
	specs := []string{
		WrappingKeySpecRsa2048,
	}
	return specs
}