1// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT.
2
3package kms
4
5import (
6	"fmt"
7	"time"
8
9	"github.com/aws/aws-sdk-go/aws"
10	"github.com/aws/aws-sdk-go/aws/awsutil"
11	"github.com/aws/aws-sdk-go/aws/request"
12	"github.com/aws/aws-sdk-go/private/protocol"
13	"github.com/aws/aws-sdk-go/private/protocol/jsonrpc"
14)
15
// opCancelKeyDeletion is the operation name placed in request.Operation.Name
// by CancelKeyDeletionRequest.
const (
	opCancelKeyDeletion = "CancelKeyDeletion"
)
17
18// CancelKeyDeletionRequest generates a "aws/request.Request" representing the
19// client's request for the CancelKeyDeletion operation. The "output" return
20// value will be populated with the request's response once the request completes
21// successfully.
22//
23// Use "Send" method on the returned Request to send the API call to the service.
24// the "output" return value is not valid until after Send returns without error.
25//
26// See CancelKeyDeletion for more information on using the CancelKeyDeletion
27// API call, and error handling.
28//
29// This method is useful when you want to inject custom logic or configuration
30// into the SDK's request lifecycle. Such as custom headers, or retry logic.
31//
32//
33//    // Example sending a request using the CancelKeyDeletionRequest method.
34//    req, resp := client.CancelKeyDeletionRequest(params)
35//
36//    err := req.Send()
37//    if err == nil { // resp is now filled
38//        fmt.Println(resp)
39//    }
40//
41// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CancelKeyDeletion
func (c *KMS) CancelKeyDeletionRequest(input *CancelKeyDeletionInput) (req *request.Request, output *CancelKeyDeletionOutput) {
	// Substitute an empty input when the caller passes nil so newRequest is
	// never handed a nil parameter struct.
	if input == nil {
		input = &CancelKeyDeletionInput{}
	}

	// output is allocated here and bound to the request; it is only
	// meaningful once Send has returned without error.
	output = &CancelKeyDeletionOutput{}
	req = c.newRequest(&request.Operation{
		Name:       opCancelKeyDeletion,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	return req, output
}
57
58// CancelKeyDeletion API operation for AWS Key Management Service.
59//
60// Cancels the deletion of a customer master key (CMK). When this operation
61// succeeds, the key state of the CMK is Disabled. To enable the CMK, use EnableKey.
62//
63// For more information about scheduling and canceling deletion of a CMK, see
64// Deleting Customer Master Keys (https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html)
65// in the AWS Key Management Service Developer Guide.
66//
67// The CMK that you use for this operation must be in a compatible key state.
68// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
69// in the AWS Key Management Service Developer Guide.
70//
71// Cross-account use: No. You cannot perform this operation on a CMK in a different
72// AWS account.
73//
74// Required permissions: kms:CancelKeyDeletion (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
75// (key policy)
76//
77// Related operations: ScheduleKeyDeletion
78//
79// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
80// with awserr.Error's Code and Message methods to get detailed information about
81// the error.
82//
83// See the AWS API reference guide for AWS Key Management Service's
84// API operation CancelKeyDeletion for usage and error information.
85//
86// Returned Error Types:
87//   * NotFoundException
88//   The request was rejected because the specified entity or resource could not
89//   be found.
90//
91//   * InvalidArnException
92//   The request was rejected because a specified ARN, or an ARN in a key policy,
93//   is not valid.
94//
95//   * DependencyTimeoutException
96//   The system timed out while trying to fulfill the request. The request can
97//   be retried.
98//
99//   * InternalException
100//   The request was rejected because an internal exception occurred. The request
101//   can be retried.
102//
103//   * InvalidStateException
104//   The request was rejected because the state of the specified resource is not
105//   valid for this request.
106//
107//   For more information about how key state affects the use of a CMK, see How
108//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
109//   in the AWS Key Management Service Developer Guide .
110//
111// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CancelKeyDeletion
func (c *KMS) CancelKeyDeletion(input *CancelKeyDeletionInput) (*CancelKeyDeletionOutput, error) {
	req, out := c.CancelKeyDeletionRequest(input)
	// out is returned together with the Send error and is non-nil even on
	// failure, so callers must check the error before reading it. On success
	// the operation docs state the CMK is left Disabled, not re-enabled.
	err := req.Send()
	return out, err
}
116
117// CancelKeyDeletionWithContext is the same as CancelKeyDeletion with the addition of
118// the ability to pass a context and additional request options.
119//
120// See CancelKeyDeletion for details on how to use this API operation.
121//
122// The context must be non-nil and will be used for request cancellation. If
123// the context is nil a panic will occur. In the future the SDK may create
124// sub-contexts for http.Requests. See https://golang.org/pkg/context/
125// for more information on using Contexts.
func (c *KMS) CancelKeyDeletionWithContext(ctx aws.Context, input *CancelKeyDeletionInput, opts ...request.Option) (*CancelKeyDeletionOutput, error) {
	req, out := c.CancelKeyDeletionRequest(input)

	// ctx must be non-nil (documented to panic otherwise); it drives request
	// cancellation. Options are applied after the context, before sending.
	req.SetContext(ctx)
	req.ApplyOptions(opts...)

	// out is returned even when Send fails; check the error first.
	err := req.Send()
	return out, err
}
132
// opConnectCustomKeyStore is the operation name placed in
// request.Operation.Name by ConnectCustomKeyStoreRequest.
const (
	opConnectCustomKeyStore = "ConnectCustomKeyStore"
)
134
135// ConnectCustomKeyStoreRequest generates a "aws/request.Request" representing the
136// client's request for the ConnectCustomKeyStore operation. The "output" return
137// value will be populated with the request's response once the request completes
138// successfully.
139//
140// Use "Send" method on the returned Request to send the API call to the service.
141// the "output" return value is not valid until after Send returns without error.
142//
143// See ConnectCustomKeyStore for more information on using the ConnectCustomKeyStore
144// API call, and error handling.
145//
146// This method is useful when you want to inject custom logic or configuration
147// into the SDK's request lifecycle. Such as custom headers, or retry logic.
148//
149//
150//    // Example sending a request using the ConnectCustomKeyStoreRequest method.
151//    req, resp := client.ConnectCustomKeyStoreRequest(params)
152//
153//    err := req.Send()
154//    if err == nil { // resp is now filled
155//        fmt.Println(resp)
156//    }
157//
158// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ConnectCustomKeyStore
func (c *KMS) ConnectCustomKeyStoreRequest(input *ConnectCustomKeyStoreInput) (req *request.Request, output *ConnectCustomKeyStoreOutput) {
	// Substitute an empty input when the caller passes nil so newRequest is
	// never handed a nil parameter struct.
	if input == nil {
		input = &ConnectCustomKeyStoreInput{}
	}

	output = &ConnectCustomKeyStoreOutput{}
	req = c.newRequest(&request.Operation{
		Name:       opConnectCustomKeyStore,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)

	// Replace the handler registered under the JSON-RPC unmarshal handler's
	// name with protocol.UnmarshalDiscardBodyHandler. Judging by its name it
	// drops the response body instead of decoding it into output, which fits
	// the documented "JSON object with no properties" response — confirm in
	// the protocol package.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}
175
176// ConnectCustomKeyStore API operation for AWS Key Management Service.
177//
178// Connects or reconnects a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
179// to its associated AWS CloudHSM cluster.
180//
181// The custom key store must be connected before you can create customer master
182// keys (CMKs) in the key store or use the CMKs it contains. You can disconnect
183// and reconnect a custom key store at any time.
184//
185// To connect a custom key store, its associated AWS CloudHSM cluster must have
186// at least one active HSM. To get the number of active HSMs in a cluster, use
187// the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
188// operation. To add HSMs to the cluster, use the CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html)
// operation. Also, the kmsuser crypto user (https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser)
// (CU) must not be logged into the cluster. An existing kmsuser session prevents
// AWS KMS from using this account to log in.
192//
193// The connection process can take an extended amount of time to complete; up
194// to 20 minutes. This operation starts the connection process, but it does
195// not wait for it to complete. When it succeeds, this operation quickly returns
196// an HTTP 200 response and a JSON object with no properties. However, this
197// response does not indicate that the custom key store is connected. To get
198// the connection state of the custom key store, use the DescribeCustomKeyStores
199// operation.
200//
201// During the connection process, AWS KMS finds the AWS CloudHSM cluster that
202// is associated with the custom key store, creates the connection infrastructure,
203// connects to the cluster, logs into the AWS CloudHSM client as the kmsuser
204// CU, and rotates its password.
205//
206// The ConnectCustomKeyStore operation might fail for various reasons. To find
207// the reason, use the DescribeCustomKeyStores operation and see the ConnectionErrorCode
208// in the response. For help interpreting the ConnectionErrorCode, see CustomKeyStoresListEntry.
209//
210// To fix the failure, use the DisconnectCustomKeyStore operation to disconnect
211// the custom key store, correct the error, use the UpdateCustomKeyStore operation
212// if necessary, and then use ConnectCustomKeyStore again.
213//
214// If you are having trouble connecting or disconnecting a custom key store,
215// see Troubleshooting a Custom Key Store (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html)
216// in the AWS Key Management Service Developer Guide.
217//
218// Cross-account use: No. You cannot perform this operation on a custom key
219// store in a different AWS account.
220//
221// Required permissions: kms:ConnectCustomKeyStore (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
222// (IAM policy)
223//
224// Related operations
225//
226//    * CreateCustomKeyStore
227//
228//    * DeleteCustomKeyStore
229//
230//    * DescribeCustomKeyStores
231//
232//    * DisconnectCustomKeyStore
233//
234//    * UpdateCustomKeyStore
235//
236// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
237// with awserr.Error's Code and Message methods to get detailed information about
238// the error.
239//
240// See the AWS API reference guide for AWS Key Management Service's
241// API operation ConnectCustomKeyStore for usage and error information.
242//
243// Returned Error Types:
244//   * CloudHsmClusterNotActiveException
245//   The request was rejected because the AWS CloudHSM cluster that is associated
246//   with the custom key store is not active. Initialize and activate the cluster
247//   and try the command again. For detailed instructions, see Getting Started
248//   (https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html)
249//   in the AWS CloudHSM User Guide.
250//
251//   * CustomKeyStoreInvalidStateException
252//   The request was rejected because of the ConnectionState of the custom key
253//   store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores
254//   operation.
255//
256//   This exception is thrown under the following conditions:
257//
258//      * You requested the CreateKey or GenerateRandom operation in a custom
259//      key store that is not connected. These operations are valid only when
260//      the custom key store ConnectionState is CONNECTED.
261//
262//      * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation
263//      on a custom key store that is not disconnected. This operation is valid
264//      only when the custom key store ConnectionState is DISCONNECTED.
265//
266//      * You requested the ConnectCustomKeyStore operation on a custom key store
267//      with a ConnectionState of DISCONNECTING or FAILED. This operation is valid
268//      for all other ConnectionState values.
269//
270//   * CustomKeyStoreNotFoundException
271//   The request was rejected because AWS KMS cannot find a custom key store with
272//   the specified key store name or ID.
273//
274//   * InternalException
275//   The request was rejected because an internal exception occurred. The request
276//   can be retried.
277//
278//   * CloudHsmClusterInvalidConfigurationException
279//   The request was rejected because the associated AWS CloudHSM cluster did
280//   not meet the configuration requirements for a custom key store.
281//
282//      * The cluster must be configured with private subnets in at least two
283//      different Availability Zones in the Region.
284//
285//      * The security group for the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html)
286//      (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound
287//      rules that allow TCP traffic on ports 2223-2225. The Source in the inbound
288//      rules and the Destination in the outbound rules must match the security
289//      group ID. These rules are set by default when you create the cluster.
290//      Do not delete or change them. To get information about a particular security
291//      group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html)
292//      operation.
293//
294//      * The cluster must contain at least as many HSMs as the operation requires.
295//      To add HSMs, use the AWS CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html)
296//      operation. For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey
297//      operations, the AWS CloudHSM cluster must have at least two active HSMs,
298//      each in a different Availability Zone. For the ConnectCustomKeyStore operation,
299//      the AWS CloudHSM must contain at least one active HSM.
300//
301//   For information about the requirements for an AWS CloudHSM cluster that is
302//   associated with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore)
303//   in the AWS Key Management Service Developer Guide. For information about
304//   creating a private subnet for an AWS CloudHSM cluster, see Create a Private
305//   Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html)
306//   in the AWS CloudHSM User Guide. For information about cluster security groups,
307//   see Configure a Default Security Group (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html)
308//   in the AWS CloudHSM User Guide .
309//
310// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ConnectCustomKeyStore
func (c *KMS) ConnectCustomKeyStore(input *ConnectCustomKeyStoreInput) (*ConnectCustomKeyStoreOutput, error) {
	req, out := c.ConnectCustomKeyStoreRequest(input)
	// A nil error only means the connection process was started; per the
	// operation docs it does not show that the key store is connected.
	// Callers that gate key use on connectivity should read the connection
	// state from DescribeCustomKeyStores rather than trusting this result.
	err := req.Send()
	return out, err
}
315
316// ConnectCustomKeyStoreWithContext is the same as ConnectCustomKeyStore with the addition of
317// the ability to pass a context and additional request options.
318//
319// See ConnectCustomKeyStore for details on how to use this API operation.
320//
321// The context must be non-nil and will be used for request cancellation. If
322// the context is nil a panic will occur. In the future the SDK may create
323// sub-contexts for http.Requests. See https://golang.org/pkg/context/
324// for more information on using Contexts.
func (c *KMS) ConnectCustomKeyStoreWithContext(ctx aws.Context, input *ConnectCustomKeyStoreInput, opts ...request.Option) (*ConnectCustomKeyStoreOutput, error) {
	req, out := c.ConnectCustomKeyStoreRequest(input)

	// ctx must be non-nil (documented to panic otherwise); it drives request
	// cancellation. Options are applied after the context, before sending.
	req.SetContext(ctx)
	req.ApplyOptions(opts...)

	// out is returned even when Send fails; check the error first. Success
	// means the connection process started, not that it completed.
	err := req.Send()
	return out, err
}
331
// opCreateAlias is the operation name placed in request.Operation.Name by
// CreateAliasRequest.
const (
	opCreateAlias = "CreateAlias"
)
333
334// CreateAliasRequest generates a "aws/request.Request" representing the
335// client's request for the CreateAlias operation. The "output" return
336// value will be populated with the request's response once the request completes
337// successfully.
338//
339// Use "Send" method on the returned Request to send the API call to the service.
340// the "output" return value is not valid until after Send returns without error.
341//
342// See CreateAlias for more information on using the CreateAlias
343// API call, and error handling.
344//
345// This method is useful when you want to inject custom logic or configuration
346// into the SDK's request lifecycle. Such as custom headers, or retry logic.
347//
348//
349//    // Example sending a request using the CreateAliasRequest method.
350//    req, resp := client.CreateAliasRequest(params)
351//
352//    err := req.Send()
353//    if err == nil { // resp is now filled
354//        fmt.Println(resp)
355//    }
356//
357// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateAlias
func (c *KMS) CreateAliasRequest(input *CreateAliasInput) (req *request.Request, output *CreateAliasOutput) {
	// Substitute an empty input when the caller passes nil so newRequest is
	// never handed a nil parameter struct.
	if input == nil {
		input = &CreateAliasInput{}
	}

	output = &CreateAliasOutput{}
	req = c.newRequest(&request.Operation{
		Name:       opCreateAlias,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)

	// Replace the handler registered under the JSON-RPC unmarshal handler's
	// name with protocol.UnmarshalDiscardBodyHandler. Judging by its name it
	// drops the response body instead of decoding it into output, which fits
	// the documented "does not return a response" behaviour — confirm in the
	// protocol package.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}
374
375// CreateAlias API operation for AWS Key Management Service.
376//
377// Creates a friendly name for a customer master key (CMK).
378//
379// Adding, deleting, or updating an alias can allow or deny permission to the
380// CMK. For details, see Using ABAC in AWS KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html)
381// in the AWS Key Management Service Developer Guide.
382//
383// You can use an alias to identify a CMK in the AWS KMS console, in the DescribeKey
384// operation and in cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations),
385// such as Encrypt and GenerateDataKey. You can also change the CMK that's associated
386// with the alias (UpdateAlias) or delete the alias (DeleteAlias) at any time.
387// These operations don't affect the underlying CMK.
388//
389// You can associate the alias with any customer managed CMK in the same AWS
390// Region. Each alias is associated with only one CMK at a time, but a CMK can
391// have multiple aliases. A valid CMK is required. You can't create an alias
392// without a CMK.
393//
394// The alias must be unique in the account and Region, but you can have aliases
395// with the same name in different Regions. For detailed information about aliases,
396// see Using aliases (https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html)
397// in the AWS Key Management Service Developer Guide.
398//
399// This operation does not return a response. To get the alias that you created,
400// use the ListAliases operation.
401//
402// The CMK that you use for this operation must be in a compatible key state.
403// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
404// in the AWS Key Management Service Developer Guide.
405//
406// Cross-account use: No. You cannot perform this operation on an alias in a
407// different AWS account.
408//
409// Required permissions
410//
411//    * kms:CreateAlias (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
412//    on the alias (IAM policy).
413//
414//    * kms:CreateAlias (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
415//    on the CMK (key policy).
416//
417// For details, see Controlling access to aliases (https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access)
418// in the AWS Key Management Service Developer Guide.
419//
420// Related operations:
421//
422//    * DeleteAlias
423//
424//    * ListAliases
425//
426//    * UpdateAlias
427//
428// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
429// with awserr.Error's Code and Message methods to get detailed information about
430// the error.
431//
432// See the AWS API reference guide for AWS Key Management Service's
433// API operation CreateAlias for usage and error information.
434//
435// Returned Error Types:
436//   * DependencyTimeoutException
437//   The system timed out while trying to fulfill the request. The request can
438//   be retried.
439//
440//   * AlreadyExistsException
441//   The request was rejected because it attempted to create a resource that already
442//   exists.
443//
444//   * NotFoundException
445//   The request was rejected because the specified entity or resource could not
446//   be found.
447//
448//   * InvalidAliasNameException
449//   The request was rejected because the specified alias name is not valid.
450//
451//   * InternalException
452//   The request was rejected because an internal exception occurred. The request
453//   can be retried.
454//
455//   * LimitExceededException
456//   The request was rejected because a quota was exceeded. For more information,
457//   see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html)
458//   in the AWS Key Management Service Developer Guide.
459//
460//   * InvalidStateException
461//   The request was rejected because the state of the specified resource is not
462//   valid for this request.
463//
464//   For more information about how key state affects the use of a CMK, see How
465//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
466//   in the AWS Key Management Service Developer Guide .
467//
468// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateAlias
func (c *KMS) CreateAlias(input *CreateAliasInput) (*CreateAliasOutput, error) {
	req, out := c.CreateAliasRequest(input)
	// The operation docs note that adding an alias can allow or deny
	// permission to the CMK (ABAC), so a successful call may change who can
	// use the key. The operation returns no response data; use ListAliases to
	// read back the alias that was created.
	err := req.Send()
	return out, err
}
473
474// CreateAliasWithContext is the same as CreateAlias with the addition of
475// the ability to pass a context and additional request options.
476//
477// See CreateAlias for details on how to use this API operation.
478//
479// The context must be non-nil and will be used for request cancellation. If
480// the context is nil a panic will occur. In the future the SDK may create
481// sub-contexts for http.Requests. See https://golang.org/pkg/context/
482// for more information on using Contexts.
func (c *KMS) CreateAliasWithContext(ctx aws.Context, input *CreateAliasInput, opts ...request.Option) (*CreateAliasOutput, error) {
	req, out := c.CreateAliasRequest(input)

	// ctx must be non-nil (documented to panic otherwise); it drives request
	// cancellation. Options are applied after the context, before sending.
	req.SetContext(ctx)
	req.ApplyOptions(opts...)

	// out is returned even when Send fails; check the error first.
	err := req.Send()
	return out, err
}
489
// opCreateCustomKeyStore is the operation name placed in
// request.Operation.Name by CreateCustomKeyStoreRequest.
const (
	opCreateCustomKeyStore = "CreateCustomKeyStore"
)
491
492// CreateCustomKeyStoreRequest generates a "aws/request.Request" representing the
493// client's request for the CreateCustomKeyStore operation. The "output" return
494// value will be populated with the request's response once the request completes
495// successfully.
496//
497// Use "Send" method on the returned Request to send the API call to the service.
498// the "output" return value is not valid until after Send returns without error.
499//
500// See CreateCustomKeyStore for more information on using the CreateCustomKeyStore
501// API call, and error handling.
502//
503// This method is useful when you want to inject custom logic or configuration
504// into the SDK's request lifecycle. Such as custom headers, or retry logic.
505//
506//
507//    // Example sending a request using the CreateCustomKeyStoreRequest method.
508//    req, resp := client.CreateCustomKeyStoreRequest(params)
509//
510//    err := req.Send()
511//    if err == nil { // resp is now filled
512//        fmt.Println(resp)
513//    }
514//
515// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateCustomKeyStore
func (c *KMS) CreateCustomKeyStoreRequest(input *CreateCustomKeyStoreInput) (req *request.Request, output *CreateCustomKeyStoreOutput) {
	// Substitute an empty input when the caller passes nil so newRequest is
	// never handed a nil parameter struct.
	if input == nil {
		input = &CreateCustomKeyStoreInput{}
	}

	// output is allocated here and bound to the request; it is only
	// meaningful once Send has returned without error.
	output = &CreateCustomKeyStoreOutput{}
	req = c.newRequest(&request.Operation{
		Name:       opCreateCustomKeyStore,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	return req, output
}
531
532// CreateCustomKeyStore API operation for AWS Key Management Service.
533//
534// Creates a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
535// that is associated with an AWS CloudHSM cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/clusters.html)
536// that you own and manage.
537//
// This operation is part of the Custom Key Store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
// in AWS KMS, which combines the convenience and extensive integration
// of AWS KMS with the isolation and control of a single-tenant key store.
541//
542// Before you create the custom key store, you must assemble the required elements,
543// including an AWS CloudHSM cluster that fulfills the requirements for a custom
544// key store. For details about the required elements, see Assemble the Prerequisites
545// (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore)
546// in the AWS Key Management Service Developer Guide.
547//
548// When the operation completes successfully, it returns the ID of the new custom
549// key store. Before you can use your new custom key store, you need to use
550// the ConnectCustomKeyStore operation to connect the new key store to its AWS
551// CloudHSM cluster. Even if you are not going to use your custom key store
552// immediately, you might want to connect it to verify that all settings are
553// correct and then disconnect it until you are ready to use it.
554//
555// For help with failures, see Troubleshooting a Custom Key Store (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html)
556// in the AWS Key Management Service Developer Guide.
557//
558// Cross-account use: No. You cannot perform this operation on a custom key
559// store in a different AWS account.
560//
561// Required permissions: kms:CreateCustomKeyStore (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
562// (IAM policy).
563//
564// Related operations:
565//
566//    * ConnectCustomKeyStore
567//
568//    * DeleteCustomKeyStore
569//
570//    * DescribeCustomKeyStores
571//
572//    * DisconnectCustomKeyStore
573//
574//    * UpdateCustomKeyStore
575//
576// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
577// with awserr.Error's Code and Message methods to get detailed information about
578// the error.
579//
580// See the AWS API reference guide for AWS Key Management Service's
581// API operation CreateCustomKeyStore for usage and error information.
582//
583// Returned Error Types:
584//   * CloudHsmClusterInUseException
585//   The request was rejected because the specified AWS CloudHSM cluster is already
586//   associated with a custom key store or it shares a backup history with a cluster
587//   that is associated with a custom key store. Each custom key store must be
588//   associated with a different AWS CloudHSM cluster.
589//
590//   Clusters that share a backup history have the same cluster certificate. To
591//   view the cluster certificate of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
592//   operation.
593//
594//   * CustomKeyStoreNameInUseException
595//   The request was rejected because the specified custom key store name is already
596//   assigned to another custom key store in the account. Try again with a custom
597//   key store name that is unique in the account.
598//
599//   * CloudHsmClusterNotFoundException
600//   The request was rejected because AWS KMS cannot find the AWS CloudHSM cluster
601//   with the specified cluster ID. Retry the request with a different cluster
602//   ID.
603//
604//   * InternalException
605//   The request was rejected because an internal exception occurred. The request
606//   can be retried.
607//
608//   * CloudHsmClusterNotActiveException
609//   The request was rejected because the AWS CloudHSM cluster that is associated
610//   with the custom key store is not active. Initialize and activate the cluster
611//   and try the command again. For detailed instructions, see Getting Started
612//   (https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html)
613//   in the AWS CloudHSM User Guide.
614//
615//   * IncorrectTrustAnchorException
616//   The request was rejected because the trust anchor certificate in the request
617//   is not the trust anchor certificate for the specified AWS CloudHSM cluster.
618//
619//   When you initialize the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr),
620//   you create the trust anchor certificate and save it in the customerCA.crt
621//   file.
622//
623//   * CloudHsmClusterInvalidConfigurationException
624//   The request was rejected because the associated AWS CloudHSM cluster did
625//   not meet the configuration requirements for a custom key store.
626//
627//      * The cluster must be configured with private subnets in at least two
628//      different Availability Zones in the Region.
629//
630//      * The security group for the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html)
631//      (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound
632//      rules that allow TCP traffic on ports 2223-2225. The Source in the inbound
633//      rules and the Destination in the outbound rules must match the security
634//      group ID. These rules are set by default when you create the cluster.
635//      Do not delete or change them. To get information about a particular security
636//      group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html)
637//      operation.
638//
639//      * The cluster must contain at least as many HSMs as the operation requires.
640//      To add HSMs, use the AWS CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html)
641//      operation. For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey
642//      operations, the AWS CloudHSM cluster must have at least two active HSMs,
643//      each in a different Availability Zone. For the ConnectCustomKeyStore operation,
644//      the AWS CloudHSM must contain at least one active HSM.
645//
646//   For information about the requirements for an AWS CloudHSM cluster that is
647//   associated with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore)
648//   in the AWS Key Management Service Developer Guide. For information about
649//   creating a private subnet for an AWS CloudHSM cluster, see Create a Private
650//   Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html)
651//   in the AWS CloudHSM User Guide. For information about cluster security groups,
652//   see Configure a Default Security Group (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html)
653//   in the AWS CloudHSM User Guide .
654//
655// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateCustomKeyStore
func (c *KMS) CreateCustomKeyStore(input *CreateCustomKeyStoreInput) (*CreateCustomKeyStoreOutput, error) {
	// Build the request first, then send it synchronously.
	call, result := c.CreateCustomKeyStoreRequest(input)
	err := call.Send()
	// result is handed back even when err is non-nil; callers should only
	// read it after checking that err is nil.
	return result, err
}
660
// CreateCustomKeyStoreWithContext behaves like CreateCustomKeyStore, and
// additionally accepts a context and optional request options.
//
// See CreateCustomKeyStore for details on how to use this API operation.
//
// The context must be non-nil; it is used for request cancellation, and a nil
// context causes a panic. In the future the SDK may create sub-contexts for
// http.Requests. See https://golang.org/pkg/context/ for more information on
// using Contexts.
func (c *KMS) CreateCustomKeyStoreWithContext(ctx aws.Context, input *CreateCustomKeyStoreInput, opts ...request.Option) (*CreateCustomKeyStoreOutput, error) {
	call, result := c.CreateCustomKeyStoreRequest(input)
	// Attach the context before applying options and sending.
	call.SetContext(ctx)
	call.ApplyOptions(opts...)
	err := call.Send()
	// result is only meaningful when err is nil.
	return result, err
}
676
const opCreateGrant = "CreateGrant"

// CreateGrantRequest builds the "aws/request.Request" for the CreateGrant
// operation without sending it. The returned "output" value is filled in with
// the service response once the request completes successfully.
//
// Call "Send" on the returned Request to make the API call. Do not read
// "output" until Send has returned without error.
//
// See CreateGrant for more information on using the CreateGrant API call, and
// error handling.
//
// Use this method when you need to inject custom logic or configuration into
// the SDK's request lifecycle, such as custom headers or retry logic.
//
//
//    // Example sending a request using the CreateGrantRequest method.
//    req, resp := client.CreateGrantRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateGrant
func (c *KMS) CreateGrantRequest(input *CreateGrantInput) (req *request.Request, output *CreateGrantOutput) {
	// A nil input is replaced by an empty one so newRequest never sees nil.
	if input == nil {
		input = &CreateGrantInput{}
	}
	output = &CreateGrantOutput{}

	req = c.newRequest(&request.Operation{
		Name:       opCreateGrant,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	return req, output
}
718
719// CreateGrant API operation for AWS Key Management Service.
720//
721// Adds a grant to a customer master key (CMK).
722//
723// A grant is a policy instrument that allows AWS principals to use AWS KMS
724// customer master keys (CMKs) in cryptographic operations. It also can allow
725// them to view a CMK (DescribeKey) and create and manage grants. When authorizing
726// access to a CMK, grants are considered along with key policies and IAM policies.
727// Grants are often used for temporary permissions because you can create one,
728// use its permissions, and delete it without changing your key policies or
729// IAM policies.
730//
731// For detailed information about grants, including grant terminology, see Using
732// grants (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html)
733// in the AWS Key Management Service Developer Guide . For examples of working
734// with grants in several programming languages, see Programming grants (https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html).
735//
736// The CreateGrant operation returns a GrantToken and a GrantId.
737//
738//    * When you create, retire, or revoke a grant, there might be a brief delay,
739//    usually less than five minutes, until the grant is available throughout
740//    AWS KMS. This state is known as eventual consistency. Once the grant has
741//    achieved eventual consistency, the grantee principal can use the permissions
742//    in the grant without identifying the grant. However, to use the permissions
743//    in the grant immediately, use the GrantToken that CreateGrant returns.
744//    For details, see Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html)
745//    in the AWS Key Management Service Developer Guide .
746//
747//    * The CreateGrant operation also returns a GrantId. You can use the GrantId
748//    and a key identifier to identify the grant in the RetireGrant and RevokeGrant
749//    operations. To find the grant ID, use the ListGrants or ListRetirableGrants
750//    operations.
751//
752// For information about symmetric and asymmetric CMKs, see Using Symmetric
753// and Asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html)
754// in the AWS Key Management Service Developer Guide. For more information about
755// grants, see Grants (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html)
756// in the AWS Key Management Service Developer Guide .
757//
758// The CMK that you use for this operation must be in a compatible key state.
759// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
760// in the AWS Key Management Service Developer Guide.
761//
762// Cross-account use: Yes. To perform this operation on a CMK in a different
763// AWS account, specify the key ARN in the value of the KeyId parameter.
764//
765// Required permissions: kms:CreateGrant (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
766// (key policy)
767//
768// Related operations:
769//
770//    * ListGrants
771//
772//    * ListRetirableGrants
773//
774//    * RetireGrant
775//
776//    * RevokeGrant
777//
778// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
779// with awserr.Error's Code and Message methods to get detailed information about
780// the error.
781//
782// See the AWS API reference guide for AWS Key Management Service's
783// API operation CreateGrant for usage and error information.
784//
785// Returned Error Types:
786//   * NotFoundException
787//   The request was rejected because the specified entity or resource could not
788//   be found.
789//
790//   * DisabledException
791//   The request was rejected because the specified CMK is not enabled.
792//
793//   * DependencyTimeoutException
794//   The system timed out while trying to fulfill the request. The request can
795//   be retried.
796//
797//   * InvalidArnException
798//   The request was rejected because a specified ARN, or an ARN in a key policy,
799//   is not valid.
800//
801//   * InternalException
802//   The request was rejected because an internal exception occurred. The request
803//   can be retried.
804//
805//   * InvalidGrantTokenException
806//   The request was rejected because the specified grant token is not valid.
807//
808//   * LimitExceededException
809//   The request was rejected because a quota was exceeded. For more information,
810//   see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html)
811//   in the AWS Key Management Service Developer Guide.
812//
813//   * InvalidStateException
814//   The request was rejected because the state of the specified resource is not
815//   valid for this request.
816//
817//   For more information about how key state affects the use of a CMK, see How
818//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
819//   in the AWS Key Management Service Developer Guide .
820//
821// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateGrant
func (c *KMS) CreateGrant(input *CreateGrantInput) (*CreateGrantOutput, error) {
	// Build the request first, then send it synchronously.
	call, result := c.CreateGrantRequest(input)
	err := call.Send()
	// result is handed back even when err is non-nil; callers should only
	// read it after checking that err is nil.
	return result, err
}
826
// CreateGrantWithContext behaves like CreateGrant, and additionally accepts a
// context and optional request options.
//
// See CreateGrant for details on how to use this API operation.
//
// The context must be non-nil; it is used for request cancellation, and a nil
// context causes a panic. In the future the SDK may create sub-contexts for
// http.Requests. See https://golang.org/pkg/context/ for more information on
// using Contexts.
func (c *KMS) CreateGrantWithContext(ctx aws.Context, input *CreateGrantInput, opts ...request.Option) (*CreateGrantOutput, error) {
	call, result := c.CreateGrantRequest(input)
	// Attach the context before applying options and sending.
	call.SetContext(ctx)
	call.ApplyOptions(opts...)
	err := call.Send()
	// result is only meaningful when err is nil.
	return result, err
}
842
const opCreateKey = "CreateKey"

// CreateKeyRequest builds the "aws/request.Request" for the CreateKey
// operation without sending it. The returned "output" value is filled in with
// the service response once the request completes successfully.
//
// Call "Send" on the returned Request to make the API call. Do not read
// "output" until Send has returned without error.
//
// See CreateKey for more information on using the CreateKey API call, and
// error handling.
//
// Use this method when you need to inject custom logic or configuration into
// the SDK's request lifecycle, such as custom headers or retry logic.
//
//
//    // Example sending a request using the CreateKeyRequest method.
//    req, resp := client.CreateKeyRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKey
func (c *KMS) CreateKeyRequest(input *CreateKeyInput) (req *request.Request, output *CreateKeyOutput) {
	// A nil input is replaced by an empty one so newRequest never sees nil.
	if input == nil {
		input = &CreateKeyInput{}
	}
	output = &CreateKeyOutput{}

	req = c.newRequest(&request.Operation{
		Name:       opCreateKey,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	return req, output
}
884
885// CreateKey API operation for AWS Key Management Service.
886//
887// Creates a unique customer managed customer master key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master-keys)
888// (CMK) in your AWS account and Region.
889//
890// You can use the CreateKey operation to create symmetric or asymmetric CMKs.
891//
892//    * Symmetric CMKs contain a 256-bit symmetric key that never leaves AWS
893//    KMS unencrypted. To use the CMK, you must call AWS KMS. You can use a
894//    symmetric CMK to encrypt and decrypt small amounts of data, but they are
895//    typically used to generate data keys (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-keys)
//    and data key pairs (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-key-pairs).
897//    For details, see GenerateDataKey and GenerateDataKeyPair.
898//
899//    * Asymmetric CMKs can contain an RSA key pair or an Elliptic Curve (ECC)
900//    key pair. The private key in an asymmetric CMK never leaves AWS KMS unencrypted.
901//    However, you can use the GetPublicKey operation to download the public
902//    key so it can be used outside of AWS KMS. CMKs with RSA key pairs can
903//    be used to encrypt or decrypt data or sign and verify messages (but not
904//    both). CMKs with ECC key pairs can be used only to sign and verify messages.
905//
906// For information about symmetric and asymmetric CMKs, see Using Symmetric
907// and Asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html)
908// in the AWS Key Management Service Developer Guide.
909//
910// To create different types of CMKs, use the following guidance:
911//
912// Asymmetric CMKs
913//
914// To create an asymmetric CMK, use the CustomerMasterKeySpec parameter to specify
915// the type of key material in the CMK. Then, use the KeyUsage parameter to
916// determine whether the CMK will be used to encrypt and decrypt or sign and
917// verify. You can't change these properties after the CMK is created.
918//
919// Symmetric CMKs
920//
921// When creating a symmetric CMK, you don't need to specify the CustomerMasterKeySpec
922// or KeyUsage parameters. The default value for CustomerMasterKeySpec, SYMMETRIC_DEFAULT,
923// and the default value for KeyUsage, ENCRYPT_DECRYPT, are the only valid values
924// for symmetric CMKs.
925//
926// Multi-Region primary keys
927//
928// Imported key material
929//
930// To create a multi-Region primary key in the local AWS Region, use the MultiRegion
931// parameter with a value of True. To create a multi-Region replica key, that
932// is, a CMK with the same key ID and key material as a primary key, but in
933// a different AWS Region, use the ReplicateKey operation. To change a replica
934// key to a primary key, and its primary key to a replica key, use the UpdatePrimaryRegion
935// operation.
936//
937// This operation supports multi-Region keys, an AWS KMS feature that lets you
938// create multiple interoperable CMKs in different AWS Regions. Because these
939// CMKs have the same key ID, key material, and other metadata, you can use
940// them to encrypt data in one AWS Region and decrypt it in a different AWS
941// Region without making a cross-Region call or exposing the plaintext data.
942// For more information about multi-Region keys, see Using multi-Region keys
943// (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html)
944// in the AWS Key Management Service Developer Guide.
945//
946// You can create symmetric and asymmetric multi-Region keys and multi-Region
947// keys with imported key material. You cannot create multi-Region keys in a
948// custom key store.
949//
950// To import your own key material, begin by creating a symmetric CMK with no
951// key material. To do this, use the Origin parameter of CreateKey with a value
952// of EXTERNAL. Next, use GetParametersForImport operation to get a public key
953// and import token, and use the public key to encrypt your key material. Then,
954// use ImportKeyMaterial with your import token to import the key material.
955// For step-by-step instructions, see Importing Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html)
956// in the AWS Key Management Service Developer Guide . You cannot import the
957// key material into an asymmetric CMK.
958//
959// To create a multi-Region primary key with imported key material, use the
960// Origin parameter of CreateKey with a value of EXTERNAL and the MultiRegion
961// parameter with a value of True. To create replicas of the multi-Region primary
962// key, use the ReplicateKey operation. For more information about multi-Region
963// keys, see Using multi-Region keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html)
964// in the AWS Key Management Service Developer Guide.
965//
966// Custom key store
967//
968// To create a symmetric CMK in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html),
969// use the CustomKeyStoreId parameter to specify the custom key store. You must
970// also use the Origin parameter with a value of AWS_CLOUDHSM. The AWS CloudHSM
971// cluster that is associated with the custom key store must have at least two
972// active HSMs in different Availability Zones in the AWS Region.
973//
974// You cannot create an asymmetric CMK or a multi-Region CMK in a custom key
975// store. For information about custom key stores in AWS KMS see Using Custom
976// Key Stores (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
977// in the AWS Key Management Service Developer Guide .
978//
979// Cross-account use: No. You cannot use this operation to create a CMK in a
980// different AWS account.
981//
982// Required permissions: kms:CreateKey (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
983// (IAM policy). To use the Tags parameter, kms:TagResource (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
984// (IAM policy). For examples and information about related permissions, see
985// Allow a user to create CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-create-key)
986// in the AWS Key Management Service Developer Guide.
987//
988// Related operations:
989//
990//    * DescribeKey
991//
992//    * ListKeys
993//
994//    * ScheduleKeyDeletion
995//
996// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
997// with awserr.Error's Code and Message methods to get detailed information about
998// the error.
999//
1000// See the AWS API reference guide for AWS Key Management Service's
1001// API operation CreateKey for usage and error information.
1002//
1003// Returned Error Types:
1004//   * MalformedPolicyDocumentException
1005//   The request was rejected because the specified policy is not syntactically
1006//   or semantically correct.
1007//
1008//   * DependencyTimeoutException
1009//   The system timed out while trying to fulfill the request. The request can
1010//   be retried.
1011//
1012//   * InvalidArnException
1013//   The request was rejected because a specified ARN, or an ARN in a key policy,
1014//   is not valid.
1015//
1016//   * UnsupportedOperationException
1017//   The request was rejected because a specified parameter is not supported or
1018//   a specified resource is not valid for this operation.
1019//
1020//   * InternalException
1021//   The request was rejected because an internal exception occurred. The request
1022//   can be retried.
1023//
1024//   * LimitExceededException
1025//   The request was rejected because a quota was exceeded. For more information,
1026//   see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html)
1027//   in the AWS Key Management Service Developer Guide.
1028//
1029//   * TagException
1030//   The request was rejected because one or more tags are not valid.
1031//
1032//   * CustomKeyStoreNotFoundException
1033//   The request was rejected because AWS KMS cannot find a custom key store with
1034//   the specified key store name or ID.
1035//
1036//   * CustomKeyStoreInvalidStateException
1037//   The request was rejected because of the ConnectionState of the custom key
1038//   store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores
1039//   operation.
1040//
1041//   This exception is thrown under the following conditions:
1042//
1043//      * You requested the CreateKey or GenerateRandom operation in a custom
1044//      key store that is not connected. These operations are valid only when
1045//      the custom key store ConnectionState is CONNECTED.
1046//
1047//      * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation
1048//      on a custom key store that is not disconnected. This operation is valid
1049//      only when the custom key store ConnectionState is DISCONNECTED.
1050//
1051//      * You requested the ConnectCustomKeyStore operation on a custom key store
1052//      with a ConnectionState of DISCONNECTING or FAILED. This operation is valid
1053//      for all other ConnectionState values.
1054//
1055//   * CloudHsmClusterInvalidConfigurationException
1056//   The request was rejected because the associated AWS CloudHSM cluster did
1057//   not meet the configuration requirements for a custom key store.
1058//
1059//      * The cluster must be configured with private subnets in at least two
1060//      different Availability Zones in the Region.
1061//
1062//      * The security group for the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html)
1063//      (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound
1064//      rules that allow TCP traffic on ports 2223-2225. The Source in the inbound
1065//      rules and the Destination in the outbound rules must match the security
1066//      group ID. These rules are set by default when you create the cluster.
1067//      Do not delete or change them. To get information about a particular security
1068//      group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html)
1069//      operation.
1070//
1071//      * The cluster must contain at least as many HSMs as the operation requires.
1072//      To add HSMs, use the AWS CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html)
1073//      operation. For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey
1074//      operations, the AWS CloudHSM cluster must have at least two active HSMs,
1075//      each in a different Availability Zone. For the ConnectCustomKeyStore operation,
//      the AWS CloudHSM cluster must contain at least one active HSM.
1077//
1078//   For information about the requirements for an AWS CloudHSM cluster that is
1079//   associated with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore)
1080//   in the AWS Key Management Service Developer Guide. For information about
1081//   creating a private subnet for an AWS CloudHSM cluster, see Create a Private
1082//   Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html)
1083//   in the AWS CloudHSM User Guide. For information about cluster security groups,
1084//   see Configure a Default Security Group (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html)
1085//   in the AWS CloudHSM User Guide .
1086//
1087// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKey
func (c *KMS) CreateKey(input *CreateKeyInput) (*CreateKeyOutput, error) {
	// Build the request first, then send it synchronously.
	call, result := c.CreateKeyRequest(input)
	err := call.Send()
	// result is handed back even when err is non-nil; callers should only
	// read it after checking that err is nil.
	return result, err
}
1092
// CreateKeyWithContext behaves like CreateKey, and additionally accepts a
// context and optional request options.
//
// See CreateKey for details on how to use this API operation.
//
// The context must be non-nil; it is used for request cancellation, and a nil
// context causes a panic. In the future the SDK may create sub-contexts for
// http.Requests. See https://golang.org/pkg/context/ for more information on
// using Contexts.
func (c *KMS) CreateKeyWithContext(ctx aws.Context, input *CreateKeyInput, opts ...request.Option) (*CreateKeyOutput, error) {
	call, result := c.CreateKeyRequest(input)
	// Attach the context before applying options and sending.
	call.SetContext(ctx)
	call.ApplyOptions(opts...)
	err := call.Send()
	// result is only meaningful when err is nil.
	return result, err
}
1108
const opDecrypt = "Decrypt"

// DecryptRequest builds the "aws/request.Request" for the Decrypt operation
// without sending it. The returned "output" value is filled in with the
// service response once the request completes successfully.
//
// Call "Send" on the returned Request to make the API call. Do not read
// "output" until Send has returned without error.
//
// See Decrypt for more information on using the Decrypt API call, and error
// handling.
//
// Use this method when you need to inject custom logic or configuration into
// the SDK's request lifecycle, such as custom headers or retry logic.
//
//
//    // Example sending a request using the DecryptRequest method.
//    req, resp := client.DecryptRequest(params)
//
//    err := req.Send()
//    if err == nil { // resp is now filled
//        fmt.Println(resp)
//    }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Decrypt
func (c *KMS) DecryptRequest(input *DecryptInput) (req *request.Request, output *DecryptOutput) {
	// A nil input is replaced by an empty one so newRequest never sees nil.
	if input == nil {
		input = &DecryptInput{}
	}
	output = &DecryptOutput{}

	req = c.newRequest(&request.Operation{
		Name:       opDecrypt,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	return req, output
}
1150
1151// Decrypt API operation for AWS Key Management Service.
1152//
// Decrypts ciphertext that was encrypted by an AWS KMS customer master key (CMK)
1154// using any of the following operations:
1155//
1156//    * Encrypt
1157//
1158//    * GenerateDataKey
1159//
1160//    * GenerateDataKeyPair
1161//
1162//    * GenerateDataKeyWithoutPlaintext
1163//
1164//    * GenerateDataKeyPairWithoutPlaintext
1165//
1166// You can use this operation to decrypt ciphertext that was encrypted under
1167// a symmetric or asymmetric CMK. When the CMK is asymmetric, you must specify
1168// the CMK and the encryption algorithm that was used to encrypt the ciphertext.
1169// For information about symmetric and asymmetric CMKs, see Using Symmetric
1170// and Asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html)
1171// in the AWS Key Management Service Developer Guide.
1172//
1173// The Decrypt operation also decrypts ciphertext that was encrypted outside
1174// of AWS KMS by the public key in an AWS KMS asymmetric CMK. However, it cannot
1175// decrypt ciphertext produced by other libraries, such as the AWS Encryption
1176// SDK (https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/)
1177// or Amazon S3 client-side encryption (https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html).
1178// These libraries return a ciphertext format that is incompatible with AWS
1179// KMS.
1180//
1181// If the ciphertext was encrypted under a symmetric CMK, the KeyId parameter
1182// is optional. AWS KMS can get this information from metadata that it adds
1183// to the symmetric ciphertext blob. This feature adds durability to your implementation
1184// by ensuring that authorized users can decrypt ciphertext decades after it
1185// was encrypted, even if they've lost track of the CMK ID. However, specifying
1186// the CMK is always recommended as a best practice. When you use the KeyId
1187// parameter to specify a CMK, AWS KMS only uses the CMK you specify. If the
1188// ciphertext was encrypted under a different CMK, the Decrypt operation fails.
1189// This practice ensures that you use the CMK that you intend.
1190//
1191// Whenever possible, use key policies to give users permission to call the
1192// Decrypt operation on a particular CMK, instead of using IAM policies. Otherwise,
1193// you might create an IAM user policy that gives the user Decrypt permission
1194// on all CMKs. This user could decrypt ciphertext that was encrypted by CMKs
1195// in other accounts if the key policy for the cross-account CMK permits it.
1196// If you must use an IAM policy for Decrypt permissions, limit the user to
1197// particular CMKs or particular trusted accounts. For details, see Best practices
1198// for IAM policies (https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policies-best-practices)
1199// in the AWS Key Management Service Developer Guide.
1200//
1201// The CMK that you use for this operation must be in a compatible key state.
1202// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
1203// in the AWS Key Management Service Developer Guide.
1204//
1205// Cross-account use: Yes. You can decrypt a ciphertext using a CMK in a different
1206// AWS account.
1207//
1208// Required permissions: kms:Decrypt (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
1209// (key policy)
1210//
1211// Related operations:
1212//
1213//    * Encrypt
1214//
1215//    * GenerateDataKey
1216//
1217//    * GenerateDataKeyPair
1218//
1219//    * ReEncrypt
1220//
1221// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
1222// with awserr.Error's Code and Message methods to get detailed information about
1223// the error.
1224//
1225// See the AWS API reference guide for AWS Key Management Service's
1226// API operation Decrypt for usage and error information.
1227//
1228// Returned Error Types:
1229//   * NotFoundException
1230//   The request was rejected because the specified entity or resource could not
1231//   be found.
1232//
1233//   * DisabledException
1234//   The request was rejected because the specified CMK is not enabled.
1235//
1236//   * InvalidCiphertextException
1237//   From the Decrypt or ReEncrypt operation, the request was rejected because
1238//   the specified ciphertext, or additional authenticated data incorporated into
1239//   the ciphertext, such as the encryption context, is corrupted, missing, or
1240//   otherwise invalid.
1241//
1242//   From the ImportKeyMaterial operation, the request was rejected because AWS
1243//   KMS could not decrypt the encrypted (wrapped) key material.
1244//
1245//   * KeyUnavailableException
1246//   The request was rejected because the specified CMK was not available. You
1247//   can retry the request.
1248//
1249//   * IncorrectKeyException
1250//   The request was rejected because the specified CMK cannot decrypt the data.
1251//   The KeyId in a Decrypt request and the SourceKeyId in a ReEncrypt request
1252//   must identify the same CMK that was used to encrypt the ciphertext.
1253//
1254//   * InvalidKeyUsageException
1255//   The request was rejected for one of the following reasons:
1256//
1257//      * The KeyUsage value of the CMK is incompatible with the API operation.
1258//
1259//      * The encryption algorithm or signing algorithm specified for the operation
1260//      is incompatible with the type of key material in the CMK (CustomerMasterKeySpec).
1261//
1262//   For encrypting, decrypting, re-encrypting, and generating data keys, the
1263//   KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage
1264//   must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation.
1265//
1266//   To find the encryption or signing algorithms supported for a particular CMK,
1267//   use the DescribeKey operation.
1268//
1269//   * DependencyTimeoutException
1270//   The system timed out while trying to fulfill the request. The request can
1271//   be retried.
1272//
1273//   * InvalidGrantTokenException
1274//   The request was rejected because the specified grant token is not valid.
1275//
1276//   * InternalException
1277//   The request was rejected because an internal exception occurred. The request
1278//   can be retried.
1279//
1280//   * InvalidStateException
1281//   The request was rejected because the state of the specified resource is not
1282//   valid for this request.
1283//
1284//   For more information about how key state affects the use of a CMK, see How
1285//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
1286//   in the AWS Key Management Service Developer Guide .
1287//
1288// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Decrypt
func (c *KMS) Decrypt(input *DecryptInput) (*DecryptOutput, error) {
	// Build the request first, then send it synchronously.
	call, result := c.DecryptRequest(input)
	err := call.Send()
	// result is handed back even when err is non-nil; callers should only
	// read it after checking that err is nil.
	return result, err
}
1293
1294// DecryptWithContext is the same as Decrypt with the addition of
1295// the ability to pass a context and additional request options.
1296//
1297// See Decrypt for details on how to use this API operation.
1298//
1299// The context must be non-nil and will be used for request cancellation. If
1300// the context is nil a panic will occur. In the future the SDK may create
1301// sub-contexts for http.Requests. See https://golang.org/pkg/context/
1302// for more information on using Contexts.
func (c *KMS) DecryptWithContext(ctx aws.Context, input *DecryptInput, opts ...request.Option) (*DecryptOutput, error) {
	r, resp := c.DecryptRequest(input)
	// The context is attached before the caller-supplied options are applied.
	// A nil ctx panics, as the doc comment above states.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	// resp is returned regardless of the outcome; check the error before use.
	err := r.Send()
	return resp, err
}
1309
// opDeleteAlias is the operation name DeleteAliasRequest sets on its
// request.Operation.
const opDeleteAlias = "DeleteAlias"
1311
1312// DeleteAliasRequest generates a "aws/request.Request" representing the
1313// client's request for the DeleteAlias operation. The "output" return
1314// value will be populated with the request's response once the request completes
1315// successfully.
1316//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
1319//
1320// See DeleteAlias for more information on using the DeleteAlias
1321// API call, and error handling.
1322//
1323// This method is useful when you want to inject custom logic or configuration
1324// into the SDK's request lifecycle. Such as custom headers, or retry logic.
1325//
1326//
1327//    // Example sending a request using the DeleteAliasRequest method.
1328//    req, resp := client.DeleteAliasRequest(params)
1329//
1330//    err := req.Send()
1331//    if err == nil { // resp is now filled
1332//        fmt.Println(resp)
1333//    }
1334//
1335// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteAlias
func (c *KMS) DeleteAliasRequest(input *DeleteAliasInput) (req *request.Request, output *DeleteAliasOutput) {
	// Substitute an empty input so newRequest never receives a nil pointer.
	if input == nil {
		input = &DeleteAliasInput{}
	}
	output = &DeleteAliasOutput{}

	req = c.newRequest(&request.Operation{
		Name:       opDeleteAlias,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	// Swap the JSON-RPC unmarshal handler for the discard-body handler;
	// presumably output is left empty because the response carries no data.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}
1352
1353// DeleteAlias API operation for AWS Key Management Service.
1354//
1355// Deletes the specified alias.
1356//
1357// Adding, deleting, or updating an alias can allow or deny permission to the
1358// CMK. For details, see Using ABAC in AWS KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html)
1359// in the AWS Key Management Service Developer Guide.
1360//
1361// Because an alias is not a property of a CMK, you can delete and change the
1362// aliases of a CMK without affecting the CMK. Also, aliases do not appear in
1363// the response from the DescribeKey operation. To get the aliases of all CMKs,
1364// use the ListAliases operation.
1365//
1366// Each CMK can have multiple aliases. To change the alias of a CMK, use DeleteAlias
1367// to delete the current alias and CreateAlias to create a new alias. To associate
1368// an existing alias with a different customer master key (CMK), call UpdateAlias.
1369//
1370// Cross-account use: No. You cannot perform this operation on an alias in a
1371// different AWS account.
1372//
1373// Required permissions
1374//
1375//    * kms:DeleteAlias (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
1376//    on the alias (IAM policy).
1377//
1378//    * kms:DeleteAlias (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
1379//    on the CMK (key policy).
1380//
1381// For details, see Controlling access to aliases (https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access)
1382// in the AWS Key Management Service Developer Guide.
1383//
1384// Related operations:
1385//
1386//    * CreateAlias
1387//
1388//    * ListAliases
1389//
1390//    * UpdateAlias
1391//
1392// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
1393// with awserr.Error's Code and Message methods to get detailed information about
1394// the error.
1395//
1396// See the AWS API reference guide for AWS Key Management Service's
1397// API operation DeleteAlias for usage and error information.
1398//
1399// Returned Error Types:
1400//   * DependencyTimeoutException
1401//   The system timed out while trying to fulfill the request. The request can
1402//   be retried.
1403//
1404//   * NotFoundException
1405//   The request was rejected because the specified entity or resource could not
1406//   be found.
1407//
1408//   * InternalException
1409//   The request was rejected because an internal exception occurred. The request
1410//   can be retried.
1411//
1412//   * InvalidStateException
1413//   The request was rejected because the state of the specified resource is not
1414//   valid for this request.
1415//
1416//   For more information about how key state affects the use of a CMK, see How
1417//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
1419//
1420// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteAlias
func (c *KMS) DeleteAlias(input *DeleteAliasInput) (*DeleteAliasOutput, error) {
	r, resp := c.DeleteAliasRequest(input)
	// resp is returned even on failure; treat it as valid only when the
	// error is nil.
	err := r.Send()
	return resp, err
}
1425
1426// DeleteAliasWithContext is the same as DeleteAlias with the addition of
1427// the ability to pass a context and additional request options.
1428//
1429// See DeleteAlias for details on how to use this API operation.
1430//
1431// The context must be non-nil and will be used for request cancellation. If
1432// the context is nil a panic will occur. In the future the SDK may create
1433// sub-contexts for http.Requests. See https://golang.org/pkg/context/
1434// for more information on using Contexts.
func (c *KMS) DeleteAliasWithContext(ctx aws.Context, input *DeleteAliasInput, opts ...request.Option) (*DeleteAliasOutput, error) {
	r, resp := c.DeleteAliasRequest(input)
	// Attach the context first, then apply caller options. A nil ctx panics,
	// as the doc comment above states.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}
1441
// opDeleteCustomKeyStore is the operation name DeleteCustomKeyStoreRequest
// sets on its request.Operation.
const opDeleteCustomKeyStore = "DeleteCustomKeyStore"
1443
1444// DeleteCustomKeyStoreRequest generates a "aws/request.Request" representing the
1445// client's request for the DeleteCustomKeyStore operation. The "output" return
1446// value will be populated with the request's response once the request completes
1447// successfully.
1448//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
1451//
1452// See DeleteCustomKeyStore for more information on using the DeleteCustomKeyStore
1453// API call, and error handling.
1454//
1455// This method is useful when you want to inject custom logic or configuration
1456// into the SDK's request lifecycle. Such as custom headers, or retry logic.
1457//
1458//
1459//    // Example sending a request using the DeleteCustomKeyStoreRequest method.
1460//    req, resp := client.DeleteCustomKeyStoreRequest(params)
1461//
1462//    err := req.Send()
1463//    if err == nil { // resp is now filled
1464//        fmt.Println(resp)
1465//    }
1466//
1467// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteCustomKeyStore
func (c *KMS) DeleteCustomKeyStoreRequest(input *DeleteCustomKeyStoreInput) (req *request.Request, output *DeleteCustomKeyStoreOutput) {
	// Substitute an empty input so newRequest never receives a nil pointer.
	if input == nil {
		input = &DeleteCustomKeyStoreInput{}
	}
	output = &DeleteCustomKeyStoreOutput{}

	req = c.newRequest(&request.Operation{
		Name:       opDeleteCustomKeyStore,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	// Swap the JSON-RPC unmarshal handler for the discard-body handler; the
	// doc comment on DeleteCustomKeyStore says success returns a JSON object
	// with no properties, so there is nothing to decode into output.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}
1484
1485// DeleteCustomKeyStore API operation for AWS Key Management Service.
1486//
1487// Deletes a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html).
1488// This operation does not delete the AWS CloudHSM cluster that is associated
1489// with the custom key store, or affect any users or keys in the cluster.
1490//
1491// The custom key store that you delete cannot contain any AWS KMS customer
1492// master keys (CMKs) (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys).
1493// Before deleting the key store, verify that you will never need to use any
1494// of the CMKs in the key store for any cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations).
1495// Then, use ScheduleKeyDeletion to delete the AWS KMS customer master keys
1496// (CMKs) from the key store. When the scheduled waiting period expires, the
1497// ScheduleKeyDeletion operation deletes the CMKs. Then it makes a best effort
1498// to delete the key material from the associated cluster. However, you might
1499// need to manually delete the orphaned key material (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key)
1500// from the cluster and its backups.
1501//
1502// After all CMKs are deleted from AWS KMS, use DisconnectCustomKeyStore to
1503// disconnect the key store from AWS KMS. Then, you can delete the custom key
1504// store.
1505//
1506// Instead of deleting the custom key store, consider using DisconnectCustomKeyStore
1507// to disconnect it from AWS KMS. While the key store is disconnected, you cannot
1508// create or use the CMKs in the key store. But, you do not need to delete CMKs
1509// and you can reconnect a disconnected custom key store at any time.
1510//
1511// If the operation succeeds, it returns a JSON object with no properties.
1512//
1513// This operation is part of the Custom Key Store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
// in AWS KMS, which combines the convenience and extensive integration
1515// of AWS KMS with the isolation and control of a single-tenant key store.
1516//
1517// Cross-account use: No. You cannot perform this operation on a custom key
1518// store in a different AWS account.
1519//
1520// Required permissions: kms:DeleteCustomKeyStore (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
1521// (IAM policy)
1522//
1523// Related operations:
1524//
1525//    * ConnectCustomKeyStore
1526//
1527//    * CreateCustomKeyStore
1528//
1529//    * DescribeCustomKeyStores
1530//
1531//    * DisconnectCustomKeyStore
1532//
1533//    * UpdateCustomKeyStore
1534//
1535// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
1536// with awserr.Error's Code and Message methods to get detailed information about
1537// the error.
1538//
1539// See the AWS API reference guide for AWS Key Management Service's
1540// API operation DeleteCustomKeyStore for usage and error information.
1541//
1542// Returned Error Types:
1543//   * CustomKeyStoreHasCMKsException
1544//   The request was rejected because the custom key store contains AWS KMS customer
1545//   master keys (CMKs). After verifying that you do not need to use the CMKs,
1546//   use the ScheduleKeyDeletion operation to delete the CMKs. After they are
1547//   deleted, you can delete the custom key store.
1548//
1549//   * CustomKeyStoreInvalidStateException
1550//   The request was rejected because of the ConnectionState of the custom key
1551//   store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores
1552//   operation.
1553//
1554//   This exception is thrown under the following conditions:
1555//
1556//      * You requested the CreateKey or GenerateRandom operation in a custom
1557//      key store that is not connected. These operations are valid only when
1558//      the custom key store ConnectionState is CONNECTED.
1559//
1560//      * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation
1561//      on a custom key store that is not disconnected. This operation is valid
1562//      only when the custom key store ConnectionState is DISCONNECTED.
1563//
1564//      * You requested the ConnectCustomKeyStore operation on a custom key store
1565//      with a ConnectionState of DISCONNECTING or FAILED. This operation is valid
1566//      for all other ConnectionState values.
1567//
1568//   * CustomKeyStoreNotFoundException
1569//   The request was rejected because AWS KMS cannot find a custom key store with
1570//   the specified key store name or ID.
1571//
1572//   * InternalException
1573//   The request was rejected because an internal exception occurred. The request
1574//   can be retried.
1575//
1576// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteCustomKeyStore
func (c *KMS) DeleteCustomKeyStore(input *DeleteCustomKeyStoreInput) (*DeleteCustomKeyStoreOutput, error) {
	r, resp := c.DeleteCustomKeyStoreRequest(input)
	// resp is returned even on failure; treat it as valid only when the
	// error is nil.
	err := r.Send()
	return resp, err
}
1581
1582// DeleteCustomKeyStoreWithContext is the same as DeleteCustomKeyStore with the addition of
1583// the ability to pass a context and additional request options.
1584//
1585// See DeleteCustomKeyStore for details on how to use this API operation.
1586//
1587// The context must be non-nil and will be used for request cancellation. If
1588// the context is nil a panic will occur. In the future the SDK may create
1589// sub-contexts for http.Requests. See https://golang.org/pkg/context/
1590// for more information on using Contexts.
func (c *KMS) DeleteCustomKeyStoreWithContext(ctx aws.Context, input *DeleteCustomKeyStoreInput, opts ...request.Option) (*DeleteCustomKeyStoreOutput, error) {
	r, resp := c.DeleteCustomKeyStoreRequest(input)
	// Attach the context first, then apply caller options. A nil ctx panics,
	// as the doc comment above states.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}
1597
// opDeleteImportedKeyMaterial is the operation name
// DeleteImportedKeyMaterialRequest sets on its request.Operation.
const opDeleteImportedKeyMaterial = "DeleteImportedKeyMaterial"
1599
1600// DeleteImportedKeyMaterialRequest generates a "aws/request.Request" representing the
1601// client's request for the DeleteImportedKeyMaterial operation. The "output" return
1602// value will be populated with the request's response once the request completes
1603// successfully.
1604//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
1607//
1608// See DeleteImportedKeyMaterial for more information on using the DeleteImportedKeyMaterial
1609// API call, and error handling.
1610//
1611// This method is useful when you want to inject custom logic or configuration
1612// into the SDK's request lifecycle. Such as custom headers, or retry logic.
1613//
1614//
1615//    // Example sending a request using the DeleteImportedKeyMaterialRequest method.
1616//    req, resp := client.DeleteImportedKeyMaterialRequest(params)
1617//
1618//    err := req.Send()
1619//    if err == nil { // resp is now filled
1620//        fmt.Println(resp)
1621//    }
1622//
1623// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteImportedKeyMaterial
func (c *KMS) DeleteImportedKeyMaterialRequest(input *DeleteImportedKeyMaterialInput) (req *request.Request, output *DeleteImportedKeyMaterialOutput) {
	// Substitute an empty input so newRequest never receives a nil pointer.
	if input == nil {
		input = &DeleteImportedKeyMaterialInput{}
	}
	output = &DeleteImportedKeyMaterialOutput{}

	req = c.newRequest(&request.Operation{
		Name:       opDeleteImportedKeyMaterial,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	// Swap the JSON-RPC unmarshal handler for the discard-body handler;
	// presumably output is left empty because the response carries no data.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}
1640
1641// DeleteImportedKeyMaterial API operation for AWS Key Management Service.
1642//
1643// Deletes key material that you previously imported. This operation makes the
1644// specified customer master key (CMK) unusable. For more information about
1645// importing key material into AWS KMS, see Importing Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html)
1646// in the AWS Key Management Service Developer Guide.
1647//
1648// When the specified CMK is in the PendingDeletion state, this operation does
1649// not change the CMK's state. Otherwise, it changes the CMK's state to PendingImport.
1650//
1651// After you delete key material, you can use ImportKeyMaterial to reimport
1652// the same key material into the CMK.
1653//
1654// The CMK that you use for this operation must be in a compatible key state.
1655// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
1656// in the AWS Key Management Service Developer Guide.
1657//
1658// Cross-account use: No. You cannot perform this operation on a CMK in a different
1659// AWS account.
1660//
1661// Required permissions: kms:DeleteImportedKeyMaterial (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
1662// (key policy)
1663//
1664// Related operations:
1665//
1666//    * GetParametersForImport
1667//
1668//    * ImportKeyMaterial
1669//
1670// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
1671// with awserr.Error's Code and Message methods to get detailed information about
1672// the error.
1673//
1674// See the AWS API reference guide for AWS Key Management Service's
1675// API operation DeleteImportedKeyMaterial for usage and error information.
1676//
1677// Returned Error Types:
1678//   * InvalidArnException
1679//   The request was rejected because a specified ARN, or an ARN in a key policy,
1680//   is not valid.
1681//
1682//   * UnsupportedOperationException
1683//   The request was rejected because a specified parameter is not supported or
1684//   a specified resource is not valid for this operation.
1685//
1686//   * DependencyTimeoutException
1687//   The system timed out while trying to fulfill the request. The request can
1688//   be retried.
1689//
1690//   * NotFoundException
1691//   The request was rejected because the specified entity or resource could not
1692//   be found.
1693//
1694//   * InternalException
1695//   The request was rejected because an internal exception occurred. The request
1696//   can be retried.
1697//
1698//   * InvalidStateException
1699//   The request was rejected because the state of the specified resource is not
1700//   valid for this request.
1701//
1702//   For more information about how key state affects the use of a CMK, see How
1703//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
1705//
1706// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteImportedKeyMaterial
func (c *KMS) DeleteImportedKeyMaterial(input *DeleteImportedKeyMaterialInput) (*DeleteImportedKeyMaterialOutput, error) {
	r, resp := c.DeleteImportedKeyMaterialRequest(input)
	// Per the doc comment above, a successful call makes the CMK unusable.
	// resp is returned even on failure, so check the error before relying
	// on the outcome.
	err := r.Send()
	return resp, err
}
1711
1712// DeleteImportedKeyMaterialWithContext is the same as DeleteImportedKeyMaterial with the addition of
1713// the ability to pass a context and additional request options.
1714//
1715// See DeleteImportedKeyMaterial for details on how to use this API operation.
1716//
1717// The context must be non-nil and will be used for request cancellation. If
1718// the context is nil a panic will occur. In the future the SDK may create
1719// sub-contexts for http.Requests. See https://golang.org/pkg/context/
1720// for more information on using Contexts.
func (c *KMS) DeleteImportedKeyMaterialWithContext(ctx aws.Context, input *DeleteImportedKeyMaterialInput, opts ...request.Option) (*DeleteImportedKeyMaterialOutput, error) {
	r, resp := c.DeleteImportedKeyMaterialRequest(input)
	// Attach the context first, then apply caller options. A nil ctx panics,
	// as the doc comment above states.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}
1727
// opDescribeCustomKeyStores is the operation name
// DescribeCustomKeyStoresRequest sets on its request.Operation.
const opDescribeCustomKeyStores = "DescribeCustomKeyStores"
1729
1730// DescribeCustomKeyStoresRequest generates a "aws/request.Request" representing the
1731// client's request for the DescribeCustomKeyStores operation. The "output" return
1732// value will be populated with the request's response once the request completes
1733// successfully.
1734//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
1737//
1738// See DescribeCustomKeyStores for more information on using the DescribeCustomKeyStores
1739// API call, and error handling.
1740//
1741// This method is useful when you want to inject custom logic or configuration
1742// into the SDK's request lifecycle. Such as custom headers, or retry logic.
1743//
1744//
1745//    // Example sending a request using the DescribeCustomKeyStoresRequest method.
1746//    req, resp := client.DescribeCustomKeyStoresRequest(params)
1747//
1748//    err := req.Send()
1749//    if err == nil { // resp is now filled
1750//        fmt.Println(resp)
1751//    }
1752//
1753// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeCustomKeyStores
func (c *KMS) DescribeCustomKeyStoresRequest(input *DescribeCustomKeyStoresInput) (req *request.Request, output *DescribeCustomKeyStoresOutput) {
	// Substitute an empty input so newRequest never receives a nil pointer.
	if input == nil {
		input = &DescribeCustomKeyStoresInput{}
	}
	output = &DescribeCustomKeyStoresOutput{}

	// output is the value the request is built around; it is not valid until
	// Send has returned without error.
	req = c.newRequest(&request.Operation{
		Name:       opDescribeCustomKeyStores,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	return req, output
}
1769
1770// DescribeCustomKeyStores API operation for AWS Key Management Service.
1771//
1772// Gets information about custom key stores (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
1773// in the account and Region.
1774//
1775// This operation is part of the Custom Key Store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
// in AWS KMS, which combines the convenience and extensive integration
1777// of AWS KMS with the isolation and control of a single-tenant key store.
1778//
1779// By default, this operation returns information about all custom key stores
1780// in the account and Region. To get only information about a particular custom
1781// key store, use either the CustomKeyStoreName or CustomKeyStoreId parameter
1782// (but not both).
1783//
1784// To determine whether the custom key store is connected to its AWS CloudHSM
1785// cluster, use the ConnectionState element in the response. If an attempt to
1786// connect the custom key store failed, the ConnectionState value is FAILED
1787// and the ConnectionErrorCode element in the response indicates the cause of
1788// the failure. For help interpreting the ConnectionErrorCode, see CustomKeyStoresListEntry.
1789//
1790// Custom key stores have a DISCONNECTED connection state if the key store has
1791// never been connected or you use the DisconnectCustomKeyStore operation to
1792// disconnect it. If your custom key store state is CONNECTED but you are having
1793// trouble using it, make sure that its associated AWS CloudHSM cluster is active
1794// and contains the minimum number of HSMs required for the operation, if any.
1795//
1796// For help repairing your custom key store, see the Troubleshooting Custom
1797// Key Stores (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html)
1798// topic in the AWS Key Management Service Developer Guide.
1799//
1800// Cross-account use: No. You cannot perform this operation on a custom key
1801// store in a different AWS account.
1802//
1803// Required permissions: kms:DescribeCustomKeyStores (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
1804// (IAM policy)
1805//
1806// Related operations:
1807//
1808//    * ConnectCustomKeyStore
1809//
1810//    * CreateCustomKeyStore
1811//
1812//    * DeleteCustomKeyStore
1813//
1814//    * DisconnectCustomKeyStore
1815//
1816//    * UpdateCustomKeyStore
1817//
1818// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
1819// with awserr.Error's Code and Message methods to get detailed information about
1820// the error.
1821//
1822// See the AWS API reference guide for AWS Key Management Service's
1823// API operation DescribeCustomKeyStores for usage and error information.
1824//
1825// Returned Error Types:
1826//   * CustomKeyStoreNotFoundException
1827//   The request was rejected because AWS KMS cannot find a custom key store with
1828//   the specified key store name or ID.
1829//
1830//   * InvalidMarkerException
1831//   The request was rejected because the marker that specifies where pagination
1832//   should next begin is not valid.
1833//
1834//   * InternalException
1835//   The request was rejected because an internal exception occurred. The request
1836//   can be retried.
1837//
1838// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeCustomKeyStores
func (c *KMS) DescribeCustomKeyStores(input *DescribeCustomKeyStoresInput) (*DescribeCustomKeyStoresOutput, error) {
	r, resp := c.DescribeCustomKeyStoresRequest(input)
	// resp is returned even on failure; treat it as valid only when the
	// error is nil.
	err := r.Send()
	return resp, err
}
1843
1844// DescribeCustomKeyStoresWithContext is the same as DescribeCustomKeyStores with the addition of
1845// the ability to pass a context and additional request options.
1846//
1847// See DescribeCustomKeyStores for details on how to use this API operation.
1848//
1849// The context must be non-nil and will be used for request cancellation. If
1850// the context is nil a panic will occur. In the future the SDK may create
1851// sub-contexts for http.Requests. See https://golang.org/pkg/context/
1852// for more information on using Contexts.
func (c *KMS) DescribeCustomKeyStoresWithContext(ctx aws.Context, input *DescribeCustomKeyStoresInput, opts ...request.Option) (*DescribeCustomKeyStoresOutput, error) {
	r, resp := c.DescribeCustomKeyStoresRequest(input)
	// Attach the context first, then apply caller options. A nil ctx panics,
	// as the doc comment above states.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	return resp, err
}
1859
// opDescribeKey is the operation name DescribeKeyRequest sets on its
// request.Operation.
const opDescribeKey = "DescribeKey"
1861
1862// DescribeKeyRequest generates a "aws/request.Request" representing the
1863// client's request for the DescribeKey operation. The "output" return
1864// value will be populated with the request's response once the request completes
1865// successfully.
1866//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
1869//
1870// See DescribeKey for more information on using the DescribeKey
1871// API call, and error handling.
1872//
1873// This method is useful when you want to inject custom logic or configuration
1874// into the SDK's request lifecycle. Such as custom headers, or retry logic.
1875//
1876//
1877//    // Example sending a request using the DescribeKeyRequest method.
1878//    req, resp := client.DescribeKeyRequest(params)
1879//
1880//    err := req.Send()
1881//    if err == nil { // resp is now filled
1882//        fmt.Println(resp)
1883//    }
1884//
1885// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeKey
func (c *KMS) DescribeKeyRequest(input *DescribeKeyInput) (req *request.Request, output *DescribeKeyOutput) {
	// Substitute an empty input so newRequest never receives a nil pointer.
	if input == nil {
		input = &DescribeKeyInput{}
	}
	output = &DescribeKeyOutput{}

	// output is the value the request is built around; it is not valid until
	// Send has returned without error.
	req = c.newRequest(&request.Operation{
		Name:       opDescribeKey,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	return req, output
}
1901
1902// DescribeKey API operation for AWS Key Management Service.
1903//
1904// Provides detailed information about a customer master key (CMK). You can
1905// run DescribeKey on a customer managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk)
1906// or an AWS managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk).
1907//
1908// This detailed information includes the key ARN, creation date (and deletion
1909// date, if applicable), the key state, and the origin and expiration date (if
1910// any) of the key material. For CMKs in custom key stores, it includes information
1911// about the custom key store, such as the key store ID and the AWS CloudHSM
1912// cluster ID. It includes fields, like KeySpec, that help you distinguish symmetric
1913// from asymmetric CMKs. It also provides information that is particularly important
1914// to asymmetric CMKs, such as the key usage (encryption or signing) and the
1915// encryption algorithms or signing algorithms that the CMK supports.
1916//
1917// DescribeKey does not return the following information:
1918//
1919//    * Aliases associated with the CMK. To get this information, use ListAliases.
1920//
1921//    * Whether automatic key rotation is enabled on the CMK. To get this information,
1922//    use GetKeyRotationStatus. Also, some key states prevent a CMK from being
1923//    automatically rotated. For details, see How Automatic Key Rotation Works
1924//    (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-how-it-works)
1925//    in AWS Key Management Service Developer Guide.
1926//
1927//    * Tags on the CMK. To get this information, use ListResourceTags.
1928//
1929//    * Key policies and grants on the CMK. To get this information, use GetKeyPolicy
1930//    and ListGrants.
1931//
1932// If you call the DescribeKey operation on a predefined AWS alias, that is,
1933// an AWS alias with no key ID, AWS KMS creates an AWS managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys).
1934// Then, it associates the alias with the new CMK, and returns the KeyId and
1935// Arn of the new CMK in the response.
1936//
1937// Cross-account use: Yes. To perform this operation with a CMK in a different
1938// AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter.
1939//
1940// Required permissions: kms:DescribeKey (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
1941// (key policy)
1942//
1943// Related operations:
1944//
1945//    * GetKeyPolicy
1946//
1947//    * GetKeyRotationStatus
1948//
1949//    * ListAliases
1950//
1951//    * ListGrants
1952//
1953//    * ListKeys
1954//
1955//    * ListResourceTags
1956//
1957//    * ListRetirableGrants
1958//
1959// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
1960// with awserr.Error's Code and Message methods to get detailed information about
1961// the error.
1962//
1963// See the AWS API reference guide for AWS Key Management Service's
1964// API operation DescribeKey for usage and error information.
1965//
1966// Returned Error Types:
1967//   * NotFoundException
1968//   The request was rejected because the specified entity or resource could not
1969//   be found.
1970//
1971//   * InvalidArnException
1972//   The request was rejected because a specified ARN, or an ARN in a key policy,
1973//   is not valid.
1974//
1975//   * DependencyTimeoutException
1976//   The system timed out while trying to fulfill the request. The request can
1977//   be retried.
1978//
1979//   * InternalException
1980//   The request was rejected because an internal exception occurred. The request
1981//   can be retried.
1982//
1983// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeKey
func (c *KMS) DescribeKey(input *DescribeKeyInput) (*DescribeKeyOutput, error) {
	r, resp := c.DescribeKeyRequest(input)
	// Not always read-only: per the doc comment above, calling this on a
	// predefined AWS alias with no key ID makes AWS KMS create an AWS managed
	// CMK. resp is valid only when the returned error is nil.
	err := r.Send()
	return resp, err
}
1988
1989// DescribeKeyWithContext is the same as DescribeKey with the addition of
1990// the ability to pass a context and additional request options.
1991//
1992// See DescribeKey for details on how to use this API operation.
1993//
1994// The context must be non-nil and will be used for request cancellation. If
1995// the context is nil a panic will occur. In the future the SDK may create
1996// sub-contexts for http.Requests. See https://golang.org/pkg/context/
1997// for more information on using Contexts.
func (c *KMS) DescribeKeyWithContext(ctx aws.Context, input *DescribeKeyInput, opts ...request.Option) (*DescribeKeyOutput, error) {
	r, resp := c.DescribeKeyRequest(input)

	// ctx must be non-nil: the doc comment states that a nil context panics.
	r.SetContext(ctx)
	// Caller-supplied options are applied after the context is set.
	r.ApplyOptions(opts...)

	err := r.Send()
	return resp, err
}
2004
// opDisableKey is the operation name that DisableKeyRequest places in
// request.Operation.Name.
const opDisableKey = "DisableKey"
2006
2007// DisableKeyRequest generates a "aws/request.Request" representing the
2008// client's request for the DisableKey operation. The "output" return
2009// value will be populated with the request's response once the request completes
2010// successfully.
2011//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
2014//
2015// See DisableKey for more information on using the DisableKey
2016// API call, and error handling.
2017//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
2020//
2021//
2022//    // Example sending a request using the DisableKeyRequest method.
2023//    req, resp := client.DisableKeyRequest(params)
2024//
2025//    err := req.Send()
2026//    if err == nil { // resp is now filled
2027//        fmt.Println(resp)
2028//    }
2029//
2030// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKey
func (c *KMS) DisableKeyRequest(input *DisableKeyInput) (req *request.Request, output *DisableKeyOutput) {
	// Substitute an empty input for nil so newRequest always receives a
	// non-nil parameter struct.
	if input == nil {
		input = &DisableKeyInput{}
	}
	output = &DisableKeyOutput{}

	req = c.newRequest(&request.Operation{
		Name:       opDisableKey,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)

	// Swap the JSON-RPC unmarshal handler for the discard-body handler, so
	// the response body is not decoded into output for this operation.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)

	return req, output
}
2047
2048// DisableKey API operation for AWS Key Management Service.
2049//
2050// Sets the state of a customer master key (CMK) to disabled. This change temporarily
2051// prevents use of the CMK for cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations).
2052//
// For more information about how key state affects the use of a CMK, see Key
// state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
// in the AWS Key Management Service Developer Guide.
2056//
2057// The CMK that you use for this operation must be in a compatible key state.
2058// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
2059// in the AWS Key Management Service Developer Guide.
2060//
2061// Cross-account use: No. You cannot perform this operation on a CMK in a different
2062// AWS account.
2063//
2064// Required permissions: kms:DisableKey (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
2065// (key policy)
2066//
2067// Related operations: EnableKey
2068//
2069// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
2070// with awserr.Error's Code and Message methods to get detailed information about
2071// the error.
2072//
2073// See the AWS API reference guide for AWS Key Management Service's
2074// API operation DisableKey for usage and error information.
2075//
2076// Returned Error Types:
2077//   * NotFoundException
2078//   The request was rejected because the specified entity or resource could not
2079//   be found.
2080//
2081//   * InvalidArnException
2082//   The request was rejected because a specified ARN, or an ARN in a key policy,
2083//   is not valid.
2084//
2085//   * DependencyTimeoutException
2086//   The system timed out while trying to fulfill the request. The request can
2087//   be retried.
2088//
2089//   * InternalException
2090//   The request was rejected because an internal exception occurred. The request
2091//   can be retried.
2092//
2093//   * InvalidStateException
2094//   The request was rejected because the state of the specified resource is not
2095//   valid for this request.
2096//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
2100//
2101// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKey
func (c *KMS) DisableKey(input *DisableKeyInput) (*DisableKeyOutput, error) {
	// NOTE(review): this call changes key state. The doc comment lists
	// kms:DisableKey (key policy) as the required permission, so grant
	// that permission narrowly.
	r, resp := c.DisableKeyRequest(input)

	// A non-nil error means the request did not complete successfully;
	// callers should not assume the key is disabled in that case.
	err := r.Send()
	return resp, err
}
2106
2107// DisableKeyWithContext is the same as DisableKey with the addition of
2108// the ability to pass a context and additional request options.
2109//
2110// See DisableKey for details on how to use this API operation.
2111//
2112// The context must be non-nil and will be used for request cancellation. If
2113// the context is nil a panic will occur. In the future the SDK may create
2114// sub-contexts for http.Requests. See https://golang.org/pkg/context/
2115// for more information on using Contexts.
func (c *KMS) DisableKeyWithContext(ctx aws.Context, input *DisableKeyInput, opts ...request.Option) (*DisableKeyOutput, error) {
	r, resp := c.DisableKeyRequest(input)

	// ctx must be non-nil: the doc comment states that a nil context panics.
	r.SetContext(ctx)
	// Caller-supplied options are applied after the context is set.
	r.ApplyOptions(opts...)

	err := r.Send()
	return resp, err
}
2122
// opDisableKeyRotation is the operation name that DisableKeyRotationRequest
// places in request.Operation.Name.
const opDisableKeyRotation = "DisableKeyRotation"
2124
2125// DisableKeyRotationRequest generates a "aws/request.Request" representing the
2126// client's request for the DisableKeyRotation operation. The "output" return
2127// value will be populated with the request's response once the request completes
2128// successfully.
2129//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
2132//
2133// See DisableKeyRotation for more information on using the DisableKeyRotation
2134// API call, and error handling.
2135//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
2138//
2139//
2140//    // Example sending a request using the DisableKeyRotationRequest method.
2141//    req, resp := client.DisableKeyRotationRequest(params)
2142//
2143//    err := req.Send()
2144//    if err == nil { // resp is now filled
2145//        fmt.Println(resp)
2146//    }
2147//
2148// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKeyRotation
func (c *KMS) DisableKeyRotationRequest(input *DisableKeyRotationInput) (req *request.Request, output *DisableKeyRotationOutput) {
	// Substitute an empty input for nil so newRequest always receives a
	// non-nil parameter struct.
	if input == nil {
		input = &DisableKeyRotationInput{}
	}
	output = &DisableKeyRotationOutput{}

	req = c.newRequest(&request.Operation{
		Name:       opDisableKeyRotation,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)

	// Swap the JSON-RPC unmarshal handler for the discard-body handler, so
	// the response body is not decoded into output for this operation.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)

	return req, output
}
2165
2166// DisableKeyRotation API operation for AWS Key Management Service.
2167//
2168// Disables automatic rotation of the key material (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html)
2169// for the specified symmetric customer master key (CMK).
2170//
2171// You cannot enable automatic rotation of asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks),
2172// CMKs with imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html),
2173// or CMKs in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html).
2174// To enable or disable automatic rotation of a set of related multi-Region
2175// keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key),
2176// set the property on the primary key.
2177//
2178// The CMK that you use for this operation must be in a compatible key state.
2179// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
2180// in the AWS Key Management Service Developer Guide.
2181//
2182// Cross-account use: No. You cannot perform this operation on a CMK in a different
2183// AWS account.
2184//
2185// Required permissions: kms:DisableKeyRotation (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
2186// (key policy)
2187//
2188// Related operations:
2189//
2190//    * EnableKeyRotation
2191//
2192//    * GetKeyRotationStatus
2193//
2194// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
2195// with awserr.Error's Code and Message methods to get detailed information about
2196// the error.
2197//
2198// See the AWS API reference guide for AWS Key Management Service's
2199// API operation DisableKeyRotation for usage and error information.
2200//
2201// Returned Error Types:
2202//   * NotFoundException
2203//   The request was rejected because the specified entity or resource could not
2204//   be found.
2205//
2206//   * DisabledException
2207//   The request was rejected because the specified CMK is not enabled.
2208//
2209//   * InvalidArnException
2210//   The request was rejected because a specified ARN, or an ARN in a key policy,
2211//   is not valid.
2212//
2213//   * DependencyTimeoutException
2214//   The system timed out while trying to fulfill the request. The request can
2215//   be retried.
2216//
2217//   * InternalException
2218//   The request was rejected because an internal exception occurred. The request
2219//   can be retried.
2220//
2221//   * InvalidStateException
2222//   The request was rejected because the state of the specified resource is not
2223//   valid for this request.
2224//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
2228//
2229//   * UnsupportedOperationException
2230//   The request was rejected because a specified parameter is not supported or
2231//   a specified resource is not valid for this operation.
2232//
2233// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKeyRotation
func (c *KMS) DisableKeyRotation(input *DisableKeyRotationInput) (*DisableKeyRotationOutput, error) {
	// NOTE(review): this call turns off automatic rotation of key material.
	// The doc comment lists kms:DisableKeyRotation (key policy) as the
	// required permission, so grant that permission narrowly.
	r, resp := c.DisableKeyRotationRequest(input)

	// A non-nil error means the request did not complete successfully.
	err := r.Send()
	return resp, err
}
2238
2239// DisableKeyRotationWithContext is the same as DisableKeyRotation with the addition of
2240// the ability to pass a context and additional request options.
2241//
2242// See DisableKeyRotation for details on how to use this API operation.
2243//
2244// The context must be non-nil and will be used for request cancellation. If
2245// the context is nil a panic will occur. In the future the SDK may create
2246// sub-contexts for http.Requests. See https://golang.org/pkg/context/
2247// for more information on using Contexts.
func (c *KMS) DisableKeyRotationWithContext(ctx aws.Context, input *DisableKeyRotationInput, opts ...request.Option) (*DisableKeyRotationOutput, error) {
	r, resp := c.DisableKeyRotationRequest(input)

	// ctx must be non-nil: the doc comment states that a nil context panics.
	r.SetContext(ctx)
	// Caller-supplied options are applied after the context is set.
	r.ApplyOptions(opts...)

	err := r.Send()
	return resp, err
}
2254
// opDisconnectCustomKeyStore is the operation name that
// DisconnectCustomKeyStoreRequest places in request.Operation.Name.
const opDisconnectCustomKeyStore = "DisconnectCustomKeyStore"
2256
2257// DisconnectCustomKeyStoreRequest generates a "aws/request.Request" representing the
2258// client's request for the DisconnectCustomKeyStore operation. The "output" return
2259// value will be populated with the request's response once the request completes
2260// successfully.
2261//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
2264//
2265// See DisconnectCustomKeyStore for more information on using the DisconnectCustomKeyStore
2266// API call, and error handling.
2267//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
2270//
2271//
2272//    // Example sending a request using the DisconnectCustomKeyStoreRequest method.
2273//    req, resp := client.DisconnectCustomKeyStoreRequest(params)
2274//
2275//    err := req.Send()
2276//    if err == nil { // resp is now filled
2277//        fmt.Println(resp)
2278//    }
2279//
2280// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisconnectCustomKeyStore
func (c *KMS) DisconnectCustomKeyStoreRequest(input *DisconnectCustomKeyStoreInput) (req *request.Request, output *DisconnectCustomKeyStoreOutput) {
	// Substitute an empty input for nil so newRequest always receives a
	// non-nil parameter struct.
	if input == nil {
		input = &DisconnectCustomKeyStoreInput{}
	}
	output = &DisconnectCustomKeyStoreOutput{}

	req = c.newRequest(&request.Operation{
		Name:       opDisconnectCustomKeyStore,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)

	// Swap the JSON-RPC unmarshal handler for the discard-body handler, so
	// the response body is not decoded into output for this operation.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)

	return req, output
}
2297
2298// DisconnectCustomKeyStore API operation for AWS Key Management Service.
2299//
2300// Disconnects the custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
2301// from its associated AWS CloudHSM cluster. While a custom key store is disconnected,
2302// you can manage the custom key store and its customer master keys (CMKs),
2303// but you cannot create or use CMKs in the custom key store. You can reconnect
2304// the custom key store at any time.
2305//
2306// While a custom key store is disconnected, all attempts to create customer
2307// master keys (CMKs) in the custom key store or to use existing CMKs in cryptographic
2308// operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations)
2309// will fail. This action can prevent users from storing and accessing sensitive
2310// data.
2311//
2312// To find the connection state of a custom key store, use the DescribeCustomKeyStores
2313// operation. To reconnect a custom key store, use the ConnectCustomKeyStore
2314// operation.
2315//
2316// If the operation succeeds, it returns a JSON object with no properties.
2317//
// This operation is part of the Custom Key Store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
// in AWS KMS, which combines the convenience and extensive integration
// of AWS KMS with the isolation and control of a single-tenant key store.
2321//
2322// Cross-account use: No. You cannot perform this operation on a custom key
2323// store in a different AWS account.
2324//
2325// Required permissions: kms:DisconnectCustomKeyStore (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
2326// (IAM policy)
2327//
2328// Related operations:
2329//
2330//    * ConnectCustomKeyStore
2331//
2332//    * CreateCustomKeyStore
2333//
2334//    * DeleteCustomKeyStore
2335//
2336//    * DescribeCustomKeyStores
2337//
2338//    * UpdateCustomKeyStore
2339//
2340// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
2341// with awserr.Error's Code and Message methods to get detailed information about
2342// the error.
2343//
2344// See the AWS API reference guide for AWS Key Management Service's
2345// API operation DisconnectCustomKeyStore for usage and error information.
2346//
2347// Returned Error Types:
2348//   * CustomKeyStoreInvalidStateException
2349//   The request was rejected because of the ConnectionState of the custom key
2350//   store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores
2351//   operation.
2352//
2353//   This exception is thrown under the following conditions:
2354//
2355//      * You requested the CreateKey or GenerateRandom operation in a custom
2356//      key store that is not connected. These operations are valid only when
2357//      the custom key store ConnectionState is CONNECTED.
2358//
//      * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation
//      on a custom key store that is not disconnected. These operations are valid
//      only when the custom key store ConnectionState is DISCONNECTED.
2362//
2363//      * You requested the ConnectCustomKeyStore operation on a custom key store
2364//      with a ConnectionState of DISCONNECTING or FAILED. This operation is valid
2365//      for all other ConnectionState values.
2366//
2367//   * CustomKeyStoreNotFoundException
2368//   The request was rejected because AWS KMS cannot find a custom key store with
2369//   the specified key store name or ID.
2370//
2371//   * InternalException
2372//   The request was rejected because an internal exception occurred. The request
2373//   can be retried.
2374//
2375// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisconnectCustomKeyStore
func (c *KMS) DisconnectCustomKeyStore(input *DisconnectCustomKeyStoreInput) (*DisconnectCustomKeyStoreOutput, error) {
	// NOTE(review): per the doc comment, while the store is disconnected
	// CMKs in it cannot be created or used, which can block access to
	// sensitive data. The listed permission is kms:DisconnectCustomKeyStore
	// (IAM policy); grant it narrowly.
	r, resp := c.DisconnectCustomKeyStoreRequest(input)

	// A non-nil error means the request did not complete successfully.
	err := r.Send()
	return resp, err
}
2380
2381// DisconnectCustomKeyStoreWithContext is the same as DisconnectCustomKeyStore with the addition of
2382// the ability to pass a context and additional request options.
2383//
2384// See DisconnectCustomKeyStore for details on how to use this API operation.
2385//
2386// The context must be non-nil and will be used for request cancellation. If
2387// the context is nil a panic will occur. In the future the SDK may create
2388// sub-contexts for http.Requests. See https://golang.org/pkg/context/
2389// for more information on using Contexts.
func (c *KMS) DisconnectCustomKeyStoreWithContext(ctx aws.Context, input *DisconnectCustomKeyStoreInput, opts ...request.Option) (*DisconnectCustomKeyStoreOutput, error) {
	r, resp := c.DisconnectCustomKeyStoreRequest(input)

	// ctx must be non-nil: the doc comment states that a nil context panics.
	r.SetContext(ctx)
	// Caller-supplied options are applied after the context is set.
	r.ApplyOptions(opts...)

	err := r.Send()
	return resp, err
}
2396
// opEnableKey is the operation name that EnableKeyRequest places in
// request.Operation.Name.
const opEnableKey = "EnableKey"
2398
2399// EnableKeyRequest generates a "aws/request.Request" representing the
2400// client's request for the EnableKey operation. The "output" return
2401// value will be populated with the request's response once the request completes
2402// successfully.
2403//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
2406//
2407// See EnableKey for more information on using the EnableKey
2408// API call, and error handling.
2409//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
2412//
2413//
2414//    // Example sending a request using the EnableKeyRequest method.
2415//    req, resp := client.EnableKeyRequest(params)
2416//
2417//    err := req.Send()
2418//    if err == nil { // resp is now filled
2419//        fmt.Println(resp)
2420//    }
2421//
2422// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKey
func (c *KMS) EnableKeyRequest(input *EnableKeyInput) (req *request.Request, output *EnableKeyOutput) {
	// Substitute an empty input for nil so newRequest always receives a
	// non-nil parameter struct.
	if input == nil {
		input = &EnableKeyInput{}
	}
	output = &EnableKeyOutput{}

	req = c.newRequest(&request.Operation{
		Name:       opEnableKey,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)

	// Swap the JSON-RPC unmarshal handler for the discard-body handler, so
	// the response body is not decoded into output for this operation.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)

	return req, output
}
2439
2440// EnableKey API operation for AWS Key Management Service.
2441//
2442// Sets the key state of a customer master key (CMK) to enabled. This allows
2443// you to use the CMK for cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations).
2444//
2445// The CMK that you use for this operation must be in a compatible key state.
2446// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
2447// in the AWS Key Management Service Developer Guide.
2448//
2449// Cross-account use: No. You cannot perform this operation on a CMK in a different
2450// AWS account.
2451//
2452// Required permissions: kms:EnableKey (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
2453// (key policy)
2454//
2455// Related operations: DisableKey
2456//
2457// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
2458// with awserr.Error's Code and Message methods to get detailed information about
2459// the error.
2460//
2461// See the AWS API reference guide for AWS Key Management Service's
2462// API operation EnableKey for usage and error information.
2463//
2464// Returned Error Types:
2465//   * NotFoundException
2466//   The request was rejected because the specified entity or resource could not
2467//   be found.
2468//
2469//   * InvalidArnException
2470//   The request was rejected because a specified ARN, or an ARN in a key policy,
2471//   is not valid.
2472//
2473//   * DependencyTimeoutException
2474//   The system timed out while trying to fulfill the request. The request can
2475//   be retried.
2476//
2477//   * InternalException
2478//   The request was rejected because an internal exception occurred. The request
2479//   can be retried.
2480//
2481//   * LimitExceededException
2482//   The request was rejected because a quota was exceeded. For more information,
2483//   see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html)
2484//   in the AWS Key Management Service Developer Guide.
2485//
2486//   * InvalidStateException
2487//   The request was rejected because the state of the specified resource is not
2488//   valid for this request.
2489//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
2493//
2494// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKey
func (c *KMS) EnableKey(input *EnableKeyInput) (*EnableKeyOutput, error) {
	// NOTE(review): this call makes a CMK usable for cryptographic
	// operations again. The doc comment lists kms:EnableKey (key policy)
	// as the required permission, so grant that permission narrowly.
	r, resp := c.EnableKeyRequest(input)

	// A non-nil error means the request did not complete successfully.
	err := r.Send()
	return resp, err
}
2499
2500// EnableKeyWithContext is the same as EnableKey with the addition of
2501// the ability to pass a context and additional request options.
2502//
2503// See EnableKey for details on how to use this API operation.
2504//
2505// The context must be non-nil and will be used for request cancellation. If
2506// the context is nil a panic will occur. In the future the SDK may create
2507// sub-contexts for http.Requests. See https://golang.org/pkg/context/
2508// for more information on using Contexts.
func (c *KMS) EnableKeyWithContext(ctx aws.Context, input *EnableKeyInput, opts ...request.Option) (*EnableKeyOutput, error) {
	r, resp := c.EnableKeyRequest(input)

	// ctx must be non-nil: the doc comment states that a nil context panics.
	r.SetContext(ctx)
	// Caller-supplied options are applied after the context is set.
	r.ApplyOptions(opts...)

	err := r.Send()
	return resp, err
}
2515
// opEnableKeyRotation is the operation name that EnableKeyRotationRequest
// places in request.Operation.Name.
const opEnableKeyRotation = "EnableKeyRotation"
2517
2518// EnableKeyRotationRequest generates a "aws/request.Request" representing the
2519// client's request for the EnableKeyRotation operation. The "output" return
2520// value will be populated with the request's response once the request completes
2521// successfully.
2522//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
2525//
2526// See EnableKeyRotation for more information on using the EnableKeyRotation
2527// API call, and error handling.
2528//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
2531//
2532//
2533//    // Example sending a request using the EnableKeyRotationRequest method.
2534//    req, resp := client.EnableKeyRotationRequest(params)
2535//
2536//    err := req.Send()
2537//    if err == nil { // resp is now filled
2538//        fmt.Println(resp)
2539//    }
2540//
2541// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotation
func (c *KMS) EnableKeyRotationRequest(input *EnableKeyRotationInput) (req *request.Request, output *EnableKeyRotationOutput) {
	// Substitute an empty input for nil so newRequest always receives a
	// non-nil parameter struct.
	if input == nil {
		input = &EnableKeyRotationInput{}
	}
	output = &EnableKeyRotationOutput{}

	req = c.newRequest(&request.Operation{
		Name:       opEnableKeyRotation,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)

	// Swap the JSON-RPC unmarshal handler for the discard-body handler, so
	// the response body is not decoded into output for this operation.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)

	return req, output
}
2558
2559// EnableKeyRotation API operation for AWS Key Management Service.
2560//
2561// Enables automatic rotation of the key material (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html)
2562// for the specified symmetric customer master key (CMK).
2563//
2564// You cannot enable automatic rotation of asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks),
2565// CMKs with imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html),
2566// or CMKs in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html).
2567// To enable or disable automatic rotation of a set of related multi-Region
2568// keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key),
2569// set the property on the primary key.
2570//
2571// The CMK that you use for this operation must be in a compatible key state.
2572// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
2573// in the AWS Key Management Service Developer Guide.
2574//
2575// Cross-account use: No. You cannot perform this operation on a CMK in a different
2576// AWS account.
2577//
2578// Required permissions: kms:EnableKeyRotation (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
2579// (key policy)
2580//
2581// Related operations:
2582//
2583//    * DisableKeyRotation
2584//
2585//    * GetKeyRotationStatus
2586//
2587// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
2588// with awserr.Error's Code and Message methods to get detailed information about
2589// the error.
2590//
2591// See the AWS API reference guide for AWS Key Management Service's
2592// API operation EnableKeyRotation for usage and error information.
2593//
2594// Returned Error Types:
2595//   * NotFoundException
2596//   The request was rejected because the specified entity or resource could not
2597//   be found.
2598//
2599//   * DisabledException
2600//   The request was rejected because the specified CMK is not enabled.
2601//
2602//   * InvalidArnException
2603//   The request was rejected because a specified ARN, or an ARN in a key policy,
2604//   is not valid.
2605//
2606//   * DependencyTimeoutException
2607//   The system timed out while trying to fulfill the request. The request can
2608//   be retried.
2609//
2610//   * InternalException
2611//   The request was rejected because an internal exception occurred. The request
2612//   can be retried.
2613//
2614//   * InvalidStateException
2615//   The request was rejected because the state of the specified resource is not
2616//   valid for this request.
2617//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
2621//
2622//   * UnsupportedOperationException
2623//   The request was rejected because a specified parameter is not supported or
2624//   a specified resource is not valid for this operation.
2625//
2626// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotation
func (c *KMS) EnableKeyRotation(input *EnableKeyRotationInput) (*EnableKeyRotationOutput, error) {
	// The doc comment lists kms:EnableKeyRotation (key policy) as the
	// required permission for this call.
	r, resp := c.EnableKeyRotationRequest(input)

	// A non-nil error means the request did not complete successfully;
	// callers should not assume rotation is enabled in that case.
	err := r.Send()
	return resp, err
}
2631
2632// EnableKeyRotationWithContext is the same as EnableKeyRotation with the addition of
2633// the ability to pass a context and additional request options.
2634//
2635// See EnableKeyRotation for details on how to use this API operation.
2636//
2637// The context must be non-nil and will be used for request cancellation. If
2638// the context is nil a panic will occur. In the future the SDK may create
2639// sub-contexts for http.Requests. See https://golang.org/pkg/context/
2640// for more information on using Contexts.
func (c *KMS) EnableKeyRotationWithContext(ctx aws.Context, input *EnableKeyRotationInput, opts ...request.Option) (*EnableKeyRotationOutput, error) {
	r, resp := c.EnableKeyRotationRequest(input)

	// ctx must be non-nil: the doc comment states that a nil context panics.
	r.SetContext(ctx)
	// Caller-supplied options are applied after the context is set.
	r.ApplyOptions(opts...)

	err := r.Send()
	return resp, err
}
2647
// opEncrypt is the operation name that EncryptRequest places in
// request.Operation.Name.
const opEncrypt = "Encrypt"
2649
2650// EncryptRequest generates a "aws/request.Request" representing the
2651// client's request for the Encrypt operation. The "output" return
2652// value will be populated with the request's response once the request completes
2653// successfully.
2654//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
2657//
2658// See Encrypt for more information on using the Encrypt
2659// API call, and error handling.
2660//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
2663//
2664//
2665//    // Example sending a request using the EncryptRequest method.
2666//    req, resp := client.EncryptRequest(params)
2667//
2668//    err := req.Send()
2669//    if err == nil { // resp is now filled
2670//        fmt.Println(resp)
2671//    }
2672//
2673// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Encrypt
func (c *KMS) EncryptRequest(input *EncryptInput) (req *request.Request, output *EncryptOutput) {
	// Substitute an empty input for nil so newRequest always receives a
	// non-nil parameter struct.
	if input == nil {
		input = &EncryptInput{}
	}
	output = &EncryptOutput{}

	// Unlike the key-state operations in this file, no unmarshal handler is
	// swapped here, so the response is unmarshalled into output.
	req = c.newRequest(&request.Operation{
		Name:       opEncrypt,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)

	return req, output
}
2689
2690// Encrypt API operation for AWS Key Management Service.
2691//
2692// Encrypts plaintext into ciphertext by using a customer master key (CMK).
2693// The Encrypt operation has two primary use cases:
2694//
2695//    * You can encrypt small amounts of arbitrary data, such as a personal
2696//    identifier or database password, or other sensitive information.
2697//
2698//    * You can use the Encrypt operation to move encrypted data from one AWS
2699//    Region to another. For example, in Region A, generate a data key and use
2700//    the plaintext key to encrypt your data. Then, in Region A, use the Encrypt
2701//    operation to encrypt the plaintext data key under a CMK in Region B. Now,
2702//    you can move the encrypted data and the encrypted data key to Region B.
2703//    When necessary, you can decrypt the encrypted data key and the encrypted
//    data entirely within Region B.
2705//
2706// You don't need to use the Encrypt operation to encrypt a data key. The GenerateDataKey
2707// and GenerateDataKeyPair operations return a plaintext data key and an encrypted
2708// copy of that data key.
2709//
2710// When you encrypt data, you must specify a symmetric or asymmetric CMK to
2711// use in the encryption operation. The CMK must have a KeyUsage value of ENCRYPT_DECRYPT.
2712// To find the KeyUsage of a CMK, use the DescribeKey operation.
2713//
2714// If you use a symmetric CMK, you can use an encryption context to add additional
2715// security to your encryption operation. If you specify an EncryptionContext
2716// when encrypting data, you must specify the same encryption context (a case-sensitive
2717// exact match) when decrypting the data. Otherwise, the request to decrypt
2718// fails with an InvalidCiphertextException. For more information, see Encryption
2719// Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context)
2720// in the AWS Key Management Service Developer Guide.
2721//
2722// If you specify an asymmetric CMK, you must also specify the encryption algorithm.
2723// The algorithm must be compatible with the CMK type.
2724//
2725// When you use an asymmetric CMK to encrypt or reencrypt data, be sure to record
2726// the CMK and encryption algorithm that you choose. You will be required to
2727// provide the same CMK and encryption algorithm when you decrypt the data.
2728// If the CMK and algorithm do not match the values used to encrypt the data,
2729// the decrypt operation fails.
2730//
2731// You are not required to supply the CMK ID and encryption algorithm when you
2732// decrypt with symmetric CMKs because AWS KMS stores this information in the
2733// ciphertext blob. AWS KMS cannot store metadata in ciphertext generated with
2734// asymmetric keys. The standard format for asymmetric key ciphertext does not
2735// include configurable fields.
2736//
2737// The maximum size of the data that you can encrypt varies with the type of
2738// CMK and the encryption algorithm that you choose.
2739//
//    * Symmetric CMKs (SYMMETRIC_DEFAULT): 4096 bytes
//
//    * RSA_2048 with RSAES_OAEP_SHA_1: 214 bytes; with RSAES_OAEP_SHA_256: 190 bytes
//
//    * RSA_3072 with RSAES_OAEP_SHA_1: 342 bytes; with RSAES_OAEP_SHA_256: 318 bytes
//
//    * RSA_4096 with RSAES_OAEP_SHA_1: 470 bytes; with RSAES_OAEP_SHA_256: 446 bytes
2747//
2748// The CMK that you use for this operation must be in a compatible key state.
2749// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
2750// in the AWS Key Management Service Developer Guide.
2751//
2752// Cross-account use: Yes. To perform this operation with a CMK in a different
2753// AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter.
2754//
2755// Required permissions: kms:Encrypt (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
2756// (key policy)
2757//
2758// Related operations:
2759//
2760//    * Decrypt
2761//
2762//    * GenerateDataKey
2763//
2764//    * GenerateDataKeyPair
2765//
2766// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
2767// with awserr.Error's Code and Message methods to get detailed information about
2768// the error.
2769//
2770// See the AWS API reference guide for AWS Key Management Service's
2771// API operation Encrypt for usage and error information.
2772//
2773// Returned Error Types:
2774//   * NotFoundException
2775//   The request was rejected because the specified entity or resource could not
2776//   be found.
2777//
2778//   * DisabledException
2779//   The request was rejected because the specified CMK is not enabled.
2780//
2781//   * KeyUnavailableException
2782//   The request was rejected because the specified CMK was not available. You
2783//   can retry the request.
2784//
2785//   * DependencyTimeoutException
2786//   The system timed out while trying to fulfill the request. The request can
2787//   be retried.
2788//
2789//   * InvalidKeyUsageException
2790//   The request was rejected for one of the following reasons:
2791//
2792//      * The KeyUsage value of the CMK is incompatible with the API operation.
2793//
2794//      * The encryption algorithm or signing algorithm specified for the operation
2795//      is incompatible with the type of key material in the CMK (CustomerMasterKeySpec).
2796//
2797//   For encrypting, decrypting, re-encrypting, and generating data keys, the
2798//   KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage
2799//   must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation.
2800//
2801//   To find the encryption or signing algorithms supported for a particular CMK,
2802//   use the DescribeKey operation.
2803//
2804//   * InvalidGrantTokenException
2805//   The request was rejected because the specified grant token is not valid.
2806//
2807//   * InternalException
2808//   The request was rejected because an internal exception occurred. The request
2809//   can be retried.
2810//
2811//   * InvalidStateException
2812//   The request was rejected because the state of the specified resource is not
2813//   valid for this request.
2814//
2815//   For more information about how key state affects the use of a CMK, see How
2816//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
2818//
2819// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Encrypt
func (c *KMS) Encrypt(input *EncryptInput) (*EncryptOutput, error) {
	// Build the request, then send it synchronously. No plaintext size check
	// is visible in this wrapper; the per-CMK and per-algorithm limits listed
	// in the doc comment are stated there as service limits.
	r, result := c.EncryptRequest(input)
	err := r.Send()

	// The output pointer is returned alongside any error; per
	// EncryptRequest's documentation it is only valid when err is nil.
	return result, err
}
2824
2825// EncryptWithContext is the same as Encrypt with the addition of
2826// the ability to pass a context and additional request options.
2827//
2828// See Encrypt for details on how to use this API operation.
2829//
2830// The context must be non-nil and will be used for request cancellation. If
2831// the context is nil a panic will occur. In the future the SDK may create
2832// sub-contexts for http.Requests. See https://golang.org/pkg/context/
2833// for more information on using Contexts.
func (c *KMS) EncryptWithContext(ctx aws.Context, input *EncryptInput, opts ...request.Option) (*EncryptOutput, error) {
	r, result := c.EncryptRequest(input)

	// ctx is attached before the caller's options are applied. Per the doc
	// comment it must be non-nil (a nil context panics) and is used for
	// request cancellation.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)

	err := r.Send()
	return result, err
}
2840
// opGenerateDataKey is the operation name that GenerateDataKeyRequest places
// in request.Operation.Name.
const opGenerateDataKey = "GenerateDataKey"
2842
2843// GenerateDataKeyRequest generates a "aws/request.Request" representing the
2844// client's request for the GenerateDataKey operation. The "output" return
2845// value will be populated with the request's response once the request completes
2846// successfully.
2847//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
2850//
2851// See GenerateDataKey for more information on using the GenerateDataKey
2852// API call, and error handling.
2853//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
2856//
2857//
2858//    // Example sending a request using the GenerateDataKeyRequest method.
2859//    req, resp := client.GenerateDataKeyRequest(params)
2860//
2861//    err := req.Send()
2862//    if err == nil { // resp is now filled
2863//        fmt.Println(resp)
2864//    }
2865//
2866// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKey
func (c *KMS) GenerateDataKeyRequest(input *GenerateDataKeyInput) (req *request.Request, output *GenerateDataKeyOutput) {
	// Callers may pass nil; substitute an empty GenerateDataKeyInput so
	// newRequest always receives a non-nil parameter struct.
	params := input
	if params == nil {
		params = &GenerateDataKeyInput{}
	}

	// The pointer handed to newRequest is the one returned to the caller and
	// is only valid after Send returns without error. Per the GenerateDataKey
	// documentation the response carries the plaintext data key in its
	// Plaintext field, which should be erased from memory after use.
	result := &GenerateDataKeyOutput{}
	operation := &request.Operation{
		Name:       opGenerateDataKey,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}
	return c.newRequest(operation, params, result), result
}
2882
2883// GenerateDataKey API operation for AWS Key Management Service.
2884//
2885// Generates a unique symmetric data key for client-side encryption. This operation
2886// returns a plaintext copy of the data key and a copy that is encrypted under
2887// a customer master key (CMK) that you specify. You can use the plaintext key
2888// to encrypt your data outside of AWS KMS and store the encrypted data key
2889// with the encrypted data.
2890//
2891// GenerateDataKey returns a unique data key for each request. The bytes in
2892// the plaintext key are not related to the caller or the CMK.
2893//
2894// To generate a data key, specify the symmetric CMK that will be used to encrypt
2895// the data key. You cannot use an asymmetric CMK to generate data keys. To
2896// get the type of your CMK, use the DescribeKey operation. You must also specify
2897// the length of the data key. Use either the KeySpec or NumberOfBytes parameters
2898// (but not both). For 128-bit and 256-bit data keys, use the KeySpec parameter.
2899//
2900// To get only an encrypted copy of the data key, use GenerateDataKeyWithoutPlaintext.
2901// To generate an asymmetric data key pair, use the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext
2902// operation. To get a cryptographically secure random byte string, use GenerateRandom.
2903//
2904// You can use the optional encryption context to add additional security to
2905// the encryption operation. If you specify an EncryptionContext, you must specify
2906// the same encryption context (a case-sensitive exact match) when decrypting
2907// the encrypted data key. Otherwise, the request to decrypt fails with an InvalidCiphertextException.
2908// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context)
2909// in the AWS Key Management Service Developer Guide.
2910//
2911// The CMK that you use for this operation must be in a compatible key state.
2912// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
2913// in the AWS Key Management Service Developer Guide.
2914//
2915// How to use your data key
2916//
2917// We recommend that you use the following pattern to encrypt data locally in
2918// your application. You can write your own code or use a client-side encryption
2919// library, such as the AWS Encryption SDK (https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/),
2920// the Amazon DynamoDB Encryption Client (https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/),
2921// or Amazon S3 client-side encryption (https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html)
2922// to do these tasks for you.
2923//
2924// To encrypt data outside of AWS KMS:
2925//
2926// Use the GenerateDataKey operation to get a data key.
2927//
2928// Use the plaintext data key (in the Plaintext field of the response) to encrypt
2929// your data outside of AWS KMS. Then erase the plaintext data key from memory.
2930//
2931// Store the encrypted data key (in the CiphertextBlob field of the response)
2932// with the encrypted data.
2933//
2934// To decrypt data outside of AWS KMS:
2935//
2936// Use the Decrypt operation to decrypt the encrypted data key. The operation
2937// returns a plaintext copy of the data key.
2938//
2939// Use the plaintext data key to decrypt data outside of AWS KMS, then erase
2940// the plaintext data key from memory.
2941//
2942// Cross-account use: Yes. To perform this operation with a CMK in a different
2943// AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter.
2944//
2945// Required permissions: kms:GenerateDataKey (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
2946// (key policy)
2947//
2948// Related operations:
2949//
2950//    * Decrypt
2951//
2952//    * Encrypt
2953//
2954//    * GenerateDataKeyPair
2955//
2956//    * GenerateDataKeyPairWithoutPlaintext
2957//
2958//    * GenerateDataKeyWithoutPlaintext
2959//
2960// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
2961// with awserr.Error's Code and Message methods to get detailed information about
2962// the error.
2963//
2964// See the AWS API reference guide for AWS Key Management Service's
2965// API operation GenerateDataKey for usage and error information.
2966//
2967// Returned Error Types:
2968//   * NotFoundException
2969//   The request was rejected because the specified entity or resource could not
2970//   be found.
2971//
2972//   * DisabledException
2973//   The request was rejected because the specified CMK is not enabled.
2974//
2975//   * KeyUnavailableException
2976//   The request was rejected because the specified CMK was not available. You
2977//   can retry the request.
2978//
2979//   * DependencyTimeoutException
2980//   The system timed out while trying to fulfill the request. The request can
2981//   be retried.
2982//
2983//   * InvalidKeyUsageException
2984//   The request was rejected for one of the following reasons:
2985//
2986//      * The KeyUsage value of the CMK is incompatible with the API operation.
2987//
2988//      * The encryption algorithm or signing algorithm specified for the operation
2989//      is incompatible with the type of key material in the CMK (CustomerMasterKeySpec).
2990//
2991//   For encrypting, decrypting, re-encrypting, and generating data keys, the
2992//   KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage
2993//   must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation.
2994//
2995//   To find the encryption or signing algorithms supported for a particular CMK,
2996//   use the DescribeKey operation.
2997//
2998//   * InvalidGrantTokenException
2999//   The request was rejected because the specified grant token is not valid.
3000//
3001//   * InternalException
3002//   The request was rejected because an internal exception occurred. The request
3003//   can be retried.
3004//
3005//   * InvalidStateException
3006//   The request was rejected because the state of the specified resource is not
3007//   valid for this request.
3008//
3009//   For more information about how key state affects the use of a CMK, see How
3010//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
3012//
3013// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKey
func (c *KMS) GenerateDataKey(input *GenerateDataKeyInput) (*GenerateDataKeyOutput, error) {
	// Build the request, then send it synchronously.
	r, result := c.GenerateDataKeyRequest(input)
	err := r.Send()

	// The output pointer is returned alongside any error and is only valid
	// when err is nil. On success it holds the plaintext data key (Plaintext
	// field), which the doc comment says to erase from memory after use.
	return result, err
}
3018
3019// GenerateDataKeyWithContext is the same as GenerateDataKey with the addition of
3020// the ability to pass a context and additional request options.
3021//
3022// See GenerateDataKey for details on how to use this API operation.
3023//
3024// The context must be non-nil and will be used for request cancellation. If
3025// the context is nil a panic will occur. In the future the SDK may create
3026// sub-contexts for http.Requests. See https://golang.org/pkg/context/
3027// for more information on using Contexts.
func (c *KMS) GenerateDataKeyWithContext(ctx aws.Context, input *GenerateDataKeyInput, opts ...request.Option) (*GenerateDataKeyOutput, error) {
	r, result := c.GenerateDataKeyRequest(input)

	// ctx is attached before the caller's options are applied. Per the doc
	// comment it must be non-nil (a nil context panics) and is used for
	// request cancellation.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)

	// As with GenerateDataKey, a successful response holds the plaintext data
	// key in its Plaintext field.
	err := r.Send()
	return result, err
}
3034
// opGenerateDataKeyPair is the operation name that GenerateDataKeyPairRequest
// places in request.Operation.Name.
const opGenerateDataKeyPair = "GenerateDataKeyPair"
3036
3037// GenerateDataKeyPairRequest generates a "aws/request.Request" representing the
3038// client's request for the GenerateDataKeyPair operation. The "output" return
3039// value will be populated with the request's response once the request completes
3040// successfully.
3041//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
3044//
3045// See GenerateDataKeyPair for more information on using the GenerateDataKeyPair
3046// API call, and error handling.
3047//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
3050//
3051//
3052//    // Example sending a request using the GenerateDataKeyPairRequest method.
3053//    req, resp := client.GenerateDataKeyPairRequest(params)
3054//
3055//    err := req.Send()
3056//    if err == nil { // resp is now filled
3057//        fmt.Println(resp)
3058//    }
3059//
3060// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPair
func (c *KMS) GenerateDataKeyPairRequest(input *GenerateDataKeyPairInput) (req *request.Request, output *GenerateDataKeyPairOutput) {
	// Callers may pass nil; substitute an empty GenerateDataKeyPairInput so
	// newRequest always receives a non-nil parameter struct.
	params := input
	if params == nil {
		params = &GenerateDataKeyPairInput{}
	}

	// The pointer handed to newRequest is the one returned to the caller and
	// is only valid after Send returns without error. Per the
	// GenerateDataKeyPair documentation the response includes a plaintext
	// private key in addition to the encrypted copy.
	result := &GenerateDataKeyPairOutput{}
	operation := &request.Operation{
		Name:       opGenerateDataKeyPair,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}
	return c.newRequest(operation, params, result), result
}
3076
3077// GenerateDataKeyPair API operation for AWS Key Management Service.
3078//
3079// Generates a unique asymmetric data key pair. The GenerateDataKeyPair operation
3080// returns a plaintext public key, a plaintext private key, and a copy of the
3081// private key that is encrypted under the symmetric CMK you specify. You can
3082// use the data key pair to perform asymmetric cryptography outside of AWS KMS.
3083//
3084// GenerateDataKeyPair returns a unique data key pair for each request. The
3085// bytes in the keys are not related to the caller or the CMK that is used to
3086// encrypt the private key.
3087//
3088// You can use the public key that GenerateDataKeyPair returns to encrypt data
3089// or verify a signature outside of AWS KMS. Then, store the encrypted private
3090// key with the data. When you are ready to decrypt data or sign a message,
3091// you can use the Decrypt operation to decrypt the encrypted private key.
3092//
3093// To generate a data key pair, you must specify a symmetric customer master
3094// key (CMK) to encrypt the private key in a data key pair. You cannot use an
3095// asymmetric CMK or a CMK in a custom key store. To get the type and origin
3096// of your CMK, use the DescribeKey operation.
3097//
3098// If you are using the data key pair to encrypt data, or for any operation
3099// where you don't immediately need a private key, consider using the GenerateDataKeyPairWithoutPlaintext
3100// operation. GenerateDataKeyPairWithoutPlaintext returns a plaintext public
3101// key and an encrypted private key, but omits the plaintext private key that
3102// you need only to decrypt ciphertext or sign a message. Later, when you need
3103// to decrypt the data or sign a message, use the Decrypt operation to decrypt
3104// the encrypted private key in the data key pair.
3105//
3106// You can use the optional encryption context to add additional security to
3107// the encryption operation. If you specify an EncryptionContext, you must specify
3108// the same encryption context (a case-sensitive exact match) when decrypting
3109// the encrypted data key. Otherwise, the request to decrypt fails with an InvalidCiphertextException.
3110// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context)
3111// in the AWS Key Management Service Developer Guide.
3112//
3113// The CMK that you use for this operation must be in a compatible key state.
3114// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
3115// in the AWS Key Management Service Developer Guide.
3116//
3117// Cross-account use: Yes. To perform this operation with a CMK in a different
3118// AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter.
3119//
3120// Required permissions: kms:GenerateDataKeyPair (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
3121// (key policy)
3122//
3123// Related operations:
3124//
3125//    * Decrypt
3126//
3127//    * Encrypt
3128//
3129//    * GenerateDataKey
3130//
3131//    * GenerateDataKeyPairWithoutPlaintext
3132//
3133//    * GenerateDataKeyWithoutPlaintext
3134//
3135// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
3136// with awserr.Error's Code and Message methods to get detailed information about
3137// the error.
3138//
3139// See the AWS API reference guide for AWS Key Management Service's
3140// API operation GenerateDataKeyPair for usage and error information.
3141//
3142// Returned Error Types:
3143//   * NotFoundException
3144//   The request was rejected because the specified entity or resource could not
3145//   be found.
3146//
3147//   * DisabledException
3148//   The request was rejected because the specified CMK is not enabled.
3149//
3150//   * KeyUnavailableException
3151//   The request was rejected because the specified CMK was not available. You
3152//   can retry the request.
3153//
3154//   * DependencyTimeoutException
3155//   The system timed out while trying to fulfill the request. The request can
3156//   be retried.
3157//
3158//   * InvalidKeyUsageException
3159//   The request was rejected for one of the following reasons:
3160//
3161//      * The KeyUsage value of the CMK is incompatible with the API operation.
3162//
3163//      * The encryption algorithm or signing algorithm specified for the operation
3164//      is incompatible with the type of key material in the CMK (CustomerMasterKeySpec).
3165//
3166//   For encrypting, decrypting, re-encrypting, and generating data keys, the
3167//   KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage
3168//   must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation.
3169//
3170//   To find the encryption or signing algorithms supported for a particular CMK,
3171//   use the DescribeKey operation.
3172//
3173//   * InvalidGrantTokenException
3174//   The request was rejected because the specified grant token is not valid.
3175//
3176//   * InternalException
3177//   The request was rejected because an internal exception occurred. The request
3178//   can be retried.
3179//
3180//   * InvalidStateException
3181//   The request was rejected because the state of the specified resource is not
3182//   valid for this request.
3183//
3184//   For more information about how key state affects the use of a CMK, see How
3185//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
3187//
3188//   * UnsupportedOperationException
3189//   The request was rejected because a specified parameter is not supported or
3190//   a specified resource is not valid for this operation.
3191//
3192// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPair
func (c *KMS) GenerateDataKeyPair(input *GenerateDataKeyPairInput) (*GenerateDataKeyPairOutput, error) {
	// Build the request, then send it synchronously.
	r, result := c.GenerateDataKeyPairRequest(input)
	err := r.Send()

	// The output pointer is returned alongside any error and is only valid
	// when err is nil. On success it includes the plaintext private key; the
	// doc comment suggests GenerateDataKeyPairWithoutPlaintext when that key
	// is not needed immediately.
	return result, err
}
3197
3198// GenerateDataKeyPairWithContext is the same as GenerateDataKeyPair with the addition of
3199// the ability to pass a context and additional request options.
3200//
3201// See GenerateDataKeyPair for details on how to use this API operation.
3202//
3203// The context must be non-nil and will be used for request cancellation. If
3204// the context is nil a panic will occur. In the future the SDK may create
3205// sub-contexts for http.Requests. See https://golang.org/pkg/context/
3206// for more information on using Contexts.
func (c *KMS) GenerateDataKeyPairWithContext(ctx aws.Context, input *GenerateDataKeyPairInput, opts ...request.Option) (*GenerateDataKeyPairOutput, error) {
	r, result := c.GenerateDataKeyPairRequest(input)

	// ctx is attached before the caller's options are applied. Per the doc
	// comment it must be non-nil (a nil context panics) and is used for
	// request cancellation.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)

	// As with GenerateDataKeyPair, a successful response includes the
	// plaintext private key.
	err := r.Send()
	return result, err
}
3213
// opGenerateDataKeyPairWithoutPlaintext is the operation name that
// GenerateDataKeyPairWithoutPlaintextRequest places in request.Operation.Name.
const opGenerateDataKeyPairWithoutPlaintext = "GenerateDataKeyPairWithoutPlaintext"
3215
3216// GenerateDataKeyPairWithoutPlaintextRequest generates a "aws/request.Request" representing the
3217// client's request for the GenerateDataKeyPairWithoutPlaintext operation. The "output" return
3218// value will be populated with the request's response once the request completes
3219// successfully.
3220//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
3223//
3224// See GenerateDataKeyPairWithoutPlaintext for more information on using the GenerateDataKeyPairWithoutPlaintext
3225// API call, and error handling.
3226//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
3229//
3230//
3231//    // Example sending a request using the GenerateDataKeyPairWithoutPlaintextRequest method.
3232//    req, resp := client.GenerateDataKeyPairWithoutPlaintextRequest(params)
3233//
3234//    err := req.Send()
3235//    if err == nil { // resp is now filled
3236//        fmt.Println(resp)
3237//    }
3238//
3239// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintext
func (c *KMS) GenerateDataKeyPairWithoutPlaintextRequest(input *GenerateDataKeyPairWithoutPlaintextInput) (req *request.Request, output *GenerateDataKeyPairWithoutPlaintextOutput) {
	// Callers may pass nil; substitute an empty input struct so newRequest
	// always receives a non-nil parameter struct.
	params := input
	if params == nil {
		params = &GenerateDataKeyPairWithoutPlaintextInput{}
	}

	// The pointer handed to newRequest is the one returned to the caller and
	// is only valid after Send returns without error. Per the operation's
	// documentation the response carries the public key and the encrypted
	// private key, but no plaintext private key.
	result := &GenerateDataKeyPairWithoutPlaintextOutput{}
	operation := &request.Operation{
		Name:       opGenerateDataKeyPairWithoutPlaintext,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}
	return c.newRequest(operation, params, result), result
}
3255
3256// GenerateDataKeyPairWithoutPlaintext API operation for AWS Key Management Service.
3257//
3258// Generates a unique asymmetric data key pair. The GenerateDataKeyPairWithoutPlaintext
3259// operation returns a plaintext public key and a copy of the private key that
3260// is encrypted under the symmetric CMK you specify. Unlike GenerateDataKeyPair,
3261// this operation does not return a plaintext private key.
3262//
3263// To generate a data key pair, you must specify a symmetric customer master
3264// key (CMK) to encrypt the private key in the data key pair. You cannot use
3265// an asymmetric CMK or a CMK in a custom key store. To get the type and origin
3266// of your CMK, use the KeySpec field in the DescribeKey response.
3267//
3268// You can use the public key that GenerateDataKeyPairWithoutPlaintext returns
3269// to encrypt data or verify a signature outside of AWS KMS. Then, store the
3270// encrypted private key with the data. When you are ready to decrypt data or
3271// sign a message, you can use the Decrypt operation to decrypt the encrypted
3272// private key.
3273//
3274// GenerateDataKeyPairWithoutPlaintext returns a unique data key pair for each
3275// request. The bytes in the key are not related to the caller or CMK that is
3276// used to encrypt the private key.
3277//
3278// You can use the optional encryption context to add additional security to
3279// the encryption operation. If you specify an EncryptionContext, you must specify
3280// the same encryption context (a case-sensitive exact match) when decrypting
3281// the encrypted data key. Otherwise, the request to decrypt fails with an InvalidCiphertextException.
3282// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context)
3283// in the AWS Key Management Service Developer Guide.
3284//
3285// The CMK that you use for this operation must be in a compatible key state.
3286// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
3287// in the AWS Key Management Service Developer Guide.
3288//
3289// Cross-account use: Yes. To perform this operation with a CMK in a different
3290// AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter.
3291//
3292// Required permissions: kms:GenerateDataKeyPairWithoutPlaintext (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
3293// (key policy)
3294//
3295// Related operations:
3296//
3297//    * Decrypt
3298//
3299//    * Encrypt
3300//
3301//    * GenerateDataKey
3302//
3303//    * GenerateDataKeyPair
3304//
3305//    * GenerateDataKeyWithoutPlaintext
3306//
3307// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
3308// with awserr.Error's Code and Message methods to get detailed information about
3309// the error.
3310//
3311// See the AWS API reference guide for AWS Key Management Service's
3312// API operation GenerateDataKeyPairWithoutPlaintext for usage and error information.
3313//
3314// Returned Error Types:
3315//   * NotFoundException
3316//   The request was rejected because the specified entity or resource could not
3317//   be found.
3318//
3319//   * DisabledException
3320//   The request was rejected because the specified CMK is not enabled.
3321//
3322//   * KeyUnavailableException
3323//   The request was rejected because the specified CMK was not available. You
3324//   can retry the request.
3325//
3326//   * DependencyTimeoutException
3327//   The system timed out while trying to fulfill the request. The request can
3328//   be retried.
3329//
3330//   * InvalidKeyUsageException
3331//   The request was rejected for one of the following reasons:
3332//
3333//      * The KeyUsage value of the CMK is incompatible with the API operation.
3334//
3335//      * The encryption algorithm or signing algorithm specified for the operation
3336//      is incompatible with the type of key material in the CMK (CustomerMasterKeySpec).
3337//
3338//   For encrypting, decrypting, re-encrypting, and generating data keys, the
3339//   KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage
3340//   must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation.
3341//
3342//   To find the encryption or signing algorithms supported for a particular CMK,
3343//   use the DescribeKey operation.
3344//
3345//   * InvalidGrantTokenException
3346//   The request was rejected because the specified grant token is not valid.
3347//
3348//   * InternalException
3349//   The request was rejected because an internal exception occurred. The request
3350//   can be retried.
3351//
3352//   * InvalidStateException
3353//   The request was rejected because the state of the specified resource is not
3354//   valid for this request.
3355//
3356//   For more information about how key state affects the use of a CMK, see How
3357//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
3359//
3360//   * UnsupportedOperationException
3361//   The request was rejected because a specified parameter is not supported or
3362//   a specified resource is not valid for this operation.
3363//
3364// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintext
func (c *KMS) GenerateDataKeyPairWithoutPlaintext(input *GenerateDataKeyPairWithoutPlaintextInput) (*GenerateDataKeyPairWithoutPlaintextOutput, error) {
	// Build the request/output pair, then dispatch it. The error from Send
	// (one of the types listed under "Returned Error Types") is handed back
	// unchanged next to the output pointer.
	r, resp := c.GenerateDataKeyPairWithoutPlaintextRequest(input)
	err := r.Send()
	return resp, err
}
3369
3370// GenerateDataKeyPairWithoutPlaintextWithContext is the same as GenerateDataKeyPairWithoutPlaintext with the addition of
3371// the ability to pass a context and additional request options.
3372//
3373// See GenerateDataKeyPairWithoutPlaintext for details on how to use this API operation.
3374//
3375// The context must be non-nil and will be used for request cancellation. If
3376// the context is nil a panic will occur. In the future the SDK may create
3377// sub-contexts for http.Requests. See https://golang.org/pkg/context/
3378// for more information on using Contexts.
func (c *KMS) GenerateDataKeyPairWithoutPlaintextWithContext(ctx aws.Context, input *GenerateDataKeyPairWithoutPlaintextInput, opts ...request.Option) (*GenerateDataKeyPairWithoutPlaintextOutput, error) {
	r, resp := c.GenerateDataKeyPairWithoutPlaintextRequest(input)

	// ctx is attached first, then the caller's options; this method's doc
	// comment states that a nil ctx causes a panic.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)

	err := r.Send()
	return resp, err
}
3385
// opGenerateDataKeyWithoutPlaintext is the operation name that
// GenerateDataKeyWithoutPlaintextRequest sets on its request.Operation.
const opGenerateDataKeyWithoutPlaintext = "GenerateDataKeyWithoutPlaintext"
3387
3388// GenerateDataKeyWithoutPlaintextRequest generates a "aws/request.Request" representing the
3389// client's request for the GenerateDataKeyWithoutPlaintext operation. The "output" return
3390// value will be populated with the request's response once the request completes
3391// successfully.
3392//
3393// Use "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
3395//
3396// See GenerateDataKeyWithoutPlaintext for more information on using the GenerateDataKeyWithoutPlaintext
3397// API call, and error handling.
3398//
3399// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
3401//
3402//
3403//    // Example sending a request using the GenerateDataKeyWithoutPlaintextRequest method.
3404//    req, resp := client.GenerateDataKeyWithoutPlaintextRequest(params)
3405//
3406//    err := req.Send()
3407//    if err == nil { // resp is now filled
3408//        fmt.Println(resp)
3409//    }
3410//
3411// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintext
func (c *KMS) GenerateDataKeyWithoutPlaintextRequest(input *GenerateDataKeyWithoutPlaintextInput) (req *request.Request, output *GenerateDataKeyWithoutPlaintextOutput) {
	// A nil input is replaced by an empty input struct so newRequest always
	// receives a non-nil parameter value.
	if input == nil {
		input = &GenerateDataKeyWithoutPlaintextInput{}
	}

	// output is allocated here and handed to newRequest; per the doc comment
	// it is populated only once Send returns without error.
	output = &GenerateDataKeyWithoutPlaintextOutput{}
	req = c.newRequest(&request.Operation{
		Name:       opGenerateDataKeyWithoutPlaintext,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	return req, output
}
3427
3428// GenerateDataKeyWithoutPlaintext API operation for AWS Key Management Service.
3429//
3430// Generates a unique symmetric data key. This operation returns a data key
3431// that is encrypted under a customer master key (CMK) that you specify. To
3432// request an asymmetric data key pair, use the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext
3433// operations.
3434//
3435// GenerateDataKeyWithoutPlaintext is identical to the GenerateDataKey operation
// except that it returns only the encrypted copy of the data key. This operation
3437// is useful for systems that need to encrypt data at some point, but not immediately.
3438// When you need to encrypt the data, you call the Decrypt operation on the
3439// encrypted copy of the key.
3440//
3441// It's also useful in distributed systems with different levels of trust. For
3442// example, you might store encrypted data in containers. One component of your
3443// system creates new containers and stores an encrypted data key with each
3444// container. Then, a different component puts the data into the containers.
3445// That component first decrypts the data key, uses the plaintext data key to
3446// encrypt data, puts the encrypted data into the container, and then destroys
3447// the plaintext data key. In this system, the component that creates the containers
3448// never sees the plaintext data key.
3449//
3450// GenerateDataKeyWithoutPlaintext returns a unique data key for each request.
3451// The bytes in the keys are not related to the caller or CMK that is used to
// encrypt the data key.
3453//
3454// To generate a data key, you must specify the symmetric customer master key
3455// (CMK) that is used to encrypt the data key. You cannot use an asymmetric
3456// CMK to generate a data key. To get the type of your CMK, use the DescribeKey
3457// operation.
3458//
3459// If the operation succeeds, you will find the encrypted copy of the data key
3460// in the CiphertextBlob field.
3461//
3462// You can use the optional encryption context to add additional security to
3463// the encryption operation. If you specify an EncryptionContext, you must specify
3464// the same encryption context (a case-sensitive exact match) when decrypting
3465// the encrypted data key. Otherwise, the request to decrypt fails with an InvalidCiphertextException.
3466// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context)
3467// in the AWS Key Management Service Developer Guide.
3468//
3469// The CMK that you use for this operation must be in a compatible key state.
3470// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
3471// in the AWS Key Management Service Developer Guide.
3472//
3473// Cross-account use: Yes. To perform this operation with a CMK in a different
3474// AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter.
3475//
3476// Required permissions: kms:GenerateDataKeyWithoutPlaintext (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
3477// (key policy)
3478//
3479// Related operations:
3480//
3481//    * Decrypt
3482//
3483//    * Encrypt
3484//
3485//    * GenerateDataKey
3486//
3487//    * GenerateDataKeyPair
3488//
3489//    * GenerateDataKeyPairWithoutPlaintext
3490//
3491// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
3492// with awserr.Error's Code and Message methods to get detailed information about
3493// the error.
3494//
3495// See the AWS API reference guide for AWS Key Management Service's
3496// API operation GenerateDataKeyWithoutPlaintext for usage and error information.
3497//
3498// Returned Error Types:
3499//   * NotFoundException
3500//   The request was rejected because the specified entity or resource could not
3501//   be found.
3502//
3503//   * DisabledException
3504//   The request was rejected because the specified CMK is not enabled.
3505//
3506//   * KeyUnavailableException
3507//   The request was rejected because the specified CMK was not available. You
3508//   can retry the request.
3509//
3510//   * DependencyTimeoutException
3511//   The system timed out while trying to fulfill the request. The request can
3512//   be retried.
3513//
3514//   * InvalidKeyUsageException
3515//   The request was rejected for one of the following reasons:
3516//
3517//      * The KeyUsage value of the CMK is incompatible with the API operation.
3518//
3519//      * The encryption algorithm or signing algorithm specified for the operation
3520//      is incompatible with the type of key material in the CMK (CustomerMasterKeySpec).
3521//
3522//   For encrypting, decrypting, re-encrypting, and generating data keys, the
3523//   KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage
3524//   must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation.
3525//
3526//   To find the encryption or signing algorithms supported for a particular CMK,
3527//   use the DescribeKey operation.
3528//
3529//   * InvalidGrantTokenException
3530//   The request was rejected because the specified grant token is not valid.
3531//
3532//   * InternalException
3533//   The request was rejected because an internal exception occurred. The request
3534//   can be retried.
3535//
3536//   * InvalidStateException
3537//   The request was rejected because the state of the specified resource is not
3538//   valid for this request.
3539//
3540//   For more information about how key state affects the use of a CMK, see How
3541//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
3543//
3544// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintext
func (c *KMS) GenerateDataKeyWithoutPlaintext(input *GenerateDataKeyWithoutPlaintextInput) (*GenerateDataKeyWithoutPlaintextOutput, error) {
	// Per the doc comment, a successful response carries only the encrypted
	// data key (CiphertextBlob), and any EncryptionContext supplied here must
	// be repeated exactly (case-sensitive) when that key is later decrypted.
	r, resp := c.GenerateDataKeyWithoutPlaintextRequest(input)
	err := r.Send()
	return resp, err
}
3549
3550// GenerateDataKeyWithoutPlaintextWithContext is the same as GenerateDataKeyWithoutPlaintext with the addition of
3551// the ability to pass a context and additional request options.
3552//
3553// See GenerateDataKeyWithoutPlaintext for details on how to use this API operation.
3554//
3555// The context must be non-nil and will be used for request cancellation. If
3556// the context is nil a panic will occur. In the future the SDK may create
3557// sub-contexts for http.Requests. See https://golang.org/pkg/context/
3558// for more information on using Contexts.
func (c *KMS) GenerateDataKeyWithoutPlaintextWithContext(ctx aws.Context, input *GenerateDataKeyWithoutPlaintextInput, opts ...request.Option) (*GenerateDataKeyWithoutPlaintextOutput, error) {
	r, resp := c.GenerateDataKeyWithoutPlaintextRequest(input)

	// ctx is attached first, then the caller's options; this method's doc
	// comment states that a nil ctx causes a panic.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)

	err := r.Send()
	return resp, err
}
3565
// opGenerateRandom is the operation name that GenerateRandomRequest sets on
// its request.Operation.
const opGenerateRandom = "GenerateRandom"
3567
3568// GenerateRandomRequest generates a "aws/request.Request" representing the
3569// client's request for the GenerateRandom operation. The "output" return
3570// value will be populated with the request's response once the request completes
3571// successfully.
3572//
3573// Use "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
3575//
3576// See GenerateRandom for more information on using the GenerateRandom
3577// API call, and error handling.
3578//
3579// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
3581//
3582//
3583//    // Example sending a request using the GenerateRandomRequest method.
3584//    req, resp := client.GenerateRandomRequest(params)
3585//
3586//    err := req.Send()
3587//    if err == nil { // resp is now filled
3588//        fmt.Println(resp)
3589//    }
3590//
3591// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandom
func (c *KMS) GenerateRandomRequest(input *GenerateRandomInput) (req *request.Request, output *GenerateRandomOutput) {
	// A nil input is replaced by an empty input struct so newRequest always
	// receives a non-nil parameter value.
	if input == nil {
		input = &GenerateRandomInput{}
	}

	// output is allocated here and handed to newRequest; per the doc comment
	// it is populated only once Send returns without error.
	output = &GenerateRandomOutput{}
	req = c.newRequest(&request.Operation{
		Name:       opGenerateRandom,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	return req, output
}
3607
3608// GenerateRandom API operation for AWS Key Management Service.
3609//
3610// Returns a random byte string that is cryptographically secure.
3611//
3612// By default, the random byte string is generated in AWS KMS. To generate the
3613// byte string in the AWS CloudHSM cluster that is associated with a custom
3614// key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html),
3615// specify the custom key store ID.
3616//
3617// For more information about entropy and random number generation, see AWS
3618// Key Management Service Cryptographic Details (https://docs.aws.amazon.com/kms/latest/cryptographic-details/).
3619//
3620// Required permissions: kms:GenerateRandom (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
3621// (IAM policy)
3622//
3623// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
3624// with awserr.Error's Code and Message methods to get detailed information about
3625// the error.
3626//
3627// See the AWS API reference guide for AWS Key Management Service's
3628// API operation GenerateRandom for usage and error information.
3629//
3630// Returned Error Types:
3631//   * DependencyTimeoutException
3632//   The system timed out while trying to fulfill the request. The request can
3633//   be retried.
3634//
3635//   * InternalException
3636//   The request was rejected because an internal exception occurred. The request
3637//   can be retried.
3638//
3639//   * CustomKeyStoreNotFoundException
3640//   The request was rejected because AWS KMS cannot find a custom key store with
3641//   the specified key store name or ID.
3642//
3643//   * CustomKeyStoreInvalidStateException
3644//   The request was rejected because of the ConnectionState of the custom key
3645//   store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores
3646//   operation.
3647//
3648//   This exception is thrown under the following conditions:
3649//
3650//      * You requested the CreateKey or GenerateRandom operation in a custom
3651//      key store that is not connected. These operations are valid only when
3652//      the custom key store ConnectionState is CONNECTED.
3653//
3654//      * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation
3655//      on a custom key store that is not disconnected. This operation is valid
3656//      only when the custom key store ConnectionState is DISCONNECTED.
3657//
3658//      * You requested the ConnectCustomKeyStore operation on a custom key store
3659//      with a ConnectionState of DISCONNECTING or FAILED. This operation is valid
3660//      for all other ConnectionState values.
3661//
3662// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandom
func (c *KMS) GenerateRandom(input *GenerateRandomInput) (*GenerateRandomOutput, error) {
	// Per the doc comment, the bytes are generated in AWS KMS by default, or in
	// the CloudHSM cluster of a custom key store when its ID is specified; in
	// the latter case the store must be CONNECTED or the call is rejected.
	r, resp := c.GenerateRandomRequest(input)
	err := r.Send()
	return resp, err
}
3667
3668// GenerateRandomWithContext is the same as GenerateRandom with the addition of
3669// the ability to pass a context and additional request options.
3670//
3671// See GenerateRandom for details on how to use this API operation.
3672//
3673// The context must be non-nil and will be used for request cancellation. If
3674// the context is nil a panic will occur. In the future the SDK may create
3675// sub-contexts for http.Requests. See https://golang.org/pkg/context/
3676// for more information on using Contexts.
func (c *KMS) GenerateRandomWithContext(ctx aws.Context, input *GenerateRandomInput, opts ...request.Option) (*GenerateRandomOutput, error) {
	r, resp := c.GenerateRandomRequest(input)

	// ctx is attached first, then the caller's options; this method's doc
	// comment states that a nil ctx causes a panic.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)

	err := r.Send()
	return resp, err
}
3683
// opGetKeyPolicy is the operation name that GetKeyPolicyRequest sets on its
// request.Operation.
const opGetKeyPolicy = "GetKeyPolicy"
3685
3686// GetKeyPolicyRequest generates a "aws/request.Request" representing the
3687// client's request for the GetKeyPolicy operation. The "output" return
3688// value will be populated with the request's response once the request completes
3689// successfully.
3690//
3691// Use "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
3693//
3694// See GetKeyPolicy for more information on using the GetKeyPolicy
3695// API call, and error handling.
3696//
3697// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
3699//
3700//
3701//    // Example sending a request using the GetKeyPolicyRequest method.
3702//    req, resp := client.GetKeyPolicyRequest(params)
3703//
3704//    err := req.Send()
3705//    if err == nil { // resp is now filled
3706//        fmt.Println(resp)
3707//    }
3708//
3709// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyPolicy
func (c *KMS) GetKeyPolicyRequest(input *GetKeyPolicyInput) (req *request.Request, output *GetKeyPolicyOutput) {
	// A nil input is replaced by an empty input struct so newRequest always
	// receives a non-nil parameter value.
	if input == nil {
		input = &GetKeyPolicyInput{}
	}

	// output is allocated here and handed to newRequest; per the doc comment
	// it is populated only once Send returns without error.
	output = &GetKeyPolicyOutput{}
	req = c.newRequest(&request.Operation{
		Name:       opGetKeyPolicy,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	return req, output
}
3725
3726// GetKeyPolicy API operation for AWS Key Management Service.
3727//
3728// Gets a key policy attached to the specified customer master key (CMK).
3729//
3730// Cross-account use: No. You cannot perform this operation on a CMK in a different
3731// AWS account.
3732//
3733// Required permissions: kms:GetKeyPolicy (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
3734// (key policy)
3735//
3736// Related operations: PutKeyPolicy
3737//
3738// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
3739// with awserr.Error's Code and Message methods to get detailed information about
3740// the error.
3741//
3742// See the AWS API reference guide for AWS Key Management Service's
3743// API operation GetKeyPolicy for usage and error information.
3744//
3745// Returned Error Types:
3746//   * NotFoundException
3747//   The request was rejected because the specified entity or resource could not
3748//   be found.
3749//
3750//   * InvalidArnException
3751//   The request was rejected because a specified ARN, or an ARN in a key policy,
3752//   is not valid.
3753//
3754//   * DependencyTimeoutException
3755//   The system timed out while trying to fulfill the request. The request can
3756//   be retried.
3757//
3758//   * InternalException
3759//   The request was rejected because an internal exception occurred. The request
3760//   can be retried.
3761//
3762//   * InvalidStateException
3763//   The request was rejected because the state of the specified resource is not
3764//   valid for this request.
3765//
3766//   For more information about how key state affects the use of a CMK, see How
3767//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
3769//
3770// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyPolicy
func (c *KMS) GetKeyPolicy(input *GetKeyPolicyInput) (*GetKeyPolicyOutput, error) {
	// Per the doc comment, this operation cannot target a CMK in a different
	// AWS account and requires kms:GetKeyPolicy in the key policy.
	r, resp := c.GetKeyPolicyRequest(input)
	err := r.Send()
	return resp, err
}
3775
3776// GetKeyPolicyWithContext is the same as GetKeyPolicy with the addition of
3777// the ability to pass a context and additional request options.
3778//
3779// See GetKeyPolicy for details on how to use this API operation.
3780//
3781// The context must be non-nil and will be used for request cancellation. If
3782// the context is nil a panic will occur. In the future the SDK may create
3783// sub-contexts for http.Requests. See https://golang.org/pkg/context/
3784// for more information on using Contexts.
func (c *KMS) GetKeyPolicyWithContext(ctx aws.Context, input *GetKeyPolicyInput, opts ...request.Option) (*GetKeyPolicyOutput, error) {
	r, resp := c.GetKeyPolicyRequest(input)

	// ctx is attached first, then the caller's options; this method's doc
	// comment states that a nil ctx causes a panic.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)

	err := r.Send()
	return resp, err
}
3791
// opGetKeyRotationStatus is the operation name that
// GetKeyRotationStatusRequest sets on its request.Operation.
const opGetKeyRotationStatus = "GetKeyRotationStatus"
3793
3794// GetKeyRotationStatusRequest generates a "aws/request.Request" representing the
3795// client's request for the GetKeyRotationStatus operation. The "output" return
3796// value will be populated with the request's response once the request completes
3797// successfully.
3798//
3799// Use "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
3801//
3802// See GetKeyRotationStatus for more information on using the GetKeyRotationStatus
3803// API call, and error handling.
3804//
3805// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
3807//
3808//
3809//    // Example sending a request using the GetKeyRotationStatusRequest method.
3810//    req, resp := client.GetKeyRotationStatusRequest(params)
3811//
3812//    err := req.Send()
3813//    if err == nil { // resp is now filled
3814//        fmt.Println(resp)
3815//    }
3816//
3817// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyRotationStatus
func (c *KMS) GetKeyRotationStatusRequest(input *GetKeyRotationStatusInput) (req *request.Request, output *GetKeyRotationStatusOutput) {
	// A nil input is replaced by an empty input struct so newRequest always
	// receives a non-nil parameter value.
	if input == nil {
		input = &GetKeyRotationStatusInput{}
	}

	// output is allocated here and handed to newRequest; per the doc comment
	// it is populated only once Send returns without error.
	output = &GetKeyRotationStatusOutput{}
	req = c.newRequest(&request.Operation{
		Name:       opGetKeyRotationStatus,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	return req, output
}
3833
3834// GetKeyRotationStatus API operation for AWS Key Management Service.
3835//
3836// Gets a Boolean value that indicates whether automatic rotation of the key
3837// material (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html)
3838// is enabled for the specified customer master key (CMK).
3839//
3840// You cannot enable automatic rotation of asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks),
3841// CMKs with imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html),
3842// or CMKs in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html).
3843// To enable or disable automatic rotation of a set of related multi-Region
3844// keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key),
3845// set the property on the primary key. The key rotation status for these CMKs
3846// is always false.
3847//
3848// The CMK that you use for this operation must be in a compatible key state.
3849// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
3850// in the AWS Key Management Service Developer Guide.
3851//
3852//    * Disabled: The key rotation status does not change when you disable a
3853//    CMK. However, while the CMK is disabled, AWS KMS does not rotate the backing
3854//    key.
3855//
3856//    * Pending deletion: While a CMK is pending deletion, its key rotation
3857//    status is false and AWS KMS does not rotate the backing key. If you cancel
3858//    the deletion, the original key rotation status is restored.
3859//
3860// Cross-account use: Yes. To perform this operation on a CMK in a different
3861// AWS account, specify the key ARN in the value of the KeyId parameter.
3862//
3863// Required permissions: kms:GetKeyRotationStatus (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
3864// (key policy)
3865//
3866// Related operations:
3867//
3868//    * DisableKeyRotation
3869//
3870//    * EnableKeyRotation
3871//
3872// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
3873// with awserr.Error's Code and Message methods to get detailed information about
3874// the error.
3875//
3876// See the AWS API reference guide for AWS Key Management Service's
3877// API operation GetKeyRotationStatus for usage and error information.
3878//
3879// Returned Error Types:
3880//   * NotFoundException
3881//   The request was rejected because the specified entity or resource could not
3882//   be found.
3883//
3884//   * InvalidArnException
3885//   The request was rejected because a specified ARN, or an ARN in a key policy,
3886//   is not valid.
3887//
3888//   * DependencyTimeoutException
3889//   The system timed out while trying to fulfill the request. The request can
3890//   be retried.
3891//
3892//   * InternalException
3893//   The request was rejected because an internal exception occurred. The request
3894//   can be retried.
3895//
3896//   * InvalidStateException
3897//   The request was rejected because the state of the specified resource is not
3898//   valid for this request.
3899//
3900//   For more information about how key state affects the use of a CMK, see How
3901//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
3903//
3904//   * UnsupportedOperationException
3905//   The request was rejected because a specified parameter is not supported or
3906//   a specified resource is not valid for this operation.
3907//
3908// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyRotationStatus
func (c *KMS) GetKeyRotationStatus(input *GetKeyRotationStatusInput) (*GetKeyRotationStatusOutput, error) {
	// Per the doc comment, the reported status is false while a CMK is pending
	// deletion, and a disabled CMK keeps its status but is not rotated, so a
	// "true" result alone does not show that rotation is currently happening.
	r, resp := c.GetKeyRotationStatusRequest(input)
	err := r.Send()
	return resp, err
}
3913
3914// GetKeyRotationStatusWithContext is the same as GetKeyRotationStatus with the addition of
3915// the ability to pass a context and additional request options.
3916//
3917// See GetKeyRotationStatus for details on how to use this API operation.
3918//
3919// The context must be non-nil and will be used for request cancellation. If
3920// the context is nil a panic will occur. In the future the SDK may create
3921// sub-contexts for http.Requests. See https://golang.org/pkg/context/
3922// for more information on using Contexts.
func (c *KMS) GetKeyRotationStatusWithContext(ctx aws.Context, input *GetKeyRotationStatusInput, opts ...request.Option) (*GetKeyRotationStatusOutput, error) {
	r, resp := c.GetKeyRotationStatusRequest(input)

	// ctx is attached first, then the caller's options; this method's doc
	// comment states that a nil ctx causes a panic.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)

	err := r.Send()
	return resp, err
}
3929
// opGetParametersForImport is the operation name that
// GetParametersForImportRequest sets on its request.Operation.
const opGetParametersForImport = "GetParametersForImport"
3931
3932// GetParametersForImportRequest generates a "aws/request.Request" representing the
3933// client's request for the GetParametersForImport operation. The "output" return
3934// value will be populated with the request's response once the request completes
3935// successfully.
3936//
3937// Use "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
3939//
3940// See GetParametersForImport for more information on using the GetParametersForImport
3941// API call, and error handling.
3942//
3943// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle, such as custom headers or retry logic.
3945//
3946//
3947//    // Example sending a request using the GetParametersForImportRequest method.
3948//    req, resp := client.GetParametersForImportRequest(params)
3949//
3950//    err := req.Send()
3951//    if err == nil { // resp is now filled
3952//        fmt.Println(resp)
3953//    }
3954//
3955// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImport
func (c *KMS) GetParametersForImportRequest(input *GetParametersForImportInput) (req *request.Request, output *GetParametersForImportOutput) {
	// A nil input is replaced by an empty input struct so newRequest always
	// receives a non-nil parameter value.
	if input == nil {
		input = &GetParametersForImportInput{}
	}

	// output is allocated here and handed to newRequest; per the doc comment
	// it is populated only once Send returns without error.
	output = &GetParametersForImportOutput{}
	req = c.newRequest(&request.Operation{
		Name:       opGetParametersForImport,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	return req, output
}
3971
3972// GetParametersForImport API operation for AWS Key Management Service.
3973//
3974// Returns the items you need to import key material into a symmetric, customer
3975// managed customer master key (CMK). For more information about importing key
3976// material into AWS KMS, see Importing Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html)
3977// in the AWS Key Management Service Developer Guide.
3978//
3979// This operation returns a public key and an import token. Use the public key
3980// to encrypt the symmetric key material. Store the import token to send with
3981// a subsequent ImportKeyMaterial request.
3982//
3983// You must specify the key ID of the symmetric CMK into which you will import
3984// key material. This CMK's Origin must be EXTERNAL. You must also specify the
3985// wrapping algorithm and type of wrapping key (public key) that you will use
3986// to encrypt the key material. You cannot perform this operation on an asymmetric
3987// CMK or on any CMK in a different AWS account.
3988//
3989// To import key material, you must use the public key and import token from
3990// the same response. These items are valid for 24 hours. The expiration date
3991// and time appear in the GetParametersForImport response. You cannot use an
3992// expired token in an ImportKeyMaterial request. If your key and token expire,
3993// send another GetParametersForImport request.
3994//
3995// The CMK that you use for this operation must be in a compatible key state.
3996// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
3997// in the AWS Key Management Service Developer Guide.
3998//
3999// Cross-account use: No. You cannot perform this operation on a CMK in a different
4000// AWS account.
4001//
4002// Required permissions: kms:GetParametersForImport (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
4003// (key policy)
4004//
4005// Related operations:
4006//
4007//    * ImportKeyMaterial
4008//
4009//    * DeleteImportedKeyMaterial
4010//
4011// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
4012// with awserr.Error's Code and Message methods to get detailed information about
4013// the error.
4014//
4015// See the AWS API reference guide for AWS Key Management Service's
4016// API operation GetParametersForImport for usage and error information.
4017//
4018// Returned Error Types:
4019//   * InvalidArnException
4020//   The request was rejected because a specified ARN, or an ARN in a key policy,
4021//   is not valid.
4022//
4023//   * UnsupportedOperationException
4024//   The request was rejected because a specified parameter is not supported or
4025//   a specified resource is not valid for this operation.
4026//
4027//   * DependencyTimeoutException
4028//   The system timed out while trying to fulfill the request. The request can
4029//   be retried.
4030//
4031//   * NotFoundException
4032//   The request was rejected because the specified entity or resource could not
4033//   be found.
4034//
4035//   * InternalException
4036//   The request was rejected because an internal exception occurred. The request
4037//   can be retried.
4038//
4039//   * InvalidStateException
4040//   The request was rejected because the state of the specified resource is not
4041//   valid for this request.
4042//
4043//   For more information about how key state affects the use of a CMK, see How
4044//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
4046//
4047// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImport
func (c *KMS) GetParametersForImport(input *GetParametersForImportInput) (*GetParametersForImportOutput, error) {
	pending, result := c.GetParametersForImportRequest(input)
	// result is returned alongside Send's error, so it is handed back even
	// when the call failed. Callers must check the error before relying on
	// anything in the response.
	err := pending.Send()
	return result, err
}
4052
4053// GetParametersForImportWithContext is the same as GetParametersForImport with the addition of
4054// the ability to pass a context and additional request options.
4055//
4056// See GetParametersForImport for details on how to use this API operation.
4057//
4058// The context must be non-nil and will be used for request cancellation. If
4059// the context is nil a panic will occur. In the future the SDK may create
4060// sub-contexts for http.Requests. See https://golang.org/pkg/context/
4061// for more information on using Contexts.
func (c *KMS) GetParametersForImportWithContext(ctx aws.Context, input *GetParametersForImportInput, opts ...request.Option) (*GetParametersForImportOutput, error) {
	pending, result := c.GetParametersForImportRequest(input)
	// The context is attached before the caller's options are applied, so an
	// option sees a request that already carries ctx.
	pending.SetContext(ctx)
	pending.ApplyOptions(opts...)
	// result is returned even when Send fails; check the error first.
	err := pending.Send()
	return result, err
}
4068
// opGetPublicKey is the operation name that GetPublicKeyRequest places in
// request.Operation.Name.
const (
	opGetPublicKey = "GetPublicKey"
)
4070
4071// GetPublicKeyRequest generates a "aws/request.Request" representing the
4072// client's request for the GetPublicKey operation. The "output" return
4073// value will be populated with the request's response once the request completes
4074// successfully.
4075//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
4078//
4079// See GetPublicKey for more information on using the GetPublicKey
4080// API call, and error handling.
4081//
4082// This method is useful when you want to inject custom logic or configuration
4083// into the SDK's request lifecycle. Such as custom headers, or retry logic.
4084//
4085//
4086//    // Example sending a request using the GetPublicKeyRequest method.
4087//    req, resp := client.GetPublicKeyRequest(params)
4088//
4089//    err := req.Send()
4090//    if err == nil { // resp is now filled
4091//        fmt.Println(resp)
4092//    }
4093//
4094// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKey
func (c *KMS) GetPublicKeyRequest(input *GetPublicKeyInput) (req *request.Request, output *GetPublicKeyOutput) {
	// A nil input is swapped for an empty struct so newRequest always gets a
	// non-nil parameter value.
	if input == nil {
		input = &GetPublicKeyInput{}
	}

	// output is allocated here and only filled in once the returned request
	// has been sent without error.
	output = &GetPublicKeyOutput{}
	req = c.newRequest(&request.Operation{
		Name:       opGetPublicKey,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	return req, output
}
4110
4111// GetPublicKey API operation for AWS Key Management Service.
4112//
// Returns the public key of an asymmetric CMK. Unlike the private key of an
// asymmetric CMK, which never leaves AWS KMS unencrypted, callers with kms:GetPublicKey
4115// permission can download the public key of an asymmetric CMK. You can share
4116// the public key to allow others to encrypt messages and verify signatures
4117// outside of AWS KMS. For information about symmetric and asymmetric CMKs,
4118// see Using Symmetric and Asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html)
4119// in the AWS Key Management Service Developer Guide.
4120//
4121// You do not need to download the public key. Instead, you can use the public
4122// key within AWS KMS by calling the Encrypt, ReEncrypt, or Verify operations
4123// with the identifier of an asymmetric CMK. When you use the public key within
4124// AWS KMS, you benefit from the authentication, authorization, and logging
// that are part of every AWS KMS operation. You also reduce the risk of encrypting
4126// data that cannot be decrypted. These features are not effective outside of
4127// AWS KMS. For details, see Special Considerations for Downloading Public Keys
4128// (https://docs.aws.amazon.com/kms/latest/developerguide/download-public-key.html#download-public-key-considerations).
4129//
4130// To help you use the public key safely outside of AWS KMS, GetPublicKey returns
4131// important information about the public key in the response, including:
4132//
4133//    * CustomerMasterKeySpec (https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-CustomerMasterKeySpec):
4134//    The type of key material in the public key, such as RSA_4096 or ECC_NIST_P521.
4135//
4136//    * KeyUsage (https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-KeyUsage):
4137//    Whether the key is used for encryption or signing.
4138//
4139//    * EncryptionAlgorithms (https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-EncryptionAlgorithms)
4140//    or SigningAlgorithms (https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-SigningAlgorithms):
4141//    A list of the encryption algorithms or the signing algorithms for the
4142//    key.
4143//
4144// Although AWS KMS cannot enforce these restrictions on external operations,
4145// it is crucial that you use this information to prevent the public key from
4146// being used improperly. For example, you can prevent a public signing key
// from being used to encrypt data, or prevent a public key from being used with
4148// an encryption algorithm that is not supported by AWS KMS. You can also avoid
4149// errors, such as using the wrong signing algorithm in a verification operation.
4150//
4151// The CMK that you use for this operation must be in a compatible key state.
4152// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
4153// in the AWS Key Management Service Developer Guide.
4154//
4155// Cross-account use: Yes. To perform this operation with a CMK in a different
4156// AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter.
4157//
4158// Required permissions: kms:GetPublicKey (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
4159// (key policy)
4160//
4161// Related operations: CreateKey
4162//
4163// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
4164// with awserr.Error's Code and Message methods to get detailed information about
4165// the error.
4166//
4167// See the AWS API reference guide for AWS Key Management Service's
4168// API operation GetPublicKey for usage and error information.
4169//
4170// Returned Error Types:
4171//   * NotFoundException
4172//   The request was rejected because the specified entity or resource could not
4173//   be found.
4174//
4175//   * DisabledException
4176//   The request was rejected because the specified CMK is not enabled.
4177//
4178//   * KeyUnavailableException
4179//   The request was rejected because the specified CMK was not available. You
4180//   can retry the request.
4181//
4182//   * DependencyTimeoutException
4183//   The system timed out while trying to fulfill the request. The request can
4184//   be retried.
4185//
4186//   * UnsupportedOperationException
4187//   The request was rejected because a specified parameter is not supported or
4188//   a specified resource is not valid for this operation.
4189//
4190//   * InvalidArnException
4191//   The request was rejected because a specified ARN, or an ARN in a key policy,
4192//   is not valid.
4193//
4194//   * InvalidGrantTokenException
4195//   The request was rejected because the specified grant token is not valid.
4196//
4197//   * InvalidKeyUsageException
4198//   The request was rejected for one of the following reasons:
4199//
4200//      * The KeyUsage value of the CMK is incompatible with the API operation.
4201//
4202//      * The encryption algorithm or signing algorithm specified for the operation
4203//      is incompatible with the type of key material in the CMK (CustomerMasterKeySpec).
4204//
4205//   For encrypting, decrypting, re-encrypting, and generating data keys, the
4206//   KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage
4207//   must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation.
4208//
4209//   To find the encryption or signing algorithms supported for a particular CMK,
4210//   use the DescribeKey operation.
4211//
4212//   * InternalException
4213//   The request was rejected because an internal exception occurred. The request
4214//   can be retried.
4215//
4216//   * InvalidStateException
4217//   The request was rejected because the state of the specified resource is not
4218//   valid for this request.
4219//
4220//   For more information about how key state affects the use of a CMK, see How
4221//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
4223//
4224// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKey
func (c *KMS) GetPublicKey(input *GetPublicKeyInput) (*GetPublicKeyOutput, error) {
	pending, result := c.GetPublicKeyRequest(input)
	// GetPublicKeyRequest always allocates the output, so result is non-nil
	// even when Send fails. Check the error before using the key or the
	// algorithm fields in the response.
	err := pending.Send()
	return result, err
}
4229
4230// GetPublicKeyWithContext is the same as GetPublicKey with the addition of
4231// the ability to pass a context and additional request options.
4232//
4233// See GetPublicKey for details on how to use this API operation.
4234//
4235// The context must be non-nil and will be used for request cancellation. If
4236// the context is nil a panic will occur. In the future the SDK may create
4237// sub-contexts for http.Requests. See https://golang.org/pkg/context/
4238// for more information on using Contexts.
func (c *KMS) GetPublicKeyWithContext(ctx aws.Context, input *GetPublicKeyInput, opts ...request.Option) (*GetPublicKeyOutput, error) {
	pending, result := c.GetPublicKeyRequest(input)
	// Attach the context first, then let the caller's options adjust the
	// request.
	pending.SetContext(ctx)
	pending.ApplyOptions(opts...)
	// result is non-nil even on failure; the error decides whether it is usable.
	err := pending.Send()
	return result, err
}
4245
// opImportKeyMaterial is the operation name that ImportKeyMaterialRequest
// places in request.Operation.Name.
const (
	opImportKeyMaterial = "ImportKeyMaterial"
)
4247
4248// ImportKeyMaterialRequest generates a "aws/request.Request" representing the
4249// client's request for the ImportKeyMaterial operation. The "output" return
4250// value will be populated with the request's response once the request completes
4251// successfully.
4252//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
4255//
4256// See ImportKeyMaterial for more information on using the ImportKeyMaterial
4257// API call, and error handling.
4258//
4259// This method is useful when you want to inject custom logic or configuration
4260// into the SDK's request lifecycle. Such as custom headers, or retry logic.
4261//
4262//
4263//    // Example sending a request using the ImportKeyMaterialRequest method.
4264//    req, resp := client.ImportKeyMaterialRequest(params)
4265//
4266//    err := req.Send()
4267//    if err == nil { // resp is now filled
4268//        fmt.Println(resp)
4269//    }
4270//
4271// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ImportKeyMaterial
func (c *KMS) ImportKeyMaterialRequest(input *ImportKeyMaterialInput) (req *request.Request, output *ImportKeyMaterialOutput) {
	// A nil input is swapped for an empty struct so newRequest always gets a
	// non-nil parameter value.
	if input == nil {
		input = &ImportKeyMaterialInput{}
	}

	output = &ImportKeyMaterialOutput{}
	req = c.newRequest(&request.Operation{
		Name:       opImportKeyMaterial,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)

	// Swap the JSON-RPC unmarshal handler for the discard-body handler.
	// NOTE(review): judging by the handler's name, the response body is
	// dropped rather than decoded into output — confirm in the protocol package.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}
4288
4289// ImportKeyMaterial API operation for AWS Key Management Service.
4290//
4291// Imports key material into an existing symmetric AWS KMS customer master key
4292// (CMK) that was created without key material. After you successfully import
4293// key material into a CMK, you can reimport the same key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material)
4294// into that CMK, but you cannot import different key material.
4295//
4296// You cannot perform this operation on an asymmetric CMK or on any CMK in a
4297// different AWS account. For more information about creating CMKs with no key
4298// material and then importing key material, see Importing Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html)
4299// in the AWS Key Management Service Developer Guide.
4300//
4301// Before using this operation, call GetParametersForImport. Its response includes
4302// a public key and an import token. Use the public key to encrypt the key material.
4303// Then, submit the import token from the same GetParametersForImport response.
4304//
4305// When calling this operation, you must specify the following values:
4306//
4307//    * The key ID or key ARN of a CMK with no key material. Its Origin must
4308//    be EXTERNAL. To create a CMK with no key material, call CreateKey and
4309//    set the value of its Origin parameter to EXTERNAL. To get the Origin of
//    a CMK, call DescribeKey.
4311//
4312//    * The encrypted key material. To get the public key to encrypt the key
4313//    material, call GetParametersForImport.
4314//
4315//    * The import token that GetParametersForImport returned. You must use
4316//    a public key and token from the same GetParametersForImport response.
4317//
4318//    * Whether the key material expires and if so, when. If you set an expiration
4319//    date, AWS KMS deletes the key material from the CMK on the specified date,
4320//    and the CMK becomes unusable. To use the CMK again, you must reimport
4321//    the same key material. The only way to change an expiration date is by
4322//    reimporting the same key material and specifying a new expiration date.
4323//
4324// When this operation is successful, the key state of the CMK changes from
4325// PendingImport to Enabled, and you can use the CMK.
4326//
4327// If this operation fails, use the exception to help determine the problem.
4328// If the error is related to the key material, the import token, or wrapping
4329// key, use GetParametersForImport to get a new public key and import token
4330// for the CMK and repeat the import procedure. For help, see How To Import
4331// Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#importing-keys-overview)
4332// in the AWS Key Management Service Developer Guide.
4333//
4334// The CMK that you use for this operation must be in a compatible key state.
4335// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
4336// in the AWS Key Management Service Developer Guide.
4337//
4338// Cross-account use: No. You cannot perform this operation on a CMK in a different
4339// AWS account.
4340//
4341// Required permissions: kms:ImportKeyMaterial (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
4342// (key policy)
4343//
4344// Related operations:
4345//
4346//    * DeleteImportedKeyMaterial
4347//
4348//    * GetParametersForImport
4349//
4350// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
4351// with awserr.Error's Code and Message methods to get detailed information about
4352// the error.
4353//
4354// See the AWS API reference guide for AWS Key Management Service's
4355// API operation ImportKeyMaterial for usage and error information.
4356//
4357// Returned Error Types:
4358//   * InvalidArnException
4359//   The request was rejected because a specified ARN, or an ARN in a key policy,
4360//   is not valid.
4361//
4362//   * UnsupportedOperationException
4363//   The request was rejected because a specified parameter is not supported or
4364//   a specified resource is not valid for this operation.
4365//
4366//   * DependencyTimeoutException
4367//   The system timed out while trying to fulfill the request. The request can
4368//   be retried.
4369//
4370//   * NotFoundException
4371//   The request was rejected because the specified entity or resource could not
4372//   be found.
4373//
4374//   * InternalException
4375//   The request was rejected because an internal exception occurred. The request
4376//   can be retried.
4377//
4378//   * InvalidStateException
4379//   The request was rejected because the state of the specified resource is not
4380//   valid for this request.
4381//
4382//   For more information about how key state affects the use of a CMK, see How
4383//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
4385//
4386//   * InvalidCiphertextException
4387//   From the Decrypt or ReEncrypt operation, the request was rejected because
4388//   the specified ciphertext, or additional authenticated data incorporated into
4389//   the ciphertext, such as the encryption context, is corrupted, missing, or
4390//   otherwise invalid.
4391//
4392//   From the ImportKeyMaterial operation, the request was rejected because AWS
4393//   KMS could not decrypt the encrypted (wrapped) key material.
4394//
4395//   * IncorrectKeyMaterialException
//   The request was rejected because the key material in the request is expired,
4397//   invalid, or is not the same key material that was previously imported into
4398//   this customer master key (CMK).
4399//
4400//   * ExpiredImportTokenException
4401//   The request was rejected because the specified import token is expired. Use
4402//   GetParametersForImport to get a new import token and public key, use the
4403//   new public key to encrypt the key material, and then try the request again.
4404//
4405//   * InvalidImportTokenException
4406//   The request was rejected because the provided import token is invalid or
4407//   is associated with a different customer master key (CMK).
4408//
4409// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ImportKeyMaterial
func (c *KMS) ImportKeyMaterial(input *ImportKeyMaterialInput) (*ImportKeyMaterialOutput, error) {
	pending, result := c.ImportKeyMaterialRequest(input)
	// The error from Send is the only success signal: result is returned
	// non-nil whether or not the import was accepted.
	err := pending.Send()
	return result, err
}
4414
4415// ImportKeyMaterialWithContext is the same as ImportKeyMaterial with the addition of
4416// the ability to pass a context and additional request options.
4417//
4418// See ImportKeyMaterial for details on how to use this API operation.
4419//
4420// The context must be non-nil and will be used for request cancellation. If
4421// the context is nil a panic will occur. In the future the SDK may create
4422// sub-contexts for http.Requests. See https://golang.org/pkg/context/
4423// for more information on using Contexts.
func (c *KMS) ImportKeyMaterialWithContext(ctx aws.Context, input *ImportKeyMaterialInput, opts ...request.Option) (*ImportKeyMaterialOutput, error) {
	pending, result := c.ImportKeyMaterialRequest(input)
	// Attach the context first, then let the caller's options adjust the
	// request.
	pending.SetContext(ctx)
	pending.ApplyOptions(opts...)
	// result is non-nil even on failure; rely on the error to learn whether
	// the import was accepted.
	err := pending.Send()
	return result, err
}
4430
// opListAliases is the operation name that ListAliasesRequest places in
// request.Operation.Name.
const (
	opListAliases = "ListAliases"
)
4432
4433// ListAliasesRequest generates a "aws/request.Request" representing the
4434// client's request for the ListAliases operation. The "output" return
4435// value will be populated with the request's response once the request completes
4436// successfully.
4437//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
4440//
4441// See ListAliases for more information on using the ListAliases
4442// API call, and error handling.
4443//
4444// This method is useful when you want to inject custom logic or configuration
4445// into the SDK's request lifecycle. Such as custom headers, or retry logic.
4446//
4447//
4448//    // Example sending a request using the ListAliasesRequest method.
4449//    req, resp := client.ListAliasesRequest(params)
4450//
4451//    err := req.Send()
4452//    if err == nil { // resp is now filled
4453//        fmt.Println(resp)
4454//    }
4455//
4456// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListAliases
func (c *KMS) ListAliasesRequest(input *ListAliasesInput) (req *request.Request, output *ListAliasesOutput) {
	// Field names the paginator uses: Marker goes in, NextMarker comes out,
	// Limit bounds the page and Truncated marks that more results remain.
	pager := &request.Paginator{
		InputTokens:     []string{"Marker"},
		OutputTokens:    []string{"NextMarker"},
		LimitToken:      "Limit",
		TruncationToken: "Truncated",
	}
	op := &request.Operation{
		Name:       opListAliases,
		HTTPMethod: "POST",
		HTTPPath:   "/",
		Paginator:  pager,
	}

	// A nil input is swapped for an empty struct so newRequest always gets a
	// non-nil parameter value.
	if input == nil {
		input = &ListAliasesInput{}
	}

	output = &ListAliasesOutput{}
	req = c.newRequest(op, input, output)
	return req, output
}
4478
4479// ListAliases API operation for AWS Key Management Service.
4480//
4481// Gets a list of aliases in the caller's AWS account and region. For more information
4482// about aliases, see CreateAlias.
4483//
4484// By default, the ListAliases operation returns all aliases in the account
4485// and region. To get only the aliases associated with a particular customer
4486// master key (CMK), use the KeyId parameter.
4487//
4488// The ListAliases response can include aliases that you created and associated
4489// with your customer managed CMKs, and aliases that AWS created and associated
4490// with AWS managed CMKs in your account. You can recognize AWS aliases because
4491// their names have the format aws/<service-name>, such as aws/dynamodb.
4492//
4493// The response might also include aliases that have no TargetKeyId field. These
4494// are predefined aliases that AWS has created but has not yet associated with
4495// a CMK. Aliases that AWS creates in your account, including predefined aliases,
4496// do not count against your AWS KMS aliases quota (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html#aliases-limit).
4497//
4498// Cross-account use: No. ListAliases does not return aliases in other AWS accounts.
4499//
4500// Required permissions: kms:ListAliases (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
4501// (IAM policy)
4502//
4503// For details, see Controlling access to aliases (https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access)
4504// in the AWS Key Management Service Developer Guide.
4505//
4506// Related operations:
4507//
4508//    * CreateAlias
4509//
4510//    * DeleteAlias
4511//
4512//    * UpdateAlias
4513//
4514// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
4515// with awserr.Error's Code and Message methods to get detailed information about
4516// the error.
4517//
4518// See the AWS API reference guide for AWS Key Management Service's
4519// API operation ListAliases for usage and error information.
4520//
4521// Returned Error Types:
4522//   * DependencyTimeoutException
4523//   The system timed out while trying to fulfill the request. The request can
4524//   be retried.
4525//
4526//   * InvalidMarkerException
4527//   The request was rejected because the marker that specifies where pagination
4528//   should next begin is not valid.
4529//
4530//   * InternalException
4531//   The request was rejected because an internal exception occurred. The request
4532//   can be retried.
4533//
4534//   * InvalidArnException
4535//   The request was rejected because a specified ARN, or an ARN in a key policy,
4536//   is not valid.
4537//
4538//   * NotFoundException
4539//   The request was rejected because the specified entity or resource could not
4540//   be found.
4541//
4542// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListAliases
func (c *KMS) ListAliases(input *ListAliasesInput) (*ListAliasesOutput, error) {
	pending, result := c.ListAliasesRequest(input)
	// A single request is sent here; no further pages are fetched by this
	// method. result is returned even when Send fails, so check the error.
	err := pending.Send()
	return result, err
}
4547
4548// ListAliasesWithContext is the same as ListAliases with the addition of
4549// the ability to pass a context and additional request options.
4550//
4551// See ListAliases for details on how to use this API operation.
4552//
4553// The context must be non-nil and will be used for request cancellation. If
4554// the context is nil a panic will occur. In the future the SDK may create
4555// sub-contexts for http.Requests. See https://golang.org/pkg/context/
4556// for more information on using Contexts.
func (c *KMS) ListAliasesWithContext(ctx aws.Context, input *ListAliasesInput, opts ...request.Option) (*ListAliasesOutput, error) {
	pending, result := c.ListAliasesRequest(input)
	// Attach the context first, then let the caller's options adjust the
	// request.
	pending.SetContext(ctx)
	pending.ApplyOptions(opts...)
	// result is non-nil even on failure; check the error before reading it.
	err := pending.Send()
	return result, err
}
4563
4564// ListAliasesPages iterates over the pages of a ListAliases operation,
4565// calling the "fn" function with the response data for each page. To stop
4566// iterating, return false from the fn function.
4567//
4568// See ListAliases method for more information on how to use this operation.
4569//
4570// Note: This operation can generate multiple requests to a service.
4571//
4572//    // Example iterating over at most 3 pages of a ListAliases operation.
4573//    pageNum := 0
4574//    err := client.ListAliasesPages(params,
4575//        func(page *kms.ListAliasesOutput, lastPage bool) bool {
4576//            pageNum++
4577//            fmt.Println(page)
4578//            return pageNum <= 3
4579//        })
4580//
func (c *KMS) ListAliasesPages(input *ListAliasesInput, fn func(*ListAliasesOutput, bool) bool) error {
	// No caller-supplied context on this entry point, so the page requests
	// run under the SDK's background context.
	ctx := aws.BackgroundContext()
	return c.ListAliasesPagesWithContext(ctx, input, fn)
}
4584
// ListAliasesPagesWithContext is the same as ListAliasesPages except that
// it takes a Context and allows setting request options on the pages.
4587//
4588// The context must be non-nil and will be used for request cancellation. If
4589// the context is nil a panic will occur. In the future the SDK may create
4590// sub-contexts for http.Requests. See https://golang.org/pkg/context/
4591// for more information on using Contexts.
func (c *KMS) ListAliasesPagesWithContext(ctx aws.Context, input *ListAliasesInput, fn func(*ListAliasesOutput, bool) bool, opts ...request.Option) error {
	// newPageRequest builds the request for one page. Each call works on its
	// own shallow copy of input, so the caller's struct is never handed to
	// the request directly.
	newPageRequest := func() (*request.Request, error) {
		var pageInput *ListAliasesInput
		if input != nil {
			clone := *input
			pageInput = &clone
		}
		// The output returned here is dropped; pages are read through
		// Pagination.Page below.
		pageReq, _ := c.ListAliasesRequest(pageInput)
		pageReq.SetContext(ctx)
		pageReq.ApplyOptions(opts...)
		return pageReq, nil
	}
	pager := request.Pagination{NewRequest: newPageRequest}

	for pager.Next() {
		// Single-value type assertion: panics if Page yields another type.
		page := pager.Page().(*ListAliasesOutput)
		isLast := !pager.HasNextPage()
		if !fn(page, isLast) {
			// The callback asked to stop; Err below still reports any
			// failure recorded so far.
			break
		}
	}

	return pager.Err()
}
4615
// opListGrants is the operation name that ListGrantsRequest places in
// request.Operation.Name.
const (
	opListGrants = "ListGrants"
)
4617
4618// ListGrantsRequest generates a "aws/request.Request" representing the
4619// client's request for the ListGrants operation. The "output" return
4620// value will be populated with the request's response once the request completes
4621// successfully.
4622//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
4625//
4626// See ListGrants for more information on using the ListGrants
4627// API call, and error handling.
4628//
4629// This method is useful when you want to inject custom logic or configuration
4630// into the SDK's request lifecycle. Such as custom headers, or retry logic.
4631//
4632//
4633//    // Example sending a request using the ListGrantsRequest method.
4634//    req, resp := client.ListGrantsRequest(params)
4635//
4636//    err := req.Send()
4637//    if err == nil { // resp is now filled
4638//        fmt.Println(resp)
4639//    }
4640//
4641// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListGrants
func (c *KMS) ListGrantsRequest(input *ListGrantsInput) (req *request.Request, output *ListGrantsResponse) {
	// Field names the paginator uses: Marker goes in, NextMarker comes out,
	// Limit bounds the page and Truncated marks that more results remain.
	pager := &request.Paginator{
		InputTokens:     []string{"Marker"},
		OutputTokens:    []string{"NextMarker"},
		LimitToken:      "Limit",
		TruncationToken: "Truncated",
	}
	op := &request.Operation{
		Name:       opListGrants,
		HTTPMethod: "POST",
		HTTPPath:   "/",
		Paginator:  pager,
	}

	// A nil input is swapped for an empty struct so newRequest always gets a
	// non-nil parameter value.
	if input == nil {
		input = &ListGrantsInput{}
	}

	// Unlike the other operations in this part of the file, the output type
	// here is named ListGrantsResponse.
	output = &ListGrantsResponse{}
	req = c.newRequest(op, input, output)
	return req, output
}
4663
4664// ListGrants API operation for AWS Key Management Service.
4665//
4666// Gets a list of all grants for the specified customer master key (CMK).
4667//
4668// You must specify the CMK in all requests. You can filter the grant list by
4669// grant ID or grantee principal.
4670//
4671// The GranteePrincipal field in the ListGrants response usually contains the
4672// user or role designated as the grantee principal in the grant. However, when
4673// the grantee principal in the grant is an AWS service, the GranteePrincipal
4674// field contains the service principal (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services),
4675// which might represent several different grantee principals.
4676//
4677// Cross-account use: Yes. To perform this operation on a CMK in a different
4678// AWS account, specify the key ARN in the value of the KeyId parameter.
4679//
4680// Required permissions: kms:ListGrants (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
4681// (key policy)
4682//
4683// Related operations:
4684//
4685//    * CreateGrant
4686//
4687//    * ListRetirableGrants
4688//
4689//    * RetireGrant
4690//
4691//    * RevokeGrant
4692//
4693// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
4694// with awserr.Error's Code and Message methods to get detailed information about
4695// the error.
4696//
4697// See the AWS API reference guide for AWS Key Management Service's
4698// API operation ListGrants for usage and error information.
4699//
4700// Returned Error Types:
4701//   * NotFoundException
4702//   The request was rejected because the specified entity or resource could not
4703//   be found.
4704//
4705//   * DependencyTimeoutException
4706//   The system timed out while trying to fulfill the request. The request can
4707//   be retried.
4708//
4709//   * InvalidMarkerException
4710//   The request was rejected because the marker that specifies where pagination
4711//   should next begin is not valid.
4712//
4713//   * InvalidGrantIdException
4714//   The request was rejected because the specified GrantId is not valid.
4715//
4716//   * InvalidArnException
4717//   The request was rejected because a specified ARN, or an ARN in a key policy,
4718//   is not valid.
4719//
4720//   * InternalException
4721//   The request was rejected because an internal exception occurred. The request
4722//   can be retried.
4723//
4724//   * InvalidStateException
4725//   The request was rejected because the state of the specified resource is not
4726//   valid for this request.
4727//
4728//   For more information about how key state affects the use of a CMK, see How
4729//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
4731//
4732// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListGrants
func (c *KMS) ListGrants(input *ListGrantsInput) (*ListGrantsResponse, error) {
	// Exactly one request is built and sent here; ListGrantsPages is the
	// helper in this file that walks any further pages of grants.
	r, resp := c.ListGrantsRequest(input)
	err := r.Send()
	// resp is handed back even when err is non-nil, so callers must check err
	// before reading it.
	return resp, err
}
4737
4738// ListGrantsWithContext is the same as ListGrants with the addition of
4739// the ability to pass a context and additional request options.
4740//
4741// See ListGrants for details on how to use this API operation.
4742//
4743// The context must be non-nil and will be used for request cancellation. If
4744// the context is nil a panic will occur. In the future the SDK may create
4745// sub-contexts for http.Requests. See https://golang.org/pkg/context/
4746// for more information on using Contexts.
func (c *KMS) ListGrantsWithContext(ctx aws.Context, input *ListGrantsInput, opts ...request.Option) (*ListGrantsResponse, error) {
	r, resp := c.ListGrantsRequest(input)
	// ctx is handed to SetContext without a nil check in this function; the
	// per-call options are applied after the context is attached.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	// resp is returned alongside err in every case; check err first.
	return resp, err
}
4753
4754// ListGrantsPages iterates over the pages of a ListGrants operation,
4755// calling the "fn" function with the response data for each page. To stop
4756// iterating, return false from the fn function.
4757//
4758// See ListGrants method for more information on how to use this operation.
4759//
4760// Note: This operation can generate multiple requests to a service.
4761//
4762//    // Example iterating over at most 3 pages of a ListGrants operation.
4763//    pageNum := 0
4764//    err := client.ListGrantsPages(params,
4765//        func(page *kms.ListGrantsResponse, lastPage bool) bool {
4766//            pageNum++
4767//            fmt.Println(page)
4768//            return pageNum <= 3
4769//        })
4770//
func (c *KMS) ListGrantsPages(input *ListGrantsInput, fn func(*ListGrantsResponse, bool) bool) error {
	// Delegates to the context-aware variant with the SDK's background
	// context and no extra request options.
	ctx := aws.BackgroundContext()
	return c.ListGrantsPagesWithContext(ctx, input, fn)
}
4774
4775// ListGrantsPagesWithContext same as ListGrantsPages except
4776// it takes a Context and allows setting request options on the pages.
4777//
4778// The context must be non-nil and will be used for request cancellation. If
4779// the context is nil a panic will occur. In the future the SDK may create
4780// sub-contexts for http.Requests. See https://golang.org/pkg/context/
4781// for more information on using Contexts.
func (c *KMS) ListGrantsPagesWithContext(ctx aws.Context, input *ListGrantsInput, fn func(*ListGrantsResponse, bool) bool, opts ...request.Option) error {
	// newPageRequest builds the request for one page. It works on a shallow
	// copy of input (nil stays nil), presumably so the paginator's marker
	// updates never touch the caller's struct.
	newPageRequest := func() (*request.Request, error) {
		var inputCopy *ListGrantsInput
		if input != nil {
			clone := *input
			inputCopy = &clone
		}
		// The second result is the output value, not an error; the paginator
		// exposes it through Page.
		r, _ := c.ListGrantsRequest(inputCopy)
		r.SetContext(ctx)
		r.ApplyOptions(opts...)
		return r, nil
	}
	pager := request.Pagination{NewRequest: newPageRequest}

	for pager.Next() {
		// The assertion has no ok-check; it panics if Page ever yields a
		// different type.
		page := pager.Page().(*ListGrantsResponse)
		isLast := !pager.HasNextPage()
		if keepGoing := fn(page, isLast); !keepGoing {
			// The callback asked to stop, so the remaining pages are not
			// fetched and the caller holds only a partial grant list.
			break
		}
	}

	return pager.Err()
}
4805
// opListKeyPolicies is the operation name that ListKeyPoliciesRequest sets as
// request.Operation.Name.
const opListKeyPolicies = "ListKeyPolicies"
4807
4808// ListKeyPoliciesRequest generates a "aws/request.Request" representing the
4809// client's request for the ListKeyPolicies operation. The "output" return
4810// value will be populated with the request's response once the request completes
4811// successfully.
4812//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
4815//
4816// See ListKeyPolicies for more information on using the ListKeyPolicies
4817// API call, and error handling.
4818//
4819// This method is useful when you want to inject custom logic or configuration
4820// into the SDK's request lifecycle. Such as custom headers, or retry logic.
4821//
4822//
4823//    // Example sending a request using the ListKeyPoliciesRequest method.
4824//    req, resp := client.ListKeyPoliciesRequest(params)
4825//
4826//    err := req.Send()
4827//    if err == nil { // resp is now filled
4828//        fmt.Println(resp)
4829//    }
4830//
4831// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyPolicies
func (c *KMS) ListKeyPoliciesRequest(input *ListKeyPoliciesInput) (req *request.Request, output *ListKeyPoliciesOutput) {
	// A nil input is replaced by an empty value before the request is built.
	if input == nil {
		input = &ListKeyPoliciesInput{}
	}

	// Token names the paginator is configured with for this operation.
	pager := &request.Paginator{
		InputTokens:     []string{"Marker"},
		OutputTokens:    []string{"NextMarker"},
		LimitToken:      "Limit",
		TruncationToken: "Truncated",
	}
	op := &request.Operation{
		Name:       opListKeyPolicies,
		HTTPMethod: "POST",
		HTTPPath:   "/",
		Paginator:  pager,
	}

	// output is allocated here and returned immediately; nothing in this
	// function sends the request, so it is still empty at that point.
	output = &ListKeyPoliciesOutput{}
	req = c.newRequest(op, input, output)
	return req, output
}
4853
4854// ListKeyPolicies API operation for AWS Key Management Service.
4855//
4856// Gets the names of the key policies that are attached to a customer master
4857// key (CMK). This operation is designed to get policy names that you can use
4858// in a GetKeyPolicy operation. However, the only valid policy name is default.
4859//
4860// Cross-account use: No. You cannot perform this operation on a CMK in a different
4861// AWS account.
4862//
4863// Required permissions: kms:ListKeyPolicies (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
4864// (key policy)
4865//
4866// Related operations:
4867//
4868//    * GetKeyPolicy
4869//
4870//    * PutKeyPolicy
4871//
4872// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
4873// with awserr.Error's Code and Message methods to get detailed information about
4874// the error.
4875//
4876// See the AWS API reference guide for AWS Key Management Service's
4877// API operation ListKeyPolicies for usage and error information.
4878//
4879// Returned Error Types:
4880//   * NotFoundException
4881//   The request was rejected because the specified entity or resource could not
4882//   be found.
4883//
4884//   * InvalidArnException
4885//   The request was rejected because a specified ARN, or an ARN in a key policy,
4886//   is not valid.
4887//
4888//   * DependencyTimeoutException
4889//   The system timed out while trying to fulfill the request. The request can
4890//   be retried.
4891//
4892//   * InternalException
4893//   The request was rejected because an internal exception occurred. The request
4894//   can be retried.
4895//
4896//   * InvalidStateException
4897//   The request was rejected because the state of the specified resource is not
4898//   valid for this request.
4899//
4900//   For more information about how key state affects the use of a CMK, see How
4901//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
4903//
4904// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyPolicies
func (c *KMS) ListKeyPolicies(input *ListKeyPoliciesInput) (*ListKeyPoliciesOutput, error) {
	// Exactly one request is built and sent here; ListKeyPoliciesPages is the
	// helper in this file that walks any further pages.
	r, resp := c.ListKeyPoliciesRequest(input)
	err := r.Send()
	// resp is handed back even when err is non-nil, so callers must check err
	// before reading it.
	return resp, err
}
4909
4910// ListKeyPoliciesWithContext is the same as ListKeyPolicies with the addition of
4911// the ability to pass a context and additional request options.
4912//
4913// See ListKeyPolicies for details on how to use this API operation.
4914//
4915// The context must be non-nil and will be used for request cancellation. If
4916// the context is nil a panic will occur. In the future the SDK may create
4917// sub-contexts for http.Requests. See https://golang.org/pkg/context/
4918// for more information on using Contexts.
func (c *KMS) ListKeyPoliciesWithContext(ctx aws.Context, input *ListKeyPoliciesInput, opts ...request.Option) (*ListKeyPoliciesOutput, error) {
	r, resp := c.ListKeyPoliciesRequest(input)
	// ctx is handed to SetContext without a nil check in this function; the
	// per-call options are applied after the context is attached.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	// resp is returned alongside err in every case; check err first.
	return resp, err
}
4925
4926// ListKeyPoliciesPages iterates over the pages of a ListKeyPolicies operation,
4927// calling the "fn" function with the response data for each page. To stop
4928// iterating, return false from the fn function.
4929//
4930// See ListKeyPolicies method for more information on how to use this operation.
4931//
4932// Note: This operation can generate multiple requests to a service.
4933//
4934//    // Example iterating over at most 3 pages of a ListKeyPolicies operation.
4935//    pageNum := 0
4936//    err := client.ListKeyPoliciesPages(params,
4937//        func(page *kms.ListKeyPoliciesOutput, lastPage bool) bool {
4938//            pageNum++
4939//            fmt.Println(page)
4940//            return pageNum <= 3
4941//        })
4942//
func (c *KMS) ListKeyPoliciesPages(input *ListKeyPoliciesInput, fn func(*ListKeyPoliciesOutput, bool) bool) error {
	// Delegates to the context-aware variant with the SDK's background
	// context and no extra request options.
	ctx := aws.BackgroundContext()
	return c.ListKeyPoliciesPagesWithContext(ctx, input, fn)
}
4946
4947// ListKeyPoliciesPagesWithContext same as ListKeyPoliciesPages except
4948// it takes a Context and allows setting request options on the pages.
4949//
4950// The context must be non-nil and will be used for request cancellation. If
4951// the context is nil a panic will occur. In the future the SDK may create
4952// sub-contexts for http.Requests. See https://golang.org/pkg/context/
4953// for more information on using Contexts.
func (c *KMS) ListKeyPoliciesPagesWithContext(ctx aws.Context, input *ListKeyPoliciesInput, fn func(*ListKeyPoliciesOutput, bool) bool, opts ...request.Option) error {
	// newPageRequest builds the request for one page. It works on a shallow
	// copy of input (nil stays nil), presumably so the paginator's marker
	// updates never touch the caller's struct.
	newPageRequest := func() (*request.Request, error) {
		var inputCopy *ListKeyPoliciesInput
		if input != nil {
			clone := *input
			inputCopy = &clone
		}
		// The second result is the output value, not an error; the paginator
		// exposes it through Page.
		r, _ := c.ListKeyPoliciesRequest(inputCopy)
		r.SetContext(ctx)
		r.ApplyOptions(opts...)
		return r, nil
	}
	pager := request.Pagination{NewRequest: newPageRequest}

	for pager.Next() {
		// The assertion has no ok-check; it panics if Page ever yields a
		// different type.
		page := pager.Page().(*ListKeyPoliciesOutput)
		isLast := !pager.HasNextPage()
		if keepGoing := fn(page, isLast); !keepGoing {
			// The callback asked to stop; remaining pages are not fetched.
			break
		}
	}

	return pager.Err()
}
4977
// opListKeys is the operation name that ListKeysRequest sets as
// request.Operation.Name.
const opListKeys = "ListKeys"
4979
4980// ListKeysRequest generates a "aws/request.Request" representing the
4981// client's request for the ListKeys operation. The "output" return
4982// value will be populated with the request's response once the request completes
4983// successfully.
4984//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
4987//
4988// See ListKeys for more information on using the ListKeys
4989// API call, and error handling.
4990//
4991// This method is useful when you want to inject custom logic or configuration
4992// into the SDK's request lifecycle. Such as custom headers, or retry logic.
4993//
4994//
4995//    // Example sending a request using the ListKeysRequest method.
4996//    req, resp := client.ListKeysRequest(params)
4997//
4998//    err := req.Send()
4999//    if err == nil { // resp is now filled
5000//        fmt.Println(resp)
5001//    }
5002//
5003// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeys
func (c *KMS) ListKeysRequest(input *ListKeysInput) (req *request.Request, output *ListKeysOutput) {
	// A nil input is replaced by an empty value before the request is built.
	if input == nil {
		input = &ListKeysInput{}
	}

	// Token names the paginator is configured with for this operation.
	pager := &request.Paginator{
		InputTokens:     []string{"Marker"},
		OutputTokens:    []string{"NextMarker"},
		LimitToken:      "Limit",
		TruncationToken: "Truncated",
	}
	op := &request.Operation{
		Name:       opListKeys,
		HTTPMethod: "POST",
		HTTPPath:   "/",
		Paginator:  pager,
	}

	// output is allocated here and returned immediately; nothing in this
	// function sends the request, so it is still empty at that point.
	output = &ListKeysOutput{}
	req = c.newRequest(op, input, output)
	return req, output
}
5025
5026// ListKeys API operation for AWS Key Management Service.
5027//
5028// Gets a list of all customer master keys (CMKs) in the caller's AWS account
5029// and Region.
5030//
5031// Cross-account use: No. You cannot perform this operation on a CMK in a different
5032// AWS account.
5033//
5034// Required permissions: kms:ListKeys (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
5035// (IAM policy)
5036//
5037// Related operations:
5038//
5039//    * CreateKey
5040//
5041//    * DescribeKey
5042//
5043//    * ListAliases
5044//
5045//    * ListResourceTags
5046//
5047// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
5048// with awserr.Error's Code and Message methods to get detailed information about
5049// the error.
5050//
5051// See the AWS API reference guide for AWS Key Management Service's
5052// API operation ListKeys for usage and error information.
5053//
5054// Returned Error Types:
5055//   * DependencyTimeoutException
5056//   The system timed out while trying to fulfill the request. The request can
5057//   be retried.
5058//
5059//   * InternalException
5060//   The request was rejected because an internal exception occurred. The request
5061//   can be retried.
5062//
5063//   * InvalidMarkerException
5064//   The request was rejected because the marker that specifies where pagination
5065//   should next begin is not valid.
5066//
5067// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeys
func (c *KMS) ListKeys(input *ListKeysInput) (*ListKeysOutput, error) {
	// Exactly one request is built and sent here; ListKeysPages is the helper
	// in this file that walks any further pages of keys.
	r, resp := c.ListKeysRequest(input)
	err := r.Send()
	// resp is handed back even when err is non-nil, so callers must check err
	// before reading it.
	return resp, err
}
5072
5073// ListKeysWithContext is the same as ListKeys with the addition of
5074// the ability to pass a context and additional request options.
5075//
5076// See ListKeys for details on how to use this API operation.
5077//
5078// The context must be non-nil and will be used for request cancellation. If
5079// the context is nil a panic will occur. In the future the SDK may create
5080// sub-contexts for http.Requests. See https://golang.org/pkg/context/
5081// for more information on using Contexts.
func (c *KMS) ListKeysWithContext(ctx aws.Context, input *ListKeysInput, opts ...request.Option) (*ListKeysOutput, error) {
	r, resp := c.ListKeysRequest(input)
	// ctx is handed to SetContext without a nil check in this function; the
	// per-call options are applied after the context is attached.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	// resp is returned alongside err in every case; check err first.
	return resp, err
}
5088
5089// ListKeysPages iterates over the pages of a ListKeys operation,
5090// calling the "fn" function with the response data for each page. To stop
5091// iterating, return false from the fn function.
5092//
5093// See ListKeys method for more information on how to use this operation.
5094//
5095// Note: This operation can generate multiple requests to a service.
5096//
5097//    // Example iterating over at most 3 pages of a ListKeys operation.
5098//    pageNum := 0
5099//    err := client.ListKeysPages(params,
5100//        func(page *kms.ListKeysOutput, lastPage bool) bool {
5101//            pageNum++
5102//            fmt.Println(page)
5103//            return pageNum <= 3
5104//        })
5105//
func (c *KMS) ListKeysPages(input *ListKeysInput, fn func(*ListKeysOutput, bool) bool) error {
	// Delegates to the context-aware variant with the SDK's background
	// context and no extra request options.
	ctx := aws.BackgroundContext()
	return c.ListKeysPagesWithContext(ctx, input, fn)
}
5109
5110// ListKeysPagesWithContext same as ListKeysPages except
5111// it takes a Context and allows setting request options on the pages.
5112//
5113// The context must be non-nil and will be used for request cancellation. If
5114// the context is nil a panic will occur. In the future the SDK may create
5115// sub-contexts for http.Requests. See https://golang.org/pkg/context/
5116// for more information on using Contexts.
func (c *KMS) ListKeysPagesWithContext(ctx aws.Context, input *ListKeysInput, fn func(*ListKeysOutput, bool) bool, opts ...request.Option) error {
	// newPageRequest builds the request for one page. It works on a shallow
	// copy of input (nil stays nil), presumably so the paginator's marker
	// updates never touch the caller's struct.
	newPageRequest := func() (*request.Request, error) {
		var inputCopy *ListKeysInput
		if input != nil {
			clone := *input
			inputCopy = &clone
		}
		// The second result is the output value, not an error; the paginator
		// exposes it through Page.
		r, _ := c.ListKeysRequest(inputCopy)
		r.SetContext(ctx)
		r.ApplyOptions(opts...)
		return r, nil
	}
	pager := request.Pagination{NewRequest: newPageRequest}

	for pager.Next() {
		// The assertion has no ok-check; it panics if Page ever yields a
		// different type.
		page := pager.Page().(*ListKeysOutput)
		isLast := !pager.HasNextPage()
		if keepGoing := fn(page, isLast); !keepGoing {
			// The callback asked to stop, so the remaining pages are not
			// fetched and the caller holds only a partial key inventory.
			break
		}
	}

	return pager.Err()
}
5140
// opListResourceTags is the operation name that ListResourceTagsRequest sets
// as request.Operation.Name.
const opListResourceTags = "ListResourceTags"
5142
5143// ListResourceTagsRequest generates a "aws/request.Request" representing the
5144// client's request for the ListResourceTags operation. The "output" return
5145// value will be populated with the request's response once the request completes
5146// successfully.
5147//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
5150//
5151// See ListResourceTags for more information on using the ListResourceTags
5152// API call, and error handling.
5153//
5154// This method is useful when you want to inject custom logic or configuration
5155// into the SDK's request lifecycle. Such as custom headers, or retry logic.
5156//
5157//
5158//    // Example sending a request using the ListResourceTagsRequest method.
5159//    req, resp := client.ListResourceTagsRequest(params)
5160//
5161//    err := req.Send()
5162//    if err == nil { // resp is now filled
5163//        fmt.Println(resp)
5164//    }
5165//
5166// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListResourceTags
func (c *KMS) ListResourceTagsRequest(input *ListResourceTagsInput) (req *request.Request, output *ListResourceTagsOutput) {
	// A nil input is replaced by an empty value before the request is built.
	if input == nil {
		input = &ListResourceTagsInput{}
	}

	// NOTE(review): no Paginator is set on this operation, unlike
	// ListKeysRequest and ListKeyPoliciesRequest in this file, although the
	// operation's docs list InvalidMarkerException. A caller that needs the
	// complete tag set presumably has to follow the marker itself; confirm
	// against ListResourceTagsInput/ListResourceTagsOutput.
	op := &request.Operation{
		Name:       opListResourceTags,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}

	// output is allocated here and returned immediately; nothing in this
	// function sends the request, so it is still empty at that point.
	output = &ListResourceTagsOutput{}
	req = c.newRequest(op, input, output)
	return req, output
}
5182
5183// ListResourceTags API operation for AWS Key Management Service.
5184//
5185// Returns all tags on the specified customer master key (CMK).
5186//
5187// For general information about tags, including the format and syntax, see
5188// Tagging AWS resources (https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html)
5189// in the Amazon Web Services General Reference. For information about using
5190// tags in AWS KMS, see Tagging keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html).
5191//
5192// Cross-account use: No. You cannot perform this operation on a CMK in a different
5193// AWS account.
5194//
5195// Required permissions: kms:ListResourceTags (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
5196// (key policy)
5197//
5198// Related operations:
5199//
5200//    * CreateKey
5201//
5202//    * ReplicateKey
5203//
5204//    * TagResource
5205//
5206//    * UntagResource
5207//
5208// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
5209// with awserr.Error's Code and Message methods to get detailed information about
5210// the error.
5211//
5212// See the AWS API reference guide for AWS Key Management Service's
5213// API operation ListResourceTags for usage and error information.
5214//
5215// Returned Error Types:
5216//   * InternalException
5217//   The request was rejected because an internal exception occurred. The request
5218//   can be retried.
5219//
5220//   * NotFoundException
5221//   The request was rejected because the specified entity or resource could not
5222//   be found.
5223//
5224//   * InvalidArnException
5225//   The request was rejected because a specified ARN, or an ARN in a key policy,
5226//   is not valid.
5227//
5228//   * InvalidMarkerException
5229//   The request was rejected because the marker that specifies where pagination
5230//   should next begin is not valid.
5231//
5232// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListResourceTags
func (c *KMS) ListResourceTags(input *ListResourceTagsInput) (*ListResourceTagsOutput, error) {
	// Exactly one request is built and sent here.
	// NOTE(review): no ListResourceTagsPages helper is visible in this part
	// of the file, so a caller that needs every tag presumably has to loop on
	// the marker itself; confirm.
	r, resp := c.ListResourceTagsRequest(input)
	err := r.Send()
	// resp is handed back even when err is non-nil, so callers must check err
	// before reading it.
	return resp, err
}
5237
5238// ListResourceTagsWithContext is the same as ListResourceTags with the addition of
5239// the ability to pass a context and additional request options.
5240//
5241// See ListResourceTags for details on how to use this API operation.
5242//
5243// The context must be non-nil and will be used for request cancellation. If
5244// the context is nil a panic will occur. In the future the SDK may create
5245// sub-contexts for http.Requests. See https://golang.org/pkg/context/
5246// for more information on using Contexts.
func (c *KMS) ListResourceTagsWithContext(ctx aws.Context, input *ListResourceTagsInput, opts ...request.Option) (*ListResourceTagsOutput, error) {
	r, resp := c.ListResourceTagsRequest(input)
	// ctx is handed to SetContext without a nil check in this function; the
	// per-call options are applied after the context is attached.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	// resp is returned alongside err in every case; check err first.
	return resp, err
}
5253
// opListRetirableGrants is the operation name that ListRetirableGrantsRequest
// sets as request.Operation.Name.
const opListRetirableGrants = "ListRetirableGrants"
5255
5256// ListRetirableGrantsRequest generates a "aws/request.Request" representing the
5257// client's request for the ListRetirableGrants operation. The "output" return
5258// value will be populated with the request's response once the request completes
5259// successfully.
5260//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
5263//
5264// See ListRetirableGrants for more information on using the ListRetirableGrants
5265// API call, and error handling.
5266//
5267// This method is useful when you want to inject custom logic or configuration
5268// into the SDK's request lifecycle. Such as custom headers, or retry logic.
5269//
5270//
5271//    // Example sending a request using the ListRetirableGrantsRequest method.
5272//    req, resp := client.ListRetirableGrantsRequest(params)
5273//
5274//    err := req.Send()
5275//    if err == nil { // resp is now filled
5276//        fmt.Println(resp)
5277//    }
5278//
5279// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListRetirableGrants
func (c *KMS) ListRetirableGrantsRequest(input *ListRetirableGrantsInput) (req *request.Request, output *ListGrantsResponse) {
	// A nil input is replaced by an empty value before the request is built.
	if input == nil {
		input = &ListRetirableGrantsInput{}
	}

	// NOTE(review): no Paginator is set on this operation, although its docs
	// list InvalidMarkerException. A grant review that reads only one
	// response may therefore be incomplete; the caller presumably has to
	// follow the marker itself. Confirm against ListRetirableGrantsInput and
	// ListGrantsResponse.
	op := &request.Operation{
		Name:       opListRetirableGrants,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}

	// The output type is ListGrantsResponse, the same type ListGrants returns.
	output = &ListGrantsResponse{}
	req = c.newRequest(op, input, output)
	return req, output
}
5295
5296// ListRetirableGrants API operation for AWS Key Management Service.
5297//
5298// Returns information about all grants in the AWS account and Region that have
5299// the specified retiring principal. For more information about grants, see
5300// Grants (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html)
// in the AWS Key Management Service Developer Guide.
5302//
5303// You can specify any principal in your AWS account. The grants that are returned
5304// include grants for CMKs in your AWS account and other AWS accounts.
5305//
5306// You might use this operation to determine which grants you may retire. To
5307// retire a grant, use the RetireGrant operation.
5308//
5309// Cross-account use: You must specify a principal in your AWS account. However,
5310// this operation can return grants in any AWS account. You do not need kms:ListRetirableGrants
5311// permission (or any other additional permission) in any AWS account other
5312// than your own.
5313//
5314// Required permissions: kms:ListRetirableGrants (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
5315// (IAM policy) in your AWS account.
5316//
5317// Related operations:
5318//
5319//    * CreateGrant
5320//
5321//    * ListGrants
5322//
5323//    * RetireGrant
5324//
5325//    * RevokeGrant
5326//
5327// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
5328// with awserr.Error's Code and Message methods to get detailed information about
5329// the error.
5330//
5331// See the AWS API reference guide for AWS Key Management Service's
5332// API operation ListRetirableGrants for usage and error information.
5333//
5334// Returned Error Types:
5335//   * DependencyTimeoutException
5336//   The system timed out while trying to fulfill the request. The request can
5337//   be retried.
5338//
5339//   * InvalidMarkerException
5340//   The request was rejected because the marker that specifies where pagination
5341//   should next begin is not valid.
5342//
5343//   * InvalidArnException
5344//   The request was rejected because a specified ARN, or an ARN in a key policy,
5345//   is not valid.
5346//
5347//   * NotFoundException
5348//   The request was rejected because the specified entity or resource could not
5349//   be found.
5350//
5351//   * InternalException
5352//   The request was rejected because an internal exception occurred. The request
5353//   can be retried.
5354//
5355// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListRetirableGrants
func (c *KMS) ListRetirableGrants(input *ListRetirableGrantsInput) (*ListGrantsResponse, error) {
	// Exactly one request is built and sent here.
	// NOTE(review): no ListRetirableGrantsPages helper is visible in this
	// part of the file, so a caller that needs every retirable grant
	// presumably has to loop on the marker itself; confirm.
	r, resp := c.ListRetirableGrantsRequest(input)
	err := r.Send()
	// resp is handed back even when err is non-nil, so callers must check err
	// before reading it.
	return resp, err
}
5360
5361// ListRetirableGrantsWithContext is the same as ListRetirableGrants with the addition of
5362// the ability to pass a context and additional request options.
5363//
5364// See ListRetirableGrants for details on how to use this API operation.
5365//
5366// The context must be non-nil and will be used for request cancellation. If
5367// the context is nil a panic will occur. In the future the SDK may create
5368// sub-contexts for http.Requests. See https://golang.org/pkg/context/
5369// for more information on using Contexts.
func (c *KMS) ListRetirableGrantsWithContext(ctx aws.Context, input *ListRetirableGrantsInput, opts ...request.Option) (*ListGrantsResponse, error) {
	r, resp := c.ListRetirableGrantsRequest(input)
	// ctx is handed to SetContext without a nil check in this function; the
	// per-call options are applied after the context is attached.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	// resp is returned alongside err in every case; check err first.
	return resp, err
}
5376
// opPutKeyPolicy is the operation name that PutKeyPolicyRequest sets as
// request.Operation.Name.
const opPutKeyPolicy = "PutKeyPolicy"
5378
5379// PutKeyPolicyRequest generates a "aws/request.Request" representing the
5380// client's request for the PutKeyPolicy operation. The "output" return
5381// value will be populated with the request's response once the request completes
5382// successfully.
5383//
// Use the "Send" method on the returned Request to send the API call to the service.
// The "output" return value is not valid until after Send returns without error.
5386//
5387// See PutKeyPolicy for more information on using the PutKeyPolicy
5388// API call, and error handling.
5389//
5390// This method is useful when you want to inject custom logic or configuration
5391// into the SDK's request lifecycle. Such as custom headers, or retry logic.
5392//
5393//
5394//    // Example sending a request using the PutKeyPolicyRequest method.
5395//    req, resp := client.PutKeyPolicyRequest(params)
5396//
5397//    err := req.Send()
5398//    if err == nil { // resp is now filled
5399//        fmt.Println(resp)
5400//    }
5401//
5402// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/PutKeyPolicy
func (c *KMS) PutKeyPolicyRequest(input *PutKeyPolicyInput) (req *request.Request, output *PutKeyPolicyOutput) {
	// A nil input is replaced by an empty value before the request is built.
	if input == nil {
		input = &PutKeyPolicyInput{}
	}

	op := &request.Operation{
		Name:       opPutKeyPolicy,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}

	output = &PutKeyPolicyOutput{}
	req = c.newRequest(op, input, output)
	// The JSON-RPC unmarshal handler is swapped for the discard-body handler,
	// so (going by the handler's name) the response body is not decoded into
	// output. Success or failure is reported through the error from Send.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}
5419
5420// PutKeyPolicy API operation for AWS Key Management Service.
5421//
5422// Attaches a key policy to the specified customer master key (CMK).
5423//
5424// For more information about key policies, see Key Policies (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html)
5425// in the AWS Key Management Service Developer Guide. For help writing and formatting
5426// a JSON policy document, see the IAM JSON Policy Reference (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html)
// in the IAM User Guide. For examples of adding a key policy in multiple programming
5428// languages, see Setting a key policy (https://docs.aws.amazon.com/kms/latest/developerguide/programming-key-policies.html#put-policy)
5429// in the AWS Key Management Service Developer Guide.
5430//
5431// Cross-account use: No. You cannot perform this operation on a CMK in a different
5432// AWS account.
5433//
5434// Required permissions: kms:PutKeyPolicy (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
5435// (key policy)
5436//
5437// Related operations: GetKeyPolicy
5438//
5439// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
5440// with awserr.Error's Code and Message methods to get detailed information about
5441// the error.
5442//
5443// See the AWS API reference guide for AWS Key Management Service's
5444// API operation PutKeyPolicy for usage and error information.
5445//
5446// Returned Error Types:
5447//   * NotFoundException
5448//   The request was rejected because the specified entity or resource could not
5449//   be found.
5450//
5451//   * InvalidArnException
5452//   The request was rejected because a specified ARN, or an ARN in a key policy,
5453//   is not valid.
5454//
5455//   * MalformedPolicyDocumentException
5456//   The request was rejected because the specified policy is not syntactically
5457//   or semantically correct.
5458//
5459//   * DependencyTimeoutException
5460//   The system timed out while trying to fulfill the request. The request can
5461//   be retried.
5462//
5463//   * UnsupportedOperationException
5464//   The request was rejected because a specified parameter is not supported or
5465//   a specified resource is not valid for this operation.
5466//
5467//   * InternalException
5468//   The request was rejected because an internal exception occurred. The request
5469//   can be retried.
5470//
5471//   * LimitExceededException
5472//   The request was rejected because a quota was exceeded. For more information,
5473//   see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html)
5474//   in the AWS Key Management Service Developer Guide.
5475//
5476//   * InvalidStateException
5477//   The request was rejected because the state of the specified resource is not
5478//   valid for this request.
5479//
5480//   For more information about how key state affects the use of a CMK, see How
5481//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
5483//
5484// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/PutKeyPolicy
func (c *KMS) PutKeyPolicy(input *PutKeyPolicyInput) (*PutKeyPolicyOutput, error) {
	// This wrapper only builds the request and sends it; nothing here
	// inspects the policy document carried in input. Review of who the policy
	// lets use or administer the key has to happen before this call.
	r, resp := c.PutKeyPolicyRequest(input)
	err := r.Send()
	// err is the only signal of whether the policy was attached; resp is
	// returned in every case.
	return resp, err
}
5489
5490// PutKeyPolicyWithContext is the same as PutKeyPolicy with the addition of
5491// the ability to pass a context and additional request options.
5492//
5493// See PutKeyPolicy for details on how to use this API operation.
5494//
5495// The context must be non-nil and will be used for request cancellation. If
5496// the context is nil a panic will occur. In the future the SDK may create
5497// sub-contexts for http.Requests. See https://golang.org/pkg/context/
5498// for more information on using Contexts.
func (c *KMS) PutKeyPolicyWithContext(ctx aws.Context, input *PutKeyPolicyInput, opts ...request.Option) (*PutKeyPolicyOutput, error) {
	r, resp := c.PutKeyPolicyRequest(input)
	// ctx is handed to SetContext without a nil check in this function; the
	// per-call options are applied after the context is attached.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)
	err := r.Send()
	// err is the only signal of whether the policy was attached; resp is
	// returned in every case.
	return resp, err
}
5505
// opReEncrypt is the operation name that ReEncryptRequest places in
// request.Operation.Name.
const (
	opReEncrypt = "ReEncrypt"
)
5507
5508// ReEncryptRequest generates a "aws/request.Request" representing the
5509// client's request for the ReEncrypt operation. The "output" return
5510// value will be populated with the request's response once the request completes
5511// successfully.
5512//
5513// Use "Send" method on the returned Request to send the API call to the service.
5514// the "output" return value is not valid until after Send returns without error.
5515//
5516// See ReEncrypt for more information on using the ReEncrypt
5517// API call, and error handling.
5518//
5519// This method is useful when you want to inject custom logic or configuration
5520// into the SDK's request lifecycle. Such as custom headers, or retry logic.
5521//
5522//
5523//    // Example sending a request using the ReEncryptRequest method.
5524//    req, resp := client.ReEncryptRequest(params)
5525//
5526//    err := req.Send()
5527//    if err == nil { // resp is now filled
5528//        fmt.Println(resp)
5529//    }
5530//
5531// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncrypt
func (c *KMS) ReEncryptRequest(input *ReEncryptInput) (req *request.Request, output *ReEncryptOutput) {
	// A nil input is replaced by an empty struct so newRequest never
	// receives a nil parameter value.
	if input == nil {
		input = &ReEncryptInput{}
	}
	output = &ReEncryptOutput{}

	// The operation is described as a POST to "/" named by opReEncrypt.
	// Nothing is sent here; the caller must invoke Send on the result.
	req = c.newRequest(&request.Operation{
		Name:       opReEncrypt,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	return req, output
}
5547
5548// ReEncrypt API operation for AWS Key Management Service.
5549//
5550// Decrypts ciphertext and then reencrypts it entirely within AWS KMS. You can
5551// use this operation to change the customer master key (CMK) under which data
5552// is encrypted, such as when you manually rotate (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually)
5553// a CMK or change the CMK that protects a ciphertext. You can also use it to
5554// reencrypt ciphertext under the same CMK, such as to change the encryption
5555// context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context)
5556// of a ciphertext.
5557//
5558// The ReEncrypt operation can decrypt ciphertext that was encrypted by using
5559// an AWS KMS CMK in an AWS KMS operation, such as Encrypt or GenerateDataKey.
5560// It can also decrypt ciphertext that was encrypted by using the public key
5561// of an asymmetric CMK (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks)
5562// outside of AWS KMS. However, it cannot decrypt ciphertext produced by other
5563// libraries, such as the AWS Encryption SDK (https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/)
5564// or Amazon S3 client-side encryption (https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html).
5565// These libraries return a ciphertext format that is incompatible with AWS
5566// KMS.
5567//
5568// When you use the ReEncrypt operation, you need to provide information for
5569// the decrypt operation and the subsequent encrypt operation.
5570//
5571//    * If your ciphertext was encrypted under an asymmetric CMK, you must use
5572//    the SourceKeyId parameter to identify the CMK that encrypted the ciphertext.
5573//    You must also supply the encryption algorithm that was used. This information
5574//    is required to decrypt the data.
5575//
5576//    * If your ciphertext was encrypted under a symmetric CMK, the SourceKeyId
5577//    parameter is optional. AWS KMS can get this information from metadata
5578//    that it adds to the symmetric ciphertext blob. This feature adds durability
5579//    to your implementation by ensuring that authorized users can decrypt ciphertext
5580//    decades after it was encrypted, even if they've lost track of the CMK
5581//    ID. However, specifying the source CMK is always recommended as a best
5582//    practice. When you use the SourceKeyId parameter to specify a CMK, AWS
5583//    KMS uses only the CMK you specify. If the ciphertext was encrypted under
5584//    a different CMK, the ReEncrypt operation fails. This practice ensures
5585//    that you use the CMK that you intend.
5586//
//    * To reencrypt the data, you must use the DestinationKeyId parameter to specify
//    the CMK that re-encrypts the data after it is decrypted. You can select
5589//    a symmetric or asymmetric CMK. If the destination CMK is an asymmetric
5590//    CMK, you must also provide the encryption algorithm. The algorithm that
5591//    you choose must be compatible with the CMK. When you use an asymmetric
5592//    CMK to encrypt or reencrypt data, be sure to record the CMK and encryption
5593//    algorithm that you choose. You will be required to provide the same CMK
5594//    and encryption algorithm when you decrypt the data. If the CMK and algorithm
5595//    do not match the values used to encrypt the data, the decrypt operation
5596//    fails. You are not required to supply the CMK ID and encryption algorithm
5597//    when you decrypt with symmetric CMKs because AWS KMS stores this information
5598//    in the ciphertext blob. AWS KMS cannot store metadata in ciphertext generated
5599//    with asymmetric keys. The standard format for asymmetric key ciphertext
5600//    does not include configurable fields.
5601//
5602// The CMK that you use for this operation must be in a compatible key state.
5603// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
5604// in the AWS Key Management Service Developer Guide.
5605//
5606// Cross-account use: Yes. The source CMK and destination CMK can be in different
5607// AWS accounts. Either or both CMKs can be in a different account than the
5608// caller.
5609//
5610// Required permissions:
5611//
5612//    * kms:ReEncryptFrom (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
5613//    permission on the source CMK (key policy)
5614//
5615//    * kms:ReEncryptTo (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
5616//    permission on the destination CMK (key policy)
5617//
5618// To permit reencryption from or to a CMK, include the "kms:ReEncrypt*" permission
5619// in your key policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html).
5620// This permission is automatically included in the key policy when you use
5621// the console to create a CMK. But you must include it manually when you create
5622// a CMK programmatically or when you use the PutKeyPolicy operation to set
5623// a key policy.
5624//
5625// Related operations:
5626//
5627//    * Decrypt
5628//
5629//    * Encrypt
5630//
5631//    * GenerateDataKey
5632//
5633//    * GenerateDataKeyPair
5634//
5635// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
5636// with awserr.Error's Code and Message methods to get detailed information about
5637// the error.
5638//
5639// See the AWS API reference guide for AWS Key Management Service's
5640// API operation ReEncrypt for usage and error information.
5641//
5642// Returned Error Types:
5643//   * NotFoundException
5644//   The request was rejected because the specified entity or resource could not
5645//   be found.
5646//
5647//   * DisabledException
5648//   The request was rejected because the specified CMK is not enabled.
5649//
5650//   * InvalidCiphertextException
5651//   From the Decrypt or ReEncrypt operation, the request was rejected because
5652//   the specified ciphertext, or additional authenticated data incorporated into
5653//   the ciphertext, such as the encryption context, is corrupted, missing, or
5654//   otherwise invalid.
5655//
5656//   From the ImportKeyMaterial operation, the request was rejected because AWS
5657//   KMS could not decrypt the encrypted (wrapped) key material.
5658//
5659//   * KeyUnavailableException
5660//   The request was rejected because the specified CMK was not available. You
5661//   can retry the request.
5662//
5663//   * IncorrectKeyException
5664//   The request was rejected because the specified CMK cannot decrypt the data.
5665//   The KeyId in a Decrypt request and the SourceKeyId in a ReEncrypt request
5666//   must identify the same CMK that was used to encrypt the ciphertext.
5667//
5668//   * DependencyTimeoutException
5669//   The system timed out while trying to fulfill the request. The request can
5670//   be retried.
5671//
5672//   * InvalidKeyUsageException
5673//   The request was rejected for one of the following reasons:
5674//
5675//      * The KeyUsage value of the CMK is incompatible with the API operation.
5676//
5677//      * The encryption algorithm or signing algorithm specified for the operation
5678//      is incompatible with the type of key material in the CMK (CustomerMasterKeySpec).
5679//
5680//   For encrypting, decrypting, re-encrypting, and generating data keys, the
5681//   KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage
5682//   must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation.
5683//
5684//   To find the encryption or signing algorithms supported for a particular CMK,
5685//   use the DescribeKey operation.
5686//
5687//   * InvalidGrantTokenException
5688//   The request was rejected because the specified grant token is not valid.
5689//
5690//   * InternalException
5691//   The request was rejected because an internal exception occurred. The request
5692//   can be retried.
5693//
5694//   * InvalidStateException
5695//   The request was rejected because the state of the specified resource is not
5696//   valid for this request.
5697//
5698//   For more information about how key state affects the use of a CMK, see How
5699//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
5700//   in the AWS Key Management Service Developer Guide .
5701//
5702// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncrypt
func (c *KMS) ReEncrypt(input *ReEncryptInput) (*ReEncryptOutput, error) {
	// Build and send in one step. As the doc comment notes, SourceKeyId is
	// optional for symmetric ciphertext but recommended: when it is set, KMS
	// uses only that CMK and the call fails if the ciphertext was encrypted
	// under a different one.
	r, result := c.ReEncryptRequest(input)
	err := r.Send()
	return result, err
}
5707
5708// ReEncryptWithContext is the same as ReEncrypt with the addition of
5709// the ability to pass a context and additional request options.
5710//
5711// See ReEncrypt for details on how to use this API operation.
5712//
5713// The context must be non-nil and will be used for request cancellation. If
5714// the context is nil a panic will occur. In the future the SDK may create
5715// sub-contexts for http.Requests. See https://golang.org/pkg/context/
5716// for more information on using Contexts.
func (c *KMS) ReEncryptWithContext(ctx aws.Context, input *ReEncryptInput, opts ...request.Option) (*ReEncryptOutput, error) {
	r, result := c.ReEncryptRequest(input)

	// ctx must be non-nil: per the doc comment a nil context panics.
	// Context first, then the caller's request options, then Send.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)

	err := r.Send()
	return result, err
}
5723
// opReplicateKey is the operation name that ReplicateKeyRequest places in
// request.Operation.Name.
const (
	opReplicateKey = "ReplicateKey"
)
5725
5726// ReplicateKeyRequest generates a "aws/request.Request" representing the
5727// client's request for the ReplicateKey operation. The "output" return
5728// value will be populated with the request's response once the request completes
5729// successfully.
5730//
5731// Use "Send" method on the returned Request to send the API call to the service.
5732// the "output" return value is not valid until after Send returns without error.
5733//
5734// See ReplicateKey for more information on using the ReplicateKey
5735// API call, and error handling.
5736//
5737// This method is useful when you want to inject custom logic or configuration
5738// into the SDK's request lifecycle. Such as custom headers, or retry logic.
5739//
5740//
5741//    // Example sending a request using the ReplicateKeyRequest method.
5742//    req, resp := client.ReplicateKeyRequest(params)
5743//
5744//    err := req.Send()
5745//    if err == nil { // resp is now filled
5746//        fmt.Println(resp)
5747//    }
5748//
5749// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReplicateKey
func (c *KMS) ReplicateKeyRequest(input *ReplicateKeyInput) (req *request.Request, output *ReplicateKeyOutput) {
	// A nil input is replaced by an empty struct so newRequest never
	// receives a nil parameter value.
	if input == nil {
		input = &ReplicateKeyInput{}
	}
	output = &ReplicateKeyOutput{}

	// The operation is described as a POST to "/" named by opReplicateKey.
	// Nothing is sent here; the caller must invoke Send on the result.
	req = c.newRequest(&request.Operation{
		Name:       opReplicateKey,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	return req, output
}
5765
5766// ReplicateKey API operation for AWS Key Management Service.
5767//
5768// Replicates a multi-Region key into the specified Region. This operation creates
5769// a multi-Region replica key based on a multi-Region primary key in a different
5770// Region of the same AWS partition. You can create multiple replicas of a primary
5771// key, but each must be in a different Region. To create a multi-Region primary
5772// key, use the CreateKey operation.
5773//
5774// This operation supports multi-Region keys, an AWS KMS feature that lets you
5775// create multiple interoperable CMKs in different AWS Regions. Because these
5776// CMKs have the same key ID, key material, and other metadata, you can use
5777// them to encrypt data in one AWS Region and decrypt it in a different AWS
5778// Region without making a cross-Region call or exposing the plaintext data.
5779// For more information about multi-Region keys, see Using multi-Region keys
5780// (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html)
5781// in the AWS Key Management Service Developer Guide.
5782//
5783// A replica key is a fully-functional CMK that can be used independently of
5784// its primary and peer replica keys. A primary key and its replica keys share
5785// properties that make them interoperable. They have the same key ID (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-id)
5786// and key material. They also have the same key spec (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-spec),
5787// key usage (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-usage),
5788// key material origin (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-origin),
5789// and automatic key rotation status (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html).
5790// AWS KMS automatically synchronizes these shared properties among related
5791// multi-Region keys. All other properties of a replica key can differ, including
5792// its key policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html),
5793// tags (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html),
5794// aliases (https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html),
5795// and key state (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html).
5796// AWS KMS pricing and quotas for CMKs apply to each primary key and replica
5797// key.
5798//
5799// When this operation completes, the new replica key has a transient key state
5800// of Creating. This key state changes to Enabled (or PendingImport) after a
5801// few seconds when the process of creating the new replica key is complete.
// While the key state is Creating, you can manage the key, but you cannot yet use
5803// it in cryptographic operations. If you are creating and using the replica
5804// key programmatically, retry on KMSInvalidStateException or call DescribeKey
5805// to check its KeyState value before using it. For details about the Creating
// key state, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
5807// in the AWS Key Management Service Developer Guide.
5808//
5809// The AWS CloudTrail log of a ReplicateKey operation records a ReplicateKey
5810// operation in the primary key's Region and a CreateKey operation in the replica
5811// key's Region.
5812//
5813// If you replicate a multi-Region primary key with imported key material, the
5814// replica key is created with no key material. You must import the same key
5815// material that you imported into the primary key. For details, see Importing
// key material into multi-Region keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-import.html)
5817// in the AWS Key Management Service Developer Guide.
5818//
5819// To convert a replica key to a primary key, use the UpdatePrimaryRegion operation.
5820//
5821// ReplicateKey uses different default values for the KeyPolicy and Tags parameters
5822// than those used in the AWS KMS console. For details, see the parameter descriptions.
5823//
5824// Cross-account use: No. You cannot use this operation to create a CMK in a
5825// different AWS account.
5826//
5827// Required permissions:
5828//
5829//    * kms:ReplicateKey on the primary CMK (in the primary CMK's Region). Include
5830//    this permission in the primary CMK's key policy.
5831//
5832//    * kms:CreateKey in an IAM policy in the replica Region.
5833//
5834//    * To use the Tags parameter, kms:TagResource in an IAM policy in the replica
5835//    Region.
5836//
// Related operations:
5838//
5839//    * CreateKey
5840//
5841//    * UpdatePrimaryRegion
5842//
5843// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
5844// with awserr.Error's Code and Message methods to get detailed information about
5845// the error.
5846//
5847// See the AWS API reference guide for AWS Key Management Service's
5848// API operation ReplicateKey for usage and error information.
5849//
5850// Returned Error Types:
5851//   * AlreadyExistsException
5852//   The request was rejected because it attempted to create a resource that already
5853//   exists.
5854//
5855//   * DisabledException
5856//   The request was rejected because the specified CMK is not enabled.
5857//
5858//   * InvalidArnException
5859//   The request was rejected because a specified ARN, or an ARN in a key policy,
5860//   is not valid.
5861//
5862//   * InvalidStateException
5863//   The request was rejected because the state of the specified resource is not
5864//   valid for this request.
5865//
5866//   For more information about how key state affects the use of a CMK, see How
5867//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
5868//   in the AWS Key Management Service Developer Guide .
5869//
5870//   * InternalException
5871//   The request was rejected because an internal exception occurred. The request
5872//   can be retried.
5873//
5874//   * LimitExceededException
5875//   The request was rejected because a quota was exceeded. For more information,
5876//   see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html)
5877//   in the AWS Key Management Service Developer Guide.
5878//
5879//   * MalformedPolicyDocumentException
5880//   The request was rejected because the specified policy is not syntactically
5881//   or semantically correct.
5882//
5883//   * NotFoundException
5884//   The request was rejected because the specified entity or resource could not
5885//   be found.
5886//
5887//   * TagException
5888//   The request was rejected because one or more tags are not valid.
5889//
5890//   * UnsupportedOperationException
5891//   The request was rejected because a specified parameter is not supported or
5892//   a specified resource is not valid for this operation.
5893//
5894// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReplicateKey
func (c *KMS) ReplicateKey(input *ReplicateKeyInput) (*ReplicateKeyOutput, error) {
	// Build and send in one step. Two points from the doc comment matter to
	// callers: the replica's key policy is not synchronized with the
	// primary's and its default differs from the console's, and the new key
	// starts in the transient Creating state, so check KeyState (or retry)
	// before using it in cryptographic operations.
	r, result := c.ReplicateKeyRequest(input)
	err := r.Send()
	return result, err
}
5899
5900// ReplicateKeyWithContext is the same as ReplicateKey with the addition of
5901// the ability to pass a context and additional request options.
5902//
5903// See ReplicateKey for details on how to use this API operation.
5904//
5905// The context must be non-nil and will be used for request cancellation. If
5906// the context is nil a panic will occur. In the future the SDK may create
5907// sub-contexts for http.Requests. See https://golang.org/pkg/context/
5908// for more information on using Contexts.
func (c *KMS) ReplicateKeyWithContext(ctx aws.Context, input *ReplicateKeyInput, opts ...request.Option) (*ReplicateKeyOutput, error) {
	r, result := c.ReplicateKeyRequest(input)

	// ctx must be non-nil: per the doc comment a nil context panics.
	// Context first, then the caller's request options, then Send.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)

	err := r.Send()
	return result, err
}
5915
// opRetireGrant is the operation name that RetireGrantRequest places in
// request.Operation.Name.
const (
	opRetireGrant = "RetireGrant"
)
5917
5918// RetireGrantRequest generates a "aws/request.Request" representing the
5919// client's request for the RetireGrant operation. The "output" return
5920// value will be populated with the request's response once the request completes
5921// successfully.
5922//
5923// Use "Send" method on the returned Request to send the API call to the service.
5924// the "output" return value is not valid until after Send returns without error.
5925//
5926// See RetireGrant for more information on using the RetireGrant
5927// API call, and error handling.
5928//
5929// This method is useful when you want to inject custom logic or configuration
5930// into the SDK's request lifecycle. Such as custom headers, or retry logic.
5931//
5932//
5933//    // Example sending a request using the RetireGrantRequest method.
5934//    req, resp := client.RetireGrantRequest(params)
5935//
5936//    err := req.Send()
5937//    if err == nil { // resp is now filled
5938//        fmt.Println(resp)
5939//    }
5940//
5941// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RetireGrant
func (c *KMS) RetireGrantRequest(input *RetireGrantInput) (req *request.Request, output *RetireGrantOutput) {
	// A nil input is replaced by an empty struct so newRequest never
	// receives a nil parameter value.
	if input == nil {
		input = &RetireGrantInput{}
	}
	output = &RetireGrantOutput{}

	// The operation is described as a POST to "/" named by opRetireGrant.
	// Nothing is sent here; the caller must invoke Send on the result.
	req = c.newRequest(&request.Operation{
		Name:       opRetireGrant,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)

	// Replace the handler registered under the JSON-RPC unmarshal handler's
	// name with the discard-body handler.
	// NOTE(review): presumably the response body is then dropped and output
	// stays empty, leaving a nil error from Send as the only success signal.
	// Confirm against protocol.UnmarshalDiscardBodyHandler.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}
5958
5959// RetireGrant API operation for AWS Key Management Service.
5960//
5961// Deletes a grant. Typically, you retire a grant when you no longer need its
5962// permissions. To identify the grant to retire, use a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token),
5963// or both the grant ID and a key identifier (key ID or key ARN) of the customer
5964// master key (CMK). The CreateGrant operation returns both values.
5965//
5966// This operation can be called by the retiring principal for a grant, by the
5967// grantee principal if the grant allows the RetireGrant operation, and by the
5968// AWS account (root user) in which the grant is created. It can also be called
5969// by principals to whom permission for retiring a grant is delegated. For details,
5970// see Retiring and revoking grants (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete)
5971// in the AWS Key Management Service Developer Guide.
5972//
5973// For detailed information about grants, including grant terminology, see Using
5974// grants (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html)
5975// in the AWS Key Management Service Developer Guide . For examples of working
5976// with grants in several programming languages, see Programming grants (https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html).
5977//
5978// Cross-account use: Yes. You can retire a grant on a CMK in a different AWS
5979// account.
5980//
// Required permissions: Permission to retire a grant is determined primarily
5982// by the grant. For details, see Retiring and revoking grants (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete)
5983// in the AWS Key Management Service Developer Guide.
5984//
5985// Related operations:
5986//
5987//    * CreateGrant
5988//
5989//    * ListGrants
5990//
5991//    * ListRetirableGrants
5992//
5993//    * RevokeGrant
5994//
5995// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
5996// with awserr.Error's Code and Message methods to get detailed information about
5997// the error.
5998//
5999// See the AWS API reference guide for AWS Key Management Service's
6000// API operation RetireGrant for usage and error information.
6001//
6002// Returned Error Types:
6003//   * InvalidArnException
6004//   The request was rejected because a specified ARN, or an ARN in a key policy,
6005//   is not valid.
6006//
6007//   * InvalidGrantTokenException
6008//   The request was rejected because the specified grant token is not valid.
6009//
6010//   * InvalidGrantIdException
6011//   The request was rejected because the specified GrantId is not valid.
6012//
6013//   * NotFoundException
6014//   The request was rejected because the specified entity or resource could not
6015//   be found.
6016//
6017//   * DependencyTimeoutException
6018//   The system timed out while trying to fulfill the request. The request can
6019//   be retried.
6020//
6021//   * InternalException
6022//   The request was rejected because an internal exception occurred. The request
6023//   can be retried.
6024//
6025//   * InvalidStateException
6026//   The request was rejected because the state of the specified resource is not
6027//   valid for this request.
6028//
6029//   For more information about how key state affects the use of a CMK, see How
6030//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
6031//   in the AWS Key Management Service Developer Guide .
6032//
6033// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RetireGrant
func (c *KMS) RetireGrant(input *RetireGrantInput) (*RetireGrantOutput, error) {
	// Build the request/output pair with RetireGrantRequest, send it, and
	// hand back the output pointer together with whatever error Send reports.
	r, result := c.RetireGrantRequest(input)
	err := r.Send()
	return result, err
}
6038
6039// RetireGrantWithContext is the same as RetireGrant with the addition of
6040// the ability to pass a context and additional request options.
6041//
6042// See RetireGrant for details on how to use this API operation.
6043//
6044// The context must be non-nil and will be used for request cancellation. If
6045// the context is nil a panic will occur. In the future the SDK may create
6046// sub-contexts for http.Requests. See https://golang.org/pkg/context/
6047// for more information on using Contexts.
func (c *KMS) RetireGrantWithContext(ctx aws.Context, input *RetireGrantInput, opts ...request.Option) (*RetireGrantOutput, error) {
	r, result := c.RetireGrantRequest(input)

	// ctx must be non-nil: per the doc comment a nil context panics.
	// Context first, then the caller's request options, then Send.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)

	err := r.Send()
	return result, err
}
6054
// opRevokeGrant is the operation name that RevokeGrantRequest places in
// request.Operation.Name.
const (
	opRevokeGrant = "RevokeGrant"
)
6056
6057// RevokeGrantRequest generates a "aws/request.Request" representing the
6058// client's request for the RevokeGrant operation. The "output" return
6059// value will be populated with the request's response once the request completes
6060// successfully.
6061//
6062// Use "Send" method on the returned Request to send the API call to the service.
6063// the "output" return value is not valid until after Send returns without error.
6064//
6065// See RevokeGrant for more information on using the RevokeGrant
6066// API call, and error handling.
6067//
6068// This method is useful when you want to inject custom logic or configuration
6069// into the SDK's request lifecycle. Such as custom headers, or retry logic.
6070//
6071//
6072//    // Example sending a request using the RevokeGrantRequest method.
6073//    req, resp := client.RevokeGrantRequest(params)
6074//
6075//    err := req.Send()
6076//    if err == nil { // resp is now filled
6077//        fmt.Println(resp)
6078//    }
6079//
6080// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RevokeGrant
func (c *KMS) RevokeGrantRequest(input *RevokeGrantInput) (req *request.Request, output *RevokeGrantOutput) {
	// A nil input is replaced by an empty struct so newRequest never
	// receives a nil parameter value.
	if input == nil {
		input = &RevokeGrantInput{}
	}
	output = &RevokeGrantOutput{}

	// The operation is described as a POST to "/" named by opRevokeGrant.
	// Nothing is sent here; the caller must invoke Send on the result.
	req = c.newRequest(&request.Operation{
		Name:       opRevokeGrant,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)

	// Replace the handler registered under the JSON-RPC unmarshal handler's
	// name with the discard-body handler.
	// NOTE(review): presumably the response body is then dropped and output
	// stays empty, leaving a nil error from Send as the only success signal.
	// Confirm against protocol.UnmarshalDiscardBodyHandler.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}
6097
6098// RevokeGrant API operation for AWS Key Management Service.
6099//
6100// Deletes the specified grant. You revoke a grant to terminate the permissions
6101// that the grant allows. For more information, see Retiring and revoking grants
6102// (https://docs.aws.amazon.com/kms/latest/developerguide/managing-grants.html#grant-delete)
6103// in the AWS Key Management Service Developer Guide .
6104//
// When you create, retire, or revoke a grant, there might be a brief delay,
// usually less than five minutes, until the grant is available throughout AWS
// KMS. This state is known as eventual consistency. For a revoked grant, this
// means that requests relying on it might still succeed during that window, so
// allow for the delay when you revoke access. For details, see Eventual
// consistency (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-eventual-consistency)
// in the AWS Key Management Service Developer Guide.
6110//
6111// Cross-account use: Yes. To perform this operation on a CMK in a different
6112// AWS account, specify the key ARN in the value of the KeyId parameter.
6113//
6114// Required permissions: kms:RevokeGrant (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
6115// (key policy).
6116//
6117// Related operations:
6118//
6119//    * CreateGrant
6120//
6121//    * ListGrants
6122//
6123//    * ListRetirableGrants
6124//
6125//    * RetireGrant
6126//
6127// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
6128// with awserr.Error's Code and Message methods to get detailed information about
6129// the error.
6130//
6131// See the AWS API reference guide for AWS Key Management Service's
6132// API operation RevokeGrant for usage and error information.
6133//
6134// Returned Error Types:
6135//   * NotFoundException
6136//   The request was rejected because the specified entity or resource could not
6137//   be found.
6138//
6139//   * DependencyTimeoutException
6140//   The system timed out while trying to fulfill the request. The request can
6141//   be retried.
6142//
6143//   * InvalidArnException
6144//   The request was rejected because a specified ARN, or an ARN in a key policy,
6145//   is not valid.
6146//
6147//   * InvalidGrantIdException
6148//   The request was rejected because the specified GrantId is not valid.
6149//
6150//   * InternalException
6151//   The request was rejected because an internal exception occurred. The request
6152//   can be retried.
6153//
6154//   * InvalidStateException
6155//   The request was rejected because the state of the specified resource is not
6156//   valid for this request.
6157//
6158//   For more information about how key state affects the use of a CMK, see How
6159//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
6160//   in the AWS Key Management Service Developer Guide .
6161//
6162// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RevokeGrant
func (c *KMS) RevokeGrant(input *RevokeGrantInput) (*RevokeGrantOutput, error) {
	// Build and send in one step. The doc comment describes grant changes as
	// eventually consistent (usually under five minutes), so a nil error
	// means the request was accepted, not that the change has already
	// reached every part of KMS.
	r, result := c.RevokeGrantRequest(input)
	err := r.Send()
	return result, err
}
6167
6168// RevokeGrantWithContext is the same as RevokeGrant with the addition of
6169// the ability to pass a context and additional request options.
6170//
6171// See RevokeGrant for details on how to use this API operation.
6172//
6173// The context must be non-nil and will be used for request cancellation. If
6174// the context is nil a panic will occur. In the future the SDK may create
6175// sub-contexts for http.Requests. See https://golang.org/pkg/context/
6176// for more information on using Contexts.
func (c *KMS) RevokeGrantWithContext(ctx aws.Context, input *RevokeGrantInput, opts ...request.Option) (*RevokeGrantOutput, error) {
	r, resp := c.RevokeGrantRequest(input)

	// The context is attached before the options are applied and before the
	// request is sent; the doc comment above states a nil ctx panics.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)

	err := r.Send()
	return resp, err
}
6183
// opScheduleKeyDeletion is the operation name that ScheduleKeyDeletionRequest
// sets as request.Operation.Name.
const opScheduleKeyDeletion = "ScheduleKeyDeletion"
6185
6186// ScheduleKeyDeletionRequest generates a "aws/request.Request" representing the
6187// client's request for the ScheduleKeyDeletion operation. The "output" return
6188// value will be populated with the request's response once the request completes
6189// successfully.
6190//
6191// Use "Send" method on the returned Request to send the API call to the service.
6192// the "output" return value is not valid until after Send returns without error.
6193//
6194// See ScheduleKeyDeletion for more information on using the ScheduleKeyDeletion
6195// API call, and error handling.
6196//
6197// This method is useful when you want to inject custom logic or configuration
6198// into the SDK's request lifecycle. Such as custom headers, or retry logic.
6199//
6200//
6201//    // Example sending a request using the ScheduleKeyDeletionRequest method.
6202//    req, resp := client.ScheduleKeyDeletionRequest(params)
6203//
6204//    err := req.Send()
6205//    if err == nil { // resp is now filled
6206//        fmt.Println(resp)
6207//    }
6208//
6209// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ScheduleKeyDeletion
func (c *KMS) ScheduleKeyDeletionRequest(input *ScheduleKeyDeletionInput) (req *request.Request, output *ScheduleKeyDeletionOutput) {
	// A nil input is replaced by an empty value so a request is always built.
	if input == nil {
		input = &ScheduleKeyDeletionInput{}
	}

	operation := &request.Operation{
		Name:       opScheduleKeyDeletion,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}

	// Nothing is sent here; the caller triggers the call with req.Send().
	output = &ScheduleKeyDeletionOutput{}
	req = c.newRequest(operation, input, output)
	return req, output
}
6225
6226// ScheduleKeyDeletion API operation for AWS Key Management Service.
6227//
6228// Schedules the deletion of a customer master key (CMK). By default, AWS KMS
6229// applies a waiting period of 30 days, but you can specify a waiting period
6230// of 7-30 days. When this operation is successful, the key state of the CMK
6231// changes to PendingDeletion and the key can't be used in any cryptographic
6232// operations. It remains in this state for the duration of the waiting period.
6233// Before the waiting period ends, you can use CancelKeyDeletion to cancel the
6234// deletion of the CMK. After the waiting period ends, AWS KMS deletes the CMK,
6235// its key material, and all AWS KMS data associated with it, including all
6236// aliases that refer to it.
6237//
6238// Deleting a CMK is a destructive and potentially dangerous operation. When
6239// a CMK is deleted, all data that was encrypted under the CMK is unrecoverable.
6240// (The only exception is a multi-Region replica key.) To prevent the use of
6241// a CMK without deleting it, use DisableKey.
6242//
6243// If you schedule deletion of a CMK from a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html),
6244// when the waiting period expires, ScheduleKeyDeletion deletes the CMK from
6245// AWS KMS. Then AWS KMS makes a best effort to delete the key material from
6246// the associated AWS CloudHSM cluster. However, you might need to manually
6247// delete the orphaned key material (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key)
6248// from the cluster and its backups.
6249//
6250// You can schedule the deletion of a multi-Region primary key and its replica
6251// keys at any time. However, AWS KMS will not delete a multi-Region primary
6252// key with existing replica keys. If you schedule the deletion of a primary
6253// key with replicas, its key state changes to PendingReplicaDeletion and it
6254// cannot be replicated or used in cryptographic operations. This status can
// continue indefinitely. When the last of its replica keys is deleted (not
6256// just scheduled), the key state of the primary key changes to PendingDeletion
6257// and its waiting period (PendingWindowInDays) begins. For details, see Deleting
6258// multi-Region keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html)
6259// in the AWS Key Management Service Developer Guide.
6260//
6261// For more information about scheduling a CMK for deletion, see Deleting Customer
6262// Master Keys (https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html)
6263// in the AWS Key Management Service Developer Guide.
6264//
6265// The CMK that you use for this operation must be in a compatible key state.
6266// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
6267// in the AWS Key Management Service Developer Guide.
6268//
6269// Cross-account use: No. You cannot perform this operation on a CMK in a different
6270// AWS account.
6271//
6272// Required permissions: kms:ScheduleKeyDeletion (key policy)
6273//
6274// Related operations
6275//
6276//    * CancelKeyDeletion
6277//
6278//    * DisableKey
6279//
6280// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
6281// with awserr.Error's Code and Message methods to get detailed information about
6282// the error.
6283//
6284// See the AWS API reference guide for AWS Key Management Service's
6285// API operation ScheduleKeyDeletion for usage and error information.
6286//
6287// Returned Error Types:
6288//   * NotFoundException
6289//   The request was rejected because the specified entity or resource could not
6290//   be found.
6291//
6292//   * InvalidArnException
6293//   The request was rejected because a specified ARN, or an ARN in a key policy,
6294//   is not valid.
6295//
6296//   * DependencyTimeoutException
6297//   The system timed out while trying to fulfill the request. The request can
6298//   be retried.
6299//
6300//   * InternalException
6301//   The request was rejected because an internal exception occurred. The request
6302//   can be retried.
6303//
6304//   * InvalidStateException
6305//   The request was rejected because the state of the specified resource is not
6306//   valid for this request.
6307//
6308//   For more information about how key state affects the use of a CMK, see How
6309//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
6311//
6312// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ScheduleKeyDeletion
func (c *KMS) ScheduleKeyDeletion(input *ScheduleKeyDeletionInput) (*ScheduleKeyDeletionOutput, error) {
	// Per the doc comment above, deletion is destructive once the waiting
	// period ends, and DisableKey is the alternative that keeps the key.
	// This wrapper adds no confirmation step of its own: it builds the
	// request and sends it.
	r, resp := c.ScheduleKeyDeletionRequest(input)
	err := r.Send()
	return resp, err
}
6317
6318// ScheduleKeyDeletionWithContext is the same as ScheduleKeyDeletion with the addition of
6319// the ability to pass a context and additional request options.
6320//
6321// See ScheduleKeyDeletion for details on how to use this API operation.
6322//
6323// The context must be non-nil and will be used for request cancellation. If
6324// the context is nil a panic will occur. In the future the SDK may create
6325// sub-contexts for http.Requests. See https://golang.org/pkg/context/
6326// for more information on using Contexts.
func (c *KMS) ScheduleKeyDeletionWithContext(ctx aws.Context, input *ScheduleKeyDeletionInput, opts ...request.Option) (*ScheduleKeyDeletionOutput, error) {
	r, resp := c.ScheduleKeyDeletionRequest(input)

	// The context is attached before the options are applied and before the
	// request is sent; the doc comment above states a nil ctx panics.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)

	err := r.Send()
	return resp, err
}
6333
// opSign is the operation name that SignRequest sets as
// request.Operation.Name.
const opSign = "Sign"
6335
6336// SignRequest generates a "aws/request.Request" representing the
6337// client's request for the Sign operation. The "output" return
6338// value will be populated with the request's response once the request completes
6339// successfully.
6340//
6341// Use "Send" method on the returned Request to send the API call to the service.
6342// the "output" return value is not valid until after Send returns without error.
6343//
6344// See Sign for more information on using the Sign
6345// API call, and error handling.
6346//
6347// This method is useful when you want to inject custom logic or configuration
6348// into the SDK's request lifecycle. Such as custom headers, or retry logic.
6349//
6350//
6351//    // Example sending a request using the SignRequest method.
6352//    req, resp := client.SignRequest(params)
6353//
6354//    err := req.Send()
6355//    if err == nil { // resp is now filled
6356//        fmt.Println(resp)
6357//    }
6358//
6359// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Sign
func (c *KMS) SignRequest(input *SignInput) (req *request.Request, output *SignOutput) {
	// A nil input is replaced by an empty value so a request is always built.
	if input == nil {
		input = &SignInput{}
	}

	operation := &request.Operation{
		Name:       opSign,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}

	// Nothing is sent here; the caller triggers the call with req.Send().
	output = &SignOutput{}
	req = c.newRequest(operation, input, output)
	return req, output
}
6375
6376// Sign API operation for AWS Key Management Service.
6377//
6378// Creates a digital signature (https://en.wikipedia.org/wiki/Digital_signature)
6379// for a message or message digest by using the private key in an asymmetric
6380// CMK. To verify the signature, use the Verify operation, or use the public
6381// key in the same asymmetric CMK outside of AWS KMS. For information about
6382// symmetric and asymmetric CMKs, see Using Symmetric and Asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html)
6383// in the AWS Key Management Service Developer Guide.
6384//
// Digital signatures are generated and verified by using an asymmetric key pair,
6386// such as an RSA or ECC pair that is represented by an asymmetric customer
6387// master key (CMK). The key owner (or an authorized user) uses their private
6388// key to sign a message. Anyone with the public key can verify that the message
6389// was signed with that particular private key and that the message hasn't changed
6390// since it was signed.
6391//
6392// To use the Sign operation, provide the following information:
6393//
6394//    * Use the KeyId parameter to identify an asymmetric CMK with a KeyUsage
6395//    value of SIGN_VERIFY. To get the KeyUsage value of a CMK, use the DescribeKey
6396//    operation. The caller must have kms:Sign permission on the CMK.
6397//
6398//    * Use the Message parameter to specify the message or message digest to
6399//    sign. You can submit messages of up to 4096 bytes. To sign a larger message,
6400//    generate a hash digest of the message, and then provide the hash digest
6401//    in the Message parameter. To indicate whether the message is a full message
6402//    or a digest, use the MessageType parameter.
6403//
6404//    * Choose a signing algorithm that is compatible with the CMK.
6405//
6406// When signing a message, be sure to record the CMK and the signing algorithm.
6407// This information is required to verify the signature.
6408//
6409// To verify the signature that this operation generates, use the Verify operation.
6410// Or use the GetPublicKey operation to download the public key and then use
6411// the public key to verify the signature outside of AWS KMS.
6412//
6413// The CMK that you use for this operation must be in a compatible key state.
6414// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
6415// in the AWS Key Management Service Developer Guide.
6416//
6417// Cross-account use: Yes. To perform this operation with a CMK in a different
6418// AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter.
6419//
6420// Required permissions: kms:Sign (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
6421// (key policy)
6422//
6423// Related operations: Verify
6424//
6425// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
6426// with awserr.Error's Code and Message methods to get detailed information about
6427// the error.
6428//
6429// See the AWS API reference guide for AWS Key Management Service's
6430// API operation Sign for usage and error information.
6431//
6432// Returned Error Types:
6433//   * NotFoundException
6434//   The request was rejected because the specified entity or resource could not
6435//   be found.
6436//
6437//   * DisabledException
6438//   The request was rejected because the specified CMK is not enabled.
6439//
6440//   * KeyUnavailableException
6441//   The request was rejected because the specified CMK was not available. You
6442//   can retry the request.
6443//
6444//   * DependencyTimeoutException
6445//   The system timed out while trying to fulfill the request. The request can
6446//   be retried.
6447//
6448//   * InvalidKeyUsageException
6449//   The request was rejected for one of the following reasons:
6450//
6451//      * The KeyUsage value of the CMK is incompatible with the API operation.
6452//
6453//      * The encryption algorithm or signing algorithm specified for the operation
6454//      is incompatible with the type of key material in the CMK (CustomerMasterKeySpec).
6455//
6456//   For encrypting, decrypting, re-encrypting, and generating data keys, the
6457//   KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage
6458//   must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation.
6459//
6460//   To find the encryption or signing algorithms supported for a particular CMK,
6461//   use the DescribeKey operation.
6462//
6463//   * InvalidGrantTokenException
6464//   The request was rejected because the specified grant token is not valid.
6465//
6466//   * InternalException
6467//   The request was rejected because an internal exception occurred. The request
6468//   can be retried.
6469//
6470//   * InvalidStateException
6471//   The request was rejected because the state of the specified resource is not
6472//   valid for this request.
6473//
6474//   For more information about how key state affects the use of a CMK, see How
6475//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
6477//
6478// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Sign
func (c *KMS) Sign(input *SignInput) (*SignOutput, error) {
	// Build the request and send it synchronously. The output pointer is
	// returned even when Send fails, so callers must check the error before
	// using any signature field.
	r, resp := c.SignRequest(input)
	err := r.Send()
	return resp, err
}
6483
6484// SignWithContext is the same as Sign with the addition of
6485// the ability to pass a context and additional request options.
6486//
6487// See Sign for details on how to use this API operation.
6488//
6489// The context must be non-nil and will be used for request cancellation. If
6490// the context is nil a panic will occur. In the future the SDK may create
6491// sub-contexts for http.Requests. See https://golang.org/pkg/context/
6492// for more information on using Contexts.
func (c *KMS) SignWithContext(ctx aws.Context, input *SignInput, opts ...request.Option) (*SignOutput, error) {
	r, resp := c.SignRequest(input)

	// The context is attached before the options are applied and before the
	// request is sent; the doc comment above states a nil ctx panics.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)

	err := r.Send()
	return resp, err
}
6499
// opTagResource is the operation name that TagResourceRequest sets as
// request.Operation.Name.
const opTagResource = "TagResource"
6501
6502// TagResourceRequest generates a "aws/request.Request" representing the
6503// client's request for the TagResource operation. The "output" return
6504// value will be populated with the request's response once the request completes
6505// successfully.
6506//
6507// Use "Send" method on the returned Request to send the API call to the service.
6508// the "output" return value is not valid until after Send returns without error.
6509//
6510// See TagResource for more information on using the TagResource
6511// API call, and error handling.
6512//
6513// This method is useful when you want to inject custom logic or configuration
6514// into the SDK's request lifecycle. Such as custom headers, or retry logic.
6515//
6516//
6517//    // Example sending a request using the TagResourceRequest method.
6518//    req, resp := client.TagResourceRequest(params)
6519//
6520//    err := req.Send()
6521//    if err == nil { // resp is now filled
6522//        fmt.Println(resp)
6523//    }
6524//
6525// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/TagResource
func (c *KMS) TagResourceRequest(input *TagResourceInput) (req *request.Request, output *TagResourceOutput) {
	// A nil input is replaced by an empty value so a request is always built.
	if input == nil {
		input = &TagResourceInput{}
	}

	operation := &request.Operation{
		Name:       opTagResource,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}

	output = &TagResourceOutput{}
	req = c.newRequest(operation, input, output)

	// Swap the handler registered under the JSON-RPC unmarshal handler's name
	// for protocol.UnmarshalDiscardBodyHandler (presumably because the
	// operation has no response payload to decode; confirm against the API
	// model).
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}
6542
6543// TagResource API operation for AWS Key Management Service.
6544//
6545// Adds or edits tags on a customer managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk).
6546//
6547// Tagging or untagging a CMK can allow or deny permission to the CMK. For details,
6548// see Using ABAC in AWS KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html)
6549// in the AWS Key Management Service Developer Guide.
6550//
6551// Each tag consists of a tag key and a tag value, both of which are case-sensitive
6552// strings. The tag value can be an empty (null) string. To add a tag, specify
6553// a new tag key and a tag value. To edit a tag, specify an existing tag key
6554// and a new tag value.
6555//
6556// You can use this operation to tag a customer managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk),
6557// but you cannot tag an AWS managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk),
6558// an AWS owned CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk),
6559// a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#keystore-concept),
6560// or an alias (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#alias-concept).
6561//
6562// You can also add tags to a CMK while creating it (CreateKey) or replicating
6563// it (ReplicateKey).
6564//
6565// For information about using tags in AWS KMS, see Tagging keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html).
6566// For general information about tags, including the format and syntax, see
6567// Tagging AWS resources (https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html)
6568// in the Amazon Web Services General Reference.
6569//
6570// The CMK that you use for this operation must be in a compatible key state.
6571// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
6572// in the AWS Key Management Service Developer Guide.
6573//
6574// Cross-account use: No. You cannot perform this operation on a CMK in a different
6575// AWS account.
6576//
6577// Required permissions: kms:TagResource (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
6578// (key policy)
6579//
6580// Related operations
6581//
6582//    * CreateKey
6583//
6584//    * ListResourceTags
6585//
6586//    * ReplicateKey
6587//
6588//    * UntagResource
6589//
6590// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
6591// with awserr.Error's Code and Message methods to get detailed information about
6592// the error.
6593//
6594// See the AWS API reference guide for AWS Key Management Service's
6595// API operation TagResource for usage and error information.
6596//
6597// Returned Error Types:
6598//   * InternalException
6599//   The request was rejected because an internal exception occurred. The request
6600//   can be retried.
6601//
6602//   * NotFoundException
6603//   The request was rejected because the specified entity or resource could not
6604//   be found.
6605//
6606//   * InvalidArnException
6607//   The request was rejected because a specified ARN, or an ARN in a key policy,
6608//   is not valid.
6609//
6610//   * InvalidStateException
6611//   The request was rejected because the state of the specified resource is not
6612//   valid for this request.
6613//
6614//   For more information about how key state affects the use of a CMK, see How
6615//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
6617//
6618//   * LimitExceededException
6619//   The request was rejected because a quota was exceeded. For more information,
6620//   see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html)
6621//   in the AWS Key Management Service Developer Guide.
6622//
6623//   * TagException
6624//   The request was rejected because one or more tags are not valid.
6625//
6626// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/TagResource
func (c *KMS) TagResource(input *TagResourceInput) (*TagResourceOutput, error) {
	// Per the doc comment above, tagging a CMK can allow or deny permission
	// to it (ABAC), so a tag change may also be an access-control change.
	r, resp := c.TagResourceRequest(input)
	err := r.Send()
	return resp, err
}
6631
6632// TagResourceWithContext is the same as TagResource with the addition of
6633// the ability to pass a context and additional request options.
6634//
6635// See TagResource for details on how to use this API operation.
6636//
6637// The context must be non-nil and will be used for request cancellation. If
6638// the context is nil a panic will occur. In the future the SDK may create
6639// sub-contexts for http.Requests. See https://golang.org/pkg/context/
6640// for more information on using Contexts.
func (c *KMS) TagResourceWithContext(ctx aws.Context, input *TagResourceInput, opts ...request.Option) (*TagResourceOutput, error) {
	r, resp := c.TagResourceRequest(input)

	// The context is attached before the options are applied and before the
	// request is sent; the doc comment above states a nil ctx panics.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)

	err := r.Send()
	return resp, err
}
6647
// opUntagResource is the operation name that UntagResourceRequest sets as
// request.Operation.Name.
const opUntagResource = "UntagResource"
6649
6650// UntagResourceRequest generates a "aws/request.Request" representing the
6651// client's request for the UntagResource operation. The "output" return
6652// value will be populated with the request's response once the request completes
6653// successfully.
6654//
6655// Use "Send" method on the returned Request to send the API call to the service.
6656// the "output" return value is not valid until after Send returns without error.
6657//
6658// See UntagResource for more information on using the UntagResource
6659// API call, and error handling.
6660//
6661// This method is useful when you want to inject custom logic or configuration
6662// into the SDK's request lifecycle. Such as custom headers, or retry logic.
6663//
6664//
6665//    // Example sending a request using the UntagResourceRequest method.
6666//    req, resp := client.UntagResourceRequest(params)
6667//
6668//    err := req.Send()
6669//    if err == nil { // resp is now filled
6670//        fmt.Println(resp)
6671//    }
6672//
6673// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UntagResource
func (c *KMS) UntagResourceRequest(input *UntagResourceInput) (req *request.Request, output *UntagResourceOutput) {
	// A nil input is replaced by an empty value so a request is always built.
	if input == nil {
		input = &UntagResourceInput{}
	}

	operation := &request.Operation{
		Name:       opUntagResource,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}

	output = &UntagResourceOutput{}
	req = c.newRequest(operation, input, output)

	// Swap the handler registered under the JSON-RPC unmarshal handler's name
	// for protocol.UnmarshalDiscardBodyHandler; the UntagResource doc comment
	// notes that the operation returns no output on success.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}
6690
6691// UntagResource API operation for AWS Key Management Service.
6692//
6693// Deletes tags from a customer managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk).
6694// To delete a tag, specify the tag key and the CMK.
6695//
6696// Tagging or untagging a CMK can allow or deny permission to the CMK. For details,
6697// see Using ABAC in AWS KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html)
6698// in the AWS Key Management Service Developer Guide.
6699//
6700// When it succeeds, the UntagResource operation doesn't return any output.
6701// Also, if the specified tag key isn't found on the CMK, it doesn't throw an
6702// exception or return a response. To confirm that the operation worked, use
6703// the ListResourceTags operation.
6704//
6705// For information about using tags in AWS KMS, see Tagging keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html).
6706// For general information about tags, including the format and syntax, see
6707// Tagging AWS resources (https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html)
6708// in the Amazon Web Services General Reference.
6709//
6710// The CMK that you use for this operation must be in a compatible key state.
6711// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
6712// in the AWS Key Management Service Developer Guide.
6713//
6714// Cross-account use: No. You cannot perform this operation on a CMK in a different
6715// AWS account.
6716//
6717// Required permissions: kms:UntagResource (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
6718// (key policy)
6719//
6720// Related operations
6721//
6722//    * CreateKey
6723//
6724//    * ListResourceTags
6725//
6726//    * ReplicateKey
6727//
6728//    * TagResource
6729//
6730// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
6731// with awserr.Error's Code and Message methods to get detailed information about
6732// the error.
6733//
6734// See the AWS API reference guide for AWS Key Management Service's
6735// API operation UntagResource for usage and error information.
6736//
6737// Returned Error Types:
6738//   * InternalException
6739//   The request was rejected because an internal exception occurred. The request
6740//   can be retried.
6741//
6742//   * NotFoundException
6743//   The request was rejected because the specified entity or resource could not
6744//   be found.
6745//
6746//   * InvalidArnException
6747//   The request was rejected because a specified ARN, or an ARN in a key policy,
6748//   is not valid.
6749//
6750//   * InvalidStateException
6751//   The request was rejected because the state of the specified resource is not
6752//   valid for this request.
6753//
6754//   For more information about how key state affects the use of a CMK, see How
6755//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
6757//
6758//   * TagException
6759//   The request was rejected because one or more tags are not valid.
6760//
6761// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UntagResource
func (c *KMS) UntagResource(input *UntagResourceInput) (*UntagResourceOutput, error) {
	// Per the doc comment above, a missing tag key raises no exception, so a
	// nil error does not prove that a tag was removed; ListResourceTags is
	// the documented way to confirm. Untagging can also allow or deny
	// permission to the CMK (ABAC).
	r, resp := c.UntagResourceRequest(input)
	err := r.Send()
	return resp, err
}
6766
6767// UntagResourceWithContext is the same as UntagResource with the addition of
6768// the ability to pass a context and additional request options.
6769//
6770// See UntagResource for details on how to use this API operation.
6771//
6772// The context must be non-nil and will be used for request cancellation. If
6773// the context is nil a panic will occur. In the future the SDK may create
6774// sub-contexts for http.Requests. See https://golang.org/pkg/context/
6775// for more information on using Contexts.
func (c *KMS) UntagResourceWithContext(ctx aws.Context, input *UntagResourceInput, opts ...request.Option) (*UntagResourceOutput, error) {
	r, resp := c.UntagResourceRequest(input)

	// The context is attached before the options are applied and before the
	// request is sent; the doc comment above states a nil ctx panics.
	r.SetContext(ctx)
	r.ApplyOptions(opts...)

	err := r.Send()
	return resp, err
}
6782
// opUpdateAlias is the operation name that UpdateAliasRequest sets as
// request.Operation.Name.
const opUpdateAlias = "UpdateAlias"
6784
6785// UpdateAliasRequest generates a "aws/request.Request" representing the
6786// client's request for the UpdateAlias operation. The "output" return
6787// value will be populated with the request's response once the request completes
6788// successfully.
6789//
6790// Use "Send" method on the returned Request to send the API call to the service.
6791// the "output" return value is not valid until after Send returns without error.
6792//
6793// See UpdateAlias for more information on using the UpdateAlias
6794// API call, and error handling.
6795//
6796// This method is useful when you want to inject custom logic or configuration
6797// into the SDK's request lifecycle. Such as custom headers, or retry logic.
6798//
6799//
6800//    // Example sending a request using the UpdateAliasRequest method.
6801//    req, resp := client.UpdateAliasRequest(params)
6802//
6803//    err := req.Send()
6804//    if err == nil { // resp is now filled
6805//        fmt.Println(resp)
6806//    }
6807//
6808// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateAlias
func (c *KMS) UpdateAliasRequest(input *UpdateAliasInput) (req *request.Request, output *UpdateAliasOutput) {
	// A nil input is replaced by an empty value so a request is always built.
	if input == nil {
		input = &UpdateAliasInput{}
	}

	operation := &request.Operation{
		Name:       opUpdateAlias,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}

	output = &UpdateAliasOutput{}
	req = c.newRequest(operation, input, output)

	// Swap the handler registered under the JSON-RPC unmarshal handler's name
	// for protocol.UnmarshalDiscardBodyHandler (presumably because the
	// operation has no response payload to decode; confirm against the API
	// model).
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}
6825
6826// UpdateAlias API operation for AWS Key Management Service.
6827//
6828// Associates an existing AWS KMS alias with a different customer master key
6829// (CMK). Each alias is associated with only one CMK at a time, although a CMK
6830// can have multiple aliases. The alias and the CMK must be in the same AWS
6831// account and Region.
6832//
6833// Adding, deleting, or updating an alias can allow or deny permission to the
6834// CMK. For details, see Using ABAC in AWS KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html)
6835// in the AWS Key Management Service Developer Guide.
6836//
6837// The current and new CMK must be the same type (both symmetric or both asymmetric),
6838// and they must have the same key usage (ENCRYPT_DECRYPT or SIGN_VERIFY). This
6839// restriction prevents errors in code that uses aliases. If you must assign
6840// an alias to a different type of CMK, use DeleteAlias to delete the old alias
6841// and CreateAlias to create a new alias.
6842//
6843// You cannot use UpdateAlias to change an alias name. To change an alias name,
6844// use DeleteAlias to delete the old alias and CreateAlias to create a new alias.
6845//
6846// Because an alias is not a property of a CMK, you can create, update, and
6847// delete the aliases of a CMK without affecting the CMK. Also, aliases do not
6848// appear in the response from the DescribeKey operation. To get the aliases
6849// of all CMKs in the account, use the ListAliases operation.
6850//
6851// The CMK that you use for this operation must be in a compatible key state.
6852// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
6853// in the AWS Key Management Service Developer Guide.
6854//
6855// Cross-account use: No. You cannot perform this operation on a CMK in a different
6856// AWS account.
6857//
6858// Required permissions
6859//
6860//    * kms:UpdateAlias (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
6861//    on the alias (IAM policy).
6862//
6863//    * kms:UpdateAlias (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
6864//    on the current CMK (key policy).
6865//
6866//    * kms:UpdateAlias (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
6867//    on the new CMK (key policy).
6868//
6869// For details, see Controlling access to aliases (https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access)
6870// in the AWS Key Management Service Developer Guide.
6871//
6872// Related operations:
6873//
6874//    * CreateAlias
6875//
6876//    * DeleteAlias
6877//
6878//    * ListAliases
6879//
6880// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
6881// with awserr.Error's Code and Message methods to get detailed information about
6882// the error.
6883//
6884// See the AWS API reference guide for AWS Key Management Service's
6885// API operation UpdateAlias for usage and error information.
6886//
6887// Returned Error Types:
6888//   * DependencyTimeoutException
6889//   The system timed out while trying to fulfill the request. The request can
6890//   be retried.
6891//
6892//   * NotFoundException
6893//   The request was rejected because the specified entity or resource could not
6894//   be found.
6895//
6896//   * InternalException
6897//   The request was rejected because an internal exception occurred. The request
6898//   can be retried.
6899//
6900//   * LimitExceededException
6901//   The request was rejected because a quota was exceeded. For more information,
6902//   see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html)
6903//   in the AWS Key Management Service Developer Guide.
6904//
6905//   * InvalidStateException
6906//   The request was rejected because the state of the specified resource is not
6907//   valid for this request.
6908//
6909//   For more information about how key state affects the use of a CMK, see How
6910//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
6911//   in the AWS Key Management Service Developer Guide .
6912//
6913// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateAlias
func (c *KMS) UpdateAlias(input *UpdateAliasInput) (*UpdateAliasOutput, error) {
	// Build the request first; the API call is only made when Send runs.
	r, result := c.UpdateAliasRequest(input)
	err := r.Send()
	// Per the operation docs, updating an alias can allow or deny permission
	// to a CMK, so callers should treat this as a privileged change.
	// result is returned alongside err; check err before relying on it.
	return result, err
}
6918
6919// UpdateAliasWithContext is the same as UpdateAlias with the addition of
6920// the ability to pass a context and additional request options.
6921//
6922// See UpdateAlias for details on how to use this API operation.
6923//
6924// The context must be non-nil and will be used for request cancellation. If
6925// the context is nil a panic will occur. In the future the SDK may create
6926// sub-contexts for http.Requests. See https://golang.org/pkg/context/
6927// for more information on using Contexts.
func (c *KMS) UpdateAliasWithContext(ctx aws.Context, input *UpdateAliasInput, opts ...request.Option) (*UpdateAliasOutput, error) {
	r, result := c.UpdateAliasRequest(input)
	// ctx must be non-nil; the doc comment states that a nil context panics.
	r.SetContext(ctx)
	// Caller-supplied options are applied after the context and before Send.
	r.ApplyOptions(opts...)
	err := r.Send()
	return result, err
}
6934
// opUpdateCustomKeyStore is the operation name that UpdateCustomKeyStoreRequest
// sets on its request.Operation.
const opUpdateCustomKeyStore = "UpdateCustomKeyStore"
6936
6937// UpdateCustomKeyStoreRequest generates a "aws/request.Request" representing the
6938// client's request for the UpdateCustomKeyStore operation. The "output" return
6939// value will be populated with the request's response once the request completes
6940// successfully.
6941//
6942// Use "Send" method on the returned Request to send the API call to the service.
6943// the "output" return value is not valid until after Send returns without error.
6944//
6945// See UpdateCustomKeyStore for more information on using the UpdateCustomKeyStore
6946// API call, and error handling.
6947//
6948// This method is useful when you want to inject custom logic or configuration
6949// into the SDK's request lifecycle. Such as custom headers, or retry logic.
6950//
6951//
6952//    // Example sending a request using the UpdateCustomKeyStoreRequest method.
6953//    req, resp := client.UpdateCustomKeyStoreRequest(params)
6954//
6955//    err := req.Send()
6956//    if err == nil { // resp is now filled
6957//        fmt.Println(resp)
6958//    }
6959//
6960// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateCustomKeyStore
func (c *KMS) UpdateCustomKeyStoreRequest(input *UpdateCustomKeyStoreInput) (req *request.Request, output *UpdateCustomKeyStoreOutput) {
	// A nil input is replaced with an empty one so a request is always built.
	// Per the operation docs the input can carry KeyStorePassword (the kmsuser
	// password), so avoid printing input or the request body in debug output.
	if input == nil {
		input = &UpdateCustomKeyStoreInput{}
	}

	output = &UpdateCustomKeyStoreOutput{}
	req = c.newRequest(&request.Operation{
		Name:       opUpdateCustomKeyStore,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	// Swap the handler registered under jsonrpc.UnmarshalHandler.Name for the
	// discard-body handler; the operation docs say success returns a JSON
	// object with no properties, so there is nothing to decode into output.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}
6977
6978// UpdateCustomKeyStore API operation for AWS Key Management Service.
6979//
6980// Changes the properties of a custom key store. Use the CustomKeyStoreId parameter
6981// to identify the custom key store you want to edit. Use the remaining parameters
6982// to change the properties of the custom key store.
6983//
6984// You can only update a custom key store that is disconnected. To disconnect
6985// the custom key store, use DisconnectCustomKeyStore. To reconnect the custom
6986// key store after the update completes, use ConnectCustomKeyStore. To find
6987// the connection state of a custom key store, use the DescribeCustomKeyStores
6988// operation.
6989//
6990// Use the parameters of UpdateCustomKeyStore to edit your keystore settings.
6991//
6992//    * Use the NewCustomKeyStoreName parameter to change the friendly name
6993//    of the custom key store to the value that you specify.
6994//
//    * Use the KeyStorePassword parameter to tell AWS KMS the current password
6996//    of the kmsuser crypto user (CU) (https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser)
6997//    in the associated AWS CloudHSM cluster. You can use this parameter to
6998//    fix connection failures (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-password)
6999//    that occur when AWS KMS cannot log into the associated cluster because
7000//    the kmsuser password has changed. This value does not change the password
7001//    in the AWS CloudHSM cluster.
7002//
7003//    * Use the CloudHsmClusterId parameter to associate the custom key store
7004//    with a different, but related, AWS CloudHSM cluster. You can use this
7005//    parameter to repair a custom key store if its AWS CloudHSM cluster becomes
7006//    corrupted or is deleted, or when you need to create or restore a cluster
7007//    from a backup.
7008//
7009// If the operation succeeds, it returns a JSON object with no properties.
7010//
// This operation is part of the Custom Key Store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
// in AWS KMS, which combines the convenience and extensive integration
7013// of AWS KMS with the isolation and control of a single-tenant key store.
7014//
7015// Cross-account use: No. You cannot perform this operation on a custom key
7016// store in a different AWS account.
7017//
7018// Required permissions: kms:UpdateCustomKeyStore (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
7019// (IAM policy)
7020//
7021// Related operations:
7022//
7023//    * ConnectCustomKeyStore
7024//
7025//    * CreateCustomKeyStore
7026//
7027//    * DeleteCustomKeyStore
7028//
7029//    * DescribeCustomKeyStores
7030//
7031//    * DisconnectCustomKeyStore
7032//
7033// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
7034// with awserr.Error's Code and Message methods to get detailed information about
7035// the error.
7036//
7037// See the AWS API reference guide for AWS Key Management Service's
7038// API operation UpdateCustomKeyStore for usage and error information.
7039//
7040// Returned Error Types:
7041//   * CustomKeyStoreNotFoundException
7042//   The request was rejected because AWS KMS cannot find a custom key store with
7043//   the specified key store name or ID.
7044//
7045//   * CustomKeyStoreNameInUseException
7046//   The request was rejected because the specified custom key store name is already
7047//   assigned to another custom key store in the account. Try again with a custom
7048//   key store name that is unique in the account.
7049//
7050//   * CloudHsmClusterNotFoundException
7051//   The request was rejected because AWS KMS cannot find the AWS CloudHSM cluster
7052//   with the specified cluster ID. Retry the request with a different cluster
7053//   ID.
7054//
7055//   * CloudHsmClusterNotRelatedException
7056//   The request was rejected because the specified AWS CloudHSM cluster has a
7057//   different cluster certificate than the original cluster. You cannot use the
7058//   operation to specify an unrelated cluster.
7059//
7060//   Specify a cluster that shares a backup history with the original cluster.
7061//   This includes clusters that were created from a backup of the current cluster,
7062//   and clusters that were created from the same backup that produced the current
7063//   cluster.
7064//
7065//   Clusters that share a backup history have the same cluster certificate. To
7066//   view the cluster certificate of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
7067//   operation.
7068//
7069//   * CustomKeyStoreInvalidStateException
7070//   The request was rejected because of the ConnectionState of the custom key
7071//   store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores
7072//   operation.
7073//
7074//   This exception is thrown under the following conditions:
7075//
7076//      * You requested the CreateKey or GenerateRandom operation in a custom
7077//      key store that is not connected. These operations are valid only when
7078//      the custom key store ConnectionState is CONNECTED.
7079//
7080//      * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation
7081//      on a custom key store that is not disconnected. This operation is valid
7082//      only when the custom key store ConnectionState is DISCONNECTED.
7083//
7084//      * You requested the ConnectCustomKeyStore operation on a custom key store
7085//      with a ConnectionState of DISCONNECTING or FAILED. This operation is valid
7086//      for all other ConnectionState values.
7087//
7088//   * InternalException
7089//   The request was rejected because an internal exception occurred. The request
7090//   can be retried.
7091//
7092//   * CloudHsmClusterNotActiveException
7093//   The request was rejected because the AWS CloudHSM cluster that is associated
7094//   with the custom key store is not active. Initialize and activate the cluster
7095//   and try the command again. For detailed instructions, see Getting Started
7096//   (https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html)
7097//   in the AWS CloudHSM User Guide.
7098//
7099//   * CloudHsmClusterInvalidConfigurationException
7100//   The request was rejected because the associated AWS CloudHSM cluster did
7101//   not meet the configuration requirements for a custom key store.
7102//
7103//      * The cluster must be configured with private subnets in at least two
7104//      different Availability Zones in the Region.
7105//
7106//      * The security group for the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html)
7107//      (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound
7108//      rules that allow TCP traffic on ports 2223-2225. The Source in the inbound
7109//      rules and the Destination in the outbound rules must match the security
7110//      group ID. These rules are set by default when you create the cluster.
7111//      Do not delete or change them. To get information about a particular security
7112//      group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html)
7113//      operation.
7114//
7115//      * The cluster must contain at least as many HSMs as the operation requires.
7116//      To add HSMs, use the AWS CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html)
7117//      operation. For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey
7118//      operations, the AWS CloudHSM cluster must have at least two active HSMs,
7119//      each in a different Availability Zone. For the ConnectCustomKeyStore operation,
//      the AWS CloudHSM cluster must contain at least one active HSM.
7121//
7122//   For information about the requirements for an AWS CloudHSM cluster that is
7123//   associated with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore)
7124//   in the AWS Key Management Service Developer Guide. For information about
7125//   creating a private subnet for an AWS CloudHSM cluster, see Create a Private
7126//   Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html)
7127//   in the AWS CloudHSM User Guide. For information about cluster security groups,
7128//   see Configure a Default Security Group (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html)
7129//   in the AWS CloudHSM User Guide .
7130//
7131// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateCustomKeyStore
func (c *KMS) UpdateCustomKeyStore(input *UpdateCustomKeyStoreInput) (*UpdateCustomKeyStoreOutput, error) {
	// Build the request first; the API call is only made when Send runs.
	r, result := c.UpdateCustomKeyStoreRequest(input)
	err := r.Send()
	// result is returned alongside err; check err before relying on it.
	return result, err
}
7136
7137// UpdateCustomKeyStoreWithContext is the same as UpdateCustomKeyStore with the addition of
7138// the ability to pass a context and additional request options.
7139//
7140// See UpdateCustomKeyStore for details on how to use this API operation.
7141//
7142// The context must be non-nil and will be used for request cancellation. If
7143// the context is nil a panic will occur. In the future the SDK may create
7144// sub-contexts for http.Requests. See https://golang.org/pkg/context/
7145// for more information on using Contexts.
func (c *KMS) UpdateCustomKeyStoreWithContext(ctx aws.Context, input *UpdateCustomKeyStoreInput, opts ...request.Option) (*UpdateCustomKeyStoreOutput, error) {
	r, result := c.UpdateCustomKeyStoreRequest(input)
	// ctx must be non-nil; the doc comment states that a nil context panics.
	r.SetContext(ctx)
	// Caller-supplied options are applied after the context and before Send.
	r.ApplyOptions(opts...)
	err := r.Send()
	return result, err
}
7152
// opUpdateKeyDescription is the operation name that UpdateKeyDescriptionRequest
// sets on its request.Operation.
const opUpdateKeyDescription = "UpdateKeyDescription"
7154
7155// UpdateKeyDescriptionRequest generates a "aws/request.Request" representing the
7156// client's request for the UpdateKeyDescription operation. The "output" return
7157// value will be populated with the request's response once the request completes
7158// successfully.
7159//
7160// Use "Send" method on the returned Request to send the API call to the service.
7161// the "output" return value is not valid until after Send returns without error.
7162//
7163// See UpdateKeyDescription for more information on using the UpdateKeyDescription
7164// API call, and error handling.
7165//
7166// This method is useful when you want to inject custom logic or configuration
7167// into the SDK's request lifecycle. Such as custom headers, or retry logic.
7168//
7169//
7170//    // Example sending a request using the UpdateKeyDescriptionRequest method.
7171//    req, resp := client.UpdateKeyDescriptionRequest(params)
7172//
7173//    err := req.Send()
7174//    if err == nil { // resp is now filled
7175//        fmt.Println(resp)
7176//    }
7177//
7178// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateKeyDescription
func (c *KMS) UpdateKeyDescriptionRequest(input *UpdateKeyDescriptionInput) (req *request.Request, output *UpdateKeyDescriptionOutput) {
	// A nil input is replaced with an empty one so a request is always built.
	if input == nil {
		input = &UpdateKeyDescriptionInput{}
	}

	output = &UpdateKeyDescriptionOutput{}
	req = c.newRequest(&request.Operation{
		Name:       opUpdateKeyDescription,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	// Swap the handler registered under jsonrpc.UnmarshalHandler.Name for the
	// discard-body handler; presumably the response body is dropped rather
	// than decoded into output (inferred from the handler name).
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}
7195
7196// UpdateKeyDescription API operation for AWS Key Management Service.
7197//
7198// Updates the description of a customer master key (CMK). To see the description
7199// of a CMK, use DescribeKey.
7200//
7201// The CMK that you use for this operation must be in a compatible key state.
7202// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
7203// in the AWS Key Management Service Developer Guide.
7204//
7205// Cross-account use: No. You cannot perform this operation on a CMK in a different
7206// AWS account.
7207//
7208// Required permissions: kms:UpdateKeyDescription (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
7209// (key policy)
7210//
7211// Related operations
7212//
7213//    * CreateKey
7214//
7215//    * DescribeKey
7216//
7217// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
7218// with awserr.Error's Code and Message methods to get detailed information about
7219// the error.
7220//
7221// See the AWS API reference guide for AWS Key Management Service's
7222// API operation UpdateKeyDescription for usage and error information.
7223//
7224// Returned Error Types:
7225//   * NotFoundException
7226//   The request was rejected because the specified entity or resource could not
7227//   be found.
7228//
7229//   * InvalidArnException
7230//   The request was rejected because a specified ARN, or an ARN in a key policy,
7231//   is not valid.
7232//
7233//   * DependencyTimeoutException
7234//   The system timed out while trying to fulfill the request. The request can
7235//   be retried.
7236//
7237//   * InternalException
7238//   The request was rejected because an internal exception occurred. The request
7239//   can be retried.
7240//
7241//   * InvalidStateException
7242//   The request was rejected because the state of the specified resource is not
7243//   valid for this request.
7244//
7245//   For more information about how key state affects the use of a CMK, see How
7246//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
7247//   in the AWS Key Management Service Developer Guide .
7248//
7249// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateKeyDescription
func (c *KMS) UpdateKeyDescription(input *UpdateKeyDescriptionInput) (*UpdateKeyDescriptionOutput, error) {
	// Build the request first; the API call is only made when Send runs.
	r, result := c.UpdateKeyDescriptionRequest(input)
	err := r.Send()
	// result is returned alongside err; check err before relying on it.
	return result, err
}
7254
7255// UpdateKeyDescriptionWithContext is the same as UpdateKeyDescription with the addition of
7256// the ability to pass a context and additional request options.
7257//
7258// See UpdateKeyDescription for details on how to use this API operation.
7259//
7260// The context must be non-nil and will be used for request cancellation. If
7261// the context is nil a panic will occur. In the future the SDK may create
7262// sub-contexts for http.Requests. See https://golang.org/pkg/context/
7263// for more information on using Contexts.
func (c *KMS) UpdateKeyDescriptionWithContext(ctx aws.Context, input *UpdateKeyDescriptionInput, opts ...request.Option) (*UpdateKeyDescriptionOutput, error) {
	r, result := c.UpdateKeyDescriptionRequest(input)
	// ctx must be non-nil; the doc comment states that a nil context panics.
	r.SetContext(ctx)
	// Caller-supplied options are applied after the context and before Send.
	r.ApplyOptions(opts...)
	err := r.Send()
	return result, err
}
7270
// opUpdatePrimaryRegion is the operation name that UpdatePrimaryRegionRequest
// sets on its request.Operation.
const opUpdatePrimaryRegion = "UpdatePrimaryRegion"
7272
7273// UpdatePrimaryRegionRequest generates a "aws/request.Request" representing the
7274// client's request for the UpdatePrimaryRegion operation. The "output" return
7275// value will be populated with the request's response once the request completes
7276// successfully.
7277//
7278// Use "Send" method on the returned Request to send the API call to the service.
7279// the "output" return value is not valid until after Send returns without error.
7280//
7281// See UpdatePrimaryRegion for more information on using the UpdatePrimaryRegion
7282// API call, and error handling.
7283//
7284// This method is useful when you want to inject custom logic or configuration
7285// into the SDK's request lifecycle. Such as custom headers, or retry logic.
7286//
7287//
7288//    // Example sending a request using the UpdatePrimaryRegionRequest method.
7289//    req, resp := client.UpdatePrimaryRegionRequest(params)
7290//
7291//    err := req.Send()
7292//    if err == nil { // resp is now filled
7293//        fmt.Println(resp)
7294//    }
7295//
7296// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdatePrimaryRegion
func (c *KMS) UpdatePrimaryRegionRequest(input *UpdatePrimaryRegionInput) (req *request.Request, output *UpdatePrimaryRegionOutput) {
	// A nil input is replaced with an empty one so a request is always built.
	if input == nil {
		input = &UpdatePrimaryRegionInput{}
	}

	output = &UpdatePrimaryRegionOutput{}
	req = c.newRequest(&request.Operation{
		Name:       opUpdatePrimaryRegion,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	// Swap the handler registered under jsonrpc.UnmarshalHandler.Name for the
	// discard-body handler; the operation docs say it returns no output, and
	// that the change should be confirmed with DescribeKey.
	req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler)
	return req, output
}
7313
7314// UpdatePrimaryRegion API operation for AWS Key Management Service.
7315//
7316// Changes the primary key of a multi-Region key.
7317//
7318// This operation changes the replica key in the specified Region to a primary
7319// key and changes the former primary key to a replica key. For example, suppose
7320// you have a primary key in us-east-1 and a replica key in eu-west-2. If you
7321// run UpdatePrimaryRegion with a PrimaryRegion value of eu-west-2, the primary
7322// key is now the key in eu-west-2, and the key in us-east-1 becomes a replica
7323// key. For details, see
7324//
7325// This operation supports multi-Region keys, an AWS KMS feature that lets you
7326// create multiple interoperable CMKs in different AWS Regions. Because these
7327// CMKs have the same key ID, key material, and other metadata, you can use
7328// them to encrypt data in one AWS Region and decrypt it in a different AWS
7329// Region without making a cross-Region call or exposing the plaintext data.
7330// For more information about multi-Region keys, see Using multi-Region keys
7331// (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html)
7332// in the AWS Key Management Service Developer Guide.
7333//
7334// The primary key of a multi-Region key is the source for properties that are
7335// always shared by primary and replica keys, including the key material, key
7336// ID (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-id),
7337// key spec (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-spec),
7338// key usage (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-usage),
7339// key material origin (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-origin),
7340// and automatic key rotation (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html).
7341// It's the only key that can be replicated. You cannot delete the primary key
7342// (https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html)
7343// until all replicas are deleted.
7344//
7345// The key ID and primary Region that you specify uniquely identify the replica
7346// key that will become the primary key. The primary Region must already have
7347// a replica key. This operation does not create a CMK in the specified Region.
7348// To find the replica keys, use the DescribeKey operation on the primary key
7349// or any replica key. To create a replica key, use the ReplicateKey operation.
7350//
7351// You can run this operation while using the affected multi-Region keys in
7352// cryptographic operations. This operation should not delay, interrupt, or
7353// cause failures in cryptographic operations.
7354//
7355// Even after this operation completes, the process of updating the primary
7356// Region might still be in progress for a few more seconds. Operations such
7357// as DescribeKey might display both the old and new primary keys as replicas.
7358// The old and new primary keys have a transient key state of Updating. The
7359// original key state is restored when the update is complete. While the key
7360// state is Updating, you can use the keys in cryptographic operations, but
7361// you cannot replicate the new primary key or perform certain management operations,
7362// such as enabling or disabling these keys. For details about the Updating
// key state, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
7364// in the AWS Key Management Service Developer Guide.
7365//
// This operation does not return any output. To verify that the primary key is
7367// changed, use the DescribeKey operation.
7368//
7369// Cross-account use: No. You cannot use this operation in a different AWS account.
7370//
7371// Required permissions:
7372//
7373//    * kms:UpdatePrimaryRegion on the current primary CMK (in the primary CMK's
//    Region). Include this permission in the primary CMK's key policy.
7375//
7376//    * kms:UpdatePrimaryRegion on the current replica CMK (in the replica CMK's
7377//    Region). Include this permission in the replica CMK's key policy.
7378//
7379// Related operations
7380//
7381//    * CreateKey
7382//
7383//    * ReplicateKey
7384//
7385// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
7386// with awserr.Error's Code and Message methods to get detailed information about
7387// the error.
7388//
7389// See the AWS API reference guide for AWS Key Management Service's
7390// API operation UpdatePrimaryRegion for usage and error information.
7391//
7392// Returned Error Types:
7393//   * DisabledException
7394//   The request was rejected because the specified CMK is not enabled.
7395//
7396//   * InvalidArnException
7397//   The request was rejected because a specified ARN, or an ARN in a key policy,
7398//   is not valid.
7399//
7400//   * InvalidStateException
7401//   The request was rejected because the state of the specified resource is not
7402//   valid for this request.
7403//
7404//   For more information about how key state affects the use of a CMK, see How
7405//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
7406//   in the AWS Key Management Service Developer Guide .
7407//
7408//   * InternalException
7409//   The request was rejected because an internal exception occurred. The request
7410//   can be retried.
7411//
7412//   * NotFoundException
7413//   The request was rejected because the specified entity or resource could not
7414//   be found.
7415//
7416//   * UnsupportedOperationException
7417//   The request was rejected because a specified parameter is not supported or
7418//   a specified resource is not valid for this operation.
7419//
7420// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdatePrimaryRegion
func (c *KMS) UpdatePrimaryRegion(input *UpdatePrimaryRegionInput) (*UpdatePrimaryRegionOutput, error) {
	// Build the request first; the API call is only made when Send runs.
	r, result := c.UpdatePrimaryRegionRequest(input)
	err := r.Send()
	// result is returned alongside err; check err before relying on it.
	return result, err
}
7425
7426// UpdatePrimaryRegionWithContext is the same as UpdatePrimaryRegion with the addition of
7427// the ability to pass a context and additional request options.
7428//
7429// See UpdatePrimaryRegion for details on how to use this API operation.
7430//
7431// The context must be non-nil and will be used for request cancellation. If
7432// the context is nil a panic will occur. In the future the SDK may create
7433// sub-contexts for http.Requests. See https://golang.org/pkg/context/
7434// for more information on using Contexts.
func (c *KMS) UpdatePrimaryRegionWithContext(ctx aws.Context, input *UpdatePrimaryRegionInput, opts ...request.Option) (*UpdatePrimaryRegionOutput, error) {
	r, result := c.UpdatePrimaryRegionRequest(input)
	// ctx must be non-nil; the doc comment states that a nil context panics.
	r.SetContext(ctx)
	// Caller-supplied options are applied after the context and before Send.
	r.ApplyOptions(opts...)
	err := r.Send()
	return result, err
}
7441
// opVerify is the operation name that VerifyRequest sets on its
// request.Operation.
const opVerify = "Verify"
7443
7444// VerifyRequest generates a "aws/request.Request" representing the
7445// client's request for the Verify operation. The "output" return
7446// value will be populated with the request's response once the request completes
7447// successfully.
7448//
7449// Use "Send" method on the returned Request to send the API call to the service.
7450// the "output" return value is not valid until after Send returns without error.
7451//
7452// See Verify for more information on using the Verify
7453// API call, and error handling.
7454//
7455// This method is useful when you want to inject custom logic or configuration
7456// into the SDK's request lifecycle. Such as custom headers, or retry logic.
7457//
7458//
7459//    // Example sending a request using the VerifyRequest method.
7460//    req, resp := client.VerifyRequest(params)
7461//
7462//    err := req.Send()
7463//    if err == nil { // resp is now filled
7464//        fmt.Println(resp)
7465//    }
7466//
7467// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Verify
func (c *KMS) VerifyRequest(input *VerifyInput) (req *request.Request, output *VerifyOutput) {
	// A nil input is replaced with an empty one so a request is always built.
	if input == nil {
		input = &VerifyInput{}
	}

	output = &VerifyOutput{}
	req = c.newRequest(&request.Operation{
		Name:       opVerify,
		HTTPMethod: "POST",
		HTTPPath:   "/",
	}, input, output)
	// output is not valid until Send returns without error. Per the operation
	// docs a failed verification is reported as a KMSInvalidSignatureException
	// error, so callers should treat any Send error as "not verified" and
	// never read the result from output in that case.
	return req, output
}
7483
7484// Verify API operation for AWS Key Management Service.
7485//
7486// Verifies a digital signature that was generated by the Sign operation.
7487//
7488// Verification confirms that an authorized user signed the message with the
7489// specified CMK and signing algorithm, and the message hasn't changed since
7490// it was signed. If the signature is verified, the value of the SignatureValid
7491// field in the response is True. If the signature verification fails, the Verify
// operation fails with a KMSInvalidSignatureException exception.
7493//
7494// A digital signature is generated by using the private key in an asymmetric
7495// CMK. The signature is verified by using the public key in the same asymmetric
7496// CMK. For information about symmetric and asymmetric CMKs, see Using Symmetric
7497// and Asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html)
7498// in the AWS Key Management Service Developer Guide.
7499//
7500// To verify a digital signature, you can use the Verify operation. Specify
7501// the same asymmetric CMK, message, and signing algorithm that were used to
7502// produce the signature.
7503//
7504// You can also verify the digital signature by using the public key of the
7505// CMK outside of AWS KMS. Use the GetPublicKey operation to download the public
7506// key in the asymmetric CMK and then use the public key to verify the signature
7507// outside of AWS KMS. The advantage of using the Verify operation is that it
7508// is performed within AWS KMS. As a result, it's easy to call, the operation
7509// is performed within the FIPS boundary, it is logged in AWS CloudTrail, and
7510// you can use key policy and IAM policy to determine who is authorized to use
7511// the CMK to verify signatures.
7512//
7513// The CMK that you use for this operation must be in a compatible key state.
7514// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
7515// in the AWS Key Management Service Developer Guide.
7516//
7517// Cross-account use: Yes. To perform this operation with a CMK in a different
7518// AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter.
7519//
7520// Required permissions: kms:Verify (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
7521// (key policy)
7522//
7523// Related operations: Sign
7524//
7525// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
7526// with awserr.Error's Code and Message methods to get detailed information about
7527// the error.
7528//
7529// See the AWS API reference guide for AWS Key Management Service's
7530// API operation Verify for usage and error information.
7531//
7532// Returned Error Types:
7533//   * NotFoundException
7534//   The request was rejected because the specified entity or resource could not
7535//   be found.
7536//
7537//   * DisabledException
7538//   The request was rejected because the specified CMK is not enabled.
7539//
7540//   * KeyUnavailableException
7541//   The request was rejected because the specified CMK was not available. You
7542//   can retry the request.
7543//
7544//   * DependencyTimeoutException
7545//   The system timed out while trying to fulfill the request. The request can
7546//   be retried.
7547//
7548//   * InvalidKeyUsageException
7549//   The request was rejected for one of the following reasons:
7550//
7551//      * The KeyUsage value of the CMK is incompatible with the API operation.
7552//
7553//      * The encryption algorithm or signing algorithm specified for the operation
7554//      is incompatible with the type of key material in the CMK (CustomerMasterKeySpec).
7555//
7556//   For encrypting, decrypting, re-encrypting, and generating data keys, the
7557//   KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage
7558//   must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation.
7559//
7560//   To find the encryption or signing algorithms supported for a particular CMK,
7561//   use the DescribeKey operation.
7562//
7563//   * InvalidGrantTokenException
7564//   The request was rejected because the specified grant token is not valid.
7565//
7566//   * InternalException
7567//   The request was rejected because an internal exception occurred. The request
7568//   can be retried.
7569//
7570//   * InvalidStateException
7571//   The request was rejected because the state of the specified resource is not
7572//   valid for this request.
7573//
//   For more information about how key state affects the use of a CMK, see How
//   Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
//   in the AWS Key Management Service Developer Guide.
7577//
7578//   * KMSInvalidSignatureException
7579//   The request was rejected because the signature verification failed. Signature
7580//   verification fails when it cannot confirm that signature was produced by
7581//   signing the specified message with the specified CMK and signing algorithm.
7582//
7583// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Verify
func (c *KMS) Verify(input *VerifyInput) (*VerifyOutput, error) {
	req, out := c.VerifyRequest(input)
	// out is handed back together with whatever Send reports; a non-nil
	// error is passed to the caller unchanged.
	if err := req.Send(); err != nil {
		return out, err
	}
	return out, nil
}
7588
// VerifyWithContext behaves like Verify, but additionally accepts a context
// and request options.
//
// See Verify for details on how to use this API operation.
//
// The context must be non-nil; it is used for request cancellation, and a nil
// context causes a panic. In the future the SDK may create sub-contexts for
// http.Requests. See https://golang.org/pkg/context/ for more information on
// using Contexts.
func (c *KMS) VerifyWithContext(ctx aws.Context, input *VerifyInput, opts ...request.Option) (*VerifyOutput, error) {
	req, out := c.VerifyRequest(input)

	// The context is attached first, then the caller's options are applied,
	// and only then is the request sent.
	req.SetContext(ctx)
	req.ApplyOptions(opts...)

	err := req.Send()
	return out, err
}
7604
// AliasListEntry contains information about an alias.
type AliasListEntry struct {
	_ struct{} `type:"structure"`

	// String that contains the key ARN.
	// NOTE(review): the field is named AliasArn, so this is presumably the ARN
	// of the alias rather than of the key; confirm against the API reference.
	AliasArn *string `min:"20" type:"string"`

	// The alias itself, as a string. The value begins with alias/.
	AliasName *string `min:"1" type:"string"`

	// When the alias was most recently created in the account and Region.
	// Formatted as Unix time.
	CreationDate *time.Time `type:"timestamp"`

	// When the alias was most recently associated with a CMK in the account
	// and Region. Formatted as Unix time.
	LastUpdatedDate *time.Time `type:"timestamp"`

	// Key identifier of the CMK that the alias is associated with.
	TargetKeyId *string `min:"1" type:"string"`
}

// String returns the value as rendered by awsutil.Prettify.
func (s AliasListEntry) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s AliasListEntry) GoString() string {
	return awsutil.Prettify(s)
}

// SetAliasArn stores a pointer to a copy of v in AliasArn and returns the
// receiver so calls can be chained.
func (s *AliasListEntry) SetAliasArn(v string) *AliasListEntry {
	s.AliasArn = aws.String(v)
	return s
}

// SetAliasName stores a pointer to a copy of v in AliasName and returns the
// receiver so calls can be chained.
func (s *AliasListEntry) SetAliasName(v string) *AliasListEntry {
	s.AliasName = aws.String(v)
	return s
}

// SetCreationDate stores a pointer to a copy of v in CreationDate and returns
// the receiver so calls can be chained.
func (s *AliasListEntry) SetCreationDate(v time.Time) *AliasListEntry {
	s.CreationDate = aws.Time(v)
	return s
}

// SetLastUpdatedDate stores a pointer to a copy of v in LastUpdatedDate and
// returns the receiver so calls can be chained.
func (s *AliasListEntry) SetLastUpdatedDate(v time.Time) *AliasListEntry {
	s.LastUpdatedDate = aws.Time(v)
	return s
}

// SetTargetKeyId stores a pointer to a copy of v in TargetKeyId and returns
// the receiver so calls can be chained.
func (s *AliasListEntry) SetTargetKeyId(v string) *AliasListEntry {
	s.TargetKeyId = aws.String(v)
	return s
}
7666
// AlreadyExistsException reports that the request was rejected because it
// attempted to create a resource that already exists.
type AlreadyExistsException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
}

// String returns the value as rendered by awsutil.Prettify.
func (s AlreadyExistsException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s AlreadyExistsException) GoString() string {
	return awsutil.Prettify(s)
}

// newErrorAlreadyExistsException builds an AlreadyExistsException that carries
// the given response metadata; Message_ is left unset.
func newErrorAlreadyExistsException(v protocol.ResponseMetadata) error {
	e := new(AlreadyExistsException)
	e.RespMetadata = v
	return e
}

// Code returns the exception type name.
func (s *AlreadyExistsException) Code() string {
	return "AlreadyExistsException"
}

// Message returns the exception's message, or "" when none is set.
func (s *AlreadyExistsException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil; it exists to satisfy the awserr.Error interface.
func (s *AlreadyExistsException) OrigErr() error {
	return nil
}

// Error formats the exception as "<Code>: <Message>".
func (s *AlreadyExistsException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code for the request's response error.
func (s *AlreadyExistsException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the service's response RequestID for request.
func (s *AlreadyExistsException) RequestID() string {
	return s.RespMetadata.RequestID
}
7723
// CancelKeyDeletionInput holds the parameters of a CancelKeyDeletion request.
type CancelKeyDeletionInput struct {
	_ struct{} `type:"structure"`

	// Identifies the customer master key (CMK) whose deletion is being canceled.
	//
	// Specify the key ID or key ARN of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`
}

// String returns the value as rendered by awsutil.Prettify.
func (s CancelKeyDeletionInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s CancelKeyDeletionInput) GoString() string {
	return awsutil.Prettify(s)
}

// Validate checks that KeyId is set and at least one byte long. It does not
// check that the value has the form of a key ID or key ARN. All problems found
// are returned together as a request.ErrInvalidParams; nil means none.
func (s *CancelKeyDeletionInput) Validate() error {
	invalidParams := request.ErrInvalidParams{Context: "CancelKeyDeletionInput"}

	switch {
	case s.KeyId == nil:
		invalidParams.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if invalidParams.Len() == 0 {
		return nil
	}
	return invalidParams
}

// SetKeyId stores a pointer to a copy of v in KeyId and returns the receiver
// so calls can be chained.
func (s *CancelKeyDeletionInput) SetKeyId(v string) *CancelKeyDeletionInput {
	s.KeyId = aws.String(v)
	return s
}
7774
// CancelKeyDeletionOutput holds the response of a CancelKeyDeletion request.
type CancelKeyDeletionOutput struct {
	_ struct{} `type:"structure"`

	// The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN))
	// of the CMK whose deletion is canceled.
	KeyId *string `min:"1" type:"string"`
}

// String returns the value as rendered by awsutil.Prettify.
func (s CancelKeyDeletionOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s CancelKeyDeletionOutput) GoString() string {
	return awsutil.Prettify(s)
}

// SetKeyId stores a pointer to a copy of v in KeyId and returns the receiver
// so calls can be chained.
func (s *CancelKeyDeletionOutput) SetKeyId(v string) *CancelKeyDeletionOutput {
	s.KeyId = aws.String(v)
	return s
}
7798
// CloudHsmClusterInUseException reports that the request was rejected because
// the specified AWS CloudHSM cluster is already associated with a custom key
// store, or it shares a backup history with a cluster that is associated with
// a custom key store. Each custom key store must be associated with a
// different AWS CloudHSM cluster.
//
// Clusters that share a backup history have the same cluster certificate. To
// view the cluster certificate of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
// operation.
type CloudHsmClusterInUseException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
}

// String returns the value as rendered by awsutil.Prettify.
func (s CloudHsmClusterInUseException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s CloudHsmClusterInUseException) GoString() string {
	return awsutil.Prettify(s)
}

// newErrorCloudHsmClusterInUseException builds a CloudHsmClusterInUseException
// that carries the given response metadata; Message_ is left unset.
func newErrorCloudHsmClusterInUseException(v protocol.ResponseMetadata) error {
	e := new(CloudHsmClusterInUseException)
	e.RespMetadata = v
	return e
}

// Code returns the exception type name.
func (s *CloudHsmClusterInUseException) Code() string {
	return "CloudHsmClusterInUseException"
}

// Message returns the exception's message, or "" when none is set.
func (s *CloudHsmClusterInUseException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil; it exists to satisfy the awserr.Error interface.
func (s *CloudHsmClusterInUseException) OrigErr() error {
	return nil
}

// Error formats the exception as "<Code>: <Message>".
func (s *CloudHsmClusterInUseException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code for the request's response error.
func (s *CloudHsmClusterInUseException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the service's response RequestID for request.
func (s *CloudHsmClusterInUseException) RequestID() string {
	return s.RespMetadata.RequestID
}
7861
7862// The request was rejected because the associated AWS CloudHSM cluster did
7863// not meet the configuration requirements for a custom key store.
7864//
7865//    * The cluster must be configured with private subnets in at least two
7866//    different Availability Zones in the Region.
7867//
7868//    * The security group for the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html)
7869//    (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound
7870//    rules that allow TCP traffic on ports 2223-2225. The Source in the inbound
7871//    rules and the Destination in the outbound rules must match the security
7872//    group ID. These rules are set by default when you create the cluster.
7873//    Do not delete or change them. To get information about a particular security
7874//    group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html)
7875//    operation.
7876//
7877//    * The cluster must contain at least as many HSMs as the operation requires.
7878//    To add HSMs, use the AWS CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html)
//    operation. For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey
//    operations, the AWS CloudHSM cluster must have at least two active HSMs,
//    each in a different Availability Zone. For the ConnectCustomKeyStore operation,
//    the AWS CloudHSM cluster must contain at least one active HSM.
7883//
7884// For information about the requirements for an AWS CloudHSM cluster that is
7885// associated with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore)
7886// in the AWS Key Management Service Developer Guide. For information about
7887// creating a private subnet for an AWS CloudHSM cluster, see Create a Private
7888// Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html)
// in the AWS CloudHSM User Guide. For information about cluster security groups,
// see Configure a Default Security Group (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html)
// in the AWS CloudHSM User Guide.
type CloudHsmClusterInvalidConfigurationException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
}

// String returns the value as rendered by awsutil.Prettify.
func (s CloudHsmClusterInvalidConfigurationException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s CloudHsmClusterInvalidConfigurationException) GoString() string {
	return awsutil.Prettify(s)
}

// newErrorCloudHsmClusterInvalidConfigurationException builds a
// CloudHsmClusterInvalidConfigurationException that carries the given response
// metadata; Message_ is left unset.
func newErrorCloudHsmClusterInvalidConfigurationException(v protocol.ResponseMetadata) error {
	e := new(CloudHsmClusterInvalidConfigurationException)
	e.RespMetadata = v
	return e
}

// Code returns the exception type name.
func (s *CloudHsmClusterInvalidConfigurationException) Code() string {
	return "CloudHsmClusterInvalidConfigurationException"
}

// Message returns the exception's message, or "" when none is set.
func (s *CloudHsmClusterInvalidConfigurationException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil; it exists to satisfy the awserr.Error interface.
func (s *CloudHsmClusterInvalidConfigurationException) OrigErr() error {
	return nil
}

// Error formats the exception as "<Code>: <Message>".
func (s *CloudHsmClusterInvalidConfigurationException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code for the request's response error.
func (s *CloudHsmClusterInvalidConfigurationException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the service's response RequestID for request.
func (s *CloudHsmClusterInvalidConfigurationException) RequestID() string {
	return s.RespMetadata.RequestID
}
7946
// CloudHsmClusterNotActiveException reports that the request was rejected
// because the AWS CloudHSM cluster that is associated with the custom key
// store is not active. Initialize and activate the cluster and try the command
// again. For detailed instructions, see Getting Started
// (https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html)
// in the AWS CloudHSM User Guide.
type CloudHsmClusterNotActiveException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
}

// String returns the value as rendered by awsutil.Prettify.
func (s CloudHsmClusterNotActiveException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s CloudHsmClusterNotActiveException) GoString() string {
	return awsutil.Prettify(s)
}

// newErrorCloudHsmClusterNotActiveException builds a
// CloudHsmClusterNotActiveException that carries the given response metadata;
// Message_ is left unset.
func newErrorCloudHsmClusterNotActiveException(v protocol.ResponseMetadata) error {
	e := new(CloudHsmClusterNotActiveException)
	e.RespMetadata = v
	return e
}

// Code returns the exception type name.
func (s *CloudHsmClusterNotActiveException) Code() string {
	return "CloudHsmClusterNotActiveException"
}

// Message returns the exception's message, or "" when none is set.
func (s *CloudHsmClusterNotActiveException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil; it exists to satisfy the awserr.Error interface.
func (s *CloudHsmClusterNotActiveException) OrigErr() error {
	return nil
}

// Error formats the exception as "<Code>: <Message>".
func (s *CloudHsmClusterNotActiveException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code for the request's response error.
func (s *CloudHsmClusterNotActiveException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the service's response RequestID for request.
func (s *CloudHsmClusterNotActiveException) RequestID() string {
	return s.RespMetadata.RequestID
}
8006
// CloudHsmClusterNotFoundException reports that the request was rejected
// because AWS KMS cannot find the AWS CloudHSM cluster with the specified
// cluster ID. Retry the request with a different cluster ID.
type CloudHsmClusterNotFoundException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
}

// String returns the value as rendered by awsutil.Prettify.
func (s CloudHsmClusterNotFoundException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s CloudHsmClusterNotFoundException) GoString() string {
	return awsutil.Prettify(s)
}

// newErrorCloudHsmClusterNotFoundException builds a
// CloudHsmClusterNotFoundException that carries the given response metadata;
// Message_ is left unset.
func newErrorCloudHsmClusterNotFoundException(v protocol.ResponseMetadata) error {
	e := new(CloudHsmClusterNotFoundException)
	e.RespMetadata = v
	return e
}

// Code returns the exception type name.
func (s *CloudHsmClusterNotFoundException) Code() string {
	return "CloudHsmClusterNotFoundException"
}

// Message returns the exception's message, or "" when none is set.
func (s *CloudHsmClusterNotFoundException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil; it exists to satisfy the awserr.Error interface.
func (s *CloudHsmClusterNotFoundException) OrigErr() error {
	return nil
}

// Error formats the exception as "<Code>: <Message>".
func (s *CloudHsmClusterNotFoundException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code for the request's response error.
func (s *CloudHsmClusterNotFoundException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the service's response RequestID for request.
func (s *CloudHsmClusterNotFoundException) RequestID() string {
	return s.RespMetadata.RequestID
}
8064
// CloudHsmClusterNotRelatedException reports that the request was rejected
// because the specified AWS CloudHSM cluster has a different cluster
// certificate than the original cluster. You cannot use the operation to
// specify an unrelated cluster.
//
// Specify a cluster that shares a backup history with the original cluster.
// This includes clusters that were created from a backup of the current cluster,
// and clusters that were created from the same backup that produced the current
// cluster.
//
// Clusters that share a backup history have the same cluster certificate. To
// view the cluster certificate of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
// operation.
type CloudHsmClusterNotRelatedException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
}

// String returns the value as rendered by awsutil.Prettify.
func (s CloudHsmClusterNotRelatedException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s CloudHsmClusterNotRelatedException) GoString() string {
	return awsutil.Prettify(s)
}

// newErrorCloudHsmClusterNotRelatedException builds a
// CloudHsmClusterNotRelatedException that carries the given response metadata;
// Message_ is left unset.
func newErrorCloudHsmClusterNotRelatedException(v protocol.ResponseMetadata) error {
	e := new(CloudHsmClusterNotRelatedException)
	e.RespMetadata = v
	return e
}

// Code returns the exception type name.
func (s *CloudHsmClusterNotRelatedException) Code() string {
	return "CloudHsmClusterNotRelatedException"
}

// Message returns the exception's message, or "" when none is set.
func (s *CloudHsmClusterNotRelatedException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil; it exists to satisfy the awserr.Error interface.
func (s *CloudHsmClusterNotRelatedException) OrigErr() error {
	return nil
}

// Error formats the exception as "<Code>: <Message>".
func (s *CloudHsmClusterNotRelatedException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code for the request's response error.
func (s *CloudHsmClusterNotRelatedException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the service's response RequestID for request.
func (s *CloudHsmClusterNotRelatedException) RequestID() string {
	return s.RespMetadata.RequestID
}
8131
// ConnectCustomKeyStoreInput identifies the custom key store to connect.
type ConnectCustomKeyStoreInput struct {
	_ struct{} `type:"structure"`

	// Enter the key store ID of the custom key store that you want to connect.
	// To find the ID of a custom key store, use the DescribeCustomKeyStores operation.
	//
	// CustomKeyStoreId is a required field
	CustomKeyStoreId *string `min:"1" type:"string" required:"true"`
}

// String returns the value as rendered by awsutil.Prettify.
func (s ConnectCustomKeyStoreInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s ConnectCustomKeyStoreInput) GoString() string {
	return awsutil.Prettify(s)
}

// Validate checks that CustomKeyStoreId is set and at least one byte long.
// All problems found are returned together as a request.ErrInvalidParams;
// nil means none.
func (s *ConnectCustomKeyStoreInput) Validate() error {
	invalidParams := request.ErrInvalidParams{Context: "ConnectCustomKeyStoreInput"}

	switch {
	case s.CustomKeyStoreId == nil:
		invalidParams.Add(request.NewErrParamRequired("CustomKeyStoreId"))
	case len(*s.CustomKeyStoreId) < 1:
		invalidParams.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1))
	}

	if invalidParams.Len() == 0 {
		return nil
	}
	return invalidParams
}

// SetCustomKeyStoreId stores a pointer to a copy of v in CustomKeyStoreId and
// returns the receiver so calls can be chained.
func (s *ConnectCustomKeyStoreInput) SetCustomKeyStoreId(v string) *ConnectCustomKeyStoreInput {
	s.CustomKeyStoreId = aws.String(v)
	return s
}
8173
// ConnectCustomKeyStoreOutput declares no response fields.
type ConnectCustomKeyStoreOutput struct {
	_ struct{} `type:"structure"`
}

// String returns the value as rendered by awsutil.Prettify.
func (s ConnectCustomKeyStoreOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s ConnectCustomKeyStoreOutput) GoString() string {
	return awsutil.Prettify(s)
}
8187
// CreateAliasInput names an alias and the CMK it is to be associated with.
type CreateAliasInput struct {
	_ struct{} `type:"structure"`

	// Specifies the alias name. This value must begin with alias/ followed by a
	// name, such as alias/ExampleAlias.
	//
	// The AliasName value must be a string of 1-256 characters. It can contain
	// only alphanumeric characters, forward slashes (/), underscores (_), and
	// dashes (-). The alias name cannot begin with alias/aws/. The alias/aws/
	// prefix is reserved for AWS managed CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk).
	//
	// AliasName is a required field
	AliasName *string `min:"1" type:"string" required:"true"`

	// Associates the alias with the specified customer managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk).
	// The CMK must be in the same AWS Region.
	//
	// A valid CMK ID is required. If you supply a null or empty string value, this
	// operation returns an error.
	//
	// For help finding the key ID and ARN, see Finding the Key ID and ARN (https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arn)
	// in the AWS Key Management Service Developer Guide.
	//
	// Specify the key ID or key ARN of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// TargetKeyId is a required field
	TargetKeyId *string `min:"1" type:"string" required:"true"`
}

// String returns the value as rendered by awsutil.Prettify.
func (s CreateAliasInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s CreateAliasInput) GoString() string {
	return awsutil.Prettify(s)
}

// Validate checks that AliasName and TargetKeyId are each set and at least one
// byte long. The alias/ prefix, the reserved alias/aws/ prefix, the allowed
// character set and the 256-character limit described on AliasName are not
// checked here. All problems found are returned together as a
// request.ErrInvalidParams; nil means none.
func (s *CreateAliasInput) Validate() error {
	invalidParams := request.ErrInvalidParams{Context: "CreateAliasInput"}

	switch {
	case s.AliasName == nil:
		invalidParams.Add(request.NewErrParamRequired("AliasName"))
	case len(*s.AliasName) < 1:
		invalidParams.Add(request.NewErrParamMinLen("AliasName", 1))
	}

	switch {
	case s.TargetKeyId == nil:
		invalidParams.Add(request.NewErrParamRequired("TargetKeyId"))
	case len(*s.TargetKeyId) < 1:
		invalidParams.Add(request.NewErrParamMinLen("TargetKeyId", 1))
	}

	if invalidParams.Len() == 0 {
		return nil
	}
	return invalidParams
}

// SetAliasName stores a pointer to a copy of v in AliasName and returns the
// receiver so calls can be chained.
func (s *CreateAliasInput) SetAliasName(v string) *CreateAliasInput {
	s.AliasName = aws.String(v)
	return s
}

// SetTargetKeyId stores a pointer to a copy of v in TargetKeyId and returns
// the receiver so calls can be chained.
func (s *CreateAliasInput) SetTargetKeyId(v string) *CreateAliasInput {
	s.TargetKeyId = aws.String(v)
	return s
}
8268
// CreateAliasOutput declares no response fields.
type CreateAliasOutput struct {
	_ struct{} `type:"structure"`
}

// String returns the value as rendered by awsutil.Prettify.
func (s CreateAliasOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same text as String.
func (s CreateAliasOutput) GoString() string {
	return awsutil.Prettify(s)
}
8282
8283type CreateCustomKeyStoreInput struct {
8284	_ struct{} `type:"structure"`
8285
8286	// Identifies the AWS CloudHSM cluster for the custom key store. Enter the cluster
8287	// ID of any active AWS CloudHSM cluster that is not already associated with
8288	// a custom key store. To find the cluster ID, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
8289	// operation.
8290	//
8291	// CloudHsmClusterId is a required field
8292	CloudHsmClusterId *string `min:"19" type:"string" required:"true"`
8293
8294	// Specifies a friendly name for the custom key store. The name must be unique
8295	// in your AWS account.
8296	//
8297	// CustomKeyStoreName is a required field
8298	CustomKeyStoreName *string `min:"1" type:"string" required:"true"`
8299
8300	// Enter the password of the kmsuser crypto user (CU) account (https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser)
8301	// in the specified AWS CloudHSM cluster. AWS KMS logs into the cluster as this
8302	// user to manage key material on your behalf.
8303	//
8304	// The password must be a string of 7 to 32 characters. Its value is case sensitive.
8305	//
8306	// This parameter tells AWS KMS the kmsuser account password; it does not change
8307	// the password in the AWS CloudHSM cluster.
8308	//
8309	// KeyStorePassword is a required field
8310	KeyStorePassword *string `min:"7" type:"string" required:"true" sensitive:"true"`
8311
8312	// Enter the content of the trust anchor certificate for the cluster. This is
8313	// the content of the customerCA.crt file that you created when you initialized
8314	// the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html).
8315	//
8316	// TrustAnchorCertificate is a required field
8317	TrustAnchorCertificate *string `min:"1" type:"string" required:"true"`
8318}
8319
8320// String returns the string representation
8321func (s CreateCustomKeyStoreInput) String() string {
8322	return awsutil.Prettify(s)
8323}
8324
8325// GoString returns the string representation
8326func (s CreateCustomKeyStoreInput) GoString() string {
8327	return s.String()
8328}
8329
// Validate checks that every required field is set and meets the minimum
// length declared in its struct tag, collecting every violation found.
//
// It returns a request.ErrInvalidParams value listing each problem, or nil
// when all checks pass. Only presence and minimum length are checked: the
// 32-character upper bound documented for KeyStorePassword is not enforced
// here, and len counts bytes rather than characters.
func (s *CreateCustomKeyStoreInput) Validate() error {
	invalidParams := request.ErrInvalidParams{Context: "CreateCustomKeyStoreInput"}

	// For each field the two cases are mutually exclusive: either the pointer
	// is nil (required error) or it is set and may be too short.
	switch {
	case s.CloudHsmClusterId == nil:
		invalidParams.Add(request.NewErrParamRequired("CloudHsmClusterId"))
	case len(*s.CloudHsmClusterId) < 19:
		invalidParams.Add(request.NewErrParamMinLen("CloudHsmClusterId", 19))
	}

	switch {
	case s.CustomKeyStoreName == nil:
		invalidParams.Add(request.NewErrParamRequired("CustomKeyStoreName"))
	case len(*s.CustomKeyStoreName) < 1:
		invalidParams.Add(request.NewErrParamMinLen("CustomKeyStoreName", 1))
	}

	switch {
	case s.KeyStorePassword == nil:
		invalidParams.Add(request.NewErrParamRequired("KeyStorePassword"))
	case len(*s.KeyStorePassword) < 7:
		invalidParams.Add(request.NewErrParamMinLen("KeyStorePassword", 7))
	}

	switch {
	case s.TrustAnchorCertificate == nil:
		invalidParams.Add(request.NewErrParamRequired("TrustAnchorCertificate"))
	case len(*s.TrustAnchorCertificate) < 1:
		invalidParams.Add(request.NewErrParamMinLen("TrustAnchorCertificate", 1))
	}

	if invalidParams.Len() == 0 {
		return nil
	}
	return invalidParams
}
8363
// SetCloudHsmClusterId sets the CloudHsmClusterId field's value and returns
// the receiver so that setter calls can be chained. No validation happens
// here; the minimum length of 19 is checked only by Validate.
func (s *CreateCustomKeyStoreInput) SetCloudHsmClusterId(v string) *CreateCustomKeyStoreInput {
	s.CloudHsmClusterId = &v
	return s
}
8369
// SetCustomKeyStoreName sets the CustomKeyStoreName field's value and returns
// the receiver so that setter calls can be chained.
func (s *CreateCustomKeyStoreInput) SetCustomKeyStoreName(v string) *CreateCustomKeyStoreInput {
	s.CustomKeyStoreName = &v
	return s
}
8375
// SetKeyStorePassword sets the KeyStorePassword field's value and returns the
// receiver so that setter calls can be chained.
//
// The password stays referenced by the input struct after this call, so keep
// the struct out of logs and long-lived caches. No length check happens here;
// Validate enforces only the 7-byte minimum.
func (s *CreateCustomKeyStoreInput) SetKeyStorePassword(v string) *CreateCustomKeyStoreInput {
	s.KeyStorePassword = &v
	return s
}
8381
// SetTrustAnchorCertificate sets the TrustAnchorCertificate field's value and
// returns the receiver so that setter calls can be chained. The string is
// stored as given; nothing here parses it as a certificate.
func (s *CreateCustomKeyStoreInput) SetTrustAnchorCertificate(v string) *CreateCustomKeyStoreInput {
	s.TrustAnchorCertificate = &v
	return s
}
8387
// CreateCustomKeyStoreOutput carries the identifier of a newly created custom
// key store (presumably the response shape of the CreateCustomKeyStore
// operation, going by its name).
type CreateCustomKeyStoreOutput struct {
	_ struct{} `type:"structure"`

	// A unique identifier for the new custom key store.
	CustomKeyStoreId *string `min:"1" type:"string"`
}
8394
// String returns the string representation produced by awsutil.Prettify.
func (s CreateCustomKeyStoreOutput) String() string {
	return awsutil.Prettify(s)
}
8399
// GoString returns the same text as String; it is what %#v formatting uses.
func (s CreateCustomKeyStoreOutput) GoString() string {
	return s.String()
}
8404
// SetCustomKeyStoreId sets the CustomKeyStoreId field's value and returns the
// receiver so that setter calls can be chained.
func (s *CreateCustomKeyStoreOutput) SetCustomKeyStoreId(v string) *CreateCustomKeyStoreOutput {
	s.CustomKeyStoreId = &v
	return s
}
8410
// CreateGrantInput carries the parameters of a CreateGrant request: the CMK,
// the grantee, the permitted operations and optional constraints.
//
// Validate in this file checks only that the required fields are set and
// that string fields meet their minimum length. It does not inspect the
// entries of Operations or the contents of Constraints.
type CreateGrantInput struct {
	_ struct{} `type:"structure"`

	// Specifies a grant constraint.
	//
	// AWS KMS supports the EncryptionContextEquals and EncryptionContextSubset
	// grant constraints. Each constraint value can include up to 8 encryption context
	// pairs. The encryption context value in each constraint cannot exceed 384
	// characters.
	//
	// These grant constraints allow a cryptographic operation (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations)
	// only when the encryption context in the request matches (EncryptionContextEquals)
	// or includes (EncryptionContextSubset) the encryption context specified in
	// this structure. For more information about encryption context, see Encryption
	// Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context)
	// in the AWS Key Management Service Developer Guide. For information about
	// grant constraints, see Using grant constraints (https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints)
	// in the AWS Key Management Service Developer Guide.
	//
	// The encryption context grant constraints are supported only on operations
	// that include an encryption context. You cannot use an encryption context
	// grant constraint for cryptographic operations with asymmetric CMKs or for
	// management operations, such as DescribeKey or RetireGrant.
	//
	// This field is optional, and Validate in this file does not check it.
	Constraints *GrantConstraints `type:"structure"`

	// A list of grant tokens.
	//
	// Use a grant token when your permission to call this operation comes from
	// a new grant that has not yet achieved eventual consistency. For more information,
	// see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
	// in the AWS Key Management Service Developer Guide.
	GrantTokens []*string `type:"list"`

	// The identity that gets the permissions specified in the grant.
	//
	// To specify the principal, use the Amazon Resource Name (ARN) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
	// of an AWS principal. Valid AWS principals include AWS accounts (root), IAM
	// users, IAM roles, federated users, and assumed role users. For examples of
	// the ARN syntax to use for specifying a principal, see AWS Identity and Access
	// Management (IAM) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam)
	// in the Example ARNs section of the AWS General Reference.
	//
	// GranteePrincipal is a required field
	GranteePrincipal *string `min:"1" type:"string" required:"true"`

	// Identifies the customer master key (CMK) for the grant. The grant gives principals
	// permission to use this CMK.
	//
	// Specify the key ID or key ARN of the CMK. To specify a CMK in a different
	// AWS account, you must use the key ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// A friendly name for the grant. Use this value to prevent the unintended creation
	// of duplicate grants when retrying this request.
	//
	// When this value is absent, all CreateGrant requests result in a new grant
	// with a unique GrantId even if all the supplied parameters are identical.
	// This can result in unintended duplicates when you retry the CreateGrant request.
	//
	// When this value is present, you can retry a CreateGrant request with identical
	// parameters; if the grant already exists, the original GrantId is returned
	// without creating a new grant. Note that the returned grant token is unique
	// with every CreateGrant request, even when a duplicate GrantId is returned.
	// All grant tokens for the same grant ID can be used interchangeably.
	Name *string `min:"1" type:"string"`

	// A list of operations that the grant permits.
	//
	// The operation must be supported on the CMK. For example, you cannot create
	// a grant for a symmetric CMK that allows the Sign operation, or a grant for
	// an asymmetric CMK that allows the GenerateDataKey operation. If you try,
	// AWS KMS returns a ValidationError exception. For details, see Grant operations
	// (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations)
	// in the AWS Key Management Service Developer Guide.
	//
	// Validate in this file only checks that the slice is non-nil; it does not
	// look at the individual entries. List only the operations the grantee
	// actually needs.
	//
	// Operations is a required field
	Operations []*string `type:"list" required:"true"`

	// The principal that is given permission to retire the grant by using the
	// RetireGrant operation.
	//
	// To specify the principal, use the Amazon Resource Name (ARN) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
	// of an AWS principal. Valid AWS principals include AWS accounts (root), IAM
	// users, federated users, and assumed role users. For examples of the ARN syntax
	// to use for specifying a principal, see AWS Identity and Access Management
	// (IAM) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam)
	// in the Example ARNs section of the AWS General Reference.
	RetiringPrincipal *string `min:"1" type:"string"`
}
8510
// String returns the string representation produced by awsutil.Prettify.
// No field of CreateGrantInput is tagged sensitive, so nothing in this file
// marks GrantTokens or the principals for masking in the output.
func (s CreateGrantInput) String() string {
	return awsutil.Prettify(s)
}
8515
// GoString returns the same text as String; it is what %#v formatting uses.
func (s CreateGrantInput) GoString() string {
	return s.String()
}
8520
// Validate checks that GranteePrincipal, KeyId and Operations are set and
// that the string fields meet their minimum length of 1.
//
// It returns a request.ErrInvalidParams value listing every problem found,
// or nil when all checks pass. Operations is only compared with nil, so an
// empty non-nil slice passes, and its entries are not inspected. Constraints
// and GrantTokens are not checked at all.
func (s *CreateGrantInput) Validate() error {
	invalidParams := request.ErrInvalidParams{Context: "CreateGrantInput"}

	// Required strings: either missing or present and possibly too short.
	switch {
	case s.GranteePrincipal == nil:
		invalidParams.Add(request.NewErrParamRequired("GranteePrincipal"))
	case len(*s.GranteePrincipal) < 1:
		invalidParams.Add(request.NewErrParamMinLen("GranteePrincipal", 1))
	}

	switch {
	case s.KeyId == nil:
		invalidParams.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	// Optional string: checked only when supplied.
	if name := s.Name; name != nil && len(*name) < 1 {
		invalidParams.Add(request.NewErrParamMinLen("Name", 1))
	}

	if s.Operations == nil {
		invalidParams.Add(request.NewErrParamRequired("Operations"))
	}

	if retiring := s.RetiringPrincipal; retiring != nil && len(*retiring) < 1 {
		invalidParams.Add(request.NewErrParamMinLen("RetiringPrincipal", 1))
	}

	if invalidParams.Len() == 0 {
		return nil
	}
	return invalidParams
}
8551
// SetConstraints sets the Constraints field's value and returns the receiver
// so that setter calls can be chained. The pointer is stored as given, so
// later changes to *v by the caller are visible through this input.
func (s *CreateGrantInput) SetConstraints(v *GrantConstraints) *CreateGrantInput {
	s.Constraints = v
	return s
}
8557
// SetGrantTokens sets the GrantTokens field's value and returns the receiver
// so that setter calls can be chained. The slice is stored without copying,
// so it shares its backing array with the caller's slice.
func (s *CreateGrantInput) SetGrantTokens(v []*string) *CreateGrantInput {
	s.GrantTokens = v
	return s
}
8563
// SetGranteePrincipal sets the GranteePrincipal field's value and returns the
// receiver so that setter calls can be chained. The string is stored as
// given; nothing here checks that it is a well-formed principal ARN.
func (s *CreateGrantInput) SetGranteePrincipal(v string) *CreateGrantInput {
	s.GranteePrincipal = &v
	return s
}
8569
// SetKeyId sets the KeyId field's value and returns the receiver so that
// setter calls can be chained.
func (s *CreateGrantInput) SetKeyId(v string) *CreateGrantInput {
	s.KeyId = &v
	return s
}
8575
// SetName sets the Name field's value and returns the receiver so that
// setter calls can be chained.
func (s *CreateGrantInput) SetName(v string) *CreateGrantInput {
	s.Name = &v
	return s
}
8581
// SetOperations sets the Operations field's value and returns the receiver
// so that setter calls can be chained. The slice is stored without copying
// and its entries are not checked here or in Validate, so the caller is
// responsible for passing only the operations the grantee should receive.
func (s *CreateGrantInput) SetOperations(v []*string) *CreateGrantInput {
	s.Operations = v
	return s
}
8587
// SetRetiringPrincipal sets the RetiringPrincipal field's value and returns
// the receiver so that setter calls can be chained. The string is stored as
// given; nothing here checks that it is a well-formed principal ARN.
func (s *CreateGrantInput) SetRetiringPrincipal(v string) *CreateGrantInput {
	s.RetiringPrincipal = &v
	return s
}
8593
// CreateGrantOutput carries the grant ID and grant token of a created grant
// (presumably the response shape of the CreateGrant operation, going by its
// name).
type CreateGrantOutput struct {
	_ struct{} `type:"structure"`

	// The unique identifier for the grant.
	//
	// You can use the GrantId in a ListGrants, RetireGrant, or RevokeGrant operation.
	GrantId *string `min:"1" type:"string"`

	// The grant token.
	//
	// Use a grant token when your permission to call this operation comes from
	// a new grant that has not yet achieved eventual consistency. For more information,
	// see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
	// in the AWS Key Management Service Developer Guide.
	GrantToken *string `min:"1" type:"string"`
}
8610
// String returns the string representation produced by awsutil.Prettify.
// GrantToken is not tagged sensitive, so nothing in this file marks it for
// masking in the output.
func (s CreateGrantOutput) String() string {
	return awsutil.Prettify(s)
}
8615
// GoString returns the same text as String; it is what %#v formatting uses.
func (s CreateGrantOutput) GoString() string {
	return s.String()
}
8620
// SetGrantId sets the GrantId field's value and returns the receiver so that
// setter calls can be chained.
func (s *CreateGrantOutput) SetGrantId(v string) *CreateGrantOutput {
	s.GrantId = &v
	return s
}
8626
// SetGrantToken sets the GrantToken field's value and returns the receiver
// so that setter calls can be chained.
func (s *CreateGrantOutput) SetGrantToken(v string) *CreateGrantOutput {
	s.GrantToken = &v
	return s
}
8632
// CreateKeyInput carries the parameters of a CreateKey request. Every field
// is optional.
//
// Validate in this file checks only the minimum length of CustomKeyStoreId
// and Policy and the nested Tags. The enum-tagged fields
// (CustomerMasterKeySpec, KeyUsage, Origin), the content of Policy and the
// BypassPolicyLockoutSafetyCheck flag are not checked there.
type CreateKeyInput struct {
	_ struct{} `type:"structure"`

	// A flag to indicate whether to bypass the key policy lockout safety check.
	//
	// Setting this value to true increases the risk that the CMK becomes unmanageable.
	// Do not set this value to true indiscriminately.
	//
	// For more information, refer to the scenario in the Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam)
	// section in the AWS Key Management Service Developer Guide.
	//
	// Use this parameter only when you include a policy in the request and you
	// intend to prevent the principal that is making the request from making a
	// subsequent PutKeyPolicy request on the CMK.
	//
	// The default value is false.
	BypassPolicyLockoutSafetyCheck *bool `type:"boolean"`

	// Creates the CMK in the specified custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
	// and the key material in its associated AWS CloudHSM cluster. To create a
	// CMK in a custom key store, you must also specify the Origin parameter with
	// a value of AWS_CLOUDHSM. The AWS CloudHSM cluster that is associated with
	// the custom key store must have at least two active HSMs, each in a different
	// Availability Zone in the Region.
	//
	// This parameter is valid only for symmetric CMKs and regional CMKs. You cannot
	// create an asymmetric CMK or a multi-Region CMK in a custom key store.
	//
	// To find the ID of a custom key store, use the DescribeCustomKeyStores operation.
	//
	// The response includes the custom key store ID and the ID of the AWS CloudHSM
	// cluster.
	//
	// This operation is part of the Custom Key Store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
	// in AWS KMS, which combines the convenience and extensive integration
	// of AWS KMS with the isolation and control of a single-tenant key store.
	CustomKeyStoreId *string `min:"1" type:"string"`

	// Specifies the type of CMK to create. The default value, SYMMETRIC_DEFAULT,
	// creates a CMK with a 256-bit symmetric key for encryption and decryption.
	// For help choosing a key spec for your CMK, see How to Choose Your CMK Configuration
	// (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose.html)
	// in the AWS Key Management Service Developer Guide.
	//
	// The CustomerMasterKeySpec determines whether the CMK contains a symmetric
	// key or an asymmetric key pair. It also determines the encryption algorithms
	// or signing algorithms that the CMK supports. You can't change the CustomerMasterKeySpec
	// after the CMK is created. To further restrict the algorithms that can be
	// used with the CMK, use a condition key in its key policy or IAM policy. For
	// more information, see kms:EncryptionAlgorithm (https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithm)
	// or kms:SigningAlgorithm (https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithm)
	// in the AWS Key Management Service Developer Guide.
	//
	// AWS services that are integrated with AWS KMS (http://aws.amazon.com/kms/features/#AWS_Service_Integration)
	// use symmetric CMKs to protect your data. These services do not support asymmetric
	// CMKs. For help determining whether a CMK is symmetric or asymmetric, see
	// Identifying Symmetric and Asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/find-symm-asymm.html)
	// in the AWS Key Management Service Developer Guide.
	//
	// AWS KMS supports the following key specs for CMKs:
	//
	//    * Symmetric key (default) SYMMETRIC_DEFAULT (AES-256-GCM)
	//
	//    * Asymmetric RSA key pairs RSA_2048 RSA_3072 RSA_4096
	//
	//    * Asymmetric NIST-recommended elliptic curve key pairs ECC_NIST_P256 (secp256r1)
	//    ECC_NIST_P384 (secp384r1) ECC_NIST_P521 (secp521r1)
	//
	//    * Other asymmetric elliptic curve key pairs ECC_SECG_P256K1 (secp256k1),
	//    commonly used for cryptocurrencies.
	CustomerMasterKeySpec *string `type:"string" enum:"CustomerMasterKeySpec"`

	// A description of the CMK.
	//
	// Use a description that helps you decide whether the CMK is appropriate for
	// a task. The default value is an empty string (no description).
	Description *string `type:"string"`

	// Determines the cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations)
	// for which you can use the CMK. The default value is ENCRYPT_DECRYPT. This
	// parameter is required only for asymmetric CMKs. You can't change the KeyUsage
	// value after the CMK is created.
	//
	// Select only one valid value.
	//
	//    * For symmetric CMKs, omit the parameter or specify ENCRYPT_DECRYPT.
	//
	//    * For asymmetric CMKs with RSA key material, specify ENCRYPT_DECRYPT or
	//    SIGN_VERIFY.
	//
	//    * For asymmetric CMKs with ECC key material, specify SIGN_VERIFY.
	KeyUsage *string `type:"string" enum:"KeyUsageType"`

	// Creates a multi-Region primary key that you can replicate into other AWS
	// Regions. You cannot change this value after you create the CMK.
	//
	// For a multi-Region key, set this parameter to True. For a single-Region CMK,
	// omit this parameter or set it to False. The default value is False.
	//
	// This operation supports multi-Region keys, an AWS KMS feature that lets you
	// create multiple interoperable CMKs in different AWS Regions. Because these
	// CMKs have the same key ID, key material, and other metadata, you can use
	// them to encrypt data in one AWS Region and decrypt it in a different AWS
	// Region without making a cross-Region call or exposing the plaintext data.
	// For more information about multi-Region keys, see Using multi-Region keys
	// (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html)
	// in the AWS Key Management Service Developer Guide.
	//
	// This value creates a primary key, not a replica. To create a replica key,
	// use the ReplicateKey operation.
	//
	// You can create a symmetric or asymmetric multi-Region CMK, and you can create
	// a multi-Region CMK with imported key material. However, you cannot create
	// a multi-Region CMK in a custom key store.
	MultiRegion *bool `type:"boolean"`

	// The source of the key material for the CMK. You cannot change the origin
	// after you create the CMK. The default is AWS_KMS, which means that AWS KMS
	// creates the key material.
	//
	// To create a CMK with no key material (for imported key material), set the
	// value to EXTERNAL. For more information about importing key material into
	// AWS KMS, see Importing Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html)
	// in the AWS Key Management Service Developer Guide. This value is valid only
	// for symmetric CMKs.
	//
	// To create a CMK in an AWS KMS custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
	// and create its key material in the associated AWS CloudHSM cluster, set this
	// value to AWS_CLOUDHSM. You must also use the CustomKeyStoreId parameter to
	// identify the custom key store. This value is valid only for symmetric CMKs.
	Origin *string `type:"string" enum:"OriginType"`

	// The key policy to attach to the CMK.
	//
	// If you provide a key policy, it must meet the following criteria:
	//
	//    * If you don't set BypassPolicyLockoutSafetyCheck to true, the key policy
	//    must allow the principal that is making the CreateKey request to make
	//    a subsequent PutKeyPolicy request on the CMK. This reduces the risk that
	//    the CMK becomes unmanageable. For more information, refer to the scenario
	//    in the Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam)
	//    section of the AWS Key Management Service Developer Guide.
	//
	//    * Each statement in the key policy must contain one or more principals.
	//    The principals in the key policy must exist and be visible to AWS KMS.
	//    When you create a new AWS principal (for example, an IAM user or role),
	//    you might need to enforce a delay before including the new principal in
	//    a key policy because the new principal might not be immediately visible
	//    to AWS KMS. For more information, see Changes that I make are not always
	//    immediately visible (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency)
	//    in the AWS Identity and Access Management User Guide.
	//
	// If you do not provide a key policy, AWS KMS attaches a default key policy
	// to the CMK. For more information, see Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default)
	// in the AWS Key Management Service Developer Guide.
	//
	// The key policy size quota is 32 kilobytes (32768 bytes).
	//
	// Validate in this file checks only that a supplied policy is non-empty;
	// the size quota and the policy content are not checked on the client.
	//
	// For help writing and formatting a JSON policy document, see the IAM JSON
	// Policy Reference (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html)
	// in the IAM User Guide.
	Policy *string `min:"1" type:"string"`

	// Assigns one or more tags to the CMK. Use this parameter to tag the CMK when
	// it is created. To tag an existing CMK, use the TagResource operation.
	//
	// Tagging or untagging a CMK can allow or deny permission to the CMK. For details,
	// see Using ABAC in AWS KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html)
	// in the AWS Key Management Service Developer Guide.
	//
	// To use this parameter, you must have kms:TagResource (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
	// permission in an IAM policy.
	//
	// Each tag consists of a tag key and a tag value. Both the tag key and the
	// tag value are required, but the tag value can be an empty (null) string.
	// You cannot have more than one tag on a CMK with the same tag key. If you
	// specify an existing tag key with a different tag value, AWS KMS replaces
	// the current tag value with the specified one.
	//
	// When you assign tags to an AWS resource, AWS generates a cost allocation
	// report with usage and costs aggregated by tags. Tags can also be used to
	// control access to a CMK. For details, see Tagging Keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html).
	Tags []*Tag `type:"list"`
}
8817
// String returns the string representation produced by awsutil.Prettify.
// No field of CreateKeyInput is tagged sensitive, so nothing in this file
// marks the Policy document for masking in the output.
func (s CreateKeyInput) String() string {
	return awsutil.Prettify(s)
}
8822
// GoString returns the same text as String; it is what %#v formatting uses.
func (s CreateKeyInput) GoString() string {
	return s.String()
}
8827
// Validate checks the minimum length of CustomKeyStoreId and Policy when they
// are set, and runs Validate on every non-nil entry of Tags.
//
// It returns a request.ErrInvalidParams value listing every problem found,
// or nil when nothing is wrong. Only the shape of the input is checked: the
// content of the Policy document, the enum-tagged fields and the
// BypassPolicyLockoutSafetyCheck flag are not examined here.
func (s *CreateKeyInput) Validate() error {
	invalidParams := request.ErrInvalidParams{Context: "CreateKeyInput"}

	if id := s.CustomKeyStoreId; id != nil && len(*id) < 1 {
		invalidParams.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1))
	}
	if policy := s.Policy; policy != nil && len(*policy) < 1 {
		invalidParams.Add(request.NewErrParamMinLen("Policy", 1))
	}

	// Ranging over a nil slice runs zero iterations, so no nil guard is needed.
	for i, tag := range s.Tags {
		if tag == nil {
			continue
		}
		err := tag.Validate()
		if err == nil {
			continue
		}
		// NOTE(review): the unchecked assertion panics if Tag.Validate ever
		// returns an error that is not a request.ErrInvalidParams; confirm
		// against Tag.Validate.
		invalidParams.AddNested(fmt.Sprintf("%s[%v]", "Tags", i), err.(request.ErrInvalidParams))
	}

	if invalidParams.Len() == 0 {
		return nil
	}
	return invalidParams
}
8853
// SetBypassPolicyLockoutSafetyCheck sets the BypassPolicyLockoutSafetyCheck
// field's value and returns the receiver so that setter calls can be chained.
//
// Per the field's documentation, passing true increases the risk that the CMK
// becomes unmanageable. Nothing in this setter or in Validate guards that
// choice, so call sites passing true deserve review.
func (s *CreateKeyInput) SetBypassPolicyLockoutSafetyCheck(v bool) *CreateKeyInput {
	s.BypassPolicyLockoutSafetyCheck = &v
	return s
}
8859
// SetCustomKeyStoreId sets the CustomKeyStoreId field's value and returns the
// receiver so that setter calls can be chained.
func (s *CreateKeyInput) SetCustomKeyStoreId(v string) *CreateKeyInput {
	s.CustomKeyStoreId = &v
	return s
}
8865
// SetCustomerMasterKeySpec sets the CustomerMasterKeySpec field's value and
// returns the receiver so that setter calls can be chained. The string is
// stored as given; it is not compared with the enum values here.
func (s *CreateKeyInput) SetCustomerMasterKeySpec(v string) *CreateKeyInput {
	s.CustomerMasterKeySpec = &v
	return s
}
8871
// SetDescription sets the Description field's value and returns the receiver
// so that setter calls can be chained.
func (s *CreateKeyInput) SetDescription(v string) *CreateKeyInput {
	s.Description = &v
	return s
}
8877
// SetKeyUsage sets the KeyUsage field's value and returns the receiver so
// that setter calls can be chained. The string is stored as given; it is not
// compared with the enum values here.
func (s *CreateKeyInput) SetKeyUsage(v string) *CreateKeyInput {
	s.KeyUsage = &v
	return s
}
8883
// SetMultiRegion sets the MultiRegion field's value and returns the receiver
// so that setter calls can be chained.
func (s *CreateKeyInput) SetMultiRegion(v bool) *CreateKeyInput {
	s.MultiRegion = &v
	return s
}
8889
// SetOrigin sets the Origin field's value and returns the receiver so that
// setter calls can be chained. The string is stored as given; it is not
// compared with the enum values here.
func (s *CreateKeyInput) SetOrigin(v string) *CreateKeyInput {
	s.Origin = &v
	return s
}
8895
// SetPolicy sets the Policy field's value and returns the receiver so that
// setter calls can be chained. The policy document is stored as an opaque
// string: it is not parsed here, and Validate checks only that it is
// non-empty.
func (s *CreateKeyInput) SetPolicy(v string) *CreateKeyInput {
	s.Policy = &v
	return s
}
8901
// SetTags sets the Tags field's value and returns the receiver so that setter
// calls can be chained. The slice is stored without copying, so it shares its
// backing array and its *Tag elements with the caller's slice.
func (s *CreateKeyInput) SetTags(v []*Tag) *CreateKeyInput {
	s.Tags = v
	return s
}
8907
// CreateKeyOutput carries the metadata of a CMK (presumably the response
// shape of the CreateKey operation, going by its name).
type CreateKeyOutput struct {
	_ struct{} `type:"structure"`

	// Metadata associated with the CMK.
	KeyMetadata *KeyMetadata `type:"structure"`
}
8914
// String returns the string representation produced by awsutil.Prettify.
func (s CreateKeyOutput) String() string {
	return awsutil.Prettify(s)
}
8919
// GoString returns the same text as String; it is what %#v formatting uses.
func (s CreateKeyOutput) GoString() string {
	return s.String()
}
8924
// SetKeyMetadata sets the KeyMetadata field's value and returns the receiver
// so that setter calls can be chained. The pointer is stored as given, so the
// output shares the KeyMetadata value with the caller.
func (s *CreateKeyOutput) SetKeyMetadata(v *KeyMetadata) *CreateKeyOutput {
	s.KeyMetadata = v
	return s
}
8930
// CustomKeyStoreHasCMKsException reports that the request was rejected
// because the custom key store contains AWS KMS customer master keys (CMKs).
// After verifying that you do not need to use the CMKs, use the
// ScheduleKeyDeletion operation to delete the CMKs. After they are deleted,
// you can delete the custom key store.
type CustomKeyStoreHasCMKsException struct {
	_            struct{}                  `type:"structure"`
	// RespMetadata holds the response metadata read by StatusCode and
	// RequestID; its tags exclude it from JSON and XML encoding.
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	// Message_ is the "message" member of the error; Message returns it, or
	// the empty string when it is nil.
	Message_ *string `locationName:"message" type:"string"`
}
8941
// String returns the string representation produced by awsutil.Prettify.
func (s CustomKeyStoreHasCMKsException) String() string {
	return awsutil.Prettify(s)
}
8946
// GoString returns the same text as String; it is what %#v formatting uses.
func (s CustomKeyStoreHasCMKsException) GoString() string {
	return s.String()
}
8951
// newErrorCustomKeyStoreHasCMKsException builds a
// *CustomKeyStoreHasCMKsException that carries the given response metadata.
// The message field is left unset.
func newErrorCustomKeyStoreHasCMKsException(v protocol.ResponseMetadata) error {
	exc := new(CustomKeyStoreHasCMKsException)
	exc.RespMetadata = v
	return exc
}
8957
// Code returns the exception type name, the fixed string
// "CustomKeyStoreHasCMKsException".
func (s *CustomKeyStoreHasCMKsException) Code() string {
	return "CustomKeyStoreHasCMKsException"
}
8962
// Message returns the exception's message, or the empty string when no
// message was set.
func (s *CustomKeyStoreHasCMKsException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}
8970
// OrigErr always returns nil; it exists to satisfy the awserr.Error
// interface.
func (s *CustomKeyStoreHasCMKsException) OrigErr() error {
	return nil
}
8975
// Error returns the exception code and message joined as "code: message".
func (s *CustomKeyStoreHasCMKsException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}
8979
// StatusCode returns the HTTP status code for the request's response error,
// read from the stored response metadata.
func (s *CustomKeyStoreHasCMKsException) StatusCode() int {
	return s.RespMetadata.StatusCode
}
8984
// RequestID returns the service's response RequestID for the request, read
// from the stored response metadata.
func (s *CustomKeyStoreHasCMKsException) RequestID() string {
	return s.RespMetadata.RequestID
}
8989
// CustomKeyStoreInvalidStateException reports that the request was rejected
// because of the ConnectionState of the custom key store. To get the
// ConnectionState of a custom key store, use the DescribeCustomKeyStores
// operation.
//
// This exception is thrown under the following conditions:
//
//    * You requested the CreateKey or GenerateRandom operation in a custom
//    key store that is not connected. These operations are valid only when
//    the custom key store ConnectionState is CONNECTED.
//
//    * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation
//    on a custom key store that is not disconnected. This operation is valid
//    only when the custom key store ConnectionState is DISCONNECTED.
//
//    * You requested the ConnectCustomKeyStore operation on a custom key store
//    with a ConnectionState of DISCONNECTING or FAILED. This operation is valid
//    for all other ConnectionState values.
type CustomKeyStoreInvalidStateException struct {
	_            struct{}                  `type:"structure"`
	// RespMetadata holds the response metadata read by StatusCode and
	// RequestID; its tags exclude it from JSON and XML encoding.
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	// Message_ is the "message" member of the error; Message returns it, or
	// the empty string when it is nil.
	Message_ *string `locationName:"message" type:"string"`
}
9013
// String returns the string representation produced by awsutil.Prettify.
func (s CustomKeyStoreInvalidStateException) String() string {
	return awsutil.Prettify(s)
}
9018
// GoString returns the same text as String; it is what %#v formatting uses.
func (s CustomKeyStoreInvalidStateException) GoString() string {
	return s.String()
}
9023
// newErrorCustomKeyStoreInvalidStateException builds a
// *CustomKeyStoreInvalidStateException that carries the given response
// metadata. The message field is left unset.
func newErrorCustomKeyStoreInvalidStateException(v protocol.ResponseMetadata) error {
	exc := new(CustomKeyStoreInvalidStateException)
	exc.RespMetadata = v
	return exc
}
9029
// Code returns the exception type name, the fixed string
// "CustomKeyStoreInvalidStateException".
func (s *CustomKeyStoreInvalidStateException) Code() string {
	return "CustomKeyStoreInvalidStateException"
}
9034
// Message returns the exception's message, or the empty string when no
// message was set.
func (s *CustomKeyStoreInvalidStateException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}
9042
// OrigErr always returns nil; it exists to satisfy the awserr.Error
// interface.
func (s *CustomKeyStoreInvalidStateException) OrigErr() error {
	return nil
}
9047
// Error returns the exception code and message joined as "code: message".
func (s *CustomKeyStoreInvalidStateException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}
9051
// StatusCode returns the HTTP status code for the request's response error,
// read from the stored response metadata.
func (s *CustomKeyStoreInvalidStateException) StatusCode() int {
	return s.RespMetadata.StatusCode
}
9056
// RequestID returns the service's response RequestID for the request, read
// from the stored response metadata.
func (s *CustomKeyStoreInvalidStateException) RequestID() string {
	return s.RespMetadata.RequestID
}
9061
// CustomKeyStoreNameInUseException reports that the request was rejected
// because the specified custom key store name is already assigned to another
// custom key store in the account. Try again with a custom key store name that
// is unique in the account.
type CustomKeyStoreNameInUseException struct {
	// RespMetadata is filled in by newErrorCustomKeyStoreNameInUseException;
	// its json:"-" and xml:"-" tags keep it out of those encodings.
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	// Message_ is the optional message text (tagged locationName:"message").
	// Message returns "" when it is nil.
	Message_ *string `locationName:"message" type:"string"`
}
9071
// String returns the text that awsutil.Prettify produces for a copy of the
// receiver.
func (s CustomKeyStoreNameInUseException) String() string {
	rendered := awsutil.Prettify(s)
	return rendered
}
9076
// GoString returns the same text as String; fmt calls it for the %#v verb.
func (s CustomKeyStoreNameInUseException) GoString() string {
	text := s.String()
	return text
}
9081
// newErrorCustomKeyStoreNameInUseException returns, as an error, a pointer to
// a CustomKeyStoreNameInUseException that carries the response metadata v.
// The message field is left unset.
func newErrorCustomKeyStoreNameInUseException(v protocol.ResponseMetadata) error {
	exc := &CustomKeyStoreNameInUseException{}
	exc.RespMetadata = v
	return exc
}
9087
// Code returns the fixed exception type name for this error.
func (s *CustomKeyStoreNameInUseException) Code() string {
	const name = "CustomKeyStoreNameInUseException"
	return name
}
9092
// Message returns the text that Message_ points to, or the empty string when
// Message_ is nil.
func (s *CustomKeyStoreNameInUseException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}
9100
// OrigErr always returns nil. It exists so the type satisfies the
// awserr.Error interface.
func (s *CustomKeyStoreNameInUseException) OrigErr() error {
	var cause error
	return cause
}
9105
// Error returns the exception formatted as "<code>: <message>", using the
// values of Code and Message.
func (s *CustomKeyStoreNameInUseException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}
9109
// StatusCode returns the HTTP status code stored in the response metadata.
func (s *CustomKeyStoreNameInUseException) StatusCode() int {
	meta := s.RespMetadata
	return meta.StatusCode
}
9114
// RequestID returns the request ID stored in the response metadata.
func (s *CustomKeyStoreNameInUseException) RequestID() string {
	meta := s.RespMetadata
	return meta.RequestID
}
9119
// CustomKeyStoreNotFoundException reports that the request was rejected
// because AWS KMS cannot find a custom key store with the specified key store
// name or ID.
type CustomKeyStoreNotFoundException struct {
	// RespMetadata is filled in by newErrorCustomKeyStoreNotFoundException;
	// its json:"-" and xml:"-" tags keep it out of those encodings.
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	// Message_ is the optional message text (tagged locationName:"message").
	// Message returns "" when it is nil.
	Message_ *string `locationName:"message" type:"string"`
}
9128
// String returns the text that awsutil.Prettify produces for a copy of the
// receiver.
func (s CustomKeyStoreNotFoundException) String() string {
	rendered := awsutil.Prettify(s)
	return rendered
}
9133
// GoString returns the same text as String; fmt calls it for the %#v verb.
func (s CustomKeyStoreNotFoundException) GoString() string {
	text := s.String()
	return text
}
9138
// newErrorCustomKeyStoreNotFoundException returns, as an error, a pointer to a
// CustomKeyStoreNotFoundException that carries the response metadata v. The
// message field is left unset.
func newErrorCustomKeyStoreNotFoundException(v protocol.ResponseMetadata) error {
	exc := &CustomKeyStoreNotFoundException{}
	exc.RespMetadata = v
	return exc
}
9144
// Code returns the fixed exception type name for this error.
func (s *CustomKeyStoreNotFoundException) Code() string {
	const name = "CustomKeyStoreNotFoundException"
	return name
}
9149
// Message returns the text that Message_ points to, or the empty string when
// Message_ is nil.
func (s *CustomKeyStoreNotFoundException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}
9157
// OrigErr always returns nil. It exists so the type satisfies the
// awserr.Error interface.
func (s *CustomKeyStoreNotFoundException) OrigErr() error {
	var cause error
	return cause
}
9162
// Error returns the exception formatted as "<code>: <message>", using the
// values of Code and Message.
func (s *CustomKeyStoreNotFoundException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}
9166
// StatusCode returns the HTTP status code stored in the response metadata.
func (s *CustomKeyStoreNotFoundException) StatusCode() int {
	meta := s.RespMetadata
	return meta.StatusCode
}
9171
// RequestID returns the request ID stored in the response metadata.
func (s *CustomKeyStoreNotFoundException) RequestID() string {
	meta := s.RespMetadata
	return meta.RequestID
}
9176
// CustomKeyStoresListEntry contains information about each custom key store
// in the custom key store list.
type CustomKeyStoresListEntry struct {
	_ struct{} `type:"structure"`

	// A unique identifier for the AWS CloudHSM cluster that is associated with
	// the custom key store.
	CloudHsmClusterId *string `min:"19" type:"string"`

	// Describes the connection error. This field appears in the response only when
	// the ConnectionState is FAILED. For help resolving these errors, see How to
	// Fix a Connection Failure (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failed)
	// in the AWS Key Management Service Developer Guide.
	//
	// Valid values are:
	//
	//    * CLUSTER_NOT_FOUND - AWS KMS cannot find the AWS CloudHSM cluster with
	//    the specified cluster ID.
	//
	//    * INSUFFICIENT_CLOUDHSM_HSMS - The associated AWS CloudHSM cluster does
	//    not contain any active HSMs. To connect a custom key store to its AWS
	//    CloudHSM cluster, the cluster must contain at least one active HSM.
	//
	//    * INTERNAL_ERROR - AWS KMS could not complete the request due to an internal
	//    error. Retry the request. For ConnectCustomKeyStore requests, disconnect
	//    the custom key store before trying to connect again.
	//
	//    * INVALID_CREDENTIALS - AWS KMS does not have the correct password for
	//    the kmsuser crypto user in the AWS CloudHSM cluster. Before you can connect
	//    your custom key store to its AWS CloudHSM cluster, you must change the
	//    kmsuser account password and update the key store password value for the
	//    custom key store.
	//
	//    * NETWORK_ERRORS - Network errors are preventing AWS KMS from connecting
	//    to the custom key store.
	//
	//    * SUBNET_NOT_FOUND - A subnet in the AWS CloudHSM cluster configuration
	//    was deleted. If AWS KMS cannot find all of the subnets in the cluster
	//    configuration, attempts to connect the custom key store to the AWS CloudHSM
	//    cluster fail. To fix this error, create a cluster from a recent backup
	//    and associate it with your custom key store. (This process creates a new
	//    cluster configuration with a VPC and private subnets.) For details, see
	//    How to Fix a Connection Failure (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failed)
	//    in the AWS Key Management Service Developer Guide.
	//
	//    * USER_LOCKED_OUT - The kmsuser CU account is locked out of the associated
	//    AWS CloudHSM cluster due to too many failed password attempts. Before
	//    you can connect your custom key store to its AWS CloudHSM cluster, you
	//    must change the kmsuser account password and update the key store password
	//    value for the custom key store.
	//
	//    * USER_LOGGED_IN - The kmsuser CU account is logged into the associated
	//    AWS CloudHSM cluster. This prevents AWS KMS from rotating the kmsuser
	//    account password and logging into the cluster. Before you can connect
	//    your custom key store to its AWS CloudHSM cluster, you must log the kmsuser
	//    CU out of the cluster. If you changed the kmsuser password to log into
	//    the cluster, you must also update the key store password value for
	//    the custom key store. For help, see How to Log Out and Reconnect (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#login-kmsuser-2)
	//    in the AWS Key Management Service Developer Guide.
	//
	//    * USER_NOT_FOUND - AWS KMS cannot find a kmsuser CU account in the associated
	//    AWS CloudHSM cluster. Before you can connect your custom key store to
	//    its AWS CloudHSM cluster, you must create a kmsuser CU account in the
	//    cluster, and then update the key store password value for the custom key
	//    store.
	ConnectionErrorCode *string `type:"string" enum:"ConnectionErrorCodeType"`

	// Indicates whether the custom key store is connected to its AWS CloudHSM cluster.
	//
	// You can create and use CMKs in a custom key store only when its connection
	// state is CONNECTED.
	//
	// The value is DISCONNECTED if the key store has never been connected or you
	// use the DisconnectCustomKeyStore operation to disconnect it. If the value
	// is CONNECTED but you are having trouble using the custom key store, make
	// sure that its associated AWS CloudHSM cluster is active and contains at least
	// one active HSM.
	//
	// A value of FAILED indicates that an attempt to connect was unsuccessful.
	// The ConnectionErrorCode field in the response indicates the cause of the
	// failure. For help resolving a connection failure, see Troubleshooting a Custom
	// Key Store (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html)
	// in the AWS Key Management Service Developer Guide.
	ConnectionState *string `type:"string" enum:"ConnectionStateType"`

	// The date and time when the custom key store was created.
	CreationDate *time.Time `type:"timestamp"`

	// A unique identifier for the custom key store.
	CustomKeyStoreId *string `min:"1" type:"string"`

	// The user-specified friendly name for the custom key store.
	CustomKeyStoreName *string `min:"1" type:"string"`

	// The trust anchor certificate of the associated AWS CloudHSM cluster. When
	// you initialize the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr),
	// you create this certificate and save it in the customerCA.crt file.
	TrustAnchorCertificate *string `min:"1" type:"string"`
}
9276
// String returns the text that awsutil.Prettify produces for a copy of the
// receiver.
func (s CustomKeyStoresListEntry) String() string {
	rendered := awsutil.Prettify(s)
	return rendered
}
9281
// GoString returns the same text as String; fmt calls it for the %#v verb.
func (s CustomKeyStoresListEntry) GoString() string {
	text := s.String()
	return text
}
9286
// SetCloudHsmClusterId points the CloudHsmClusterId field at a copy of v and
// returns the receiver so that calls can be chained.
func (s *CustomKeyStoresListEntry) SetCloudHsmClusterId(v string) *CustomKeyStoresListEntry {
	clusterID := v
	s.CloudHsmClusterId = &clusterID
	return s
}
9292
// SetConnectionErrorCode points the ConnectionErrorCode field at a copy of v
// and returns the receiver so that calls can be chained.
func (s *CustomKeyStoresListEntry) SetConnectionErrorCode(v string) *CustomKeyStoresListEntry {
	code := v
	s.ConnectionErrorCode = &code
	return s
}
9298
// SetConnectionState points the ConnectionState field at a copy of v and
// returns the receiver so that calls can be chained.
func (s *CustomKeyStoresListEntry) SetConnectionState(v string) *CustomKeyStoresListEntry {
	state := v
	s.ConnectionState = &state
	return s
}
9304
// SetCreationDate points the CreationDate field at a copy of v and returns
// the receiver so that calls can be chained.
func (s *CustomKeyStoresListEntry) SetCreationDate(v time.Time) *CustomKeyStoresListEntry {
	created := v
	s.CreationDate = &created
	return s
}
9310
// SetCustomKeyStoreId points the CustomKeyStoreId field at a copy of v and
// returns the receiver so that calls can be chained.
func (s *CustomKeyStoresListEntry) SetCustomKeyStoreId(v string) *CustomKeyStoresListEntry {
	storeID := v
	s.CustomKeyStoreId = &storeID
	return s
}
9316
// SetCustomKeyStoreName points the CustomKeyStoreName field at a copy of v
// and returns the receiver so that calls can be chained.
func (s *CustomKeyStoresListEntry) SetCustomKeyStoreName(v string) *CustomKeyStoresListEntry {
	storeName := v
	s.CustomKeyStoreName = &storeName
	return s
}
9322
// SetTrustAnchorCertificate points the TrustAnchorCertificate field at a copy
// of v and returns the receiver so that calls can be chained.
func (s *CustomKeyStoresListEntry) SetTrustAnchorCertificate(v string) *CustomKeyStoresListEntry {
	cert := v
	s.TrustAnchorCertificate = &cert
	return s
}
9328
// DecryptInput carries the input fields for the Decrypt operation.
// CiphertextBlob is the only field tagged required; Validate enforces that
// tag and the min:"1" length tags.
type DecryptInput struct {
	_ struct{} `type:"structure"`

	// Ciphertext to be decrypted. The blob includes metadata.
	//
	// CiphertextBlob is automatically base64 encoded/decoded by the SDK.
	//
	// CiphertextBlob is a required field
	CiphertextBlob []byte `min:"1" type:"blob" required:"true"`

	// Specifies the encryption algorithm that will be used to decrypt the ciphertext.
	// Specify the same algorithm that was used to encrypt the data. If you specify
	// a different algorithm, the Decrypt operation fails.
	//
	// This parameter is required only when the ciphertext was encrypted under an
	// asymmetric CMK. The default value, SYMMETRIC_DEFAULT, represents the only
	// supported algorithm that is valid for symmetric CMKs.
	EncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"`

	// Specifies the encryption context to use when decrypting the data. An encryption
	// context is valid only for cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations)
	// with a symmetric CMK. The standard asymmetric encryption algorithms that
	// AWS KMS uses do not support an encryption context.
	//
	// An encryption context is a collection of non-secret key-value pairs that
	// represents additional authenticated data. When you use an encryption context
	// to encrypt data, you must specify the same (an exact case-sensitive match)
	// encryption context to decrypt the data. An encryption context is optional
	// when encrypting with a symmetric CMK, but it is highly recommended.
	//
	// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context)
	// in the AWS Key Management Service Developer Guide.
	EncryptionContext map[string]*string `type:"map"`

	// A list of grant tokens.
	//
	// Use a grant token when your permission to call this operation comes from
	// a new grant that has not yet achieved eventual consistency. For more information,
	// see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
	// in the AWS Key Management Service Developer Guide.
	GrantTokens []*string `type:"list"`

	// Specifies the customer master key (CMK) that AWS KMS uses to decrypt the
	// ciphertext. Enter a key ID of the CMK that was used to encrypt the ciphertext.
	//
	// This parameter is required only when the ciphertext was encrypted under an
	// asymmetric CMK. If you used a symmetric CMK, AWS KMS can get the CMK from
	// metadata that it adds to the symmetric ciphertext blob. However, specifying
	// the CMK is always recommended as a best practice. This practice ensures
	// that you use the CMK that you intend.
	//
	// NOTE(review): when KeyId is omitted, the CMK is taken from metadata inside
	// the supplied ciphertext blob, so callers that expect one specific CMK
	// should set KeyId.
	//
	// To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When
	// using an alias name, prefix it with "alias/". To specify a CMK in a different
	// AWS account, you must use the key ARN or alias ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Alias name: alias/ExampleAlias
	//
	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To
	// get the alias name and alias ARN, use ListAliases.
	KeyId *string `min:"1" type:"string"`
}
9400
// String returns the text that awsutil.Prettify produces for a copy of the
// receiver.
func (s DecryptInput) String() string {
	rendered := awsutil.Prettify(s)
	return rendered
}
9405
// GoString returns the same text as String; fmt calls it for the %#v verb.
func (s DecryptInput) GoString() string {
	text := s.String()
	return text
}
9410
// Validate checks that CiphertextBlob is present and at least one byte long,
// and that KeyId, when set, is at least one character long. It returns the
// collected request.ErrInvalidParams when any check fails and nil otherwise.
// Only presence and minimum length are checked here; no other field is
// inspected.
func (s *DecryptInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "DecryptInput"}

	// A nil blob is reported as missing; a non-nil but empty one as too short.
	switch {
	case s.CiphertextBlob == nil:
		errs.Add(request.NewErrParamRequired("CiphertextBlob"))
	case len(s.CiphertextBlob) < 1:
		errs.Add(request.NewErrParamMinLen("CiphertextBlob", 1))
	}
	if id := s.KeyId; id != nil && len(*id) < 1 {
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if errs.Len() > 0 {
		return errs
	}
	return nil
}
9429
// SetCiphertextBlob stores v in the CiphertextBlob field and returns the
// receiver so that calls can be chained. The slice is stored as given, not
// copied, so it shares its backing array with the caller's slice.
func (s *DecryptInput) SetCiphertextBlob(v []byte) *DecryptInput {
	blob := v
	s.CiphertextBlob = blob
	return s
}
9435
// SetEncryptionAlgorithm points the EncryptionAlgorithm field at a copy of v
// and returns the receiver so that calls can be chained.
func (s *DecryptInput) SetEncryptionAlgorithm(v string) *DecryptInput {
	alg := v
	s.EncryptionAlgorithm = &alg
	return s
}
9441
// SetEncryptionContext stores v in the EncryptionContext field and returns
// the receiver so that calls can be chained. The map is stored as given, not
// copied, so later changes made through the caller's map are visible here.
func (s *DecryptInput) SetEncryptionContext(v map[string]*string) *DecryptInput {
	encCtx := v
	s.EncryptionContext = encCtx
	return s
}
9447
// SetGrantTokens stores v in the GrantTokens field and returns the receiver
// so that calls can be chained. The slice is stored as given, not copied.
func (s *DecryptInput) SetGrantTokens(v []*string) *DecryptInput {
	tokens := v
	s.GrantTokens = tokens
	return s
}
9453
// SetKeyId points the KeyId field at a copy of v and returns the receiver so
// that calls can be chained.
func (s *DecryptInput) SetKeyId(v string) *DecryptInput {
	keyID := v
	s.KeyId = &keyID
	return s
}
9459
// DecryptOutput holds the result fields of a decryption: the algorithm and
// CMK that were used, and the decrypted plaintext.
type DecryptOutput struct {
	_ struct{} `type:"structure"`

	// The encryption algorithm that was used to decrypt the ciphertext.
	EncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"`

	// The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN))
	// of the CMK that was used to decrypt the ciphertext.
	KeyId *string `min:"1" type:"string"`

	// Decrypted plaintext data. When you use the HTTP API or the AWS CLI, the value
	// is Base64-encoded. Otherwise, it is not Base64-encoded.
	//
	// Plaintext is automatically base64 encoded/decoded by the SDK.
	//
	// NOTE(review): this field is tagged sensitive:"true". Keep it out of logs,
	// and confirm that the String/GoString output (built by awsutil.Prettify)
	// redacts it before printing a DecryptOutput.
	Plaintext []byte `min:"1" type:"blob" sensitive:"true"`
}
9476
// String returns the text that awsutil.Prettify produces for a copy of the
// receiver.
//
// NOTE(review): the Plaintext field is tagged sensitive:"true"; whether
// Prettify redacts such fields is not visible here. Confirm before logging
// this value.
func (s DecryptOutput) String() string {
	rendered := awsutil.Prettify(s)
	return rendered
}
9481
// GoString returns the same text as String; fmt calls it for the %#v verb.
func (s DecryptOutput) GoString() string {
	text := s.String()
	return text
}
9486
// SetEncryptionAlgorithm points the EncryptionAlgorithm field at a copy of v
// and returns the receiver so that calls can be chained.
func (s *DecryptOutput) SetEncryptionAlgorithm(v string) *DecryptOutput {
	alg := v
	s.EncryptionAlgorithm = &alg
	return s
}
9492
// SetKeyId points the KeyId field at a copy of v and returns the receiver so
// that calls can be chained.
func (s *DecryptOutput) SetKeyId(v string) *DecryptOutput {
	keyID := v
	s.KeyId = &keyID
	return s
}
9498
// SetPlaintext stores v in the Plaintext field and returns the receiver so
// that calls can be chained. The slice is stored as given, not copied, so the
// plaintext bytes stay shared with the caller's slice.
func (s *DecryptOutput) SetPlaintext(v []byte) *DecryptOutput {
	plain := v
	s.Plaintext = plain
	return s
}
9504
// DeleteAliasInput names the alias to be deleted. AliasName is tagged
// required; Validate enforces that tag and the min:"1" length tag.
type DeleteAliasInput struct {
	_ struct{} `type:"structure"`

	// The alias to be deleted. The alias name must begin with alias/ followed by
	// the alias name, such as alias/ExampleAlias.
	//
	// AliasName is a required field
	AliasName *string `min:"1" type:"string" required:"true"`
}
9514
// String returns the text that awsutil.Prettify produces for a copy of the
// receiver.
func (s DeleteAliasInput) String() string {
	rendered := awsutil.Prettify(s)
	return rendered
}
9519
// GoString returns the same text as String; fmt calls it for the %#v verb.
func (s DeleteAliasInput) GoString() string {
	text := s.String()
	return text
}
9524
// Validate checks that AliasName is set and at least one character long. It
// returns the collected request.ErrInvalidParams when a check fails and nil
// otherwise. The "alias/" prefix described on the field is not checked here.
func (s *DeleteAliasInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "DeleteAliasInput"}

	// A nil name is reported as missing; an empty one as too short.
	switch {
	case s.AliasName == nil:
		errs.Add(request.NewErrParamRequired("AliasName"))
	case len(*s.AliasName) < 1:
		errs.Add(request.NewErrParamMinLen("AliasName", 1))
	}

	if errs.Len() > 0 {
		return errs
	}
	return nil
}
9540
// SetAliasName points the AliasName field at a copy of v and returns the
// receiver so that calls can be chained.
func (s *DeleteAliasInput) SetAliasName(v string) *DeleteAliasInput {
	alias := v
	s.AliasName = &alias
	return s
}
9546
// DeleteAliasOutput declares no data fields; presumably it is the (empty)
// response shape of the DeleteAlias operation.
type DeleteAliasOutput struct {
	_ struct{} `type:"structure"`
}
9550
// String returns the text that awsutil.Prettify produces for a copy of the
// receiver.
func (s DeleteAliasOutput) String() string {
	rendered := awsutil.Prettify(s)
	return rendered
}
9555
// GoString returns the same text as String; fmt calls it for the %#v verb.
func (s DeleteAliasOutput) GoString() string {
	text := s.String()
	return text
}
9560
// DeleteCustomKeyStoreInput identifies the custom key store to delete.
// CustomKeyStoreId is tagged required; Validate enforces that tag and the
// min:"1" length tag.
type DeleteCustomKeyStoreInput struct {
	_ struct{} `type:"structure"`

	// Enter the ID of the custom key store you want to delete. To find the ID of
	// a custom key store, use the DescribeCustomKeyStores operation.
	//
	// CustomKeyStoreId is a required field
	CustomKeyStoreId *string `min:"1" type:"string" required:"true"`
}
9570
// String returns the text that awsutil.Prettify produces for a copy of the
// receiver.
func (s DeleteCustomKeyStoreInput) String() string {
	rendered := awsutil.Prettify(s)
	return rendered
}
9575
// GoString returns the same text as String; fmt calls it for the %#v verb.
func (s DeleteCustomKeyStoreInput) GoString() string {
	text := s.String()
	return text
}
9580
// Validate checks that CustomKeyStoreId is set and at least one character
// long. It returns the collected request.ErrInvalidParams when a check fails
// and nil otherwise.
func (s *DeleteCustomKeyStoreInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "DeleteCustomKeyStoreInput"}

	// A nil ID is reported as missing; an empty one as too short.
	switch {
	case s.CustomKeyStoreId == nil:
		errs.Add(request.NewErrParamRequired("CustomKeyStoreId"))
	case len(*s.CustomKeyStoreId) < 1:
		errs.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1))
	}

	if errs.Len() > 0 {
		return errs
	}
	return nil
}
9596
// SetCustomKeyStoreId points the CustomKeyStoreId field at a copy of v and
// returns the receiver so that calls can be chained.
func (s *DeleteCustomKeyStoreInput) SetCustomKeyStoreId(v string) *DeleteCustomKeyStoreInput {
	storeID := v
	s.CustomKeyStoreId = &storeID
	return s
}
9602
// DeleteCustomKeyStoreOutput declares no data fields; presumably it is the
// (empty) response shape of the DeleteCustomKeyStore operation.
type DeleteCustomKeyStoreOutput struct {
	_ struct{} `type:"structure"`
}
9606
// String returns the text that awsutil.Prettify produces for a copy of the
// receiver.
func (s DeleteCustomKeyStoreOutput) String() string {
	rendered := awsutil.Prettify(s)
	return rendered
}
9611
// GoString returns the same text as String; fmt calls it for the %#v verb.
func (s DeleteCustomKeyStoreOutput) GoString() string {
	text := s.String()
	return text
}
9616
// DeleteImportedKeyMaterialInput identifies the CMK whose imported key
// material is to be deleted. KeyId is tagged required; Validate enforces that
// tag and the min:"1" length tag.
type DeleteImportedKeyMaterialInput struct {
	_ struct{} `type:"structure"`

	// Identifies the CMK from which you are deleting imported key material. The
	// Origin of the CMK must be EXTERNAL.
	//
	// Specify the key ID or key ARN of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`
}
9636
// String returns the text that awsutil.Prettify produces for a copy of the
// receiver.
func (s DeleteImportedKeyMaterialInput) String() string {
	rendered := awsutil.Prettify(s)
	return rendered
}
9641
// GoString returns the same text as String; fmt calls it for the %#v verb.
func (s DeleteImportedKeyMaterialInput) GoString() string {
	text := s.String()
	return text
}
9646
// Validate checks that KeyId is set and at least one character long. It
// returns the collected request.ErrInvalidParams when a check fails and nil
// otherwise. The EXTERNAL-origin requirement described on the field is not
// checked here.
func (s *DeleteImportedKeyMaterialInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "DeleteImportedKeyMaterialInput"}

	// A nil key ID is reported as missing; an empty one as too short.
	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if errs.Len() > 0 {
		return errs
	}
	return nil
}
9662
// SetKeyId points the KeyId field at a copy of v and returns the receiver so
// that calls can be chained.
func (s *DeleteImportedKeyMaterialInput) SetKeyId(v string) *DeleteImportedKeyMaterialInput {
	keyID := v
	s.KeyId = &keyID
	return s
}
9668
// DeleteImportedKeyMaterialOutput declares no data fields; presumably it is
// the (empty) response shape of the DeleteImportedKeyMaterial operation.
type DeleteImportedKeyMaterialOutput struct {
	_ struct{} `type:"structure"`
}
9672
// String returns the text that awsutil.Prettify produces for a copy of the
// receiver.
func (s DeleteImportedKeyMaterialOutput) String() string {
	rendered := awsutil.Prettify(s)
	return rendered
}
9677
// GoString returns the same text as String; fmt calls it for the %#v verb.
func (s DeleteImportedKeyMaterialOutput) GoString() string {
	text := s.String()
	return text
}
9682
// DependencyTimeoutException reports that the system timed out while trying
// to fulfill the request. The request can be retried.
type DependencyTimeoutException struct {
	// RespMetadata is filled in by newErrorDependencyTimeoutException; its
	// json:"-" and xml:"-" tags keep it out of those encodings.
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	// Message_ is the optional message text (tagged locationName:"message").
	// Message returns "" when it is nil.
	Message_ *string `locationName:"message" type:"string"`
}
9691
// String returns the text that awsutil.Prettify produces for a copy of the
// receiver.
func (s DependencyTimeoutException) String() string {
	rendered := awsutil.Prettify(s)
	return rendered
}
9696
// GoString returns the same text as String; fmt calls it for the %#v verb.
func (s DependencyTimeoutException) GoString() string {
	text := s.String()
	return text
}
9701
// newErrorDependencyTimeoutException returns, as an error, a pointer to a
// DependencyTimeoutException that carries the response metadata v. The message
// field is left unset.
func newErrorDependencyTimeoutException(v protocol.ResponseMetadata) error {
	exc := &DependencyTimeoutException{}
	exc.RespMetadata = v
	return exc
}
9707
// Code returns the fixed exception type name for this error.
func (s *DependencyTimeoutException) Code() string {
	const name = "DependencyTimeoutException"
	return name
}
9712
// Message returns the text that Message_ points to, or the empty string when
// Message_ is nil.
func (s *DependencyTimeoutException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}
9720
// OrigErr always returns nil. It exists so the type satisfies the
// awserr.Error interface.
func (s *DependencyTimeoutException) OrigErr() error {
	var cause error
	return cause
}
9725
// Error returns the exception formatted as "<code>: <message>", using the
// values of Code and Message.
func (s *DependencyTimeoutException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}
9729
// StatusCode returns the HTTP status code stored in the response metadata.
func (s *DependencyTimeoutException) StatusCode() int {
	meta := s.RespMetadata
	return meta.StatusCode
}
9734
// RequestID returns the request ID stored in the response metadata.
func (s *DependencyTimeoutException) RequestID() string {
	meta := s.RespMetadata
	return meta.RequestID
}
9739
// DescribeCustomKeyStoresInput carries the optional filter and paging fields
// for listing custom key stores. No field is tagged required; Validate
// enforces only the min:"1" tags.
type DescribeCustomKeyStoresInput struct {
	_ struct{} `type:"structure"`

	// Gets only information about the specified custom key store. Enter the key
	// store ID.
	//
	// By default, this operation gets information about all custom key stores in
	// the account and Region. To limit the output to a particular custom key store,
	// you can use either the CustomKeyStoreId or CustomKeyStoreName parameter,
	// but not both.
	CustomKeyStoreId *string `min:"1" type:"string"`

	// Gets only information about the specified custom key store. Enter the friendly
	// name of the custom key store.
	//
	// By default, this operation gets information about all custom key stores in
	// the account and Region. To limit the output to a particular custom key store,
	// you can use either the CustomKeyStoreId or CustomKeyStoreName parameter,
	// but not both.
	CustomKeyStoreName *string `min:"1" type:"string"`

	// Use this parameter to specify the maximum number of items to return. When
	// this value is present, AWS KMS does not return more than the specified number
	// of items, but it might return fewer.
	Limit *int64 `min:"1" type:"integer"`

	// Use this parameter in a subsequent request after you receive a response with
	// truncated results. Set it to the value of NextMarker from the truncated response
	// you just received.
	Marker *string `min:"1" type:"string"`
}
9771
// String returns the text that awsutil.Prettify produces for a copy of the
// receiver.
func (s DescribeCustomKeyStoresInput) String() string {
	rendered := awsutil.Prettify(s)
	return rendered
}
9776
// GoString returns the same text as String; fmt calls it for the %#v verb.
func (s DescribeCustomKeyStoresInput) GoString() string {
	text := s.String()
	return text
}
9781
// Validate checks the minimums of the fields that are set: CustomKeyStoreId,
// CustomKeyStoreName and Marker must be at least one character long, and
// Limit must be at least 1. Unset (nil) fields are skipped. It returns the
// collected request.ErrInvalidParams when a check fails and nil otherwise.
// The "either ID or name, but not both" rule described on the fields is not
// checked here.
func (s *DescribeCustomKeyStoresInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "DescribeCustomKeyStoresInput"}

	if id := s.CustomKeyStoreId; id != nil && len(*id) < 1 {
		errs.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1))
	}
	if name := s.CustomKeyStoreName; name != nil && len(*name) < 1 {
		errs.Add(request.NewErrParamMinLen("CustomKeyStoreName", 1))
	}
	if limit := s.Limit; limit != nil && *limit < 1 {
		errs.Add(request.NewErrParamMinValue("Limit", 1))
	}
	if marker := s.Marker; marker != nil && len(*marker) < 1 {
		errs.Add(request.NewErrParamMinLen("Marker", 1))
	}

	if errs.Len() > 0 {
		return errs
	}
	return nil
}
9803
// SetCustomKeyStoreId points the CustomKeyStoreId field at a copy of v and
// returns the receiver so that calls can be chained.
func (s *DescribeCustomKeyStoresInput) SetCustomKeyStoreId(v string) *DescribeCustomKeyStoresInput {
	storeID := v
	s.CustomKeyStoreId = &storeID
	return s
}
9809
// SetCustomKeyStoreName points the CustomKeyStoreName field at a copy of v
// and returns the receiver so that calls can be chained.
func (s *DescribeCustomKeyStoresInput) SetCustomKeyStoreName(v string) *DescribeCustomKeyStoresInput {
	storeName := v
	s.CustomKeyStoreName = &storeName
	return s
}
9815
// SetLimit points the Limit field at a copy of v and returns the receiver so
// that calls can be chained.
func (s *DescribeCustomKeyStoresInput) SetLimit(v int64) *DescribeCustomKeyStoresInput {
	limit := v
	s.Limit = &limit
	return s
}
9821
// SetMarker points the Marker field at a copy of v and returns the receiver
// so that calls can be chained.
func (s *DescribeCustomKeyStoresInput) SetMarker(v string) *DescribeCustomKeyStoresInput {
	marker := v
	s.Marker = &marker
	return s
}
9827
// DescribeCustomKeyStoresOutput holds a list of custom key store entries
// together with the paging fields NextMarker and Truncated.
type DescribeCustomKeyStoresOutput struct {
	_ struct{} `type:"structure"`

	// Contains metadata about each custom key store.
	CustomKeyStores []*CustomKeyStoresListEntry `type:"list"`

	// When Truncated is true, this element is present and contains the value to
	// use for the Marker parameter in a subsequent request.
	NextMarker *string `min:"1" type:"string"`

	// A flag that indicates whether there are more items in the list. When this
	// value is true, the list in this response is truncated. To get more items,
	// pass the value of the NextMarker element in this response to the Marker parameter
	// in a subsequent request.
	Truncated *bool `type:"boolean"`
}
9844
// String returns the text that awsutil.Prettify produces for a copy of the
// receiver.
func (s DescribeCustomKeyStoresOutput) String() string {
	rendered := awsutil.Prettify(s)
	return rendered
}
9849
// GoString returns the same text as String; fmt calls it for the %#v verb.
func (s DescribeCustomKeyStoresOutput) GoString() string {
	text := s.String()
	return text
}
9854
// SetCustomKeyStores stores v in the CustomKeyStores field and returns the
// receiver so that calls can be chained. The slice is stored as given, not
// copied.
func (s *DescribeCustomKeyStoresOutput) SetCustomKeyStores(v []*CustomKeyStoresListEntry) *DescribeCustomKeyStoresOutput {
	entries := v
	s.CustomKeyStores = entries
	return s
}
9860
// SetNextMarker points the NextMarker field at a copy of v and returns the
// receiver so that calls can be chained.
func (s *DescribeCustomKeyStoresOutput) SetNextMarker(v string) *DescribeCustomKeyStoresOutput {
	next := v
	s.NextMarker = &next
	return s
}
9866
// SetTruncated points the Truncated field at a copy of v and returns the
// receiver so that calls can be chained.
func (s *DescribeCustomKeyStoresOutput) SetTruncated(v bool) *DescribeCustomKeyStoresOutput {
	truncated := v
	s.Truncated = &truncated
	return s
}
9872
// DescribeKeyInput identifies the customer master key (CMK) to describe and
// optionally carries grant tokens. KeyId is tagged required.
type DescribeKeyInput struct {
	_ struct{} `type:"structure"`

	// A list of grant tokens.
	//
	// Use a grant token when your permission to call this operation comes from
	// a new grant that has not yet achieved eventual consistency. For more information,
	// see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
	// in the AWS Key Management Service Developer Guide.
	GrantTokens []*string `type:"list"`

	// Describes the specified customer master key (CMK).
	//
	// If you specify a predefined AWS alias (an AWS alias with no key ID), KMS
	// associates the alias with an AWS managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys)
	// and returns its KeyId and Arn in the response.
	//
	// To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When
	// using an alias name, prefix it with "alias/". To specify a CMK in a different
	// AWS account, you must use the key ARN or alias ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Alias name: alias/ExampleAlias
	//
	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To
	// get the alias name and alias ARN, use ListAliases.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`
}
9910
// String renders s through awsutil.Prettify for human-readable debugging output.
func (s DescribeKeyInput) String() string {
	pretty := awsutil.Prettify(s)
	return pretty
}
9915
// GoString implements fmt.GoStringer by returning the same text as String.
func (s DescribeKeyInput) GoString() string {
	text := s.String()
	return text
}
9920
// Validate runs the client-side parameter checks for DescribeKeyInput: KeyId
// must be set and at least one character long. It returns nil when the checks
// pass, otherwise a request.ErrInvalidParams with Context "DescribeKeyInput".
// It does not check that KeyId is a well-formed key ID, ARN or alias.
func (s *DescribeKeyInput) Validate() error {
	problems := request.ErrInvalidParams{Context: "DescribeKeyInput"}

	// The two KeyId checks are mutually exclusive, so at most one error is added.
	switch {
	case s.KeyId == nil:
		problems.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		problems.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if problems.Len() == 0 {
		return nil
	}
	return problems
}
9936
// SetGrantTokens stores v in GrantTokens without copying it and returns s so
// that setter calls can be chained.
func (s *DescribeKeyInput) SetGrantTokens(v []*string) *DescribeKeyInput {
	tokens := v
	s.GrantTokens = tokens
	return s
}
9942
// SetKeyId points KeyId at the value of v and returns s so that setter calls
// can be chained. The value is stored as given; no format check happens here.
func (s *DescribeKeyInput) SetKeyId(v string) *DescribeKeyInput {
	id := v
	s.KeyId = &id
	return s
}
9948
// DescribeKeyOutput holds the response of the DescribeKey operation.
type DescribeKeyOutput struct {
	_ struct{} `type:"structure"`

	// Metadata associated with the key.
	KeyMetadata *KeyMetadata `type:"structure"`
}
9955
// String renders s through awsutil.Prettify for human-readable debugging output.
func (s DescribeKeyOutput) String() string {
	pretty := awsutil.Prettify(s)
	return pretty
}
9960
// GoString implements fmt.GoStringer by returning the same text as String.
func (s DescribeKeyOutput) GoString() string {
	text := s.String()
	return text
}
9965
// SetKeyMetadata stores the pointer v in KeyMetadata (the KeyMetadata value is
// not copied) and returns s so that setter calls can be chained.
func (s *DescribeKeyOutput) SetKeyMetadata(v *KeyMetadata) *DescribeKeyOutput {
	meta := v
	s.KeyMetadata = meta
	return s
}
9971
// DisableKeyInput holds the request parameters for the DisableKey operation.
type DisableKeyInput struct {
	_ struct{} `type:"structure"`

	// Identifies the customer master key (CMK) to disable.
	//
	// Specify the key ID or key ARN of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	//
	// NOTE(review): Validate on this type only checks that KeyId is non-nil and
	// non-empty; it does not reject alias names or malformed identifiers.
	KeyId *string `min:"1" type:"string" required:"true"`
}
9990
// String renders s through awsutil.Prettify for human-readable debugging output.
func (s DisableKeyInput) String() string {
	pretty := awsutil.Prettify(s)
	return pretty
}
9995
// GoString implements fmt.GoStringer by returning the same text as String.
func (s DisableKeyInput) GoString() string {
	text := s.String()
	return text
}
10000
// Validate runs the client-side parameter checks for DisableKeyInput: KeyId
// must be set and at least one character long. It returns nil when the checks
// pass, otherwise a request.ErrInvalidParams with Context "DisableKeyInput".
// It does not check that KeyId is a well-formed key ID or key ARN.
func (s *DisableKeyInput) Validate() error {
	problems := request.ErrInvalidParams{Context: "DisableKeyInput"}

	// The two KeyId checks are mutually exclusive, so at most one error is added.
	switch {
	case s.KeyId == nil:
		problems.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		problems.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if problems.Len() == 0 {
		return nil
	}
	return problems
}
10016
// SetKeyId points KeyId at the value of v and returns s so that setter calls
// can be chained. The value is stored as given; no format check happens here.
func (s *DisableKeyInput) SetKeyId(v string) *DisableKeyInput {
	id := v
	s.KeyId = &id
	return s
}
10022
// DisableKeyOutput is the response type of the DisableKey operation. It
// declares no fields besides the SDK's structure marker.
type DisableKeyOutput struct {
	_ struct{} `type:"structure"`
}
10026
// String renders s through awsutil.Prettify for human-readable debugging output.
func (s DisableKeyOutput) String() string {
	pretty := awsutil.Prettify(s)
	return pretty
}
10031
// GoString implements fmt.GoStringer by returning the same text as String.
func (s DisableKeyOutput) GoString() string {
	text := s.String()
	return text
}
10036
// DisableKeyRotationInput holds the request parameters for the
// DisableKeyRotation operation.
type DisableKeyRotationInput struct {
	_ struct{} `type:"structure"`

	// Identifies a symmetric customer master key (CMK). You cannot enable or disable
	// automatic rotation of asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#asymmetric-cmks),
	// CMKs with imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html),
	// or CMKs in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html).
	//
	// Specify the key ID or key ARN of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	//
	// NOTE(review): Validate on this type only checks that KeyId is non-nil and
	// non-empty; whether the CMK is symmetric and eligible for rotation is not
	// checked client-side.
	KeyId *string `min:"1" type:"string" required:"true"`
}
10058
// String renders s through awsutil.Prettify for human-readable debugging output.
func (s DisableKeyRotationInput) String() string {
	pretty := awsutil.Prettify(s)
	return pretty
}
10063
// GoString implements fmt.GoStringer by returning the same text as String.
func (s DisableKeyRotationInput) GoString() string {
	text := s.String()
	return text
}
10068
// Validate runs the client-side parameter checks for DisableKeyRotationInput:
// KeyId must be set and at least one character long. It returns nil when the
// checks pass, otherwise a request.ErrInvalidParams with Context
// "DisableKeyRotationInput". It does not check the identifier format.
func (s *DisableKeyRotationInput) Validate() error {
	problems := request.ErrInvalidParams{Context: "DisableKeyRotationInput"}

	// The two KeyId checks are mutually exclusive, so at most one error is added.
	switch {
	case s.KeyId == nil:
		problems.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		problems.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if problems.Len() == 0 {
		return nil
	}
	return problems
}
10084
// SetKeyId points KeyId at the value of v and returns s so that setter calls
// can be chained. The value is stored as given; no format check happens here.
func (s *DisableKeyRotationInput) SetKeyId(v string) *DisableKeyRotationInput {
	id := v
	s.KeyId = &id
	return s
}
10090
// DisableKeyRotationOutput is the response type of the DisableKeyRotation
// operation. It declares no fields besides the SDK's structure marker.
type DisableKeyRotationOutput struct {
	_ struct{} `type:"structure"`
}
10094
// String renders s through awsutil.Prettify for human-readable debugging output.
func (s DisableKeyRotationOutput) String() string {
	pretty := awsutil.Prettify(s)
	return pretty
}
10099
// GoString implements fmt.GoStringer by returning the same text as String.
func (s DisableKeyRotationOutput) GoString() string {
	text := s.String()
	return text
}
10104
// DisabledException reports that the request was rejected because the
// specified CMK is not enabled.
type DisabledException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` // response metadata; read by StatusCode and RequestID

	// Message_ is the optional message text, mapped to the "message" member by
	// its locationName tag. Read it through Message, which handles nil.
	Message_ *string `locationName:"message" type:"string"`
}
10112
// String renders s through awsutil.Prettify for human-readable debugging output.
func (s DisabledException) String() string {
	pretty := awsutil.Prettify(s)
	return pretty
}
10117
// GoString implements fmt.GoStringer by returning the same text as String.
func (s DisabledException) GoString() string {
	text := s.String()
	return text
}
10122
// newErrorDisabledException returns a *DisabledException, as an error, whose
// RespMetadata is v. The message field is left unset.
func newErrorDisabledException(v protocol.ResponseMetadata) error {
	exc := new(DisabledException)
	exc.RespMetadata = v
	return exc
}
10128
// Code returns the fixed exception type name, "DisabledException".
func (s *DisabledException) Code() string {
	const code = "DisabledException"
	return code
}
10133
// Message returns the exception's message text, or the empty string when no
// message was set.
func (s *DisabledException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}
10141
// OrigErr always returns nil; it exists to satisfy the awserr.Error interface.
func (s *DisabledException) OrigErr() error {
	var none error
	return none
}
10146
// Error implements the error interface, formatting the exception as
// "<code>: <message>". The message part is whatever Message returns.
func (s *DisabledException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}
10150
// StatusCode returns the HTTP status code held in the response metadata.
func (s *DisabledException) StatusCode() int {
	meta := s.RespMetadata
	return meta.StatusCode
}
10155
// RequestID returns the request ID held in the response metadata.
func (s *DisabledException) RequestID() string {
	meta := s.RespMetadata
	return meta.RequestID
}
10160
// DisconnectCustomKeyStoreInput holds the request parameters for the
// DisconnectCustomKeyStore operation.
type DisconnectCustomKeyStoreInput struct {
	_ struct{} `type:"structure"`

	// Enter the ID of the custom key store you want to disconnect. To find the
	// ID of a custom key store, use the DescribeCustomKeyStores operation.
	//
	// CustomKeyStoreId is a required field
	CustomKeyStoreId *string `min:"1" type:"string" required:"true"`
}
10170
// String renders s through awsutil.Prettify for human-readable debugging output.
func (s DisconnectCustomKeyStoreInput) String() string {
	pretty := awsutil.Prettify(s)
	return pretty
}
10175
// GoString implements fmt.GoStringer by returning the same text as String.
func (s DisconnectCustomKeyStoreInput) GoString() string {
	text := s.String()
	return text
}
10180
// Validate runs the client-side parameter checks for
// DisconnectCustomKeyStoreInput: CustomKeyStoreId must be set and at least one
// character long. It returns nil when the checks pass, otherwise a
// request.ErrInvalidParams with Context "DisconnectCustomKeyStoreInput".
func (s *DisconnectCustomKeyStoreInput) Validate() error {
	problems := request.ErrInvalidParams{Context: "DisconnectCustomKeyStoreInput"}

	// The two checks are mutually exclusive, so at most one error is added.
	switch {
	case s.CustomKeyStoreId == nil:
		problems.Add(request.NewErrParamRequired("CustomKeyStoreId"))
	case len(*s.CustomKeyStoreId) < 1:
		problems.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1))
	}

	if problems.Len() == 0 {
		return nil
	}
	return problems
}
10196
// SetCustomKeyStoreId points CustomKeyStoreId at the value of v and returns s
// so that setter calls can be chained.
func (s *DisconnectCustomKeyStoreInput) SetCustomKeyStoreId(v string) *DisconnectCustomKeyStoreInput {
	id := v
	s.CustomKeyStoreId = &id
	return s
}
10202
// DisconnectCustomKeyStoreOutput is the response type of the
// DisconnectCustomKeyStore operation. It declares no fields besides the SDK's
// structure marker.
type DisconnectCustomKeyStoreOutput struct {
	_ struct{} `type:"structure"`
}
10206
// String renders s through awsutil.Prettify for human-readable debugging output.
func (s DisconnectCustomKeyStoreOutput) String() string {
	pretty := awsutil.Prettify(s)
	return pretty
}
10211
// GoString implements fmt.GoStringer by returning the same text as String.
func (s DisconnectCustomKeyStoreOutput) GoString() string {
	text := s.String()
	return text
}
10216
// EnableKeyInput holds the request parameters for the EnableKey operation.
type EnableKeyInput struct {
	_ struct{} `type:"structure"`

	// Identifies the customer master key (CMK) to enable.
	//
	// Specify the key ID or key ARN of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	//
	// NOTE(review): Validate on this type only checks that KeyId is non-nil and
	// non-empty; it does not reject alias names or malformed identifiers.
	KeyId *string `min:"1" type:"string" required:"true"`
}
10235
// String renders s through awsutil.Prettify for human-readable debugging output.
func (s EnableKeyInput) String() string {
	pretty := awsutil.Prettify(s)
	return pretty
}
10240
// GoString implements fmt.GoStringer by returning the same text as String.
func (s EnableKeyInput) GoString() string {
	text := s.String()
	return text
}
10245
// Validate runs the client-side parameter checks for EnableKeyInput: KeyId
// must be set and at least one character long. It returns nil when the checks
// pass, otherwise a request.ErrInvalidParams with Context "EnableKeyInput".
// It does not check that KeyId is a well-formed key ID or key ARN.
func (s *EnableKeyInput) Validate() error {
	problems := request.ErrInvalidParams{Context: "EnableKeyInput"}

	// The two KeyId checks are mutually exclusive, so at most one error is added.
	switch {
	case s.KeyId == nil:
		problems.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		problems.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if problems.Len() == 0 {
		return nil
	}
	return problems
}
10261
// SetKeyId points KeyId at the value of v and returns s so that setter calls
// can be chained. The value is stored as given; no format check happens here.
func (s *EnableKeyInput) SetKeyId(v string) *EnableKeyInput {
	id := v
	s.KeyId = &id
	return s
}
10267
// EnableKeyOutput is the response type of the EnableKey operation. It declares
// no fields besides the SDK's structure marker.
type EnableKeyOutput struct {
	_ struct{} `type:"structure"`
}
10271
// String renders s through awsutil.Prettify for human-readable debugging output.
func (s EnableKeyOutput) String() string {
	pretty := awsutil.Prettify(s)
	return pretty
}
10276
// GoString implements fmt.GoStringer by returning the same text as String.
func (s EnableKeyOutput) GoString() string {
	text := s.String()
	return text
}
10281
// EnableKeyRotationInput holds the request parameters for the
// EnableKeyRotation operation.
type EnableKeyRotationInput struct {
	_ struct{} `type:"structure"`

	// Identifies a symmetric customer master key (CMK). You cannot enable automatic
	// rotation of asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks),
	// CMKs with imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html),
	// or CMKs in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html).
	// To enable or disable automatic rotation of a set of related multi-Region
	// keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key),
	// set the property on the primary key.
	//
	// Specify the key ID or key ARN of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	//
	// NOTE(review): Validate on this type only checks that KeyId is non-nil and
	// non-empty; whether the CMK is symmetric and eligible for rotation is not
	// checked client-side.
	KeyId *string `min:"1" type:"string" required:"true"`
}
10306
// String renders s through awsutil.Prettify for human-readable debugging output.
func (s EnableKeyRotationInput) String() string {
	pretty := awsutil.Prettify(s)
	return pretty
}
10311
// GoString implements fmt.GoStringer by returning the same text as String.
func (s EnableKeyRotationInput) GoString() string {
	text := s.String()
	return text
}
10316
// Validate runs the client-side parameter checks for EnableKeyRotationInput:
// KeyId must be set and at least one character long. It returns nil when the
// checks pass, otherwise a request.ErrInvalidParams with Context
// "EnableKeyRotationInput". It does not check the identifier format.
func (s *EnableKeyRotationInput) Validate() error {
	problems := request.ErrInvalidParams{Context: "EnableKeyRotationInput"}

	// The two KeyId checks are mutually exclusive, so at most one error is added.
	switch {
	case s.KeyId == nil:
		problems.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		problems.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if problems.Len() == 0 {
		return nil
	}
	return problems
}
10332
// SetKeyId points KeyId at the value of v and returns s so that setter calls
// can be chained. The value is stored as given; no format check happens here.
func (s *EnableKeyRotationInput) SetKeyId(v string) *EnableKeyRotationInput {
	id := v
	s.KeyId = &id
	return s
}
10338
// EnableKeyRotationOutput is the response type of the EnableKeyRotation
// operation. It declares no fields besides the SDK's structure marker.
type EnableKeyRotationOutput struct {
	_ struct{} `type:"structure"`
}
10342
// String renders s through awsutil.Prettify for human-readable debugging output.
func (s EnableKeyRotationOutput) String() string {
	pretty := awsutil.Prettify(s)
	return pretty
}
10347
// GoString implements fmt.GoStringer by returning the same text as String.
func (s EnableKeyRotationOutput) GoString() string {
	text := s.String()
	return text
}
10352
// EncryptInput holds the request parameters for the Encrypt operation.
//
// Plaintext is the only field here tagged sensitive:"true". EncryptionContext
// and KeyId carry no such tag.
type EncryptInput struct {
	_ struct{} `type:"structure"`

	// Specifies the encryption algorithm that AWS KMS will use to encrypt the plaintext
	// message. The algorithm must be compatible with the CMK that you specify.
	//
	// This parameter is required only for asymmetric CMKs. The default value, SYMMETRIC_DEFAULT,
	// is the algorithm used for symmetric CMKs. If you are using an asymmetric
	// CMK, we recommend RSAES_OAEP_SHA_256.
	//
	// NOTE(review): Validate on this type does not check this value against the
	// EncryptionAlgorithmSpec enum named in the tag.
	EncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"`

	// Specifies the encryption context that will be used to encrypt the data. An
	// encryption context is valid only for cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations)
	// with a symmetric CMK. The standard asymmetric encryption algorithms that
	// AWS KMS uses do not support an encryption context.
	//
	// An encryption context is a collection of non-secret key-value pairs that
	// represents additional authenticated data. When you use an encryption context
	// to encrypt data, you must specify the same (an exact case-sensitive match)
	// encryption context to decrypt the data. An encryption context is optional
	// when encrypting with a symmetric CMK, but it is highly recommended.
	//
	// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context)
	// in the AWS Key Management Service Developer Guide.
	//
	// NOTE(review): this field has no sensitive tag, so String/GoString
	// presumably print it verbatim. Because the context is non-secret by
	// definition, keep secrets and personal data out of its keys and values.
	EncryptionContext map[string]*string `type:"map"`

	// A list of grant tokens.
	//
	// Use a grant token when your permission to call this operation comes from
	// a new grant that has not yet achieved eventual consistency. For more information,
	// see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
	// in the AWS Key Management Service Developer Guide.
	GrantTokens []*string `type:"list"`

	// Identifies the customer master key (CMK) to use in the encryption operation.
	//
	// To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When
	// using an alias name, prefix it with "alias/". To specify a CMK in a different
	// AWS account, you must use the key ARN or alias ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Alias name: alias/ExampleAlias
	//
	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To
	// get the alias name and alias ARN, use ListAliases.
	//
	// KeyId is a required field
	//
	// NOTE(review): an alias is an indirection to a CMK. Callers that must pin
	// one specific key should pass its key ARN, or compare EncryptOutput.KeyId
	// (the key ARN of the CMK actually used) with the expected ARN.
	KeyId *string `min:"1" type:"string" required:"true"`

	// Data to be encrypted.
	//
	// Plaintext is automatically base64 encoded/decoded by the SDK.
	//
	// Plaintext is a required field
	//
	// NOTE(review): the sensitive:"true" tag is presumably what awsutil.Prettify
	// uses to mask this field in String/GoString output; confirm against the
	// awsutil version in use before logging this struct. Base64 is an encoding,
	// not protection. Nothing in the visible code zeroes this buffer.
	Plaintext []byte `min:"1" type:"blob" required:"true" sensitive:"true"`
}
10416
// String renders s through awsutil.Prettify for human-readable debugging output.
//
// NOTE(review): s carries Plaintext, tagged sensitive:"true". Whether the
// output masks it depends on awsutil.Prettify honoring that tag; confirm
// against the awsutil version in use before logging this value.
func (s EncryptInput) String() string {
	pretty := awsutil.Prettify(s)
	return pretty
}
10421
// GoString implements fmt.GoStringer by returning the same text as String, so
// formatting with %#v yields the same output as String.
func (s EncryptInput) GoString() string {
	text := s.String()
	return text
}
10426
// Validate runs the client-side parameter checks for EncryptInput: KeyId and
// Plaintext must each be set and non-empty. It returns nil when the checks
// pass, otherwise a request.ErrInvalidParams with Context "EncryptInput".
//
// Only field names are passed to the error constructors; the Plaintext bytes
// never are. EncryptionAlgorithm, EncryptionContext and the format of KeyId
// are not checked here.
func (s *EncryptInput) Validate() error {
	problems := request.ErrInvalidParams{Context: "EncryptInput"}

	// For each field the "required" and "min length" checks are mutually
	// exclusive, so each field contributes at most one error.
	switch {
	case s.KeyId == nil:
		problems.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		problems.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	switch {
	case s.Plaintext == nil:
		problems.Add(request.NewErrParamRequired("Plaintext"))
	case len(s.Plaintext) < 1:
		problems.Add(request.NewErrParamMinLen("Plaintext", 1))
	}

	if problems.Len() == 0 {
		return nil
	}
	return problems
}
10448
// SetEncryptionAlgorithm points EncryptionAlgorithm at the value of v and
// returns s so that setter calls can be chained. The value is not checked
// against the EncryptionAlgorithmSpec enum here.
func (s *EncryptInput) SetEncryptionAlgorithm(v string) *EncryptInput {
	algorithm := v
	s.EncryptionAlgorithm = &algorithm
	return s
}
10454
// SetEncryptionContext stores the map v in EncryptionContext without copying
// it and returns s so that setter calls can be chained. Later changes the
// caller makes to v are visible through s.
func (s *EncryptInput) SetEncryptionContext(v map[string]*string) *EncryptInput {
	context := v
	s.EncryptionContext = context
	return s
}
10460
// SetGrantTokens stores v in GrantTokens without copying it and returns s so
// that setter calls can be chained.
func (s *EncryptInput) SetGrantTokens(v []*string) *EncryptInput {
	tokens := v
	s.GrantTokens = tokens
	return s
}
10466
// SetKeyId points KeyId at the value of v and returns s so that setter calls
// can be chained. The value is stored as given; no format check happens here.
func (s *EncryptInput) SetKeyId(v string) *EncryptInput {
	id := v
	s.KeyId = &id
	return s
}
10472
// SetPlaintext stores v in Plaintext and returns s so that setter calls can be
// chained.
//
// The slice is assigned, not copied: s.Plaintext and v share one backing
// array. Overwriting the caller's buffer therefore also changes (or clears)
// the value held by s, which matters when wiping the plaintext after use.
func (s *EncryptInput) SetPlaintext(v []byte) *EncryptInput {
	data := v
	s.Plaintext = data
	return s
}
10478
// EncryptOutput holds the response of the Encrypt operation.
type EncryptOutput struct {
	_ struct{} `type:"structure"`

	// The encrypted plaintext. When you use the HTTP API or the AWS CLI, the value
	// is Base64-encoded. Otherwise, it is not Base64-encoded.
	//
	// CiphertextBlob is automatically base64 encoded/decoded by the SDK.
	CiphertextBlob []byte `min:"1" type:"blob"`

	// The encryption algorithm that was used to encrypt the plaintext.
	EncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"`

	// The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN))
	// of the CMK that was used to encrypt the plaintext.
	//
	// NOTE(review): when the request named the CMK by alias, comparing this ARN
	// with the expected key is a way to confirm which CMK was used.
	KeyId *string `min:"1" type:"string"`
}
10495
// String renders s through awsutil.Prettify for human-readable debugging output.
func (s EncryptOutput) String() string {
	pretty := awsutil.Prettify(s)
	return pretty
}
10500
// GoString implements fmt.GoStringer by returning the same text as String.
func (s EncryptOutput) GoString() string {
	text := s.String()
	return text
}
10505
// SetCiphertextBlob stores v in CiphertextBlob without copying it and returns
// s so that setter calls can be chained.
func (s *EncryptOutput) SetCiphertextBlob(v []byte) *EncryptOutput {
	blob := v
	s.CiphertextBlob = blob
	return s
}
10511
// SetEncryptionAlgorithm points EncryptionAlgorithm at the value of v and
// returns s so that setter calls can be chained.
func (s *EncryptOutput) SetEncryptionAlgorithm(v string) *EncryptOutput {
	algorithm := v
	s.EncryptionAlgorithm = &algorithm
	return s
}
10517
// SetKeyId points KeyId at the value of v and returns s so that setter calls
// can be chained.
func (s *EncryptOutput) SetKeyId(v string) *EncryptOutput {
	id := v
	s.KeyId = &id
	return s
}
10523
// ExpiredImportTokenException reports that the request was rejected because
// the specified import token is expired. Use GetParametersForImport to get a
// new import token and public key, use the new public key to encrypt the key
// material, and then try the request again.
type ExpiredImportTokenException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` // response metadata; read by StatusCode and RequestID

	// Message_ is the optional message text, mapped to the "message" member by
	// its locationName tag. Read it through Message, which handles nil.
	Message_ *string `locationName:"message" type:"string"`
}
10533
// String renders s through awsutil.Prettify for human-readable debugging output.
func (s ExpiredImportTokenException) String() string {
	pretty := awsutil.Prettify(s)
	return pretty
}
10538
// GoString implements fmt.GoStringer by returning the same text as String.
func (s ExpiredImportTokenException) GoString() string {
	text := s.String()
	return text
}
10543
// newErrorExpiredImportTokenException returns an *ExpiredImportTokenException,
// as an error, whose RespMetadata is v. The message field is left unset.
func newErrorExpiredImportTokenException(v protocol.ResponseMetadata) error {
	exc := new(ExpiredImportTokenException)
	exc.RespMetadata = v
	return exc
}
10549
// Code returns the fixed exception type name, "ExpiredImportTokenException".
func (s *ExpiredImportTokenException) Code() string {
	const code = "ExpiredImportTokenException"
	return code
}
10554
// Message returns the exception's message text, or the empty string when no
// message was set.
func (s *ExpiredImportTokenException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}
10562
// OrigErr always returns nil; it exists to satisfy the awserr.Error interface.
func (s *ExpiredImportTokenException) OrigErr() error {
	var none error
	return none
}
10567
// Error implements the error interface, formatting the exception as
// "<code>: <message>". The message part is whatever Message returns.
func (s *ExpiredImportTokenException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}
10571
// StatusCode returns the HTTP status code held in the response metadata.
func (s *ExpiredImportTokenException) StatusCode() int {
	meta := s.RespMetadata
	return meta.StatusCode
}
10576
// RequestID returns the request ID held in the response metadata.
func (s *ExpiredImportTokenException) RequestID() string {
	meta := s.RespMetadata
	return meta.RequestID
}
10581
// GenerateDataKeyInput holds the request parameters for the GenerateDataKey
// operation.
//
// NOTE(review): the field comments require exactly one of KeySpec and
// NumberOfBytes, but Validate on this type does not enforce that rule; it only
// checks KeyId and the lower bound of NumberOfBytes.
type GenerateDataKeyInput struct {
	_ struct{} `type:"structure"`

	// Specifies the encryption context that will be used when encrypting the data
	// key.
	//
	// An encryption context is a collection of non-secret key-value pairs that
	// represents additional authenticated data. When you use an encryption context
	// to encrypt data, you must specify the same (an exact case-sensitive match)
	// encryption context to decrypt the data. An encryption context is optional
	// when encrypting with a symmetric CMK, but it is highly recommended.
	//
	// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context)
	// in the AWS Key Management Service Developer Guide.
	//
	// NOTE(review): this field has no sensitive tag, so String/GoString
	// presumably print it verbatim. Because the context is non-secret by
	// definition, keep secrets and personal data out of its keys and values.
	EncryptionContext map[string]*string `type:"map"`

	// A list of grant tokens.
	//
	// Use a grant token when your permission to call this operation comes from
	// a new grant that has not yet achieved eventual consistency. For more information,
	// see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
	// in the AWS Key Management Service Developer Guide.
	GrantTokens []*string `type:"list"`

	// Identifies the symmetric CMK that encrypts the data key.
	//
	// To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When
	// using an alias name, prefix it with "alias/". To specify a CMK in a different
	// AWS account, you must use the key ARN or alias ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Alias name: alias/ExampleAlias
	//
	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To
	// get the alias name and alias ARN, use ListAliases.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// Specifies the length of the data key. Use AES_128 to generate a 128-bit symmetric
	// key, or AES_256 to generate a 256-bit symmetric key.
	//
	// You must specify either the KeySpec or the NumberOfBytes parameter (but not
	// both) in every GenerateDataKey request.
	KeySpec *string `type:"string" enum:"DataKeySpec"`

	// Specifies the length of the data key in bytes. For example, use the value
	// 64 to generate a 512-bit data key (64 bytes is 512 bits). For 128-bit (16-byte)
	// and 256-bit (32-byte) data keys, use the KeySpec parameter.
	//
	// You must specify either the KeySpec or the NumberOfBytes parameter (but not
	// both) in every GenerateDataKey request.
	//
	// NOTE(review): the only client-side bound is the minimum of 1 from the tag;
	// no upper bound is checked in this file.
	NumberOfBytes *int64 `min:"1" type:"integer"`
}
10643
// String renders s through awsutil.Prettify for human-readable debugging output.
func (s GenerateDataKeyInput) String() string {
	pretty := awsutil.Prettify(s)
	return pretty
}
10648
// GoString implements fmt.GoStringer by returning the same text as String.
func (s GenerateDataKeyInput) GoString() string {
	text := s.String()
	return text
}
10653
// Validate runs the client-side parameter checks for GenerateDataKeyInput:
// KeyId must be set and non-empty, and NumberOfBytes, when set, must be at
// least 1. It returns nil when the checks pass, otherwise a
// request.ErrInvalidParams with Context "GenerateDataKeyInput".
//
// It does not enforce the "either KeySpec or NumberOfBytes, but not both" rule
// stated on the struct, and it does not check KeySpec against the DataKeySpec
// enum or NumberOfBytes against any upper bound.
func (s *GenerateDataKeyInput) Validate() error {
	problems := request.ErrInvalidParams{Context: "GenerateDataKeyInput"}

	// The two KeyId checks are mutually exclusive, so at most one error is added.
	switch {
	case s.KeyId == nil:
		problems.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		problems.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	// NumberOfBytes is optional; only a value that is present is range-checked.
	if size := s.NumberOfBytes; size != nil && *size < 1 {
		problems.Add(request.NewErrParamMinValue("NumberOfBytes", 1))
	}

	if problems.Len() == 0 {
		return nil
	}
	return problems
}
10672
// SetEncryptionContext stores the map v in EncryptionContext without copying
// it and returns s so that setter calls can be chained. Later changes the
// caller makes to v are visible through s.
func (s *GenerateDataKeyInput) SetEncryptionContext(v map[string]*string) *GenerateDataKeyInput {
	context := v
	s.EncryptionContext = context
	return s
}
10678
// SetGrantTokens stores v in GrantTokens without copying it and returns s so
// that setter calls can be chained.
func (s *GenerateDataKeyInput) SetGrantTokens(v []*string) *GenerateDataKeyInput {
	tokens := v
	s.GrantTokens = tokens
	return s
}
10684
// SetKeyId points KeyId at the value of v and returns s so that setter calls
// can be chained. The value is stored as given; no format check happens here.
func (s *GenerateDataKeyInput) SetKeyId(v string) *GenerateDataKeyInput {
	id := v
	s.KeyId = &id
	return s
}
10690
// SetKeySpec points KeySpec at the value of v and returns s so that setter
// calls can be chained. It does not clear NumberOfBytes, so the caller must
// make sure only one of the two is set.
func (s *GenerateDataKeyInput) SetKeySpec(v string) *GenerateDataKeyInput {
	spec := v
	s.KeySpec = &spec
	return s
}
10696
// SetNumberOfBytes points NumberOfBytes at the value of v and returns s so
// that setter calls can be chained. It does not clear KeySpec, so the caller
// must make sure only one of the two is set.
func (s *GenerateDataKeyInput) SetNumberOfBytes(v int64) *GenerateDataKeyInput {
	size := v
	s.NumberOfBytes = &size
	return s
}
10702
// GenerateDataKeyOutput holds the response of the GenerateDataKey operation:
// the data key in encrypted form (CiphertextBlob) and in plaintext form
// (Plaintext), plus the ARN of the CMK that encrypted it.
type GenerateDataKeyOutput struct {
	_ struct{} `type:"structure"`

	// The encrypted copy of the data key. When you use the HTTP API or the AWS
	// CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.
	//
	// CiphertextBlob is automatically base64 encoded/decoded by the SDK.
	CiphertextBlob []byte `min:"1" type:"blob"`

	// The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN))
	// of the CMK that encrypted the data key.
	KeyId *string `min:"1" type:"string"`

	// The plaintext data key. When you use the HTTP API or the AWS CLI, the value
	// is Base64-encoded. Otherwise, it is not Base64-encoded. Use this data key
	// to encrypt your data outside of KMS. Then, remove it from memory as soon
	// as possible.
	//
	// Plaintext is automatically base64 encoded/decoded by the SDK.
	//
	// NOTE(review): nothing in the visible code zeroes this buffer, so removing
	// the key from memory is presumably left to the caller (overwrite the slice
	// in place). Copies, including any string conversion, are not covered by
	// that overwrite. The sensitive:"true" tag is presumably what
	// awsutil.Prettify uses to mask this field in String/GoString output;
	// confirm against the awsutil version in use before logging this struct.
	Plaintext []byte `min:"1" type:"blob" sensitive:"true"`
}
10724
// String renders s through awsutil.Prettify for human-readable debugging output.
//
// NOTE(review): s carries the plaintext data key, tagged sensitive:"true".
// Whether the output masks it depends on awsutil.Prettify honoring that tag;
// confirm against the awsutil version in use before logging this value.
func (s GenerateDataKeyOutput) String() string {
	pretty := awsutil.Prettify(s)
	return pretty
}
10729
// GoString implements fmt.GoStringer by returning the same text as String, so
// formatting with %#v yields the same output as String.
func (s GenerateDataKeyOutput) GoString() string {
	text := s.String()
	return text
}
10734
// SetCiphertextBlob stores v in CiphertextBlob without copying it and returns
// s so that setter calls can be chained.
func (s *GenerateDataKeyOutput) SetCiphertextBlob(v []byte) *GenerateDataKeyOutput {
	blob := v
	s.CiphertextBlob = blob
	return s
}
10740
// SetKeyId points KeyId at the value of v and returns s so that setter calls
// can be chained.
func (s *GenerateDataKeyOutput) SetKeyId(v string) *GenerateDataKeyOutput {
	id := v
	s.KeyId = &id
	return s
}
10746
// SetPlaintext stores v in Plaintext and returns s so that setter calls can be
// chained.
//
// The slice is assigned, not copied: s.Plaintext and v share one backing
// array, so zeroing either one clears the plaintext data key for both.
func (s *GenerateDataKeyOutput) SetPlaintext(v []byte) *GenerateDataKeyOutput {
	key := v
	s.Plaintext = key
	return s
}
10752
// GenerateDataKeyPairInput holds the request parameters for generating a data
// key pair: the CMK that encrypts the private key, the key pair type, and the
// optional encryption context and grant tokens.
//
// No field of this type is tagged sensitive, and the encryption context is
// described as non-secret, so secrets must not be placed in it.
type GenerateDataKeyPairInput struct {
	_ struct{} `type:"structure"`

	// The encryption context to use when the private key of the data key pair
	// is encrypted.
	//
	// An encryption context is a set of non-secret key-value pairs that acts
	// as additional authenticated data. Data encrypted with an encryption
	// context can only be decrypted by supplying the same context (an exact,
	// case-sensitive match). With a symmetric CMK the context is optional,
	// but it is highly recommended.
	//
	// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context)
	// in the AWS Key Management Service Developer Guide.
	EncryptionContext map[string]*string `type:"map"`

	// A list of grant tokens.
	//
	// Supply a grant token when the permission to call this operation comes
	// from a new grant that has not yet achieved eventual consistency. For more
	// information, see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
	// in the AWS Key Management Service Developer Guide.
	GrantTokens []*string `type:"list"`

	// The symmetric CMK that encrypts the private key in the data key pair.
	// Asymmetric CMKs and CMKs in a custom key store cannot be specified. Use
	// the DescribeKey operation to get the type and origin of a CMK.
	//
	// A CMK is identified by its key ID, key ARN, alias name, or alias ARN. An
	// alias name must be prefixed with "alias/". A CMK in a different AWS
	// account must be specified by key ARN or alias ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Alias name: alias/ExampleAlias
	//
	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// ListKeys or DescribeKey return the key ID and key ARN of a CMK;
	// ListAliases returns the alias name and alias ARN.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// The type of data key pair to generate.
	//
	// The AWS KMS rule that restricts the use of asymmetric RSA CMKs to encrypt
	// and decrypt or to sign and verify (but not both), and the rule that
	// permits ECC CMKs to be used only to sign and verify, are not effective
	// outside of AWS KMS. Keeping a generated key pair to a single purpose is
	// therefore up to the code that uses it.
	//
	// KeyPairSpec is a required field
	KeyPairSpec *string `type:"string" required:"true" enum:"DataKeyPairSpec"`
}

// String renders the input through awsutil.Prettify.
func (in GenerateDataKeyPairInput) String() string {
	rendered := awsutil.Prettify(in)
	return rendered
}

// GoString returns the same text as String.
func (in GenerateDataKeyPairInput) GoString() string {
	text := in.String()
	return text
}

// Validate runs the client-side checks for this input: KeyId and KeyPairSpec
// must be set, and KeyId must not be empty. It returns a
// request.ErrInvalidParams listing every failed check, or nil when all pass.
//
// The KeyPairSpec value is not compared with the DataKeyPairSpec enum and the
// form of KeyId is not inspected here, so a nil result does not mean the
// request is well-formed.
func (in *GenerateDataKeyPairInput) Validate() error {
	problems := request.ErrInvalidParams{Context: "GenerateDataKeyPairInput"}

	// A nil KeyId is reported as missing; a non-nil but empty one as too short.
	switch {
	case in.KeyId == nil:
		problems.Add(request.NewErrParamRequired("KeyId"))
	case len(*in.KeyId) < 1:
		problems.Add(request.NewErrParamMinLen("KeyId", 1))
	}
	if in.KeyPairSpec == nil {
		problems.Add(request.NewErrParamRequired("KeyPairSpec"))
	}

	if problems.Len() == 0 {
		return nil
	}
	return problems
}

// SetEncryptionContext stores v in the EncryptionContext field and returns the
// receiver so calls can be chained. The map is stored as given, not copied.
func (in *GenerateDataKeyPairInput) SetEncryptionContext(v map[string]*string) *GenerateDataKeyPairInput {
	in.EncryptionContext = v
	return in
}

// SetGrantTokens stores v in the GrantTokens field and returns the receiver so
// calls can be chained. The slice is stored as given, not copied.
func (in *GenerateDataKeyPairInput) SetGrantTokens(v []*string) *GenerateDataKeyPairInput {
	in.GrantTokens = v
	return in
}

// SetKeyId points the KeyId field at the method's own copy of v and returns
// the receiver so calls can be chained.
func (in *GenerateDataKeyPairInput) SetKeyId(v string) *GenerateDataKeyPairInput {
	in.KeyId = &v
	return in
}

// SetKeyPairSpec points the KeyPairSpec field at the method's own copy of v
// and returns the receiver so calls can be chained. The value is not checked
// against the DataKeyPairSpec enum.
func (in *GenerateDataKeyPairInput) SetKeyPairSpec(v string) *GenerateDataKeyPairInput {
	in.KeyPairSpec = &v
	return in
}
10864
// GenerateDataKeyPairOutput carries a generated data key pair: the public key,
// the encrypted private key and the plaintext private key, together with the
// ARN of the CMK that encrypted the private key and the key pair type.
//
// PrivateKeyPlaintext is the only field tagged sensitive:"true". It is secret
// key material: keep it out of logs and persistent storage, and overwrite the
// slice once the key has been used.
type GenerateDataKeyPairOutput struct {
	_ struct{} `type:"structure"`

	// The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN))
	// of the CMK that encrypted the private key.
	KeyId *string `min:"1" type:"string"`

	// The type of data key pair that was generated.
	KeyPairSpec *string `type:"string" enum:"DataKeyPairSpec"`

	// The encrypted copy of the private key. The value is Base64-encoded when
	// the HTTP API or the AWS CLI is used, and not Base64-encoded otherwise.
	//
	// PrivateKeyCiphertextBlob is automatically base64 encoded/decoded by the SDK.
	PrivateKeyCiphertextBlob []byte `min:"1" type:"blob"`

	// The plaintext copy of the private key. The value is Base64-encoded when
	// the HTTP API or the AWS CLI is used, and not Base64-encoded otherwise.
	//
	// PrivateKeyPlaintext is automatically base64 encoded/decoded by the SDK.
	PrivateKeyPlaintext []byte `min:"1" type:"blob" sensitive:"true"`

	// The public key (in plaintext).
	//
	// PublicKey is automatically base64 encoded/decoded by the SDK.
	PublicKey []byte `min:"1" type:"blob"`
}

// String renders the output through awsutil.Prettify.
//
// NOTE(review): whether the sensitive-tagged PrivateKeyPlaintext is masked in
// the rendered text is decided inside awsutil.Prettify, which is not visible
// here; confirm that before sending this string to a log.
func (out GenerateDataKeyPairOutput) String() string {
	rendered := awsutil.Prettify(out)
	return rendered
}

// GoString returns the same text as String.
func (out GenerateDataKeyPairOutput) GoString() string {
	text := out.String()
	return text
}

// SetKeyId points the KeyId field at the method's own copy of v and returns
// the receiver so calls can be chained.
func (out *GenerateDataKeyPairOutput) SetKeyId(v string) *GenerateDataKeyPairOutput {
	out.KeyId = &v
	return out
}

// SetKeyPairSpec points the KeyPairSpec field at the method's own copy of v
// and returns the receiver so calls can be chained.
func (out *GenerateDataKeyPairOutput) SetKeyPairSpec(v string) *GenerateDataKeyPairOutput {
	out.KeyPairSpec = &v
	return out
}

// SetPrivateKeyCiphertextBlob stores v in the PrivateKeyCiphertextBlob field
// and returns the receiver so calls can be chained. The slice is stored as
// given, not copied.
func (out *GenerateDataKeyPairOutput) SetPrivateKeyCiphertextBlob(v []byte) *GenerateDataKeyPairOutput {
	out.PrivateKeyCiphertextBlob = v
	return out
}

// SetPrivateKeyPlaintext stores v in the PrivateKeyPlaintext field and returns
// the receiver so calls can be chained.
//
// The slice is stored as given, not copied: the field and the caller's slice
// share one backing array, so overwriting either one clears the private key
// for both.
func (out *GenerateDataKeyPairOutput) SetPrivateKeyPlaintext(v []byte) *GenerateDataKeyPairOutput {
	out.PrivateKeyPlaintext = v
	return out
}

// SetPublicKey stores v in the PublicKey field and returns the receiver so
// calls can be chained. The slice is stored as given, not copied.
func (out *GenerateDataKeyPairOutput) SetPublicKey(v []byte) *GenerateDataKeyPairOutput {
	out.PublicKey = v
	return out
}
10932
// GenerateDataKeyPairWithoutPlaintextInput holds the request parameters for
// generating a data key pair whose private key is returned only in encrypted
// form: the CMK that encrypts the private key, the key pair type, and the
// optional encryption context and grant tokens.
//
// No field of this type is tagged sensitive, and the encryption context is
// described as non-secret, so secrets must not be placed in it.
type GenerateDataKeyPairWithoutPlaintextInput struct {
	_ struct{} `type:"structure"`

	// The encryption context to use when the private key of the data key pair
	// is encrypted.
	//
	// An encryption context is a set of non-secret key-value pairs that acts
	// as additional authenticated data. Data encrypted with an encryption
	// context can only be decrypted by supplying the same context (an exact,
	// case-sensitive match). With a symmetric CMK the context is optional,
	// but it is highly recommended.
	//
	// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context)
	// in the AWS Key Management Service Developer Guide.
	EncryptionContext map[string]*string `type:"map"`

	// A list of grant tokens.
	//
	// Supply a grant token when the permission to call this operation comes
	// from a new grant that has not yet achieved eventual consistency. For more
	// information, see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
	// in the AWS Key Management Service Developer Guide.
	GrantTokens []*string `type:"list"`

	// The CMK that encrypts the private key in the data key pair. It must be a
	// symmetric CMK; an asymmetric CMK or a CMK in a custom key store cannot
	// be used. Use the DescribeKey operation to get the type and origin of a
	// CMK.
	//
	// A CMK is identified by its key ID, key ARN, alias name, or alias ARN. An
	// alias name must be prefixed with "alias/". A CMK in a different AWS
	// account must be specified by key ARN or alias ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Alias name: alias/ExampleAlias
	//
	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// ListKeys or DescribeKey return the key ID and key ARN of a CMK;
	// ListAliases returns the alias name and alias ARN.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// The type of data key pair to generate.
	//
	// The AWS KMS rule that restricts the use of asymmetric RSA CMKs to encrypt
	// and decrypt or to sign and verify (but not both), and the rule that
	// permits ECC CMKs to be used only to sign and verify, are not effective
	// outside of AWS KMS. Keeping a generated key pair to a single purpose is
	// therefore up to the code that uses it.
	//
	// KeyPairSpec is a required field
	KeyPairSpec *string `type:"string" required:"true" enum:"DataKeyPairSpec"`
}

// String renders the input through awsutil.Prettify.
func (in GenerateDataKeyPairWithoutPlaintextInput) String() string {
	rendered := awsutil.Prettify(in)
	return rendered
}

// GoString returns the same text as String.
func (in GenerateDataKeyPairWithoutPlaintextInput) GoString() string {
	text := in.String()
	return text
}

// Validate runs the client-side checks for this input: KeyId and KeyPairSpec
// must be set, and KeyId must not be empty. It returns a
// request.ErrInvalidParams listing every failed check, or nil when all pass.
//
// The KeyPairSpec value is not compared with the DataKeyPairSpec enum and the
// form of KeyId is not inspected here, so a nil result does not mean the
// request is well-formed.
func (in *GenerateDataKeyPairWithoutPlaintextInput) Validate() error {
	problems := request.ErrInvalidParams{Context: "GenerateDataKeyPairWithoutPlaintextInput"}

	// A nil KeyId is reported as missing; a non-nil but empty one as too short.
	switch {
	case in.KeyId == nil:
		problems.Add(request.NewErrParamRequired("KeyId"))
	case len(*in.KeyId) < 1:
		problems.Add(request.NewErrParamMinLen("KeyId", 1))
	}
	if in.KeyPairSpec == nil {
		problems.Add(request.NewErrParamRequired("KeyPairSpec"))
	}

	if problems.Len() == 0 {
		return nil
	}
	return problems
}

// SetEncryptionContext stores v in the EncryptionContext field and returns the
// receiver so calls can be chained. The map is stored as given, not copied.
func (in *GenerateDataKeyPairWithoutPlaintextInput) SetEncryptionContext(v map[string]*string) *GenerateDataKeyPairWithoutPlaintextInput {
	in.EncryptionContext = v
	return in
}

// SetGrantTokens stores v in the GrantTokens field and returns the receiver so
// calls can be chained. The slice is stored as given, not copied.
func (in *GenerateDataKeyPairWithoutPlaintextInput) SetGrantTokens(v []*string) *GenerateDataKeyPairWithoutPlaintextInput {
	in.GrantTokens = v
	return in
}

// SetKeyId points the KeyId field at the method's own copy of v and returns
// the receiver so calls can be chained.
func (in *GenerateDataKeyPairWithoutPlaintextInput) SetKeyId(v string) *GenerateDataKeyPairWithoutPlaintextInput {
	in.KeyId = &v
	return in
}

// SetKeyPairSpec points the KeyPairSpec field at the method's own copy of v
// and returns the receiver so calls can be chained. The value is not checked
// against the DataKeyPairSpec enum.
func (in *GenerateDataKeyPairWithoutPlaintextInput) SetKeyPairSpec(v string) *GenerateDataKeyPairWithoutPlaintextInput {
	in.KeyPairSpec = &v
	return in
}
11045
// GenerateDataKeyPairWithoutPlaintextOutput carries a generated data key pair
// without a plaintext private key: the public key and the encrypted private
// key, together with the ARN of the CMK that encrypted the private key and the
// key pair type. No field of this type is tagged sensitive.
type GenerateDataKeyPairWithoutPlaintextOutput struct {
	_ struct{} `type:"structure"`

	// The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN))
	// of the CMK that encrypted the private key.
	KeyId *string `min:"1" type:"string"`

	// The type of data key pair that was generated.
	KeyPairSpec *string `type:"string" enum:"DataKeyPairSpec"`

	// The encrypted copy of the private key. The value is Base64-encoded when
	// the HTTP API or the AWS CLI is used, and not Base64-encoded otherwise.
	//
	// PrivateKeyCiphertextBlob is automatically base64 encoded/decoded by the SDK.
	PrivateKeyCiphertextBlob []byte `min:"1" type:"blob"`

	// The public key (in plaintext).
	//
	// PublicKey is automatically base64 encoded/decoded by the SDK.
	PublicKey []byte `min:"1" type:"blob"`
}

// String renders the output through awsutil.Prettify.
func (out GenerateDataKeyPairWithoutPlaintextOutput) String() string {
	rendered := awsutil.Prettify(out)
	return rendered
}

// GoString returns the same text as String.
func (out GenerateDataKeyPairWithoutPlaintextOutput) GoString() string {
	text := out.String()
	return text
}

// SetKeyId points the KeyId field at the method's own copy of v and returns
// the receiver so calls can be chained.
func (out *GenerateDataKeyPairWithoutPlaintextOutput) SetKeyId(v string) *GenerateDataKeyPairWithoutPlaintextOutput {
	out.KeyId = &v
	return out
}

// SetKeyPairSpec points the KeyPairSpec field at the method's own copy of v
// and returns the receiver so calls can be chained.
func (out *GenerateDataKeyPairWithoutPlaintextOutput) SetKeyPairSpec(v string) *GenerateDataKeyPairWithoutPlaintextOutput {
	out.KeyPairSpec = &v
	return out
}

// SetPrivateKeyCiphertextBlob stores v in the PrivateKeyCiphertextBlob field
// and returns the receiver so calls can be chained. The slice is stored as
// given, not copied.
func (out *GenerateDataKeyPairWithoutPlaintextOutput) SetPrivateKeyCiphertextBlob(v []byte) *GenerateDataKeyPairWithoutPlaintextOutput {
	out.PrivateKeyCiphertextBlob = v
	return out
}

// SetPublicKey stores v in the PublicKey field and returns the receiver so
// calls can be chained. The slice is stored as given, not copied.
func (out *GenerateDataKeyPairWithoutPlaintextOutput) SetPublicKey(v []byte) *GenerateDataKeyPairWithoutPlaintextOutput {
	out.PublicKey = v
	return out
}
11101
// GenerateDataKeyWithoutPlaintextInput holds the request parameters for
// generating a data key that is returned only in encrypted form: the CMK that
// encrypts the data key, the key length (as KeySpec or NumberOfBytes), and the
// optional encryption context and grant tokens.
//
// No field of this type is tagged sensitive, and the encryption context is
// described as non-secret, so secrets must not be placed in it.
type GenerateDataKeyWithoutPlaintextInput struct {
	_ struct{} `type:"structure"`

	// The encryption context to use when the data key is encrypted.
	//
	// An encryption context is a set of non-secret key-value pairs that acts
	// as additional authenticated data. Data encrypted with an encryption
	// context can only be decrypted by supplying the same context (an exact,
	// case-sensitive match). With a symmetric CMK the context is optional,
	// but it is highly recommended.
	//
	// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context)
	// in the AWS Key Management Service Developer Guide.
	EncryptionContext map[string]*string `type:"map"`

	// A list of grant tokens.
	//
	// Supply a grant token when the permission to call this operation comes
	// from a new grant that has not yet achieved eventual consistency. For more
	// information, see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
	// in the AWS Key Management Service Developer Guide.
	GrantTokens []*string `type:"list"`

	// The identifier of the symmetric customer master key (CMK) that encrypts
	// the data key.
	//
	// A CMK is identified by its key ID, key ARN, alias name, or alias ARN. An
	// alias name must be prefixed with "alias/". A CMK in a different AWS
	// account must be specified by key ARN or alias ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Alias name: alias/ExampleAlias
	//
	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// ListKeys or DescribeKey return the key ID and key ARN of a CMK;
	// ListAliases returns the alias name and alias ARN.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// The length of the data key. AES_128 generates a 128-bit symmetric key
	// and AES_256 generates a 256-bit symmetric key.
	KeySpec *string `type:"string" enum:"DataKeySpec"`

	// The length of the data key in bytes. For example, the value 64 generates
	// a 512-bit data key (64 bytes is 512 bits). For common key lengths
	// (128-bit and 256-bit symmetric keys), using the KeySpec field instead of
	// this one is recommended.
	NumberOfBytes *int64 `min:"1" type:"integer"`
}

// String renders the input through awsutil.Prettify.
func (in GenerateDataKeyWithoutPlaintextInput) String() string {
	rendered := awsutil.Prettify(in)
	return rendered
}

// GoString returns the same text as String.
func (in GenerateDataKeyWithoutPlaintextInput) GoString() string {
	text := in.String()
	return text
}

// Validate runs the client-side checks for this input: KeyId must be set and
// not empty, and NumberOfBytes, when set, must be at least 1. It returns a
// request.ErrInvalidParams listing every failed check, or nil when all pass.
//
// Nothing here checks the KeySpec value, an upper bound on NumberOfBytes, or
// how KeySpec and NumberOfBytes relate to each other (both set, or neither),
// so a nil result does not mean the request is well-formed.
func (in *GenerateDataKeyWithoutPlaintextInput) Validate() error {
	problems := request.ErrInvalidParams{Context: "GenerateDataKeyWithoutPlaintextInput"}

	// A nil KeyId is reported as missing; a non-nil but empty one as too short.
	switch {
	case in.KeyId == nil:
		problems.Add(request.NewErrParamRequired("KeyId"))
	case len(*in.KeyId) < 1:
		problems.Add(request.NewErrParamMinLen("KeyId", 1))
	}
	if n := in.NumberOfBytes; n != nil && *n < 1 {
		problems.Add(request.NewErrParamMinValue("NumberOfBytes", 1))
	}

	if problems.Len() == 0 {
		return nil
	}
	return problems
}

// SetEncryptionContext stores v in the EncryptionContext field and returns the
// receiver so calls can be chained. The map is stored as given, not copied.
func (in *GenerateDataKeyWithoutPlaintextInput) SetEncryptionContext(v map[string]*string) *GenerateDataKeyWithoutPlaintextInput {
	in.EncryptionContext = v
	return in
}

// SetGrantTokens stores v in the GrantTokens field and returns the receiver so
// calls can be chained. The slice is stored as given, not copied.
func (in *GenerateDataKeyWithoutPlaintextInput) SetGrantTokens(v []*string) *GenerateDataKeyWithoutPlaintextInput {
	in.GrantTokens = v
	return in
}

// SetKeyId points the KeyId field at the method's own copy of v and returns
// the receiver so calls can be chained.
func (in *GenerateDataKeyWithoutPlaintextInput) SetKeyId(v string) *GenerateDataKeyWithoutPlaintextInput {
	in.KeyId = &v
	return in
}

// SetKeySpec points the KeySpec field at the method's own copy of v and
// returns the receiver so calls can be chained. The value is not checked
// against the DataKeySpec enum.
func (in *GenerateDataKeyWithoutPlaintextInput) SetKeySpec(v string) *GenerateDataKeyWithoutPlaintextInput {
	in.KeySpec = &v
	return in
}

// SetNumberOfBytes points the NumberOfBytes field at the method's own copy of
// v and returns the receiver so calls can be chained. The range of v is only
// checked later, by Validate.
func (in *GenerateDataKeyWithoutPlaintextInput) SetNumberOfBytes(v int64) *GenerateDataKeyWithoutPlaintextInput {
	in.NumberOfBytes = &v
	return in
}
11218
// GenerateDataKeyWithoutPlaintextOutput carries an encrypted data key and the
// ARN of the CMK that encrypted it. It has no plaintext key field and no field
// tagged sensitive.
type GenerateDataKeyWithoutPlaintextOutput struct {
	_ struct{} `type:"structure"`

	// The encrypted data key. The value is Base64-encoded when the HTTP API or
	// the AWS CLI is used, and not Base64-encoded otherwise.
	//
	// CiphertextBlob is automatically base64 encoded/decoded by the SDK.
	CiphertextBlob []byte `min:"1" type:"blob"`

	// The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN))
	// of the CMK that encrypted the data key.
	KeyId *string `min:"1" type:"string"`
}

// String renders the output through awsutil.Prettify.
func (out GenerateDataKeyWithoutPlaintextOutput) String() string {
	rendered := awsutil.Prettify(out)
	return rendered
}

// GoString returns the same text as String.
func (out GenerateDataKeyWithoutPlaintextOutput) GoString() string {
	text := out.String()
	return text
}

// SetCiphertextBlob stores v in the CiphertextBlob field and returns the
// receiver so calls can be chained. The slice is stored as given, not copied.
func (out *GenerateDataKeyWithoutPlaintextOutput) SetCiphertextBlob(v []byte) *GenerateDataKeyWithoutPlaintextOutput {
	out.CiphertextBlob = v
	return out
}

// SetKeyId points the KeyId field at the method's own copy of v and returns
// the receiver so calls can be chained.
func (out *GenerateDataKeyWithoutPlaintextOutput) SetKeyId(v string) *GenerateDataKeyWithoutPlaintextOutput {
	out.KeyId = &v
	return out
}
11254
// GenerateRandomInput holds the request parameters for generating a random
// byte string: its length and, optionally, the custom key store whose AWS
// CloudHSM cluster should produce it. Both fields are optional as far as the
// struct tags and Validate are concerned.
type GenerateRandomInput struct {
	_ struct{} `type:"structure"`

	// Generates the random byte string in the AWS CloudHSM cluster that is
	// associated with the specified custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html).
	// Use the DescribeCustomKeyStores operation to find the ID of a custom key
	// store.
	CustomKeyStoreId *string `min:"1" type:"string"`

	// The length of the byte string.
	NumberOfBytes *int64 `min:"1" type:"integer"`
}

// String renders the input through awsutil.Prettify.
func (in GenerateRandomInput) String() string {
	rendered := awsutil.Prettify(in)
	return rendered
}

// GoString returns the same text as String.
func (in GenerateRandomInput) GoString() string {
	text := in.String()
	return text
}

// Validate runs the client-side checks for this input: CustomKeyStoreId, when
// set, must not be empty, and NumberOfBytes, when set, must be at least 1. It
// returns a request.ErrInvalidParams listing every failed check, or nil when
// all pass.
//
// A nil NumberOfBytes passes, and no upper bound is applied here.
func (in *GenerateRandomInput) Validate() error {
	problems := request.ErrInvalidParams{Context: "GenerateRandomInput"}

	if id := in.CustomKeyStoreId; id != nil && len(*id) < 1 {
		problems.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1))
	}
	if n := in.NumberOfBytes; n != nil && *n < 1 {
		problems.Add(request.NewErrParamMinValue("NumberOfBytes", 1))
	}

	if problems.Len() == 0 {
		return nil
	}
	return problems
}

// SetCustomKeyStoreId points the CustomKeyStoreId field at the method's own
// copy of v and returns the receiver so calls can be chained.
func (in *GenerateRandomInput) SetCustomKeyStoreId(v string) *GenerateRandomInput {
	in.CustomKeyStoreId = &v
	return in
}

// SetNumberOfBytes points the NumberOfBytes field at the method's own copy of
// v and returns the receiver so calls can be chained. The range of v is only
// checked later, by Validate.
func (in *GenerateRandomInput) SetNumberOfBytes(v int64) *GenerateRandomInput {
	in.NumberOfBytes = &v
	return in
}
11304
// GenerateRandomOutput carries the generated random byte string.
//
// Plaintext is tagged sensitive:"true". When the bytes are used as key
// material or another secret, keep them out of logs and overwrite the slice
// once they have been used.
type GenerateRandomOutput struct {
	_ struct{} `type:"structure"`

	// The random byte string. The value is Base64-encoded when the HTTP API or
	// the AWS CLI is used, and not Base64-encoded otherwise.
	//
	// Plaintext is automatically base64 encoded/decoded by the SDK.
	Plaintext []byte `min:"1" type:"blob" sensitive:"true"`
}

// String renders the output through awsutil.Prettify.
//
// NOTE(review): whether the sensitive-tagged Plaintext is masked in the
// rendered text is decided inside awsutil.Prettify, which is not visible here;
// confirm that before sending this string to a log.
func (out GenerateRandomOutput) String() string {
	rendered := awsutil.Prettify(out)
	return rendered
}

// GoString returns the same text as String.
func (out GenerateRandomOutput) GoString() string {
	text := out.String()
	return text
}

// SetPlaintext stores v in the Plaintext field and returns the receiver so
// calls can be chained.
//
// The slice is stored as given, not copied: the field and the caller's slice
// share one backing array, so overwriting either one clears the bytes for
// both.
func (out *GenerateRandomOutput) SetPlaintext(v []byte) *GenerateRandomOutput {
	out.Plaintext = v
	return out
}
11330
// GetKeyPolicyInput holds the request parameters for reading a key policy: the
// CMK and the name of the policy. Both fields are required.
type GetKeyPolicyInput struct {
	_ struct{} `type:"structure"`

	// Gets the key policy for the specified customer master key (CMK).
	//
	// The CMK is specified by its key ID or key ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// ListKeys or DescribeKey return the key ID and key ARN of a CMK.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// The name of the key policy. The only valid name is default. Use
	// ListKeyPolicies to get the names of key policies.
	//
	// PolicyName is a required field
	PolicyName *string `min:"1" type:"string" required:"true"`
}

// String renders the input through awsutil.Prettify.
func (in GetKeyPolicyInput) String() string {
	rendered := awsutil.Prettify(in)
	return rendered
}

// GoString returns the same text as String.
func (in GetKeyPolicyInput) GoString() string {
	text := in.String()
	return text
}

// Validate runs the client-side checks for this input: KeyId and PolicyName
// must both be set and not empty. It returns a request.ErrInvalidParams
// listing every failed check, or nil when all pass.
//
// The PolicyName value itself is not compared with "default" here.
func (in *GetKeyPolicyInput) Validate() error {
	problems := request.ErrInvalidParams{Context: "GetKeyPolicyInput"}

	// For each field, nil is reported as missing and an empty value as too
	// short; the two reports are mutually exclusive.
	switch {
	case in.KeyId == nil:
		problems.Add(request.NewErrParamRequired("KeyId"))
	case len(*in.KeyId) < 1:
		problems.Add(request.NewErrParamMinLen("KeyId", 1))
	}
	switch {
	case in.PolicyName == nil:
		problems.Add(request.NewErrParamRequired("PolicyName"))
	case len(*in.PolicyName) < 1:
		problems.Add(request.NewErrParamMinLen("PolicyName", 1))
	}

	if problems.Len() == 0 {
		return nil
	}
	return problems
}

// SetKeyId points the KeyId field at the method's own copy of v and returns
// the receiver so calls can be chained.
func (in *GetKeyPolicyInput) SetKeyId(v string) *GetKeyPolicyInput {
	in.KeyId = &v
	return in
}

// SetPolicyName points the PolicyName field at the method's own copy of v and
// returns the receiver so calls can be chained.
func (in *GetKeyPolicyInput) SetPolicyName(v string) *GetKeyPolicyInput {
	in.PolicyName = &v
	return in
}
11399
// GetKeyPolicyOutput carries the key policy document that was read. The Policy
// field is not tagged sensitive.
type GetKeyPolicyOutput struct {
	_ struct{} `type:"structure"`

	// A key policy document in JSON format.
	Policy *string `min:"1" type:"string"`
}

// String renders the output through awsutil.Prettify.
func (out GetKeyPolicyOutput) String() string {
	rendered := awsutil.Prettify(out)
	return rendered
}

// GoString returns the same text as String.
func (out GetKeyPolicyOutput) GoString() string {
	text := out.String()
	return text
}

// SetPolicy points the Policy field at the method's own copy of v and returns
// the receiver so calls can be chained. The string is not parsed or checked as
// JSON.
func (out *GetKeyPolicyOutput) SetPolicy(v string) *GetKeyPolicyOutput {
	out.Policy = &v
	return out
}
11422
// GetKeyRotationStatusInput holds the request parameter for reading the
// rotation status of a CMK: the required key identifier.
type GetKeyRotationStatusInput struct {
	_ struct{} `type:"structure"`

	// Gets the rotation status for the specified customer master key (CMK).
	//
	// The CMK is specified by its key ID or key ARN. A CMK in a different AWS
	// account must be specified by key ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// ListKeys or DescribeKey return the key ID and key ARN of a CMK.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`
}

// String renders the input through awsutil.Prettify.
func (in GetKeyRotationStatusInput) String() string {
	rendered := awsutil.Prettify(in)
	return rendered
}

// GoString returns the same text as String.
func (in GetKeyRotationStatusInput) GoString() string {
	text := in.String()
	return text
}

// Validate runs the client-side checks for this input: KeyId must be set and
// not empty. It returns a request.ErrInvalidParams listing every failed check,
// or nil when all pass. The form of KeyId is not inspected here.
func (in *GetKeyRotationStatusInput) Validate() error {
	problems := request.ErrInvalidParams{Context: "GetKeyRotationStatusInput"}

	// A nil KeyId is reported as missing; a non-nil but empty one as too short.
	switch {
	case in.KeyId == nil:
		problems.Add(request.NewErrParamRequired("KeyId"))
	case len(*in.KeyId) < 1:
		problems.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if problems.Len() == 0 {
		return nil
	}
	return problems
}

// SetKeyId points the KeyId field at the method's own copy of v and returns
// the receiver so calls can be chained.
func (in *GetKeyRotationStatusInput) SetKeyId(v string) *GetKeyRotationStatusInput {
	in.KeyId = &v
	return in
}
11474
// GetKeyRotationStatusOutput reports whether key rotation is enabled.
//
// KeyRotationEnabled is a pointer, so a caller has to tell a nil field apart
// from a false value before treating rotation as disabled.
type GetKeyRotationStatusOutput struct {
	_ struct{} `type:"structure"`

	// A Boolean value that specifies whether key rotation is enabled.
	KeyRotationEnabled *bool `type:"boolean"`
}

// String renders the output through awsutil.Prettify.
func (out GetKeyRotationStatusOutput) String() string {
	rendered := awsutil.Prettify(out)
	return rendered
}

// GoString returns the same text as String.
func (out GetKeyRotationStatusOutput) GoString() string {
	text := out.String()
	return text
}

// SetKeyRotationEnabled points the KeyRotationEnabled field at the method's
// own copy of v and returns the receiver so calls can be chained.
func (out *GetKeyRotationStatusOutput) SetKeyRotationEnabled(v bool) *GetKeyRotationStatusOutput {
	out.KeyRotationEnabled = &v
	return out
}
11497
// GetParametersForImportInput holds the request parameters for obtaining what
// is needed to import key material into a CMK: the target CMK, the wrapping
// algorithm, and the type of wrapping key. All three fields are required.
type GetParametersForImportInput struct {
	_ struct{} `type:"structure"`

	// The identifier of the symmetric CMK into which key material will be
	// imported. The Origin of the CMK must be EXTERNAL.
	//
	// The CMK is specified by its key ID or key ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// ListKeys or DescribeKey return the key ID and key ARN of a CMK.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// The algorithm that will be used to encrypt the key material before it is
	// imported with ImportKeyMaterial. For more information, see Encrypt the
	// Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-encrypt-key-material.html)
	// in the AWS Key Management Service Developer Guide.
	//
	// WrappingAlgorithm is a required field
	WrappingAlgorithm *string `type:"string" required:"true" enum:"AlgorithmSpec"`

	// The type of wrapping key (public key) to return in the response. Only
	// 2048-bit RSA public keys are supported.
	//
	// WrappingKeySpec is a required field
	WrappingKeySpec *string `type:"string" required:"true" enum:"WrappingKeySpec"`
}

// String renders the input through awsutil.Prettify.
func (in GetParametersForImportInput) String() string {
	rendered := awsutil.Prettify(in)
	return rendered
}

// GoString returns the same text as String.
func (in GetParametersForImportInput) GoString() string {
	text := in.String()
	return text
}

// Validate runs the client-side checks for this input: KeyId,
// WrappingAlgorithm and WrappingKeySpec must be set, and KeyId must not be
// empty. It returns a request.ErrInvalidParams listing every failed check, or
// nil when all pass.
//
// The WrappingAlgorithm and WrappingKeySpec values are not compared with their
// enums here, so a nil result does not mean a supported algorithm was chosen.
func (in *GetParametersForImportInput) Validate() error {
	problems := request.ErrInvalidParams{Context: "GetParametersForImportInput"}

	// A nil KeyId is reported as missing; a non-nil but empty one as too short.
	switch {
	case in.KeyId == nil:
		problems.Add(request.NewErrParamRequired("KeyId"))
	case len(*in.KeyId) < 1:
		problems.Add(request.NewErrParamMinLen("KeyId", 1))
	}
	if in.WrappingAlgorithm == nil {
		problems.Add(request.NewErrParamRequired("WrappingAlgorithm"))
	}
	if in.WrappingKeySpec == nil {
		problems.Add(request.NewErrParamRequired("WrappingKeySpec"))
	}

	if problems.Len() == 0 {
		return nil
	}
	return problems
}

// SetKeyId points the KeyId field at the method's own copy of v and returns
// the receiver so calls can be chained.
func (in *GetParametersForImportInput) SetKeyId(v string) *GetParametersForImportInput {
	in.KeyId = &v
	return in
}

// SetWrappingAlgorithm points the WrappingAlgorithm field at the method's own
// copy of v and returns the receiver so calls can be chained. The value is not
// checked against the AlgorithmSpec enum.
func (in *GetParametersForImportInput) SetWrappingAlgorithm(v string) *GetParametersForImportInput {
	in.WrappingAlgorithm = &v
	return in
}

// SetWrappingKeySpec points the WrappingKeySpec field at the method's own copy
// of v and returns the receiver so calls can be chained. The value is not
// checked against the WrappingKeySpec enum.
func (in *GetParametersForImportInput) SetWrappingKeySpec(v string) *GetParametersForImportInput {
	in.WrappingKeySpec = &v
	return in
}
11581
// GetParametersForImportOutput carries what a subsequent ImportKeyMaterial
// request needs: the import token, the public key used to encrypt the key
// material, the ARN of the target CMK, and the time after which the token and
// public key are no longer valid.
//
// PublicKey is tagged sensitive:"true"; ImportToken is not. Compare
// ParametersValidTo with the current time before using either value, since
// both stop being usable after it.
type GetParametersForImportOutput struct {
	_ struct{} `type:"structure"`

	// The import token to send in a subsequent ImportKeyMaterial request.
	//
	// ImportToken is automatically base64 encoded/decoded by the SDK.
	ImportToken []byte `min:"1" type:"blob"`

	// The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN))
	// of the CMK to use in a subsequent ImportKeyMaterial request. It is the
	// same CMK that was specified in the GetParametersForImport request.
	KeyId *string `min:"1" type:"string"`

	// The time at which the import token and public key stop being valid.
	// After this time they cannot be used in an ImportKeyMaterial request, and
	// another GetParametersForImport request must be sent to get new ones.
	ParametersValidTo *time.Time `type:"timestamp"`

	// The public key to use to encrypt the key material before importing it
	// with ImportKeyMaterial.
	//
	// PublicKey is automatically base64 encoded/decoded by the SDK.
	PublicKey []byte `min:"1" type:"blob" sensitive:"true"`
}

// String renders the output through awsutil.Prettify.
//
// NOTE(review): how the sensitive-tagged PublicKey and the untagged
// ImportToken appear in the rendered text is decided inside awsutil.Prettify,
// which is not visible here; confirm that before sending this string to a log.
func (out GetParametersForImportOutput) String() string {
	rendered := awsutil.Prettify(out)
	return rendered
}

// GoString returns the same text as String.
func (out GetParametersForImportOutput) GoString() string {
	text := out.String()
	return text
}

// SetImportToken stores v in the ImportToken field and returns the receiver so
// calls can be chained. The slice is stored as given, not copied.
func (out *GetParametersForImportOutput) SetImportToken(v []byte) *GetParametersForImportOutput {
	out.ImportToken = v
	return out
}

// SetKeyId points the KeyId field at the method's own copy of v and returns
// the receiver so calls can be chained.
func (out *GetParametersForImportOutput) SetKeyId(v string) *GetParametersForImportOutput {
	out.KeyId = &v
	return out
}

// SetParametersValidTo points the ParametersValidTo field at the method's own
// copy of v and returns the receiver so calls can be chained.
func (out *GetParametersForImportOutput) SetParametersValidTo(v time.Time) *GetParametersForImportOutput {
	out.ParametersValidTo = &v
	return out
}
11634
11635// SetPublicKey sets the PublicKey field's value.
11636func (s *GetParametersForImportOutput) SetPublicKey(v []byte) *GetParametersForImportOutput {
11637	s.PublicKey = v
11638	return s
11639}
11640
// GetPublicKeyInput identifies the asymmetric CMK whose public key is wanted
// and optionally carries grant tokens, as described on its fields.
type GetPublicKeyInput struct {
	_ struct{} `type:"structure"`

	// A list of grant tokens.
	//
	// Use a grant token when your permission to call this operation comes from
	// a new grant that has not yet achieved eventual consistency. For more information,
	// see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
	// in the AWS Key Management Service Developer Guide.
	GrantTokens []*string `type:"list"`

	// Identifies the asymmetric CMK that includes the public key.
	//
	// To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When
	// using an alias name, prefix it with "alias/". To specify a CMK in a different
	// AWS account, you must use the key ARN or alias ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Alias name: alias/ExampleAlias
	//
	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To
	// get the alias name and alias ARN, use ListAliases.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`
}

// String passes the receiver to awsutil.Prettify and returns the text it
// produces. GrantTokens has no sensitive tag, so the tokens are presumably
// part of that text; confirm before logging it.
func (s GetPublicKeyInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns exactly what String returns.
func (s GetPublicKeyInput) GoString() string {
	return s.String()
}

// Validate reports a nil KeyId as a missing required parameter and a set but
// empty KeyId as too short. Findings are returned as a
// request.ErrInvalidParams; nil is returned when there are none.
//
// The format of KeyId and the contents of GrantTokens are not examined.
func (s *GetPublicKeyInput) Validate() error {
	invalidParams := request.ErrInvalidParams{Context: "GetPublicKeyInput"}

	// A nil KeyId and an empty KeyId are mutually exclusive findings.
	switch {
	case s.KeyId == nil:
		invalidParams.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if invalidParams.Len() == 0 {
		return nil
	}
	return invalidParams
}

// SetGrantTokens stores v in GrantTokens and returns the receiver. The slice is
// not copied, so the field shares its backing array with the caller's slice.
func (s *GetPublicKeyInput) SetGrantTokens(v []*string) *GetPublicKeyInput {
	s.GrantTokens = v
	return s
}

// SetKeyId points KeyId at a copy of v and returns the receiver.
func (s *GetPublicKeyInput) SetKeyId(v string) *GetPublicKeyInput {
	s.KeyId = &v
	return s
}
11712
// GetPublicKeyOutput holds a downloaded public key together with the metadata
// that says how it may be used. As the field comments explain, KeyUsage and
// the algorithm lists must be respected when the key is used outside AWS KMS,
// otherwise the resulting ciphertext cannot be decrypted.
type GetPublicKeyOutput struct {
	_ struct{} `type:"structure"`

	// The type of the public key that was downloaded.
	CustomerMasterKeySpec *string `type:"string" enum:"CustomerMasterKeySpec"`

	// The encryption algorithms that AWS KMS supports for this key.
	//
	// This information is critical. If a public key encrypts data outside of AWS
	// KMS by using an unsupported encryption algorithm, the ciphertext cannot be
	// decrypted.
	//
	// This field appears in the response only when the KeyUsage of the public key
	// is ENCRYPT_DECRYPT.
	EncryptionAlgorithms []*string `type:"list"`

	// The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN))
	// of the asymmetric CMK from which the public key was downloaded.
	KeyId *string `min:"1" type:"string"`

	// The permitted use of the public key. Valid values are ENCRYPT_DECRYPT or
	// SIGN_VERIFY.
	//
	// This information is critical. If a public key with SIGN_VERIFY key usage
	// encrypts data outside of AWS KMS, the ciphertext cannot be decrypted.
	KeyUsage *string `type:"string" enum:"KeyUsageType"`

	// The exported public key.
	//
	// The value is a DER-encoded X.509 public key, also known as SubjectPublicKeyInfo
	// (SPKI), as defined in RFC 5280 (https://tools.ietf.org/html/rfc5280). When
	// you use the HTTP API or the AWS CLI, the value is Base64-encoded. Otherwise,
	// it is not Base64-encoded.
	//
	// PublicKey is automatically base64 encoded/decoded by the SDK.
	PublicKey []byte `min:"1" type:"blob"`

	// The signing algorithms that AWS KMS supports for this key.
	//
	// This field appears in the response only when the KeyUsage of the public key
	// is SIGN_VERIFY.
	SigningAlgorithms []*string `type:"list"`
}

// String passes the receiver to awsutil.Prettify and returns the text it
// produces.
func (s GetPublicKeyOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns exactly what String returns.
func (s GetPublicKeyOutput) GoString() string {
	return s.String()
}

// SetCustomerMasterKeySpec points CustomerMasterKeySpec at a copy of v and
// returns the receiver.
func (s *GetPublicKeyOutput) SetCustomerMasterKeySpec(v string) *GetPublicKeyOutput {
	s.CustomerMasterKeySpec = &v
	return s
}

// SetEncryptionAlgorithms stores v in EncryptionAlgorithms and returns the
// receiver. The slice is not copied.
func (s *GetPublicKeyOutput) SetEncryptionAlgorithms(v []*string) *GetPublicKeyOutput {
	s.EncryptionAlgorithms = v
	return s
}

// SetKeyId points KeyId at a copy of v and returns the receiver.
func (s *GetPublicKeyOutput) SetKeyId(v string) *GetPublicKeyOutput {
	s.KeyId = &v
	return s
}

// SetKeyUsage points KeyUsage at a copy of v and returns the receiver.
func (s *GetPublicKeyOutput) SetKeyUsage(v string) *GetPublicKeyOutput {
	s.KeyUsage = &v
	return s
}

// SetPublicKey stores v in PublicKey and returns the receiver. The slice is not
// copied, so the field shares its backing array with the caller's slice.
func (s *GetPublicKeyOutput) SetPublicKey(v []byte) *GetPublicKeyOutput {
	s.PublicKey = v
	return s
}

// SetSigningAlgorithms stores v in SigningAlgorithms and returns the receiver.
// The slice is not copied.
func (s *GetPublicKeyOutput) SetSigningAlgorithms(v []*string) *GetPublicKeyOutput {
	s.SigningAlgorithms = v
	return s
}
11802
// GrantConstraints allows cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations)
// in the grant only when the operation request includes the specified encryption
// context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context).
//
// AWS KMS applies the grant constraints only to cryptographic operations that
// support an encryption context, that is, all cryptographic operations with
// a symmetric CMK (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#symmetric-cmks).
// Grant constraints are not applied to operations that do not support an encryption
// context, such as cryptographic operations with asymmetric CMKs and management
// operations, such as DescribeKey or RetireGrant.
//
// In a cryptographic operation, the encryption context in the decryption operation
// must be an exact, case-sensitive match for the keys and values in the encryption
// context of the encryption operation. Only the order of the pairs can vary.
//
// However, in a grant constraint, the key in each key-value pair is not case
// sensitive, but the value is case sensitive.
//
// To avoid confusion, do not use multiple encryption context pairs that differ
// only by case. To require a fully case-sensitive encryption context, use the
// kms:EncryptionContext: and kms:EncryptionContextKeys conditions in an IAM
// or key policy. For details, see kms:EncryptionContext: (https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context)
// in the AWS Key Management Service Developer Guide.
type GrantConstraints struct {
	_ struct{} `type:"structure"`

	// A list of key-value pairs that must match the encryption context in the cryptographic
	// operation (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations)
	// request. The grant allows the operation only when the encryption context
	// in the request is the same as the encryption context specified in this constraint.
	EncryptionContextEquals map[string]*string `type:"map"`

	// A list of key-value pairs that must be included in the encryption context
	// of the cryptographic operation (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations)
	// request. The grant allows the cryptographic operation only when the encryption
	// context in the request includes the key-value pairs specified in this constraint,
	// although it can include additional key-value pairs.
	EncryptionContextSubset map[string]*string `type:"map"`
}

// String passes the receiver to awsutil.Prettify and returns the text it
// produces.
func (s GrantConstraints) String() string {
	return awsutil.Prettify(s)
}

// GoString returns exactly what String returns.
func (s GrantConstraints) GoString() string {
	return s.String()
}

// SetEncryptionContextEquals stores v in EncryptionContextEquals and returns
// the receiver. The map is not copied, so later changes the caller makes to v
// are visible through the field.
func (s *GrantConstraints) SetEncryptionContextEquals(v map[string]*string) *GrantConstraints {
	s.EncryptionContextEquals = v
	return s
}

// SetEncryptionContextSubset stores v in EncryptionContextSubset and returns
// the receiver. The map is not copied, so later changes the caller makes to v
// are visible through the field.
func (s *GrantConstraints) SetEncryptionContextSubset(v map[string]*string) *GrantConstraints {
	s.EncryptionContextSubset = v
	return s
}
11864
// GrantListEntry contains information about a grant.
type GrantListEntry struct {
	_ struct{} `type:"structure"`

	// A list of key-value pairs that must be present in the encryption context
	// of certain subsequent operations that the grant allows.
	Constraints *GrantConstraints `type:"structure"`

	// The date and time when the grant was created.
	CreationDate *time.Time `type:"timestamp"`

	// The unique identifier for the grant.
	GrantId *string `min:"1" type:"string"`

	// The identity that gets the permissions in the grant.
	//
	// The GranteePrincipal field in the ListGrants response usually contains the
	// user or role designated as the grantee principal in the grant. However, when
	// the grantee principal in the grant is an AWS service, the GranteePrincipal
	// field contains the service principal (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services),
	// which might represent several different grantee principals.
	GranteePrincipal *string `min:"1" type:"string"`

	// The AWS account under which the grant was issued.
	IssuingAccount *string `min:"1" type:"string"`

	// The unique identifier for the customer master key (CMK) to which the grant
	// applies.
	KeyId *string `min:"1" type:"string"`

	// The friendly name that identifies the grant. If a name was provided in the
	// CreateGrant request, that name is returned. Otherwise this value is null.
	Name *string `min:"1" type:"string"`

	// The list of operations permitted by the grant.
	Operations []*string `type:"list"`

	// The principal that can retire the grant.
	RetiringPrincipal *string `min:"1" type:"string"`
}

// String passes the receiver to awsutil.Prettify and returns the text it
// produces.
func (s GrantListEntry) String() string {
	return awsutil.Prettify(s)
}

// GoString returns exactly what String returns.
func (s GrantListEntry) GoString() string {
	return s.String()
}

// SetConstraints stores the pointer v in Constraints and returns the receiver.
// The GrantConstraints value is shared with the caller, not copied.
func (s *GrantListEntry) SetConstraints(v *GrantConstraints) *GrantListEntry {
	s.Constraints = v
	return s
}

// SetCreationDate points CreationDate at a copy of v and returns the receiver.
func (s *GrantListEntry) SetCreationDate(v time.Time) *GrantListEntry {
	s.CreationDate = &v
	return s
}

// SetGrantId points GrantId at a copy of v and returns the receiver.
func (s *GrantListEntry) SetGrantId(v string) *GrantListEntry {
	s.GrantId = &v
	return s
}

// SetGranteePrincipal points GranteePrincipal at a copy of v and returns the
// receiver.
func (s *GrantListEntry) SetGranteePrincipal(v string) *GrantListEntry {
	s.GranteePrincipal = &v
	return s
}

// SetIssuingAccount points IssuingAccount at a copy of v and returns the
// receiver.
func (s *GrantListEntry) SetIssuingAccount(v string) *GrantListEntry {
	s.IssuingAccount = &v
	return s
}

// SetKeyId points KeyId at a copy of v and returns the receiver.
func (s *GrantListEntry) SetKeyId(v string) *GrantListEntry {
	s.KeyId = &v
	return s
}

// SetName points Name at a copy of v and returns the receiver.
func (s *GrantListEntry) SetName(v string) *GrantListEntry {
	s.Name = &v
	return s
}

// SetOperations stores v in Operations and returns the receiver. The slice is
// not copied.
func (s *GrantListEntry) SetOperations(v []*string) *GrantListEntry {
	s.Operations = v
	return s
}

// SetRetiringPrincipal points RetiringPrincipal at a copy of v and returns the
// receiver.
func (s *GrantListEntry) SetRetiringPrincipal(v string) *GrantListEntry {
	s.RetiringPrincipal = &v
	return s
}
11969
// ImportKeyMaterialInput carries wrapped key material, the matching import
// token, the target CMK and the expiration settings, as described on its
// fields.
//
// NOTE(review): neither EncryptedKeyMaterial nor ImportToken carries a
// sensitive tag, so String and GoString presumably render both in full.
// Confirm how awsutil.Prettify treats them before logging this value.
type ImportKeyMaterialInput struct {
	_ struct{} `type:"structure"`

	// The encrypted key material to import. The key material must be encrypted
	// with the public wrapping key that GetParametersForImport returned, using
	// the wrapping algorithm that you specified in the same GetParametersForImport
	// request.
	//
	// EncryptedKeyMaterial is automatically base64 encoded/decoded by the SDK.
	//
	// EncryptedKeyMaterial is a required field
	EncryptedKeyMaterial []byte `min:"1" type:"blob" required:"true"`

	// Specifies whether the key material expires. The default is KEY_MATERIAL_EXPIRES,
	// in which case you must include the ValidTo parameter. When this parameter
	// is set to KEY_MATERIAL_DOES_NOT_EXPIRE, you must omit the ValidTo parameter.
	ExpirationModel *string `type:"string" enum:"ExpirationModelType"`

	// The import token that you received in the response to a previous GetParametersForImport
	// request. It must be from the same response that contained the public key
	// that you used to encrypt the key material.
	//
	// ImportToken is automatically base64 encoded/decoded by the SDK.
	//
	// ImportToken is a required field
	ImportToken []byte `min:"1" type:"blob" required:"true"`

	// The identifier of the symmetric CMK that receives the imported key material.
	// The CMK's Origin must be EXTERNAL. This must be the same CMK specified in
	// the KeyID parameter of the corresponding GetParametersForImport request.
	//
	// Specify the key ID or key ARN of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// The time at which the imported key material expires. When the key material
	// expires, AWS KMS deletes the key material and the CMK becomes unusable. You
	// must omit this parameter when the ExpirationModel parameter is set to KEY_MATERIAL_DOES_NOT_EXPIRE.
	// Otherwise it is required.
	ValidTo *time.Time `type:"timestamp"`
}

// String passes the receiver to awsutil.Prettify and returns the text it
// produces.
func (s ImportKeyMaterialInput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns exactly what String returns.
func (s ImportKeyMaterialInput) GoString() string {
	return s.String()
}

// Validate reports missing or too-short required fields. EncryptedKeyMaterial,
// ImportToken and KeyId are each flagged as required when nil and as too short
// when set but empty. Findings are returned as a request.ErrInvalidParams; nil
// is returned when there are none.
//
// The rule that ties ValidTo to ExpirationModel, described on those fields, is
// not checked here, so an input that breaks it still passes Validate.
func (s *ImportKeyMaterialInput) Validate() error {
	invalidParams := request.ErrInvalidParams{Context: "ImportKeyMaterialInput"}

	// For each field, "nil" and "empty" are mutually exclusive findings.
	switch {
	case s.EncryptedKeyMaterial == nil:
		invalidParams.Add(request.NewErrParamRequired("EncryptedKeyMaterial"))
	case len(s.EncryptedKeyMaterial) < 1:
		invalidParams.Add(request.NewErrParamMinLen("EncryptedKeyMaterial", 1))
	}
	switch {
	case s.ImportToken == nil:
		invalidParams.Add(request.NewErrParamRequired("ImportToken"))
	case len(s.ImportToken) < 1:
		invalidParams.Add(request.NewErrParamMinLen("ImportToken", 1))
	}
	switch {
	case s.KeyId == nil:
		invalidParams.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if invalidParams.Len() == 0 {
		return nil
	}
	return invalidParams
}

// SetEncryptedKeyMaterial stores v in EncryptedKeyMaterial and returns the
// receiver. The slice is not copied, so the field shares its backing array
// with the caller's slice.
func (s *ImportKeyMaterialInput) SetEncryptedKeyMaterial(v []byte) *ImportKeyMaterialInput {
	s.EncryptedKeyMaterial = v
	return s
}

// SetExpirationModel points ExpirationModel at a copy of v and returns the
// receiver. The value is stored as given; it is not checked here.
func (s *ImportKeyMaterialInput) SetExpirationModel(v string) *ImportKeyMaterialInput {
	s.ExpirationModel = &v
	return s
}

// SetImportToken stores v in ImportToken and returns the receiver. The slice is
// not copied, so the field shares its backing array with the caller's slice.
func (s *ImportKeyMaterialInput) SetImportToken(v []byte) *ImportKeyMaterialInput {
	s.ImportToken = v
	return s
}

// SetKeyId points KeyId at a copy of v and returns the receiver.
func (s *ImportKeyMaterialInput) SetKeyId(v string) *ImportKeyMaterialInput {
	s.KeyId = &v
	return s
}

// SetValidTo points ValidTo at a copy of v and returns the receiver.
func (s *ImportKeyMaterialInput) SetValidTo(v time.Time) *ImportKeyMaterialInput {
	s.ValidTo = &v
	return s
}
12088
// ImportKeyMaterialOutput has no data fields; it holds only the structure
// marker.
type ImportKeyMaterialOutput struct {
	_ struct{} `type:"structure"`
}

// String passes the receiver to awsutil.Prettify and returns the text it
// produces.
func (s ImportKeyMaterialOutput) String() string {
	return awsutil.Prettify(s)
}

// GoString returns exactly what String returns.
func (s ImportKeyMaterialOutput) GoString() string {
	return s.String()
}
12102
// IncorrectKeyException reports that the request was rejected because the
// specified CMK cannot decrypt the data. The KeyId in a Decrypt request and
// the SourceKeyId in a ReEncrypt request must identify the same CMK that was
// used to encrypt the ciphertext.
type IncorrectKeyException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
}

// String passes the receiver to awsutil.Prettify and returns the text it
// produces.
func (s IncorrectKeyException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns exactly what String returns.
func (s IncorrectKeyException) GoString() string {
	return s.String()
}

// newErrorIncorrectKeyException builds an IncorrectKeyException that carries
// the response metadata v. Message_ is left nil.
func newErrorIncorrectKeyException(v protocol.ResponseMetadata) error {
	return &IncorrectKeyException{RespMetadata: v}
}

// Code returns the fixed exception code "IncorrectKeyException".
func (s *IncorrectKeyException) Code() string {
	return "IncorrectKeyException"
}

// Message returns the text held in Message_, or the empty string when Message_
// is nil.
func (s *IncorrectKeyException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil, satisfies awserr.Error interface.
func (s *IncorrectKeyException) OrigErr() error {
	return nil
}

// Error formats the exception as "<code>: <message>". The message text is
// inserted unchanged; it presumably originates from the service response, so
// treat it as external text wherever it is displayed.
func (s *IncorrectKeyException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the StatusCode recorded in the response metadata.
func (s *IncorrectKeyException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the RequestID recorded in the response metadata.
func (s *IncorrectKeyException) RequestID() string {
	return s.RespMetadata.RequestID
}
12160
// IncorrectKeyMaterialException reports that the request was rejected because
// the key material in the request is expired, invalid, or is not the same key
// material that was previously imported into this customer master key (CMK).
type IncorrectKeyMaterialException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
}

// String passes the receiver to awsutil.Prettify and returns the text it
// produces.
func (s IncorrectKeyMaterialException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns exactly what String returns.
func (s IncorrectKeyMaterialException) GoString() string {
	return s.String()
}

// newErrorIncorrectKeyMaterialException builds an
// IncorrectKeyMaterialException that carries the response metadata v. Message_
// is left nil.
func newErrorIncorrectKeyMaterialException(v protocol.ResponseMetadata) error {
	return &IncorrectKeyMaterialException{RespMetadata: v}
}

// Code returns the fixed exception code "IncorrectKeyMaterialException".
func (s *IncorrectKeyMaterialException) Code() string {
	return "IncorrectKeyMaterialException"
}

// Message returns the text held in Message_, or the empty string when Message_
// is nil.
func (s *IncorrectKeyMaterialException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil, satisfies awserr.Error interface.
func (s *IncorrectKeyMaterialException) OrigErr() error {
	return nil
}

// Error formats the exception as "<code>: <message>". The message text is
// inserted unchanged; it presumably originates from the service response, so
// treat it as external text wherever it is displayed.
func (s *IncorrectKeyMaterialException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the StatusCode recorded in the response metadata.
func (s *IncorrectKeyMaterialException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the RequestID recorded in the response metadata.
func (s *IncorrectKeyMaterialException) RequestID() string {
	return s.RespMetadata.RequestID
}
12218
// IncorrectTrustAnchorException reports that the request was rejected because
// the trust anchor certificate in the request is not the trust anchor
// certificate for the specified AWS CloudHSM cluster.
//
// When you initialize the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr),
// you create the trust anchor certificate and save it in the customerCA.crt
// file.
type IncorrectTrustAnchorException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
}

// String passes the receiver to awsutil.Prettify and returns the text it
// produces.
func (s IncorrectTrustAnchorException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns exactly what String returns.
func (s IncorrectTrustAnchorException) GoString() string {
	return s.String()
}

// newErrorIncorrectTrustAnchorException builds an
// IncorrectTrustAnchorException that carries the response metadata v. Message_
// is left nil.
func newErrorIncorrectTrustAnchorException(v protocol.ResponseMetadata) error {
	return &IncorrectTrustAnchorException{RespMetadata: v}
}

// Code returns the fixed exception code "IncorrectTrustAnchorException".
func (s *IncorrectTrustAnchorException) Code() string {
	return "IncorrectTrustAnchorException"
}

// Message returns the text held in Message_, or the empty string when Message_
// is nil.
func (s *IncorrectTrustAnchorException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil, satisfies awserr.Error interface.
func (s *IncorrectTrustAnchorException) OrigErr() error {
	return nil
}

// Error formats the exception as "<code>: <message>". The message text is
// inserted unchanged; it presumably originates from the service response, so
// treat it as external text wherever it is displayed.
func (s *IncorrectTrustAnchorException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the StatusCode recorded in the response metadata.
func (s *IncorrectTrustAnchorException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the RequestID recorded in the response metadata.
func (s *IncorrectTrustAnchorException) RequestID() string {
	return s.RespMetadata.RequestID
}
12279
// InternalException reports that the request was rejected because an internal
// exception occurred. The request can be retried.
type InternalException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
}

// String passes the receiver to awsutil.Prettify and returns the text it
// produces.
func (s InternalException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns exactly what String returns.
func (s InternalException) GoString() string {
	return s.String()
}

// newErrorInternalException builds an InternalException that carries the
// response metadata v. Message_ is left nil.
func newErrorInternalException(v protocol.ResponseMetadata) error {
	return &InternalException{RespMetadata: v}
}

// Code returns the fixed exception code "KMSInternalException". Note that this
// string differs from the Go type name InternalException, so code that matches
// on Code must compare against "KMSInternalException".
func (s *InternalException) Code() string {
	return "KMSInternalException"
}

// Message returns the text held in Message_, or the empty string when Message_
// is nil.
func (s *InternalException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil, satisfies awserr.Error interface.
func (s *InternalException) OrigErr() error {
	return nil
}

// Error formats the exception as "<code>: <message>". The message text is
// inserted unchanged; it presumably originates from the service response, so
// treat it as external text wherever it is displayed.
func (s *InternalException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the StatusCode recorded in the response metadata.
func (s *InternalException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the RequestID recorded in the response metadata.
func (s *InternalException) RequestID() string {
	return s.RespMetadata.RequestID
}
12336
// InvalidAliasNameException reports that the request was rejected because the
// specified alias name is not valid.
type InvalidAliasNameException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
}

// String passes the receiver to awsutil.Prettify and returns the text it
// produces.
func (s InvalidAliasNameException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns exactly what String returns.
func (s InvalidAliasNameException) GoString() string {
	return s.String()
}

// newErrorInvalidAliasNameException builds an InvalidAliasNameException that
// carries the response metadata v. Message_ is left nil.
func newErrorInvalidAliasNameException(v protocol.ResponseMetadata) error {
	return &InvalidAliasNameException{RespMetadata: v}
}

// Code returns the fixed exception code "InvalidAliasNameException".
func (s *InvalidAliasNameException) Code() string {
	return "InvalidAliasNameException"
}

// Message returns the text held in Message_, or the empty string when Message_
// is nil.
func (s *InvalidAliasNameException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil, satisfies awserr.Error interface.
func (s *InvalidAliasNameException) OrigErr() error {
	return nil
}

// Error formats the exception as "<code>: <message>". The message text is
// inserted unchanged; it presumably originates from the service response, so
// treat it as external text wherever it is displayed.
func (s *InvalidAliasNameException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the StatusCode recorded in the response metadata.
func (s *InvalidAliasNameException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the RequestID recorded in the response metadata.
func (s *InvalidAliasNameException) RequestID() string {
	return s.RespMetadata.RequestID
}
12392
// InvalidArnException reports that the request was rejected because a
// specified ARN, or an ARN in a key policy, is not valid.
type InvalidArnException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
}

// String passes the receiver to awsutil.Prettify and returns the text it
// produces.
func (s InvalidArnException) String() string {
	return awsutil.Prettify(s)
}

// GoString returns exactly what String returns.
func (s InvalidArnException) GoString() string {
	return s.String()
}

// newErrorInvalidArnException builds an InvalidArnException that carries the
// response metadata v. Message_ is left nil.
func newErrorInvalidArnException(v protocol.ResponseMetadata) error {
	return &InvalidArnException{RespMetadata: v}
}

// Code returns the fixed exception code "InvalidArnException".
func (s *InvalidArnException) Code() string {
	return "InvalidArnException"
}

// Message returns the text held in Message_, or the empty string when Message_
// is nil.
func (s *InvalidArnException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil, satisfies awserr.Error interface.
func (s *InvalidArnException) OrigErr() error {
	return nil
}

// Error formats the exception as "<code>: <message>". The message text is
// inserted unchanged; it presumably originates from the service response, so
// treat it as external text wherever it is displayed.
func (s *InvalidArnException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the StatusCode recorded in the response metadata.
func (s *InvalidArnException) StatusCode() int {
	return s.RespMetadata.StatusCode
}

// RequestID returns the RequestID recorded in the response metadata.
func (s *InvalidArnException) RequestID() string {
	return s.RespMetadata.RequestID
}
12449
// InvalidCiphertextException covers two rejections.
//
// From the Decrypt or ReEncrypt operation, the request was rejected because
// the specified ciphertext, or additional authenticated data incorporated into
// the ciphertext, such as the encryption context, is corrupted, missing, or
// otherwise invalid.
//
// From the ImportKeyMaterial operation, the request was rejected because AWS
// KMS could not decrypt the encrypted (wrapped) key material.
//
// NOTE(review): both cases describe input that failed an integrity or unwrap
// check, and nothing here suggests that repeating the call with the same input
// can succeed. Callers should fail closed, and when the failure is relayed to
// an untrusted party a generic error is preferable to the raw message text.
type InvalidCiphertextException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	// Message_ is the optional message text, mapped to the "message" member by
	// its tag; nil when no message was set.
	Message_ *string `locationName:"message" type:"string"`
}

// String renders the exception with awsutil.Prettify.
func (s InvalidCiphertextException) String() string {
	return awsutil.Prettify(s)
}

// GoString yields the same text as String.
func (s InvalidCiphertextException) GoString() string {
	return awsutil.Prettify(s)
}

// newErrorInvalidCiphertextException builds an InvalidCiphertextException that
// carries the response metadata v. The message is left unset here.
func newErrorInvalidCiphertextException(v protocol.ResponseMetadata) error {
	exc := new(InvalidCiphertextException)
	exc.RespMetadata = v
	return exc
}

// Code returns the exception type name.
func (s *InvalidCiphertextException) Code() string {
	const code = "InvalidCiphertextException"
	return code
}

// Message returns the exception's message, or "" when none was set.
func (s *InvalidCiphertextException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil; it exists to satisfy the awserr.Error interface.
func (s *InvalidCiphertextException) OrigErr() error {
	return nil
}

// Error implements the error interface, formatting the exception as
// "<code>: <message>".
func (s *InvalidCiphertextException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code stored in the response metadata.
func (s *InvalidCiphertextException) StatusCode() int {
	meta := &s.RespMetadata
	return meta.StatusCode
}

// RequestID returns the request ID stored in the response metadata.
func (s *InvalidCiphertextException) RequestID() string {
	meta := &s.RespMetadata
	return meta.RequestID
}
12511
// InvalidGrantIdException reports that the request was rejected because the
// specified GrantId is not valid.
type InvalidGrantIdException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	// Message_ is the optional message text, mapped to the "message" member by
	// its tag; nil when no message was set.
	Message_ *string `locationName:"message" type:"string"`
}

// String renders the exception with awsutil.Prettify.
func (s InvalidGrantIdException) String() string {
	return awsutil.Prettify(s)
}

// GoString yields the same text as String.
func (s InvalidGrantIdException) GoString() string {
	return awsutil.Prettify(s)
}

// newErrorInvalidGrantIdException builds an InvalidGrantIdException that
// carries the response metadata v. The message is left unset here.
func newErrorInvalidGrantIdException(v protocol.ResponseMetadata) error {
	exc := new(InvalidGrantIdException)
	exc.RespMetadata = v
	return exc
}

// Code returns the exception type name.
func (s *InvalidGrantIdException) Code() string {
	const code = "InvalidGrantIdException"
	return code
}

// Message returns the exception's message, or "" when none was set.
func (s *InvalidGrantIdException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil; it exists to satisfy the awserr.Error interface.
func (s *InvalidGrantIdException) OrigErr() error {
	return nil
}

// Error implements the error interface, formatting the exception as
// "<code>: <message>".
func (s *InvalidGrantIdException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code stored in the response metadata.
func (s *InvalidGrantIdException) StatusCode() int {
	meta := &s.RespMetadata
	return meta.StatusCode
}

// RequestID returns the request ID stored in the response metadata.
func (s *InvalidGrantIdException) RequestID() string {
	meta := &s.RespMetadata
	return meta.RequestID
}
12567
// InvalidGrantTokenException reports that the request was rejected because the
// specified grant token is not valid.
type InvalidGrantTokenException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	// Message_ is the optional message text, mapped to the "message" member by
	// its tag; nil when no message was set.
	Message_ *string `locationName:"message" type:"string"`
}

// String renders the exception with awsutil.Prettify.
func (s InvalidGrantTokenException) String() string {
	return awsutil.Prettify(s)
}

// GoString yields the same text as String.
func (s InvalidGrantTokenException) GoString() string {
	return awsutil.Prettify(s)
}

// newErrorInvalidGrantTokenException builds an InvalidGrantTokenException that
// carries the response metadata v. The message is left unset here.
func newErrorInvalidGrantTokenException(v protocol.ResponseMetadata) error {
	exc := new(InvalidGrantTokenException)
	exc.RespMetadata = v
	return exc
}

// Code returns the exception type name.
func (s *InvalidGrantTokenException) Code() string {
	const code = "InvalidGrantTokenException"
	return code
}

// Message returns the exception's message, or "" when none was set.
func (s *InvalidGrantTokenException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil; it exists to satisfy the awserr.Error interface.
func (s *InvalidGrantTokenException) OrigErr() error {
	return nil
}

// Error implements the error interface, formatting the exception as
// "<code>: <message>".
func (s *InvalidGrantTokenException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code stored in the response metadata.
func (s *InvalidGrantTokenException) StatusCode() int {
	meta := &s.RespMetadata
	return meta.StatusCode
}

// RequestID returns the request ID stored in the response metadata.
func (s *InvalidGrantTokenException) RequestID() string {
	meta := &s.RespMetadata
	return meta.RequestID
}
12623
// InvalidImportTokenException reports that the request was rejected because
// the provided import token is invalid or is associated with a different
// customer master key (CMK).
type InvalidImportTokenException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	// Message_ is the optional message text, mapped to the "message" member by
	// its tag; nil when no message was set.
	Message_ *string `locationName:"message" type:"string"`
}

// String renders the exception with awsutil.Prettify.
func (s InvalidImportTokenException) String() string {
	return awsutil.Prettify(s)
}

// GoString yields the same text as String.
func (s InvalidImportTokenException) GoString() string {
	return awsutil.Prettify(s)
}

// newErrorInvalidImportTokenException builds an InvalidImportTokenException
// that carries the response metadata v. The message is left unset here.
func newErrorInvalidImportTokenException(v protocol.ResponseMetadata) error {
	exc := new(InvalidImportTokenException)
	exc.RespMetadata = v
	return exc
}

// Code returns the exception type name.
func (s *InvalidImportTokenException) Code() string {
	const code = "InvalidImportTokenException"
	return code
}

// Message returns the exception's message, or "" when none was set.
func (s *InvalidImportTokenException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil; it exists to satisfy the awserr.Error interface.
func (s *InvalidImportTokenException) OrigErr() error {
	return nil
}

// Error implements the error interface, formatting the exception as
// "<code>: <message>".
func (s *InvalidImportTokenException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code stored in the response metadata.
func (s *InvalidImportTokenException) StatusCode() int {
	meta := &s.RespMetadata
	return meta.StatusCode
}

// RequestID returns the request ID stored in the response metadata.
func (s *InvalidImportTokenException) RequestID() string {
	meta := &s.RespMetadata
	return meta.RequestID
}
12680
// InvalidKeyUsageException reports that the request was rejected for one of
// the following reasons:
//
//    * The KeyUsage value of the CMK is incompatible with the API operation.
//
//    * The encryption algorithm or signing algorithm specified for the operation
//    is incompatible with the type of key material in the CMK (CustomerMasterKeySpec).
//
// For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage
// must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation.
//
// To find the encryption or signing algorithms supported for a particular CMK,
// use the DescribeKey operation.
type InvalidKeyUsageException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	// Message_ is the optional message text, mapped to the "message" member by
	// its tag; nil when no message was set.
	Message_ *string `locationName:"message" type:"string"`
}

// String renders the exception with awsutil.Prettify.
func (s InvalidKeyUsageException) String() string {
	return awsutil.Prettify(s)
}

// GoString yields the same text as String.
func (s InvalidKeyUsageException) GoString() string {
	return awsutil.Prettify(s)
}

// newErrorInvalidKeyUsageException builds an InvalidKeyUsageException that
// carries the response metadata v. The message is left unset here.
func newErrorInvalidKeyUsageException(v protocol.ResponseMetadata) error {
	exc := new(InvalidKeyUsageException)
	exc.RespMetadata = v
	return exc
}

// Code returns the exception type name.
func (s *InvalidKeyUsageException) Code() string {
	const code = "InvalidKeyUsageException"
	return code
}

// Message returns the exception's message, or "" when none was set.
func (s *InvalidKeyUsageException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil; it exists to satisfy the awserr.Error interface.
func (s *InvalidKeyUsageException) OrigErr() error {
	return nil
}

// Error implements the error interface, formatting the exception as
// "<code>: <message>".
func (s *InvalidKeyUsageException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code stored in the response metadata.
func (s *InvalidKeyUsageException) StatusCode() int {
	meta := &s.RespMetadata
	return meta.StatusCode
}

// RequestID returns the request ID stored in the response metadata.
func (s *InvalidKeyUsageException) RequestID() string {
	meta := &s.RespMetadata
	return meta.RequestID
}
12748
// InvalidMarkerException reports that the request was rejected because the
// marker that specifies where pagination should next begin is not valid.
type InvalidMarkerException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	// Message_ is the optional message text, mapped to the "message" member by
	// its tag; nil when no message was set.
	Message_ *string `locationName:"message" type:"string"`
}

// String renders the exception with awsutil.Prettify.
func (s InvalidMarkerException) String() string {
	return awsutil.Prettify(s)
}

// GoString yields the same text as String.
func (s InvalidMarkerException) GoString() string {
	return awsutil.Prettify(s)
}

// newErrorInvalidMarkerException builds an InvalidMarkerException that carries
// the response metadata v. The message is left unset here.
func newErrorInvalidMarkerException(v protocol.ResponseMetadata) error {
	exc := new(InvalidMarkerException)
	exc.RespMetadata = v
	return exc
}

// Code returns the exception type name.
func (s *InvalidMarkerException) Code() string {
	const code = "InvalidMarkerException"
	return code
}

// Message returns the exception's message, or "" when none was set.
func (s *InvalidMarkerException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil; it exists to satisfy the awserr.Error interface.
func (s *InvalidMarkerException) OrigErr() error {
	return nil
}

// Error implements the error interface, formatting the exception as
// "<code>: <message>".
func (s *InvalidMarkerException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code stored in the response metadata.
func (s *InvalidMarkerException) StatusCode() int {
	meta := &s.RespMetadata
	return meta.StatusCode
}

// RequestID returns the request ID stored in the response metadata.
func (s *InvalidMarkerException) RequestID() string {
	meta := &s.RespMetadata
	return meta.RequestID
}
12805
// InvalidStateException reports that the request was rejected because the
// state of the specified resource is not valid for this request.
//
// For more information about how key state affects the use of a CMK, see How
// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
// in the AWS Key Management Service Developer Guide.
type InvalidStateException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	// Message_ is the optional message text, mapped to the "message" member by
	// its tag; nil when no message was set.
	Message_ *string `locationName:"message" type:"string"`
}

// String renders the exception with awsutil.Prettify.
func (s InvalidStateException) String() string {
	return awsutil.Prettify(s)
}

// GoString yields the same text as String.
func (s InvalidStateException) GoString() string {
	return awsutil.Prettify(s)
}

// newErrorInvalidStateException builds an InvalidStateException that carries
// the response metadata v. The message is left unset here.
func newErrorInvalidStateException(v protocol.ResponseMetadata) error {
	exc := new(InvalidStateException)
	exc.RespMetadata = v
	return exc
}

// Code returns the exception code. Note the "KMS" prefix: the code is not the
// Go type name, so any comparison against the code string must use this exact
// value.
func (s *InvalidStateException) Code() string {
	const code = "KMSInvalidStateException"
	return code
}

// Message returns the exception's message, or "" when none was set.
func (s *InvalidStateException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil; it exists to satisfy the awserr.Error interface.
func (s *InvalidStateException) OrigErr() error {
	return nil
}

// Error implements the error interface, formatting the exception as
// "<code>: <message>".
func (s *InvalidStateException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code stored in the response metadata.
func (s *InvalidStateException) StatusCode() int {
	meta := &s.RespMetadata
	return meta.StatusCode
}

// RequestID returns the request ID stored in the response metadata.
func (s *InvalidStateException) RequestID() string {
	meta := &s.RespMetadata
	return meta.RequestID
}
12866
// KMSInvalidSignatureException reports that the request was rejected because
// the signature verification failed. Signature verification fails when it
// cannot confirm that signature was produced by signing the specified message
// with the specified CMK and signing algorithm.
//
// A failed verification therefore reaches the caller as this error value.
// Code that checks signatures must treat it as "signature not valid" and fail
// closed, rather than handling it as a transient fault.
type KMSInvalidSignatureException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	// Message_ is the optional message text, mapped to the "message" member by
	// its tag; nil when no message was set.
	Message_ *string `locationName:"message" type:"string"`
}

// String renders the exception with awsutil.Prettify.
func (s KMSInvalidSignatureException) String() string {
	return awsutil.Prettify(s)
}

// GoString yields the same text as String.
func (s KMSInvalidSignatureException) GoString() string {
	return awsutil.Prettify(s)
}

// newErrorKMSInvalidSignatureException builds a KMSInvalidSignatureException
// that carries the response metadata v. The message is left unset here.
func newErrorKMSInvalidSignatureException(v protocol.ResponseMetadata) error {
	exc := new(KMSInvalidSignatureException)
	exc.RespMetadata = v
	return exc
}

// Code returns the exception type name.
func (s *KMSInvalidSignatureException) Code() string {
	const code = "KMSInvalidSignatureException"
	return code
}

// Message returns the exception's message, or "" when none was set.
func (s *KMSInvalidSignatureException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil; it exists to satisfy the awserr.Error interface.
func (s *KMSInvalidSignatureException) OrigErr() error {
	return nil
}

// Error implements the error interface, formatting the exception as
// "<code>: <message>".
func (s *KMSInvalidSignatureException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code stored in the response metadata.
func (s *KMSInvalidSignatureException) StatusCode() int {
	meta := &s.RespMetadata
	return meta.StatusCode
}

// RequestID returns the request ID stored in the response metadata.
func (s *KMSInvalidSignatureException) RequestID() string {
	meta := &s.RespMetadata
	return meta.RequestID
}
12924
// KeyListEntry contains information about each entry in the key list.
type KeyListEntry struct {
	_ struct{} `type:"structure"`

	// ARN of the key.
	KeyArn *string `min:"20" type:"string"`

	// Unique identifier of the key.
	KeyId *string `min:"1" type:"string"`
}

// String renders the entry with awsutil.Prettify.
func (s KeyListEntry) String() string {
	return awsutil.Prettify(s)
}

// GoString yields the same text as String.
func (s KeyListEntry) GoString() string {
	return awsutil.Prettify(s)
}

// SetKeyArn points the KeyArn field at a copy of v and returns s so that
// calls can be chained.
func (s *KeyListEntry) SetKeyArn(v string) *KeyListEntry {
	arn := v
	s.KeyArn = &arn
	return s
}

// SetKeyId points the KeyId field at a copy of v and returns s so that calls
// can be chained.
func (s *KeyListEntry) SetKeyId(v string) *KeyListEntry {
	id := v
	s.KeyId = &id
	return s
}
12957
// KeyMetadata contains metadata about a customer master key (CMK).
//
// This data type is used as a response element for the CreateKey and DescribeKey
// operations.
//
// Every scalar field is a pointer, and several field comments below say a
// value is "present only when" some condition holds, so callers should
// nil-check a field before dereferencing it.
type KeyMetadata struct {
	_ struct{} `type:"structure"`

	// The twelve-digit account ID of the AWS account that owns the CMK.
	AWSAccountId *string `type:"string"`

	// The Amazon Resource Name (ARN) of the CMK. For examples, see AWS Key Management
	// Service (AWS KMS) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-kms)
	// in the Example ARNs section of the AWS General Reference.
	Arn *string `min:"20" type:"string"`

	// The cluster ID of the AWS CloudHSM cluster that contains the key material
	// for the CMK. When you create a CMK in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html),
	// AWS KMS creates the key material for the CMK in the associated AWS CloudHSM
	// cluster. This value is present only when the CMK is created in a custom key
	// store.
	CloudHsmClusterId *string `min:"19" type:"string"`

	// The date and time when the CMK was created.
	CreationDate *time.Time `type:"timestamp"`

	// A unique identifier for the custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
	// that contains the CMK. This value is present only when the CMK is created
	// in a custom key store.
	CustomKeyStoreId *string `min:"1" type:"string"`

	// Describes the type of key material in the CMK.
	CustomerMasterKeySpec *string `type:"string" enum:"CustomerMasterKeySpec"`

	// The date and time after which AWS KMS deletes this CMK. This value is present
	// only when the CMK is scheduled for deletion, that is, when its KeyState is
	// PendingDeletion.
	//
	// When the primary key in a multi-Region key is scheduled for deletion but
	// still has replica keys, its key state is PendingReplicaDeletion and the length
	// of its waiting period is displayed in the PendingDeletionWindowInDays field.
	DeletionDate *time.Time `type:"timestamp"`

	// The description of the CMK.
	Description *string `type:"string"`

	// Specifies whether the CMK is enabled. When KeyState is Enabled this value
	// is true, otherwise it is false.
	//
	// A false value does not say which non-enabled state the key is in; read
	// KeyState for that.
	Enabled *bool `type:"boolean"`

	// The encryption algorithms that the CMK supports. You cannot use the CMK with
	// other encryption algorithms within AWS KMS.
	//
	// This value is present only when the KeyUsage of the CMK is ENCRYPT_DECRYPT.
	EncryptionAlgorithms []*string `type:"list"`

	// Specifies whether the CMK's key material expires. This value is present only
	// when Origin is EXTERNAL, otherwise this value is omitted.
	ExpirationModel *string `type:"string" enum:"ExpirationModelType"`

	// The globally unique identifier for the CMK.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// The manager of the CMK. CMKs in your AWS account are either customer managed
	// or AWS managed. For more information about the difference, see Customer Master
	// Keys (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys)
	// in the AWS Key Management Service Developer Guide.
	KeyManager *string `type:"string" enum:"KeyManagerType"`

	// The current status of the CMK.
	//
	// For more information about how key state affects the use of a CMK, see Key
	// state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
	// in the AWS Key Management Service Developer Guide.
	KeyState *string `type:"string" enum:"KeyState"`

	// The cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations)
	// for which you can use the CMK.
	KeyUsage *string `type:"string" enum:"KeyUsageType"`

	// Indicates whether the CMK is a multi-Region (True) or regional (False) key.
	// This value is True for multi-Region primary and replica CMKs and False for
	// regional CMKs.
	//
	// For more information about multi-Region keys, see Using multi-Region keys
	// (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html)
	// in the AWS Key Management Service Developer Guide.
	MultiRegion *bool `type:"boolean"`

	// Lists the primary and replica CMKs in the same multi-Region CMK. This field
	// is present only when the value of the MultiRegion field is True.
	//
	// For more information about any listed CMK, use the DescribeKey operation.
	//
	//    * MultiRegionKeyType indicates whether the CMK is a PRIMARY or REPLICA
	//    key.
	//
	//    * PrimaryKey displays the key ARN and Region of the primary key. This
	//    field displays the current CMK if it is the primary key.
	//
	//    * ReplicaKeys displays the key ARNs and Regions of all replica keys. This
	//    field includes the current CMK if it is a replica key.
	MultiRegionConfiguration *MultiRegionConfiguration `type:"structure"`

	// The source of the CMK's key material. When this value is AWS_KMS, AWS KMS
	// created the key material. When this value is EXTERNAL, the key material was
	// imported from your existing key management infrastructure or the CMK lacks
	// key material. When this value is AWS_CLOUDHSM, the key material was created
	// in the AWS CloudHSM cluster associated with a custom key store.
	Origin *string `type:"string" enum:"OriginType"`

	// The waiting period before the primary key in a multi-Region key is deleted.
	// This waiting period begins when the last of its replica keys is deleted.
	// This value is present only when the KeyState of the CMK is PendingReplicaDeletion.
	// That indicates that the CMK is the primary key in a multi-Region key, it
	// is scheduled for deletion, and it still has existing replica keys.
	//
	// When a regional CMK or a replica key in a multi-Region key is scheduled for
	// deletion, its deletion date is displayed in the DeletionDate field. However,
	// when the primary key in a multi-Region key is scheduled for deletion, its
	// waiting period doesn't begin until all of its replica keys are deleted. This
	// value displays that waiting period. When the last replica key in the multi-Region
	// key is deleted, the KeyState of the scheduled primary key changes from PendingReplicaDeletion
	// to PendingDeletion and the deletion date appears in the DeletionDate field.
	PendingDeletionWindowInDays *int64 `min:"1" type:"integer"`

	// The signing algorithms that the CMK supports. You cannot use the CMK with
	// other signing algorithms within AWS KMS.
	//
	// This field appears only when the KeyUsage of the CMK is SIGN_VERIFY.
	SigningAlgorithms []*string `type:"list"`

	// The time at which the imported key material expires. When the key material
	// expires, AWS KMS deletes the key material and the CMK becomes unusable. This
	// value is present only for CMKs whose Origin is EXTERNAL and whose ExpirationModel
	// is KEY_MATERIAL_EXPIRES, otherwise this value is omitted.
	ValidTo *time.Time `type:"timestamp"`
}

// String returns the string representation produced by awsutil.Prettify.
func (s KeyMetadata) String() string {
	return awsutil.Prettify(s)
}

// GoString returns the same string representation as String.
func (s KeyMetadata) GoString() string {
	return s.String()
}

// SetAWSAccountId sets the AWSAccountId field's value. The field points at the
// method's own copy of v; s is returned so calls can be chained.
func (s *KeyMetadata) SetAWSAccountId(v string) *KeyMetadata {
	s.AWSAccountId = &v
	return s
}

// SetArn sets the Arn field's value and returns s for chaining.
func (s *KeyMetadata) SetArn(v string) *KeyMetadata {
	s.Arn = &v
	return s
}

// SetCloudHsmClusterId sets the CloudHsmClusterId field's value and returns s
// for chaining.
func (s *KeyMetadata) SetCloudHsmClusterId(v string) *KeyMetadata {
	s.CloudHsmClusterId = &v
	return s
}

// SetCreationDate sets the CreationDate field's value and returns s for
// chaining.
func (s *KeyMetadata) SetCreationDate(v time.Time) *KeyMetadata {
	s.CreationDate = &v
	return s
}

// SetCustomKeyStoreId sets the CustomKeyStoreId field's value and returns s
// for chaining.
func (s *KeyMetadata) SetCustomKeyStoreId(v string) *KeyMetadata {
	s.CustomKeyStoreId = &v
	return s
}

// SetCustomerMasterKeySpec sets the CustomerMasterKeySpec field's value and
// returns s for chaining. The value is stored as given; nothing here checks it
// against the enum named in the field's tag.
func (s *KeyMetadata) SetCustomerMasterKeySpec(v string) *KeyMetadata {
	s.CustomerMasterKeySpec = &v
	return s
}

// SetDeletionDate sets the DeletionDate field's value and returns s for
// chaining.
func (s *KeyMetadata) SetDeletionDate(v time.Time) *KeyMetadata {
	s.DeletionDate = &v
	return s
}

// SetDescription sets the Description field's value and returns s for
// chaining.
func (s *KeyMetadata) SetDescription(v string) *KeyMetadata {
	s.Description = &v
	return s
}

// SetEnabled sets the Enabled field's value and returns s for chaining.
func (s *KeyMetadata) SetEnabled(v bool) *KeyMetadata {
	s.Enabled = &v
	return s
}

// SetEncryptionAlgorithms sets the EncryptionAlgorithms field's value and
// returns s for chaining. The slice is stored as passed, without copying, so
// the field shares its backing array with the caller's slice.
func (s *KeyMetadata) SetEncryptionAlgorithms(v []*string) *KeyMetadata {
	s.EncryptionAlgorithms = v
	return s
}

// SetExpirationModel sets the ExpirationModel field's value and returns s for
// chaining.
func (s *KeyMetadata) SetExpirationModel(v string) *KeyMetadata {
	s.ExpirationModel = &v
	return s
}

// SetKeyId sets the KeyId field's value and returns s for chaining.
func (s *KeyMetadata) SetKeyId(v string) *KeyMetadata {
	s.KeyId = &v
	return s
}

// SetKeyManager sets the KeyManager field's value and returns s for chaining.
func (s *KeyMetadata) SetKeyManager(v string) *KeyMetadata {
	s.KeyManager = &v
	return s
}

// SetKeyState sets the KeyState field's value and returns s for chaining.
func (s *KeyMetadata) SetKeyState(v string) *KeyMetadata {
	s.KeyState = &v
	return s
}

// SetKeyUsage sets the KeyUsage field's value and returns s for chaining.
func (s *KeyMetadata) SetKeyUsage(v string) *KeyMetadata {
	s.KeyUsage = &v
	return s
}

// SetMultiRegion sets the MultiRegion field's value and returns s for
// chaining.
func (s *KeyMetadata) SetMultiRegion(v bool) *KeyMetadata {
	s.MultiRegion = &v
	return s
}

// SetMultiRegionConfiguration sets the MultiRegionConfiguration field's value
// and returns s for chaining. The pointer v is stored as passed, so the field
// and the caller refer to the same MultiRegionConfiguration.
func (s *KeyMetadata) SetMultiRegionConfiguration(v *MultiRegionConfiguration) *KeyMetadata {
	s.MultiRegionConfiguration = v
	return s
}

// SetOrigin sets the Origin field's value and returns s for chaining.
func (s *KeyMetadata) SetOrigin(v string) *KeyMetadata {
	s.Origin = &v
	return s
}

// SetPendingDeletionWindowInDays sets the PendingDeletionWindowInDays field's
// value and returns s for chaining. The min:"1" bound in the field's tag is
// not checked here.
func (s *KeyMetadata) SetPendingDeletionWindowInDays(v int64) *KeyMetadata {
	s.PendingDeletionWindowInDays = &v
	return s
}

// SetSigningAlgorithms sets the SigningAlgorithms field's value and returns s
// for chaining. The slice is stored as passed, without copying, so the field
// shares its backing array with the caller's slice.
func (s *KeyMetadata) SetSigningAlgorithms(v []*string) *KeyMetadata {
	s.SigningAlgorithms = v
	return s
}

// SetValidTo sets the ValidTo field's value and returns s for chaining.
func (s *KeyMetadata) SetValidTo(v time.Time) *KeyMetadata {
	s.ValidTo = &v
	return s
}
13233
// KeyUnavailableException reports that the request was rejected because the
// specified CMK was not available. You can retry the request.
type KeyUnavailableException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	// Message_ is the optional message text, mapped to the "message" member by
	// its tag; nil when no message was set.
	Message_ *string `locationName:"message" type:"string"`
}

// String renders the exception with awsutil.Prettify.
func (s KeyUnavailableException) String() string {
	return awsutil.Prettify(s)
}

// GoString yields the same text as String.
func (s KeyUnavailableException) GoString() string {
	return awsutil.Prettify(s)
}

// newErrorKeyUnavailableException builds a KeyUnavailableException that
// carries the response metadata v. The message is left unset here.
func newErrorKeyUnavailableException(v protocol.ResponseMetadata) error {
	exc := new(KeyUnavailableException)
	exc.RespMetadata = v
	return exc
}

// Code returns the exception type name.
func (s *KeyUnavailableException) Code() string {
	const code = "KeyUnavailableException"
	return code
}

// Message returns the exception's message, or "" when none was set.
func (s *KeyUnavailableException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}

// OrigErr always returns nil; it exists to satisfy the awserr.Error interface.
func (s *KeyUnavailableException) OrigErr() error {
	return nil
}

// Error implements the error interface, formatting the exception as
// "<code>: <message>".
func (s *KeyUnavailableException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}

// StatusCode returns the HTTP status code stored in the response metadata.
func (s *KeyUnavailableException) StatusCode() int {
	meta := &s.RespMetadata
	return meta.StatusCode
}

// RequestID returns the request ID stored in the response metadata.
func (s *KeyUnavailableException) RequestID() string {
	meta := &s.RespMetadata
	return meta.RequestID
}
13290
13291// The request was rejected because a quota was exceeded. For more information,
13292// see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html)
13293// in the AWS Key Management Service Developer Guide.
13294type LimitExceededException struct {
13295	_            struct{}                  `type:"structure"`
13296	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`
13297
13298	Message_ *string `locationName:"message" type:"string"`
13299}
13300
13301// String returns the string representation
13302func (s LimitExceededException) String() string {
13303	return awsutil.Prettify(s)
13304}
13305
// GoString returns exactly what String returns.
func (s LimitExceededException) GoString() string {
	text := s.String()
	return text
}
13310
// newErrorLimitExceededException returns a *LimitExceededException whose
// RespMetadata is v. Message_ is left nil.
func newErrorLimitExceededException(v protocol.ResponseMetadata) error {
	exc := new(LimitExceededException)
	exc.RespMetadata = v
	return exc
}
13316
// Code returns the fixed exception type name, "LimitExceededException".
func (s *LimitExceededException) Code() string {
	const code = "LimitExceededException"
	return code
}
13321
// Message returns the text held in Message_, or "" when Message_ is nil.
func (s *LimitExceededException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}
13329
// OrigErr satisfies the awserr.Error interface. This exception wraps no
// underlying error, so the result is always nil.
func (s *LimitExceededException) OrigErr() error {
	var none error
	return none
}
13334
// Error formats the exception as "<code>: <message>", taking the two parts
// from Code and Message.
func (s *LimitExceededException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}
13338
// StatusCode returns the HTTP status code recorded in the response metadata
// of the failed request.
func (s *LimitExceededException) StatusCode() int {
	meta := s.RespMetadata
	return meta.StatusCode
}
13343
// RequestID returns the request ID recorded in the response metadata. Logging
// it with the error makes the failed call easier to match against
// service-side records.
func (s *LimitExceededException) RequestID() string {
	meta := s.RespMetadata
	return meta.RequestID
}
13348
// ListAliasesInput carries an optional KeyId filter and the Limit and Marker
// paging parameters documented on its fields.
type ListAliasesInput struct {
	_ struct{} `type:"structure"`

	// Lists only aliases that are associated with the specified CMK. Enter a CMK
	// in your AWS account.
	//
	// This parameter is optional. If you omit it, ListAliases returns all aliases
	// in the account and Region.
	//
	// Specify the key ID or key ARN of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	KeyId *string `min:"1" type:"string"`

	// Use this parameter to specify the maximum number of items to return. When
	// this value is present, AWS KMS does not return more than the specified number
	// of items, but it might return fewer.
	//
	// This value is optional. If you include a value, it must be between 1 and
	// 100, inclusive. If you do not include a value, it defaults to 50.
	//
	// The field tag declares only the minimum of 1; the upper bound is not
	// declared on this field.
	Limit *int64 `min:"1" type:"integer"`

	// Use this parameter in a subsequent request after you receive a response with
	// truncated results. Set it to the value of NextMarker from the truncated response
	// you just received.
	Marker *string `min:"1" type:"string"`
}
13382
// String renders the input with awsutil.Prettify.
func (s ListAliasesInput) String() string {
	text := awsutil.Prettify(s)
	return text
}
13387
// GoString returns exactly what String returns.
func (s ListAliasesInput) GoString() string {
	text := s.String()
	return text
}
13392
// Validate reports every field that violates its declared minimum: KeyId and
// Marker must be non-empty when set, and Limit must be at least 1 when set.
// All violations are collected into one request.ErrInvalidParams; nil means
// none were found. Only these lower bounds are checked here; the upper bound
// on Limit documented on the field is not.
func (s *ListAliasesInput) Validate() error {
	problems := request.ErrInvalidParams{Context: "ListAliasesInput"}
	if id := s.KeyId; id != nil && *id == "" {
		problems.Add(request.NewErrParamMinLen("KeyId", 1))
	}
	if lim := s.Limit; lim != nil && *lim <= 0 {
		problems.Add(request.NewErrParamMinValue("Limit", 1))
	}
	if mk := s.Marker; mk != nil && *mk == "" {
		problems.Add(request.NewErrParamMinLen("Marker", 1))
	}

	if problems.Len() == 0 {
		return nil
	}
	return problems
}
13411
// SetKeyId stores a pointer to v in KeyId and returns the receiver so calls
// can be chained.
func (s *ListAliasesInput) SetKeyId(v string) *ListAliasesInput {
	ptr := &v
	s.KeyId = ptr
	return s
}
13417
// SetLimit stores a pointer to v in Limit and returns the receiver so calls
// can be chained. The value is not range-checked here.
func (s *ListAliasesInput) SetLimit(v int64) *ListAliasesInput {
	ptr := &v
	s.Limit = ptr
	return s
}
13423
// SetMarker stores a pointer to v in Marker and returns the receiver so calls
// can be chained.
func (s *ListAliasesInput) SetMarker(v string) *ListAliasesInput {
	ptr := &v
	s.Marker = ptr
	return s
}
13429
// ListAliasesOutput holds one page of aliases together with the paging state.
// When Truncated is true the page is not the complete list, so code that
// enumerates aliases for review has to keep requesting pages.
type ListAliasesOutput struct {
	_ struct{} `type:"structure"`

	// A list of aliases.
	Aliases []*AliasListEntry `type:"list"`

	// When Truncated is true, this element is present and contains the value to
	// use for the Marker parameter in a subsequent request.
	NextMarker *string `min:"1" type:"string"`

	// A flag that indicates whether there are more items in the list. When this
	// value is true, the list in this response is truncated. To get more items,
	// pass the value of the NextMarker element in this response to the Marker parameter
	// in a subsequent request.
	Truncated *bool `type:"boolean"`
}
13446
// String renders the output with awsutil.Prettify.
func (s ListAliasesOutput) String() string {
	text := awsutil.Prettify(s)
	return text
}
13451
// GoString returns exactly what String returns.
func (s ListAliasesOutput) GoString() string {
	text := s.String()
	return text
}
13456
// SetAliases assigns v to Aliases without copying it, so the caller's slice
// and the field share one backing array. It returns the receiver for chaining.
func (s *ListAliasesOutput) SetAliases(v []*AliasListEntry) *ListAliasesOutput {
	out := s
	out.Aliases = v
	return out
}
13462
// SetNextMarker stores a pointer to v in NextMarker and returns the receiver
// so calls can be chained.
func (s *ListAliasesOutput) SetNextMarker(v string) *ListAliasesOutput {
	ptr := &v
	s.NextMarker = ptr
	return s
}
13468
// SetTruncated stores a pointer to v in Truncated and returns the receiver so
// calls can be chained.
func (s *ListAliasesOutput) SetTruncated(v bool) *ListAliasesOutput {
	ptr := &v
	s.Truncated = ptr
	return s
}
13474
// ListGrantsInput selects the grants to list: KeyId is required, GrantId and
// GranteePrincipal are optional filters, and Limit and Marker control paging.
type ListGrantsInput struct {
	_ struct{} `type:"structure"`

	// Returns only the grant with the specified grant ID. The grant ID uniquely
	// identifies the grant.
	GrantId *string `min:"1" type:"string"`

	// Returns only grants where the specified principal is the grantee principal
	// for the grant.
	GranteePrincipal *string `min:"1" type:"string"`

	// Returns only grants for the specified customer master key (CMK). This parameter
	// is required.
	//
	// Specify the key ID or key ARN of the CMK. To specify a CMK in a different
	// AWS account, you must use the key ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// Use this parameter to specify the maximum number of items to return. When
	// this value is present, AWS KMS does not return more than the specified number
	// of items, but it might return fewer.
	//
	// This value is optional. If you include a value, it must be between 1 and
	// 100, inclusive. If you do not include a value, it defaults to 50.
	//
	// The field tag declares only the minimum of 1; the upper bound is not
	// declared on this field.
	Limit *int64 `min:"1" type:"integer"`

	// Use this parameter in a subsequent request after you receive a response with
	// truncated results. Set it to the value of NextMarker from the truncated response
	// you just received.
	Marker *string `min:"1" type:"string"`
}
13516
// String renders the input with awsutil.Prettify. The text carries whatever
// field values Prettify prints, so treat it in logs with the same care as the
// key and principal identifiers themselves.
func (s ListGrantsInput) String() string {
	text := awsutil.Prettify(s)
	return text
}
13521
// GoString returns exactly what String returns.
func (s ListGrantsInput) GoString() string {
	text := s.String()
	return text
}
13526
// Validate reports every field that violates its declared constraints: KeyId
// must be set and non-empty; GrantId, GranteePrincipal and Marker must be
// non-empty when set; Limit must be at least 1 when set. All violations are
// collected into one request.ErrInvalidParams; nil means none were found.
// Only presence and lower bounds are checked here; the upper bound on Limit
// documented on the field is not.
func (s *ListGrantsInput) Validate() error {
	problems := request.ErrInvalidParams{Context: "ListGrantsInput"}
	if id := s.GrantId; id != nil && *id == "" {
		problems.Add(request.NewErrParamMinLen("GrantId", 1))
	}
	if gp := s.GranteePrincipal; gp != nil && *gp == "" {
		problems.Add(request.NewErrParamMinLen("GranteePrincipal", 1))
	}
	switch {
	case s.KeyId == nil:
		problems.Add(request.NewErrParamRequired("KeyId"))
	case *s.KeyId == "":
		problems.Add(request.NewErrParamMinLen("KeyId", 1))
	}
	if lim := s.Limit; lim != nil && *lim <= 0 {
		problems.Add(request.NewErrParamMinValue("Limit", 1))
	}
	if mk := s.Marker; mk != nil && *mk == "" {
		problems.Add(request.NewErrParamMinLen("Marker", 1))
	}

	if problems.Len() == 0 {
		return nil
	}
	return problems
}
13554
// SetGrantId stores a pointer to v in GrantId and returns the receiver so
// calls can be chained.
func (s *ListGrantsInput) SetGrantId(v string) *ListGrantsInput {
	ptr := &v
	s.GrantId = ptr
	return s
}
13560
// SetGranteePrincipal stores a pointer to v in GranteePrincipal and returns
// the receiver so calls can be chained.
func (s *ListGrantsInput) SetGranteePrincipal(v string) *ListGrantsInput {
	ptr := &v
	s.GranteePrincipal = ptr
	return s
}
13566
// SetKeyId stores a pointer to v in KeyId and returns the receiver so calls
// can be chained.
func (s *ListGrantsInput) SetKeyId(v string) *ListGrantsInput {
	ptr := &v
	s.KeyId = ptr
	return s
}
13572
// SetLimit stores a pointer to v in Limit and returns the receiver so calls
// can be chained. The value is not range-checked here.
func (s *ListGrantsInput) SetLimit(v int64) *ListGrantsInput {
	ptr := &v
	s.Limit = ptr
	return s
}
13578
// SetMarker stores a pointer to v in Marker and returns the receiver so calls
// can be chained.
func (s *ListGrantsInput) SetMarker(v string) *ListGrantsInput {
	ptr := &v
	s.Marker = ptr
	return s
}
13584
// ListGrantsResponse holds one page of grants together with the paging state.
// When Truncated is true the page is not the complete list, so a review of
// the grants on a key has to keep requesting pages before drawing conclusions.
type ListGrantsResponse struct {
	_ struct{} `type:"structure"`

	// A list of grants.
	Grants []*GrantListEntry `type:"list"`

	// When Truncated is true, this element is present and contains the value to
	// use for the Marker parameter in a subsequent request.
	NextMarker *string `min:"1" type:"string"`

	// A flag that indicates whether there are more items in the list. When this
	// value is true, the list in this response is truncated. To get more items,
	// pass the value of the NextMarker element in this response to the Marker parameter
	// in a subsequent request.
	Truncated *bool `type:"boolean"`
}
13601
// String renders the response with awsutil.Prettify.
func (s ListGrantsResponse) String() string {
	text := awsutil.Prettify(s)
	return text
}
13606
// GoString returns exactly what String returns.
func (s ListGrantsResponse) GoString() string {
	text := s.String()
	return text
}
13611
// SetGrants assigns v to Grants without copying it, so the caller's slice and
// the field share one backing array. It returns the receiver for chaining.
func (s *ListGrantsResponse) SetGrants(v []*GrantListEntry) *ListGrantsResponse {
	out := s
	out.Grants = v
	return out
}
13617
// SetNextMarker stores a pointer to v in NextMarker and returns the receiver
// so calls can be chained.
func (s *ListGrantsResponse) SetNextMarker(v string) *ListGrantsResponse {
	ptr := &v
	s.NextMarker = ptr
	return s
}
13623
// SetTruncated stores a pointer to v in Truncated and returns the receiver so
// calls can be chained.
func (s *ListGrantsResponse) SetTruncated(v bool) *ListGrantsResponse {
	ptr := &v
	s.Truncated = ptr
	return s
}
13629
// ListKeyPoliciesInput names the CMK whose key policy names are listed
// (KeyId, required) and carries the Limit and Marker paging parameters.
type ListKeyPoliciesInput struct {
	_ struct{} `type:"structure"`

	// Gets the names of key policies for the specified customer master key (CMK).
	//
	// Specify the key ID or key ARN of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// Use this parameter to specify the maximum number of items to return. When
	// this value is present, AWS KMS does not return more than the specified number
	// of items, but it might return fewer.
	//
	// This value is optional. If you include a value, it must be between 1 and
	// 1000, inclusive. If you do not include a value, it defaults to 100.
	//
	// Only one policy can be attached to a key.
	//
	// The field tag declares only the minimum of 1; the upper bound is not
	// declared on this field.
	Limit *int64 `min:"1" type:"integer"`

	// Use this parameter in a subsequent request after you receive a response with
	// truncated results. Set it to the value of NextMarker from the truncated response
	// you just received.
	Marker *string `min:"1" type:"string"`
}
13663
// String renders the input with awsutil.Prettify.
func (s ListKeyPoliciesInput) String() string {
	text := awsutil.Prettify(s)
	return text
}
13668
// GoString returns exactly what String returns.
func (s ListKeyPoliciesInput) GoString() string {
	text := s.String()
	return text
}
13673
// Validate reports every field that violates its declared constraints: KeyId
// must be set and non-empty, Marker must be non-empty when set, and Limit
// must be at least 1 when set. All violations are collected into one
// request.ErrInvalidParams; nil means none were found. Only presence and
// lower bounds are checked here; the upper bound on Limit documented on the
// field is not.
func (s *ListKeyPoliciesInput) Validate() error {
	problems := request.ErrInvalidParams{Context: "ListKeyPoliciesInput"}
	switch {
	case s.KeyId == nil:
		problems.Add(request.NewErrParamRequired("KeyId"))
	case *s.KeyId == "":
		problems.Add(request.NewErrParamMinLen("KeyId", 1))
	}
	if lim := s.Limit; lim != nil && *lim <= 0 {
		problems.Add(request.NewErrParamMinValue("Limit", 1))
	}
	if mk := s.Marker; mk != nil && *mk == "" {
		problems.Add(request.NewErrParamMinLen("Marker", 1))
	}

	if problems.Len() == 0 {
		return nil
	}
	return problems
}
13695
// SetKeyId stores a pointer to v in KeyId and returns the receiver so calls
// can be chained.
func (s *ListKeyPoliciesInput) SetKeyId(v string) *ListKeyPoliciesInput {
	ptr := &v
	s.KeyId = ptr
	return s
}
13701
// SetLimit stores a pointer to v in Limit and returns the receiver so calls
// can be chained. The value is not range-checked here.
func (s *ListKeyPoliciesInput) SetLimit(v int64) *ListKeyPoliciesInput {
	ptr := &v
	s.Limit = ptr
	return s
}
13707
// SetMarker stores a pointer to v in Marker and returns the receiver so calls
// can be chained.
func (s *ListKeyPoliciesInput) SetMarker(v string) *ListKeyPoliciesInput {
	ptr := &v
	s.Marker = ptr
	return s
}
13713
// ListKeyPoliciesOutput holds one page of key policy names together with the
// paging state.
type ListKeyPoliciesOutput struct {
	_ struct{} `type:"structure"`

	// When Truncated is true, this element is present and contains the value to
	// use for the Marker parameter in a subsequent request.
	NextMarker *string `min:"1" type:"string"`

	// A list of key policy names. The only valid value is default.
	PolicyNames []*string `type:"list"`

	// A flag that indicates whether there are more items in the list. When this
	// value is true, the list in this response is truncated. To get more items,
	// pass the value of the NextMarker element in this response to the Marker parameter
	// in a subsequent request.
	Truncated *bool `type:"boolean"`
}
13730
// String renders the output with awsutil.Prettify.
func (s ListKeyPoliciesOutput) String() string {
	text := awsutil.Prettify(s)
	return text
}
13735
// GoString returns exactly what String returns.
func (s ListKeyPoliciesOutput) GoString() string {
	text := s.String()
	return text
}
13740
// SetNextMarker stores a pointer to v in NextMarker and returns the receiver
// so calls can be chained.
func (s *ListKeyPoliciesOutput) SetNextMarker(v string) *ListKeyPoliciesOutput {
	ptr := &v
	s.NextMarker = ptr
	return s
}
13746
// SetPolicyNames assigns v to PolicyNames without copying it, so the caller's
// slice and the field share one backing array. It returns the receiver for
// chaining.
func (s *ListKeyPoliciesOutput) SetPolicyNames(v []*string) *ListKeyPoliciesOutput {
	out := s
	out.PolicyNames = v
	return out
}
13752
// SetTruncated stores a pointer to v in Truncated and returns the receiver so
// calls can be chained.
func (s *ListKeyPoliciesOutput) SetTruncated(v bool) *ListKeyPoliciesOutput {
	ptr := &v
	s.Truncated = ptr
	return s
}
13758
// ListKeysInput carries only the Limit and Marker paging parameters; it has
// no filter fields.
type ListKeysInput struct {
	_ struct{} `type:"structure"`

	// Use this parameter to specify the maximum number of items to return. When
	// this value is present, AWS KMS does not return more than the specified number
	// of items, but it might return fewer.
	//
	// This value is optional. If you include a value, it must be between 1 and
	// 1000, inclusive. If you do not include a value, it defaults to 100.
	//
	// The field tag declares only the minimum of 1; the upper bound is not
	// declared on this field.
	Limit *int64 `min:"1" type:"integer"`

	// Use this parameter in a subsequent request after you receive a response with
	// truncated results. Set it to the value of NextMarker from the truncated response
	// you just received.
	Marker *string `min:"1" type:"string"`
}
13775
// String renders the input with awsutil.Prettify.
func (s ListKeysInput) String() string {
	text := awsutil.Prettify(s)
	return text
}
13780
// GoString returns exactly what String returns.
func (s ListKeysInput) GoString() string {
	text := s.String()
	return text
}
13785
// Validate reports every field that violates its declared minimum: Limit must
// be at least 1 when set and Marker must be non-empty when set. All
// violations are collected into one request.ErrInvalidParams; nil means none
// were found. Only these lower bounds are checked here; the upper bound on
// Limit documented on the field is not.
func (s *ListKeysInput) Validate() error {
	problems := request.ErrInvalidParams{Context: "ListKeysInput"}
	if lim := s.Limit; lim != nil && *lim <= 0 {
		problems.Add(request.NewErrParamMinValue("Limit", 1))
	}
	if mk := s.Marker; mk != nil && *mk == "" {
		problems.Add(request.NewErrParamMinLen("Marker", 1))
	}

	if problems.Len() == 0 {
		return nil
	}
	return problems
}
13801
// SetLimit stores a pointer to v in Limit and returns the receiver so calls
// can be chained. The value is not range-checked here.
func (s *ListKeysInput) SetLimit(v int64) *ListKeysInput {
	ptr := &v
	s.Limit = ptr
	return s
}
13807
// SetMarker stores a pointer to v in Marker and returns the receiver so calls
// can be chained.
func (s *ListKeysInput) SetMarker(v string) *ListKeysInput {
	ptr := &v
	s.Marker = ptr
	return s
}
13813
// ListKeysOutput holds one page of customer master keys together with the
// paging state. When Truncated is true the page is not the complete list, so
// a key inventory has to keep requesting pages to avoid missing keys.
type ListKeysOutput struct {
	_ struct{} `type:"structure"`

	// A list of customer master keys (CMKs).
	Keys []*KeyListEntry `type:"list"`

	// When Truncated is true, this element is present and contains the value to
	// use for the Marker parameter in a subsequent request.
	NextMarker *string `min:"1" type:"string"`

	// A flag that indicates whether there are more items in the list. When this
	// value is true, the list in this response is truncated. To get more items,
	// pass the value of the NextMarker element in this response to the Marker parameter
	// in a subsequent request.
	Truncated *bool `type:"boolean"`
}
13830
// String renders the output with awsutil.Prettify.
func (s ListKeysOutput) String() string {
	text := awsutil.Prettify(s)
	return text
}
13835
// GoString returns exactly what String returns.
func (s ListKeysOutput) GoString() string {
	text := s.String()
	return text
}
13840
// SetKeys assigns v to Keys without copying it, so the caller's slice and the
// field share one backing array. It returns the receiver for chaining.
func (s *ListKeysOutput) SetKeys(v []*KeyListEntry) *ListKeysOutput {
	out := s
	out.Keys = v
	return out
}
13846
// SetNextMarker stores a pointer to v in NextMarker and returns the receiver
// so calls can be chained.
func (s *ListKeysOutput) SetNextMarker(v string) *ListKeysOutput {
	ptr := &v
	s.NextMarker = ptr
	return s
}
13852
// SetTruncated stores a pointer to v in Truncated and returns the receiver so
// calls can be chained.
func (s *ListKeysOutput) SetTruncated(v bool) *ListKeysOutput {
	ptr := &v
	s.Truncated = ptr
	return s
}
13858
// ListResourceTagsInput names the CMK whose tags are listed (KeyId, required)
// and carries the Limit and Marker paging parameters.
type ListResourceTagsInput struct {
	_ struct{} `type:"structure"`

	// Gets tags on the specified customer master key (CMK).
	//
	// Specify the key ID or key ARN of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// Use this parameter to specify the maximum number of items to return. When
	// this value is present, AWS KMS does not return more than the specified number
	// of items, but it might return fewer.
	//
	// This value is optional. If you include a value, it must be between 1 and
	// 50, inclusive. If you do not include a value, it defaults to 50.
	//
	// The field tag declares only the minimum of 1; the upper bound is not
	// declared on this field.
	Limit *int64 `min:"1" type:"integer"`

	// Use this parameter in a subsequent request after you receive a response with
	// truncated results. Set it to the value of NextMarker from the truncated response
	// you just received.
	//
	// Do not attempt to construct this value. Use only the value of NextMarker
	// from the truncated response you just received.
	Marker *string `min:"1" type:"string"`
}
13893
// String renders the input with awsutil.Prettify.
func (s ListResourceTagsInput) String() string {
	text := awsutil.Prettify(s)
	return text
}
13898
// GoString returns exactly what String returns.
func (s ListResourceTagsInput) GoString() string {
	text := s.String()
	return text
}
13903
// Validate reports every field that violates its declared constraints: KeyId
// must be set and non-empty, Marker must be non-empty when set, and Limit
// must be at least 1 when set. All violations are collected into one
// request.ErrInvalidParams; nil means none were found. Only presence and
// lower bounds are checked here; the upper bound on Limit documented on the
// field is not, and a Marker is checked for length only.
func (s *ListResourceTagsInput) Validate() error {
	problems := request.ErrInvalidParams{Context: "ListResourceTagsInput"}
	switch {
	case s.KeyId == nil:
		problems.Add(request.NewErrParamRequired("KeyId"))
	case *s.KeyId == "":
		problems.Add(request.NewErrParamMinLen("KeyId", 1))
	}
	if lim := s.Limit; lim != nil && *lim <= 0 {
		problems.Add(request.NewErrParamMinValue("Limit", 1))
	}
	if mk := s.Marker; mk != nil && *mk == "" {
		problems.Add(request.NewErrParamMinLen("Marker", 1))
	}

	if problems.Len() == 0 {
		return nil
	}
	return problems
}
13925
// SetKeyId stores a pointer to v in KeyId and returns the receiver so calls
// can be chained.
func (s *ListResourceTagsInput) SetKeyId(v string) *ListResourceTagsInput {
	ptr := &v
	s.KeyId = ptr
	return s
}
13931
// SetLimit stores a pointer to v in Limit and returns the receiver so calls
// can be chained. The value is not range-checked here.
func (s *ListResourceTagsInput) SetLimit(v int64) *ListResourceTagsInput {
	ptr := &v
	s.Limit = ptr
	return s
}
13937
// SetMarker stores a pointer to v in Marker and returns the receiver so calls
// can be chained. Per the field's documentation, v should be a NextMarker
// value taken from a truncated response, not one built by the caller.
func (s *ListResourceTagsInput) SetMarker(v string) *ListResourceTagsInput {
	ptr := &v
	s.Marker = ptr
	return s
}
13943
// ListResourceTagsOutput holds one page of tags together with the paging
// state. When Truncated is true the page is not the complete tag set, which
// matters when the tags are being reviewed for their effect on permissions.
type ListResourceTagsOutput struct {
	_ struct{} `type:"structure"`

	// When Truncated is true, this element is present and contains the value to
	// use for the Marker parameter in a subsequent request.
	//
	// Do not assume or infer any information from this value.
	NextMarker *string `min:"1" type:"string"`

	// A list of tags. Each tag consists of a tag key and a tag value.
	//
	// Tagging or untagging a CMK can allow or deny permission to the CMK. For details,
	// see Using ABAC in AWS KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html)
	// in the AWS Key Management Service Developer Guide.
	Tags []*Tag `type:"list"`

	// A flag that indicates whether there are more items in the list. When this
	// value is true, the list in this response is truncated. To get more items,
	// pass the value of the NextMarker element in this response to the Marker parameter
	// in a subsequent request.
	Truncated *bool `type:"boolean"`
}
13966
// String renders the output with awsutil.Prettify.
func (s ListResourceTagsOutput) String() string {
	text := awsutil.Prettify(s)
	return text
}
13971
// GoString returns exactly what String returns.
func (s ListResourceTagsOutput) GoString() string {
	text := s.String()
	return text
}
13976
// SetNextMarker stores a pointer to v in NextMarker and returns the receiver
// so calls can be chained.
func (s *ListResourceTagsOutput) SetNextMarker(v string) *ListResourceTagsOutput {
	ptr := &v
	s.NextMarker = ptr
	return s
}
13982
// SetTags assigns v to Tags without copying it, so the caller's slice and the
// field share one backing array. It returns the receiver for chaining.
func (s *ListResourceTagsOutput) SetTags(v []*Tag) *ListResourceTagsOutput {
	out := s
	out.Tags = v
	return out
}
13988
// SetTruncated stores a pointer to v in Truncated and returns the receiver so
// calls can be chained.
func (s *ListResourceTagsOutput) SetTruncated(v bool) *ListResourceTagsOutput {
	ptr := &v
	s.Truncated = ptr
	return s
}
13994
// ListRetirableGrantsInput names the retiring principal whose grants are
// listed (RetiringPrincipal, required) and carries the Limit and Marker
// paging parameters.
type ListRetirableGrantsInput struct {
	_ struct{} `type:"structure"`

	// Use this parameter to specify the maximum number of items to return. When
	// this value is present, AWS KMS does not return more than the specified number
	// of items, but it might return fewer.
	//
	// This value is optional. If you include a value, it must be between 1 and
	// 100, inclusive. If you do not include a value, it defaults to 50.
	//
	// The field tag declares only the minimum of 1; the upper bound is not
	// declared on this field.
	Limit *int64 `min:"1" type:"integer"`

	// Use this parameter in a subsequent request after you receive a response with
	// truncated results. Set it to the value of NextMarker from the truncated response
	// you just received.
	Marker *string `min:"1" type:"string"`

	// The retiring principal for which to list grants. Enter a principal in your
	// AWS account.
	//
	// To specify the retiring principal, use the Amazon Resource Name (ARN) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
	// of an AWS principal. Valid AWS principals include AWS accounts (root), IAM
	// users, federated users, and assumed role users. For examples of the ARN syntax
	// for specifying a principal, see AWS Identity and Access Management (IAM)
	// (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam)
	// in the Example ARNs section of the Amazon Web Services General Reference.
	//
	// RetiringPrincipal is a required field
	RetiringPrincipal *string `min:"1" type:"string" required:"true"`
}
14024
// String renders the input with awsutil.Prettify. The text carries whatever
// field values Prettify prints, so treat it in logs with the same care as the
// principal ARN itself.
func (s ListRetirableGrantsInput) String() string {
	text := awsutil.Prettify(s)
	return text
}
14029
// GoString returns exactly what String returns.
func (s ListRetirableGrantsInput) GoString() string {
	text := s.String()
	return text
}
14034
// Validate reports every field that violates its declared constraints: Limit
// must be at least 1 when set, Marker must be non-empty when set, and
// RetiringPrincipal must be set and non-empty. All violations are collected
// into one request.ErrInvalidParams; nil means none were found. The principal
// is checked for presence and length only, not for ARN syntax, and the upper
// bound on Limit documented on the field is not checked.
func (s *ListRetirableGrantsInput) Validate() error {
	problems := request.ErrInvalidParams{Context: "ListRetirableGrantsInput"}
	if lim := s.Limit; lim != nil && *lim <= 0 {
		problems.Add(request.NewErrParamMinValue("Limit", 1))
	}
	if mk := s.Marker; mk != nil && *mk == "" {
		problems.Add(request.NewErrParamMinLen("Marker", 1))
	}
	switch {
	case s.RetiringPrincipal == nil:
		problems.Add(request.NewErrParamRequired("RetiringPrincipal"))
	case *s.RetiringPrincipal == "":
		problems.Add(request.NewErrParamMinLen("RetiringPrincipal", 1))
	}

	if problems.Len() == 0 {
		return nil
	}
	return problems
}
14056
// SetLimit stores a pointer to v in Limit and returns the receiver so calls
// can be chained. The value is not range-checked here.
func (s *ListRetirableGrantsInput) SetLimit(v int64) *ListRetirableGrantsInput {
	ptr := &v
	s.Limit = ptr
	return s
}
14062
// SetMarker stores a pointer to v in Marker and returns the receiver so calls
// can be chained.
func (s *ListRetirableGrantsInput) SetMarker(v string) *ListRetirableGrantsInput {
	ptr := &v
	s.Marker = ptr
	return s
}
14068
// SetRetiringPrincipal stores a pointer to v in RetiringPrincipal and returns
// the receiver so calls can be chained.
func (s *ListRetirableGrantsInput) SetRetiringPrincipal(v string) *ListRetirableGrantsInput {
	ptr := &v
	s.RetiringPrincipal = ptr
	return s
}
14074
// MalformedPolicyDocumentException is the error value for a request that was
// rejected because the specified policy is not syntactically
// or semantically correct.
//
// RespMetadata backs StatusCode and RequestID; its json:"-" and xml:"-" tags
// exclude it from those encodings.
type MalformedPolicyDocumentException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	// Message_ is the optional message text; Message returns "" when it is nil.
	Message_ *string `locationName:"message" type:"string"`
}
14083
// String renders the exception with awsutil.Prettify.
func (s MalformedPolicyDocumentException) String() string {
	text := awsutil.Prettify(s)
	return text
}
14088
// GoString returns exactly what String returns.
func (s MalformedPolicyDocumentException) GoString() string {
	text := s.String()
	return text
}
14093
// newErrorMalformedPolicyDocumentException returns a
// *MalformedPolicyDocumentException whose RespMetadata is v. Message_ is left
// nil.
func newErrorMalformedPolicyDocumentException(v protocol.ResponseMetadata) error {
	exc := new(MalformedPolicyDocumentException)
	exc.RespMetadata = v
	return exc
}
14099
// Code returns the fixed exception type name,
// "MalformedPolicyDocumentException".
func (s *MalformedPolicyDocumentException) Code() string {
	const code = "MalformedPolicyDocumentException"
	return code
}
14104
// Message returns the text held in Message_, or "" when Message_ is nil.
func (s *MalformedPolicyDocumentException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}
14112
// OrigErr satisfies the awserr.Error interface. This exception wraps no
// underlying error, so the result is always nil.
func (s *MalformedPolicyDocumentException) OrigErr() error {
	var none error
	return none
}
14117
// Error formats the exception as "<code>: <message>", taking the two parts
// from Code and Message.
func (s *MalformedPolicyDocumentException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}
14121
// StatusCode returns the HTTP status code recorded in the response metadata
// of the failed request.
func (s *MalformedPolicyDocumentException) StatusCode() int {
	meta := s.RespMetadata
	return meta.StatusCode
}
14126
// RequestID returns the request ID recorded in the response metadata. Logging
// it with the error makes the failed call easier to match against
// service-side records.
func (s *MalformedPolicyDocumentException) RequestID() string {
	meta := s.RespMetadata
	return meta.RequestID
}
14131
// MultiRegionConfiguration describes the configuration of this multi-Region
// CMK. This field appears only when the CMK is a primary or replica of a
// multi-Region CMK.
//
// For more information about any listed CMK, use the DescribeKey operation.
type MultiRegionConfiguration struct {
	_ struct{} `type:"structure"`

	// Indicates whether the CMK is a PRIMARY or REPLICA key.
	MultiRegionKeyType *string `type:"string" enum:"MultiRegionKeyType"`

	// Displays the key ARN and Region of the primary key. This field includes the
	// current CMK if it is the primary key.
	PrimaryKey *MultiRegionKey `type:"structure"`

	// Displays the key ARNs and Regions of all replica keys. This field includes
	// the current CMK if it is a replica key.
	ReplicaKeys []*MultiRegionKey `type:"list"`
}
14150
// String renders the configuration with awsutil.Prettify.
func (s MultiRegionConfiguration) String() string {
	text := awsutil.Prettify(s)
	return text
}
14155
// GoString returns exactly what String returns.
func (s MultiRegionConfiguration) GoString() string {
	text := s.String()
	return text
}
14160
// SetMultiRegionKeyType stores a pointer to v in MultiRegionKeyType and
// returns the receiver so calls can be chained. The value is not checked
// against the enum named in the field tag.
func (s *MultiRegionConfiguration) SetMultiRegionKeyType(v string) *MultiRegionConfiguration {
	ptr := &v
	s.MultiRegionKeyType = ptr
	return s
}
14166
// SetPrimaryKey assigns the pointer v to PrimaryKey, so the field and the
// caller refer to the same MultiRegionKey. It returns the receiver for
// chaining.
func (s *MultiRegionConfiguration) SetPrimaryKey(v *MultiRegionKey) *MultiRegionConfiguration {
	out := s
	out.PrimaryKey = v
	return out
}
14172
// SetReplicaKeys assigns v to ReplicaKeys without copying it, so the caller's
// slice and the field share one backing array. It returns the receiver for
// chaining.
func (s *MultiRegionConfiguration) SetReplicaKeys(v []*MultiRegionKey) *MultiRegionConfiguration {
	out := s
	out.ReplicaKeys = v
	return out
}
14178
// MultiRegionKey describes the primary or replica key in a multi-Region key.
type MultiRegionKey struct {
	_ struct{} `type:"structure"`

	// Displays the key ARN of a primary or replica key of a multi-Region key.
	Arn *string `min:"20" type:"string"`

	// Displays the AWS Region of a primary or replica key in a multi-Region key.
	Region *string `min:"1" type:"string"`
}
14189
// String renders the key description with awsutil.Prettify.
func (s MultiRegionKey) String() string {
	text := awsutil.Prettify(s)
	return text
}
14194
// GoString returns exactly what String returns.
func (s MultiRegionKey) GoString() string {
	text := s.String()
	return text
}
14199
// SetArn stores a pointer to v in Arn and returns the receiver so calls can
// be chained. The minimum length in the field tag is not checked here.
func (s *MultiRegionKey) SetArn(v string) *MultiRegionKey {
	ptr := &v
	s.Arn = ptr
	return s
}
14205
// SetRegion points the Region field at a copy of v and returns the receiver so
// that setter calls can be chained.
func (s *MultiRegionKey) SetRegion(v string) *MultiRegionKey {
	region := v
	s.Region = &region
	return s
}
14211
// NotFoundException reports that the request was rejected because the
// specified entity or resource could not be found.
type NotFoundException struct {
	_            struct{}                  `type:"structure"`
	// RespMetadata is the response metadata; StatusCode and RequestID read
	// their values from it.
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	// Message_ is the optional message text; Message returns "" while it is nil.
	Message_ *string `locationName:"message" type:"string"`
}
14220
// String renders the NotFoundException through awsutil.Prettify and returns
// the resulting text.
func (s NotFoundException) String() string {
	rendered := awsutil.Prettify(s)
	return rendered
}
14225
// GoString returns the same text as String; fmt calls it for the %#v verb.
func (s NotFoundException) GoString() string {
	text := s.String()
	return text
}
14230
// newErrorNotFoundException builds a NotFoundException that carries the
// supplied response metadata and returns it as an error. Message_ is left unset.
func newErrorNotFoundException(v protocol.ResponseMetadata) error {
	notFound := &NotFoundException{}
	notFound.RespMetadata = v
	return notFound
}
14236
// Code returns the exception type name, which is always "NotFoundException".
func (s *NotFoundException) Code() string {
	const code = "NotFoundException"
	return code
}
14241
// Message returns the text held in Message_, or the empty string when no
// message has been set.
func (s *NotFoundException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}
14249
// OrigErr always returns nil; it is present so that the type satisfies the
// awserr.Error interface.
func (s *NotFoundException) OrigErr() error {
	var none error
	return none
}
14254
// Error formats the exception as "<code>: <message>", using Code and Message.
func (s *NotFoundException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}
14258
// StatusCode returns the HTTP status code recorded in the response metadata of
// the failed request.
func (s *NotFoundException) StatusCode() int {
	meta := s.RespMetadata
	return meta.StatusCode
}
14263
// RequestID returns the request ID recorded in the response metadata, which is
// the value to quote when correlating this error with service-side logs.
func (s *NotFoundException) RequestID() string {
	meta := s.RespMetadata
	return meta.RequestID
}
14268
// PutKeyPolicyInput carries the parameters of a PutKeyPolicy request.
type PutKeyPolicyInput struct {
	_ struct{} `type:"structure"`

	// A flag to indicate whether to bypass the key policy lockout safety check.
	//
	// Setting this value to true increases the risk that the CMK becomes unmanageable.
	// Do not set this value to true indiscriminately.
	//
	// For more information, refer to the scenario in the Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam)
	// section in the AWS Key Management Service Developer Guide.
	//
	// Use this parameter only when you intend to prevent the principal that is
	// making the request from making a subsequent PutKeyPolicy request on the CMK.
	//
	// The default value is false.
	//
	// NOTE(review): nothing in this package restricts who may set the flag, so
	// callers should treat a true value as a change that needs review. The
	// request parameters should be visible in the account's API audit log;
	// confirm that PutKeyPolicy calls carrying the bypass flag are alerted on.
	BypassPolicyLockoutSafetyCheck *bool `type:"boolean"`

	// Identifies the customer master key (CMK) on which the key policy is set.
	//
	// Specify the key ID or key ARN of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// The key policy to attach to the CMK.
	//
	// The key policy must meet the following criteria:
	//
	//    * If you don't set BypassPolicyLockoutSafetyCheck to true, the key policy
	//    must allow the principal that is making the PutKeyPolicy request to make
	//    a subsequent PutKeyPolicy request on the CMK. This reduces the risk that
	//    the CMK becomes unmanageable. For more information, refer to the scenario
	//    in the Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam)
	//    section of the AWS Key Management Service Developer Guide.
	//
	//    * Each statement in the key policy must contain one or more principals.
	//    The principals in the key policy must exist and be visible to AWS KMS.
	//    When you create a new AWS principal (for example, an IAM user or role),
	//    you might need to enforce a delay before including the new principal in
	//    a key policy because the new principal might not be immediately visible
	//    to AWS KMS. For more information, see Changes that I make are not always
	//    immediately visible (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency)
	//    in the AWS Identity and Access Management User Guide.
	//
	// The key policy cannot exceed 32 kilobytes (32768 bytes). For more information,
	// see Resource Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/resource-limits.html)
	// in the AWS Key Management Service Developer Guide.
	//
	// The min:"1" tag is the only constraint declared on this field here; the
	// criteria above are presumably enforced by the service, not client-side.
	//
	// Policy is a required field
	Policy *string `min:"1" type:"string" required:"true"`

	// The name of the key policy. The only valid value is default.
	//
	// PolicyName is a required field
	PolicyName *string `min:"1" type:"string" required:"true"`
}
14333
// String renders the PutKeyPolicyInput through awsutil.Prettify and returns the
// resulting text.
//
// NOTE(review): the whole struct is passed to Prettify, so the output
// presumably includes the key policy document; confirm before logging it.
func (s PutKeyPolicyInput) String() string {
	rendered := awsutil.Prettify(s)
	return rendered
}
14338
// GoString returns the same text as String; fmt calls it for the %#v verb.
func (s PutKeyPolicyInput) GoString() string {
	text := s.String()
	return text
}
14343
// Validate checks the required KeyId, Policy and PolicyName fields: each must
// be set and at least one byte long. Every problem found is collected, and they
// are returned together as a request.ErrInvalidParams; nil means none were found.
//
// Nothing else is examined here: the policy document's content and size, the
// PolicyName value and BypassPolicyLockoutSafetyCheck pass through unchecked.
func (s *PutKeyPolicyInput) Validate() error {
	invalidParams := request.ErrInvalidParams{Context: "PutKeyPolicyInput"}

	switch {
	case s.KeyId == nil:
		invalidParams.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	switch {
	case s.Policy == nil:
		invalidParams.Add(request.NewErrParamRequired("Policy"))
	case len(*s.Policy) < 1:
		invalidParams.Add(request.NewErrParamMinLen("Policy", 1))
	}

	switch {
	case s.PolicyName == nil:
		invalidParams.Add(request.NewErrParamRequired("PolicyName"))
	case len(*s.PolicyName) < 1:
		invalidParams.Add(request.NewErrParamMinLen("PolicyName", 1))
	}

	if invalidParams.Len() == 0 {
		return nil
	}
	return invalidParams
}
14371
// SetBypassPolicyLockoutSafetyCheck points the BypassPolicyLockoutSafetyCheck
// field at a copy of v and returns the receiver for chaining. The setter
// applies no guard of its own; passing true requests the bypass described on
// the field.
func (s *PutKeyPolicyInput) SetBypassPolicyLockoutSafetyCheck(v bool) *PutKeyPolicyInput {
	bypass := v
	s.BypassPolicyLockoutSafetyCheck = &bypass
	return s
}
14377
// SetKeyId points the KeyId field at a copy of v and returns the receiver so
// that setter calls can be chained.
func (s *PutKeyPolicyInput) SetKeyId(v string) *PutKeyPolicyInput {
	keyID := v
	s.KeyId = &keyID
	return s
}
14383
// SetPolicy points the Policy field at a copy of v and returns the receiver so
// that setter calls can be chained. The policy text is stored as given.
func (s *PutKeyPolicyInput) SetPolicy(v string) *PutKeyPolicyInput {
	policy := v
	s.Policy = &policy
	return s
}
14389
// SetPolicyName points the PolicyName field at a copy of v and returns the
// receiver so that setter calls can be chained.
func (s *PutKeyPolicyInput) SetPolicyName(v string) *PutKeyPolicyInput {
	name := v
	s.PolicyName = &name
	return s
}
14395
// PutKeyPolicyOutput is the output type paired with PutKeyPolicyInput. It
// declares no data fields.
type PutKeyPolicyOutput struct {
	_ struct{} `type:"structure"`
}
14399
// String renders the PutKeyPolicyOutput through awsutil.Prettify and returns
// the resulting text.
func (s PutKeyPolicyOutput) String() string {
	rendered := awsutil.Prettify(s)
	return rendered
}
14404
// GoString returns the same text as String; fmt calls it for the %#v verb.
func (s PutKeyPolicyOutput) GoString() string {
	text := s.String()
	return text
}
14409
// ReEncryptInput carries the parameters of a ReEncrypt request: the ciphertext
// to decrypt, the source key details used to decrypt it, and the destination
// key details used to encrypt it again.
type ReEncryptInput struct {
	_ struct{} `type:"structure"`

	// Ciphertext of the data to reencrypt.
	//
	// CiphertextBlob is automatically base64 encoded/decoded by the SDK.
	//
	// CiphertextBlob is a required field
	CiphertextBlob []byte `min:"1" type:"blob" required:"true"`

	// Specifies the encryption algorithm that AWS KMS will use to reencrypt the
	// data after it has decrypted it. The default value, SYMMETRIC_DEFAULT, represents
	// the encryption algorithm used for symmetric CMKs.
	//
	// This parameter is required only when the destination CMK is an asymmetric
	// CMK.
	DestinationEncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"`

	// Specifies the encryption context to use when reencrypting the data.
	//
	// A destination encryption context is valid only when the destination CMK is
	// a symmetric CMK. The standard ciphertext format for asymmetric CMKs does
	// not include fields for metadata.
	//
	// An encryption context is a collection of non-secret key-value pairs that
	// represents additional authenticated data. When you use an encryption context
	// to encrypt data, you must specify the same (an exact case-sensitive match)
	// encryption context to decrypt the data. An encryption context is optional
	// when encrypting with a symmetric CMK, but it is highly recommended.
	//
	// Because the pairs are non-secret, do not place sensitive values in them.
	//
	// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context)
	// in the AWS Key Management Service Developer Guide.
	DestinationEncryptionContext map[string]*string `type:"map"`

	// A unique identifier for the CMK that is used to reencrypt the data. Specify
	// a symmetric or asymmetric CMK with a KeyUsage value of ENCRYPT_DECRYPT. To
	// find the KeyUsage value of a CMK, use the DescribeKey operation.
	//
	// To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When
	// using an alias name, prefix it with "alias/". To specify a CMK in a different
	// AWS account, you must use the key ARN or alias ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Alias name: alias/ExampleAlias
	//
	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To
	// get the alias name and alias ARN, use ListAliases.
	//
	// DestinationKeyId is a required field
	DestinationKeyId *string `min:"1" type:"string" required:"true"`

	// A list of grant tokens.
	//
	// Use a grant token when your permission to call this operation comes from
	// a new grant that has not yet achieved eventual consistency. For more information,
	// see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
	// in the AWS Key Management Service Developer Guide.
	GrantTokens []*string `type:"list"`

	// Specifies the encryption algorithm that AWS KMS will use to decrypt the ciphertext
	// before it is reencrypted. The default value, SYMMETRIC_DEFAULT, represents
	// the algorithm used for symmetric CMKs.
	//
	// Specify the same algorithm that was used to encrypt the ciphertext. If you
	// specify a different algorithm, the decrypt attempt fails.
	//
	// This parameter is required only when the ciphertext was encrypted under an
	// asymmetric CMK.
	SourceEncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"`

	// Specifies the encryption context to use to decrypt the ciphertext. Enter
	// the same encryption context that was used to encrypt the ciphertext.
	//
	// An encryption context is a collection of non-secret key-value pairs that
	// represents additional authenticated data. When you use an encryption context
	// to encrypt data, you must specify the same (an exact case-sensitive match)
	// encryption context to decrypt the data. An encryption context is optional
	// when encrypting with a symmetric CMK, but it is highly recommended.
	//
	// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context)
	// in the AWS Key Management Service Developer Guide.
	SourceEncryptionContext map[string]*string `type:"map"`

	// Specifies the customer master key (CMK) that AWS KMS will use to decrypt
	// the ciphertext before it is re-encrypted. Enter a key ID of the CMK that
	// was used to encrypt the ciphertext.
	//
	// This parameter is required only when the ciphertext was encrypted under an
	// asymmetric CMK. If you used a symmetric CMK, AWS KMS can get the CMK from
	// metadata that it adds to the symmetric ciphertext blob. However, specifying
	// the CMK is always recommended as a best practice. This practice ensures
	// that you use the CMK that you intend.
	//
	// To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When
	// using an alias name, prefix it with "alias/". To specify a CMK in a different
	// AWS account, you must use the key ARN or alias ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Alias name: alias/ExampleAlias
	//
	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To
	// get the alias name and alias ARN, use ListAliases.
	SourceKeyId *string `min:"1" type:"string"`
}
14528
// String renders the ReEncryptInput through awsutil.Prettify and returns the
// resulting text.
//
// NOTE(review): the whole struct is passed to Prettify, so the output
// presumably includes the ciphertext, both encryption contexts and any grant
// tokens; confirm before writing it to logs.
func (s ReEncryptInput) String() string {
	rendered := awsutil.Prettify(s)
	return rendered
}
14533
// GoString returns the same text as String; fmt calls it for the %#v verb.
func (s ReEncryptInput) GoString() string {
	text := s.String()
	return text
}
14538
// Validate checks that CiphertextBlob and DestinationKeyId are set and not
// empty, and that SourceKeyId, when set, is not empty. Every problem found is
// collected, and they are returned together as a request.ErrInvalidParams; nil
// means none were found.
//
// The algorithm, encryption-context and grant-token fields are not examined
// here, and a missing SourceKeyId is accepted.
func (s *ReEncryptInput) Validate() error {
	invalidParams := request.ErrInvalidParams{Context: "ReEncryptInput"}

	switch {
	case s.CiphertextBlob == nil:
		invalidParams.Add(request.NewErrParamRequired("CiphertextBlob"))
	case len(s.CiphertextBlob) < 1:
		invalidParams.Add(request.NewErrParamMinLen("CiphertextBlob", 1))
	}

	switch {
	case s.DestinationKeyId == nil:
		invalidParams.Add(request.NewErrParamRequired("DestinationKeyId"))
	case len(*s.DestinationKeyId) < 1:
		invalidParams.Add(request.NewErrParamMinLen("DestinationKeyId", 1))
	}

	// SourceKeyId is optional, so only an explicitly empty value is reported.
	if src := s.SourceKeyId; src != nil && len(*src) < 1 {
		invalidParams.Add(request.NewErrParamMinLen("SourceKeyId", 1))
	}

	if invalidParams.Len() == 0 {
		return nil
	}
	return invalidParams
}
14563
// SetCiphertextBlob assigns v to the CiphertextBlob field and returns the
// receiver for chaining. The bytes are not copied, so the field shares its
// backing array with the caller's slice.
func (s *ReEncryptInput) SetCiphertextBlob(v []byte) *ReEncryptInput {
	in := s
	in.CiphertextBlob = v
	return in
}
14569
// SetDestinationEncryptionAlgorithm points the DestinationEncryptionAlgorithm
// field at a copy of v and returns the receiver for chaining. The value is not
// checked against the EncryptionAlgorithmSpec enum here.
func (s *ReEncryptInput) SetDestinationEncryptionAlgorithm(v string) *ReEncryptInput {
	algo := v
	s.DestinationEncryptionAlgorithm = &algo
	return s
}
14575
// SetDestinationEncryptionContext assigns v to the DestinationEncryptionContext
// field and returns the receiver for chaining. The map is stored as given, not
// copied.
func (s *ReEncryptInput) SetDestinationEncryptionContext(v map[string]*string) *ReEncryptInput {
	in := s
	in.DestinationEncryptionContext = v
	return in
}
14581
// SetDestinationKeyId points the DestinationKeyId field at a copy of v and
// returns the receiver so that setter calls can be chained.
func (s *ReEncryptInput) SetDestinationKeyId(v string) *ReEncryptInput {
	keyID := v
	s.DestinationKeyId = &keyID
	return s
}
14587
// SetGrantTokens assigns v to the GrantTokens field and returns the receiver
// for chaining. The slice is stored as given, not copied.
func (s *ReEncryptInput) SetGrantTokens(v []*string) *ReEncryptInput {
	in := s
	in.GrantTokens = v
	return in
}
14593
// SetSourceEncryptionAlgorithm points the SourceEncryptionAlgorithm field at a
// copy of v and returns the receiver for chaining. The value is not checked
// against the EncryptionAlgorithmSpec enum here.
func (s *ReEncryptInput) SetSourceEncryptionAlgorithm(v string) *ReEncryptInput {
	algo := v
	s.SourceEncryptionAlgorithm = &algo
	return s
}
14599
// SetSourceEncryptionContext assigns v to the SourceEncryptionContext field and
// returns the receiver for chaining. The map is stored as given, not copied.
func (s *ReEncryptInput) SetSourceEncryptionContext(v map[string]*string) *ReEncryptInput {
	in := s
	in.SourceEncryptionContext = v
	return in
}
14605
// SetSourceKeyId points the SourceKeyId field at a copy of v and returns the
// receiver so that setter calls can be chained.
func (s *ReEncryptInput) SetSourceKeyId(v string) *ReEncryptInput {
	keyID := v
	s.SourceKeyId = &keyID
	return s
}
14611
// ReEncryptOutput holds the result of a ReEncrypt request: the new ciphertext
// plus the keys and algorithms that were used on each side.
type ReEncryptOutput struct {
	_ struct{} `type:"structure"`

	// The reencrypted data. When you use the HTTP API or the AWS CLI, the value
	// is Base64-encoded. Otherwise, it is not Base64-encoded.
	//
	// CiphertextBlob is automatically base64 encoded/decoded by the SDK.
	CiphertextBlob []byte `min:"1" type:"blob"`

	// The encryption algorithm that was used to reencrypt the data.
	DestinationEncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"`

	// The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN))
	// of the CMK that was used to reencrypt the data.
	KeyId *string `min:"1" type:"string"`

	// The encryption algorithm that was used to decrypt the ciphertext before it
	// was reencrypted.
	SourceEncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"`

	// Unique identifier of the CMK used to originally encrypt the data.
	//
	// NOTE(review): when the request left SourceKeyId unset, this is the place
	// to check that the ciphertext came from the expected CMK.
	SourceKeyId *string `min:"1" type:"string"`
}
14635
// String renders the ReEncryptOutput through awsutil.Prettify and returns the
// resulting text.
func (s ReEncryptOutput) String() string {
	rendered := awsutil.Prettify(s)
	return rendered
}
14640
// GoString returns the same text as String; fmt calls it for the %#v verb.
func (s ReEncryptOutput) GoString() string {
	text := s.String()
	return text
}
14645
// SetCiphertextBlob assigns v to the CiphertextBlob field and returns the
// receiver for chaining. The bytes are not copied, so the field shares its
// backing array with the caller's slice.
func (s *ReEncryptOutput) SetCiphertextBlob(v []byte) *ReEncryptOutput {
	out := s
	out.CiphertextBlob = v
	return out
}
14651
// SetDestinationEncryptionAlgorithm points the DestinationEncryptionAlgorithm
// field at a copy of v and returns the receiver for chaining.
func (s *ReEncryptOutput) SetDestinationEncryptionAlgorithm(v string) *ReEncryptOutput {
	algo := v
	s.DestinationEncryptionAlgorithm = &algo
	return s
}
14657
// SetKeyId points the KeyId field at a copy of v and returns the receiver so
// that setter calls can be chained.
func (s *ReEncryptOutput) SetKeyId(v string) *ReEncryptOutput {
	keyID := v
	s.KeyId = &keyID
	return s
}
14663
// SetSourceEncryptionAlgorithm points the SourceEncryptionAlgorithm field at a
// copy of v and returns the receiver for chaining.
func (s *ReEncryptOutput) SetSourceEncryptionAlgorithm(v string) *ReEncryptOutput {
	algo := v
	s.SourceEncryptionAlgorithm = &algo
	return s
}
14669
// SetSourceKeyId points the SourceKeyId field at a copy of v and returns the
// receiver so that setter calls can be chained.
func (s *ReEncryptOutput) SetSourceKeyId(v string) *ReEncryptOutput {
	keyID := v
	s.SourceKeyId = &keyID
	return s
}
14675
// ReplicateKeyInput carries the parameters for replicating a multi-Region
// primary key into another AWS Region. Description, Policy and Tags are set per
// replica; the field comments state that AWS KMS does not synchronize them.
type ReplicateKeyInput struct {
	_ struct{} `type:"structure"`

	// A flag to indicate whether to bypass the key policy lockout safety check.
	//
	// Setting this value to true increases the risk that the CMK becomes unmanageable.
	// Do not set this value to true indiscriminately.
	//
	// For more information, refer to the scenario in the Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam)
	// section in the AWS Key Management Service Developer Guide.
	//
	// Use this parameter only when you intend to prevent the principal that is
	// making the request from making a subsequent PutKeyPolicy request on the CMK.
	//
	// The default value is false.
	BypassPolicyLockoutSafetyCheck *bool `type:"boolean"`

	// A description of the CMK. Use a description that helps you decide whether
	// the CMK is appropriate for a task. The default value is an empty string (no
	// description).
	//
	// The description is not a shared property of multi-Region keys. You can specify
	// the same description or a different description for each key in a set of
	// related multi-Region keys. AWS KMS does not synchronize this property.
	Description *string `type:"string"`

	// Identifies the multi-Region primary key that is being replicated. To determine
	// whether a CMK is a multi-Region primary key, use the DescribeKey operation
	// to check the value of the MultiRegionKeyType property.
	//
	// Specify the key ID or key ARN of a multi-Region primary key.
	//
	// For example:
	//
	//    * Key ID: mrk-1234abcd12ab34cd56ef1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// The key policy to attach to the CMK. This parameter is optional. If you do
	// not provide a key policy, AWS KMS attaches the default key policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default)
	// to the CMK.
	//
	// The key policy is not a shared property of multi-Region keys. You can specify
	// the same key policy or a different key policy for each key in a set of related
	// multi-Region keys. AWS KMS does not synchronize this property.
	//
	// NOTE(review): because the policy is not synchronized, leaving this field
	// unset gives the replica the default key policy, not the primary key's
	// policy. Review each replica's key policy on its own.
	//
	// If you provide a key policy, it must meet the following criteria:
	//
	//    * If you don't set BypassPolicyLockoutSafetyCheck to true, the key policy
	//    must give the caller kms:PutKeyPolicy permission on the replica CMK. This
	//    reduces the risk that the CMK becomes unmanageable. For more information,
	//    refer to the scenario in the Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam)
	//    section of the AWS Key Management Service Developer Guide.
	//
	//    * Each statement in the key policy must contain one or more principals.
	//    The principals in the key policy must exist and be visible to AWS KMS.
	//    When you create a new AWS principal (for example, an IAM user or role),
	//    you might need to enforce a delay before including the new principal in
	//    a key policy because the new principal might not be immediately visible
	//    to AWS KMS. For more information, see Changes that I make are not always
	//    immediately visible (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency)
	//    in the AWS Identity and Access Management User Guide.
	//
	//    * The key policy size quota is 32 kilobytes (32768 bytes).
	Policy *string `min:"1" type:"string"`

	// The Region ID of the AWS Region for this replica key.
	//
	// Enter the Region ID, such as us-east-1 or ap-southeast-2. For a list of AWS
	// Regions in which AWS KMS is supported, see AWS KMS service endpoints (https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region)
	// in the Amazon Web Services General Reference.
	//
	// The replica must be in a different AWS Region than its primary key and other
	// replicas of that primary key, but in the same AWS partition. AWS KMS must
	// be available in the replica Region. If the Region is not enabled by default,
	// the AWS account must be enabled in the Region.
	//
	// For information about AWS partitions, see Amazon Resource Names (ARNs) in
	// the Amazon Web Services General Reference. (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
	// For information about enabling and disabling Regions, see Enabling a Region
	// (https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable)
	// and Disabling a Region (https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable)
	// in the Amazon Web Services General Reference.
	//
	// ReplicaRegion is a required field
	ReplicaRegion *string `min:"1" type:"string" required:"true"`

	// Assigns one or more tags to the replica key. Use this parameter to tag the
	// CMK when it is created. To tag an existing CMK, use the TagResource operation.
	//
	// Tagging or untagging a CMK can allow or deny permission to the CMK. For details,
	// see Using ABAC in AWS KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html)
	// in the AWS Key Management Service Developer Guide.
	//
	// To use this parameter, you must have kms:TagResource (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
	// permission in an IAM policy.
	//
	// Tags are not a shared property of multi-Region keys. You can specify the
	// same tags or different tags for each key in a set of related multi-Region
	// keys. AWS KMS does not synchronize this property.
	//
	// NOTE(review): where tags drive access decisions, a replica created with
	// different tags, or with none, may be governed by different permissions
	// than its primary key.
	//
	// Each tag consists of a tag key and a tag value. Both the tag key and the
	// tag value are required, but the tag value can be an empty (null) string.
	// You cannot have more than one tag on a CMK with the same tag key. If you
	// specify an existing tag key with a different tag value, AWS KMS replaces
	// the current tag value with the specified one.
	//
	// When you assign tags to an AWS resource, AWS generates a cost allocation
	// report with usage and costs aggregated by tags. Tags can also be used to
	// control access to a CMK. For details, see Tagging Keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html).
	Tags []*Tag `type:"list"`
}
14793
// String renders the ReplicateKeyInput through awsutil.Prettify and returns the
// resulting text.
//
// NOTE(review): the whole struct is passed to Prettify, so the output
// presumably includes the key policy document and tags; confirm before logging.
func (s ReplicateKeyInput) String() string {
	rendered := awsutil.Prettify(s)
	return rendered
}
14798
// GoString returns the same text as String; fmt calls it for the %#v verb.
func (s ReplicateKeyInput) GoString() string {
	text := s.String()
	return text
}
14803
// Validate checks that KeyId and ReplicaRegion are set and not empty, that
// Policy, when set, is not empty, and that every non-nil entry in Tags passes
// its own Validate. Every problem found is collected, and they are returned
// together as a request.ErrInvalidParams; nil means none were found.
//
// Description and BypassPolicyLockoutSafetyCheck are not examined, and the
// policy document is checked for length only.
func (s *ReplicateKeyInput) Validate() error {
	invalidParams := request.ErrInvalidParams{Context: "ReplicateKeyInput"}

	switch {
	case s.KeyId == nil:
		invalidParams.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	// Policy is optional, so only an explicitly empty value is reported.
	if policy := s.Policy; policy != nil && len(*policy) < 1 {
		invalidParams.Add(request.NewErrParamMinLen("Policy", 1))
	}

	switch {
	case s.ReplicaRegion == nil:
		invalidParams.Add(request.NewErrParamRequired("ReplicaRegion"))
	case len(*s.ReplicaRegion) < 1:
		invalidParams.Add(request.NewErrParamMinLen("ReplicaRegion", 1))
	}

	// Ranging over a nil slice runs zero times, so no separate nil check is needed.
	for i, tag := range s.Tags {
		if tag == nil {
			continue
		}
		err := tag.Validate()
		if err == nil {
			continue
		}
		// The unchecked assertion panics on any other error type.
		// NOTE(review): confirm Tag.Validate only returns request.ErrInvalidParams.
		invalidParams.AddNested(fmt.Sprintf("%s[%v]", "Tags", i), err.(request.ErrInvalidParams))
	}

	if invalidParams.Len() == 0 {
		return nil
	}
	return invalidParams
}
14838
// SetBypassPolicyLockoutSafetyCheck points the BypassPolicyLockoutSafetyCheck
// field at a copy of v and returns the receiver for chaining. The setter
// applies no guard of its own; passing true requests the bypass described on
// the field.
func (s *ReplicateKeyInput) SetBypassPolicyLockoutSafetyCheck(v bool) *ReplicateKeyInput {
	bypass := v
	s.BypassPolicyLockoutSafetyCheck = &bypass
	return s
}
14844
// SetDescription points the Description field at a copy of v and returns the
// receiver so that setter calls can be chained.
func (s *ReplicateKeyInput) SetDescription(v string) *ReplicateKeyInput {
	desc := v
	s.Description = &desc
	return s
}
14850
// SetKeyId points the KeyId field at a copy of v and returns the receiver so
// that setter calls can be chained.
func (s *ReplicateKeyInput) SetKeyId(v string) *ReplicateKeyInput {
	keyID := v
	s.KeyId = &keyID
	return s
}
14856
// SetPolicy points the Policy field at a copy of v and returns the receiver so
// that setter calls can be chained. The policy text is stored as given.
func (s *ReplicateKeyInput) SetPolicy(v string) *ReplicateKeyInput {
	policy := v
	s.Policy = &policy
	return s
}
14862
// SetReplicaRegion points the ReplicaRegion field at a copy of v and returns
// the receiver so that setter calls can be chained.
func (s *ReplicateKeyInput) SetReplicaRegion(v string) *ReplicateKeyInput {
	region := v
	s.ReplicaRegion = &region
	return s
}
14868
// SetTags assigns v to the Tags field and returns the receiver for chaining.
// The slice is stored as given, not copied.
func (s *ReplicateKeyInput) SetTags(v []*Tag) *ReplicateKeyInput {
	in := s
	in.Tags = v
	return in
}
14874
// ReplicateKeyOutput describes the replica key that was created: its metadata,
// the key policy attached to it, and its tags.
type ReplicateKeyOutput struct {
	_ struct{} `type:"structure"`

	// Displays details about the new replica CMK, including its Amazon Resource
	// Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN))
	// and key state (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html).
	// It also includes the ARN and AWS Region of its primary key and other replica
	// keys.
	ReplicaKeyMetadata *KeyMetadata `type:"structure"`

	// The key policy of the new replica key. The value is a key policy document
	// in JSON format.
	//
	// NOTE(review): this is the policy now in force on the replica, so it can
	// be compared with the policy the caller intended to attach.
	ReplicaPolicy *string `min:"1" type:"string"`

	// The tags on the new replica key. The value is a list of tag key and tag value
	// pairs.
	ReplicaTags []*Tag `type:"list"`
}
14893
// String renders the ReplicateKeyOutput through awsutil.Prettify and returns
// the resulting text.
func (s ReplicateKeyOutput) String() string {
	rendered := awsutil.Prettify(s)
	return rendered
}
14898
// GoString returns the same text as String; fmt calls it for the %#v verb.
func (s ReplicateKeyOutput) GoString() string {
	text := s.String()
	return text
}
14903
// SetReplicaKeyMetadata assigns v to the ReplicaKeyMetadata field and returns
// the receiver for chaining. The pointer is stored as given; the KeyMetadata is
// not copied.
func (s *ReplicateKeyOutput) SetReplicaKeyMetadata(v *KeyMetadata) *ReplicateKeyOutput {
	out := s
	out.ReplicaKeyMetadata = v
	return out
}
14909
// SetReplicaPolicy points the ReplicaPolicy field at a copy of v and returns
// the receiver so that setter calls can be chained.
func (s *ReplicateKeyOutput) SetReplicaPolicy(v string) *ReplicateKeyOutput {
	policy := v
	s.ReplicaPolicy = &policy
	return s
}
14915
// SetReplicaTags assigns v to the ReplicaTags field and returns the receiver
// for chaining. The slice is stored as given, not copied.
func (s *ReplicateKeyOutput) SetReplicaTags(v []*Tag) *ReplicateKeyOutput {
	out := s
	out.ReplicaTags = v
	return out
}
14921
// RetireGrantInput identifies the grant to retire. No field is tagged as
// required, so none is mandatory at the struct level.
type RetireGrantInput struct {
	_ struct{} `type:"structure"`

	// Identifies the grant to retire. To get the grant ID, use CreateGrant, ListGrants,
	// or ListRetirableGrants.
	//
	//    * Grant ID Example - 0123456789012345678901234567890123456789012345678901234567890123
	GrantId *string `min:"1" type:"string"`

	// Identifies the grant to be retired. You can use a grant token to identify
	// a new grant even before it has achieved eventual consistency.
	//
	// Only the CreateGrant operation returns a grant token. For details, see Grant
	// token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token)
	// and Eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-eventual-consistency)
	// in the AWS Key Management Service Developer Guide.
	GrantToken *string `min:"1" type:"string"`

	// The key ARN of the CMK associated with the grant. To find the key ARN, use
	// the ListKeys operation.
	//
	// For example: arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab
	KeyId *string `min:"1" type:"string"`
}
14946
// String returns the awsutil.Prettify rendering of s.
func (s RetireGrantInput) String() string {
	rendered := awsutil.Prettify(s)
	return rendered
}
14951
// GoString returns the same text as String, so the %#v verb prints the
// prettified form.
func (s RetireGrantInput) GoString() string {
	text := s.String()
	return text
}
14956
// Validate checks the fields that are set against their minimum lengths.
//
// GrantId, GrantToken and KeyId are all optional here; a value that is set but
// empty is reported. These are local shape checks only: nothing in this method
// requires that at least one identifier is present, and nothing confirms that
// the grant exists or that the caller may retire it.
//
// It returns a request.ErrInvalidParams listing every violation, or nil when
// there are none.
func (s *RetireGrantInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "RetireGrantInput"}

	if id := s.GrantId; id != nil && len(*id) < 1 {
		errs.Add(request.NewErrParamMinLen("GrantId", 1))
	}
	if tok := s.GrantToken; tok != nil && len(*tok) < 1 {
		errs.Add(request.NewErrParamMinLen("GrantToken", 1))
	}
	if key := s.KeyId; key != nil && len(*key) < 1 {
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}
14975
// SetGrantId points GrantId at a copy of v and returns s so calls can be
// chained.
func (s *RetireGrantInput) SetGrantId(v string) *RetireGrantInput {
	grantID := v
	s.GrantId = &grantID
	return s
}
14981
// SetGrantToken points GrantToken at a copy of v and returns s so calls can be
// chained.
func (s *RetireGrantInput) SetGrantToken(v string) *RetireGrantInput {
	token := v
	s.GrantToken = &token
	return s
}
14987
// SetKeyId points KeyId at a copy of v and returns s so calls can be chained.
func (s *RetireGrantInput) SetKeyId(v string) *RetireGrantInput {
	keyID := v
	s.KeyId = &keyID
	return s
}
14993
// RetireGrantOutput is the response type paired with RetireGrantInput. It
// declares no data fields.
type RetireGrantOutput struct {
	_ struct{} `type:"structure"`
}
14997
// String returns the awsutil.Prettify rendering of s.
func (s RetireGrantOutput) String() string {
	rendered := awsutil.Prettify(s)
	return rendered
}
15002
// GoString returns the same text as String, so the %#v verb prints the
// prettified form.
func (s RetireGrantOutput) GoString() string {
	text := s.String()
	return text
}
15007
// RevokeGrantInput carries the parameters of a RevokeGrant request. Both
// fields are tagged required with a minimum length of 1.
type RevokeGrantInput struct {
	_ struct{} `type:"structure"`

	// Identifies the grant to revoke. To get the grant ID, use CreateGrant, ListGrants,
	// or ListRetirableGrants.
	//
	// GrantId is a required field
	GrantId *string `min:"1" type:"string" required:"true"`

	// A unique identifier for the customer master key (CMK) associated with the
	// grant. To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// Specify the key ID or key ARN of the CMK. To specify a CMK in a different
	// AWS account, you must use the key ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`
}
15034
// String returns the awsutil.Prettify rendering of s.
func (s RevokeGrantInput) String() string {
	rendered := awsutil.Prettify(s)
	return rendered
}
15039
// GoString returns the same text as String, so the %#v verb prints the
// prettified form.
func (s RevokeGrantInput) GoString() string {
	text := s.String()
	return text
}
15044
// Validate checks that GrantId and KeyId are both set and non-empty.
//
// These are local shape checks only; they do not confirm that the grant or key
// exists or that the caller may revoke the grant.
//
// It returns a request.ErrInvalidParams listing every violation, or nil when
// there are none.
func (s *RevokeGrantInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "RevokeGrantInput"}

	switch {
	case s.GrantId == nil:
		errs.Add(request.NewErrParamRequired("GrantId"))
	case len(*s.GrantId) < 1:
		errs.Add(request.NewErrParamMinLen("GrantId", 1))
	}

	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}
15066
// SetGrantId points GrantId at a copy of v and returns s so calls can be
// chained.
func (s *RevokeGrantInput) SetGrantId(v string) *RevokeGrantInput {
	grantID := v
	s.GrantId = &grantID
	return s
}
15072
// SetKeyId points KeyId at a copy of v and returns s so calls can be chained.
func (s *RevokeGrantInput) SetKeyId(v string) *RevokeGrantInput {
	keyID := v
	s.KeyId = &keyID
	return s
}
15078
// RevokeGrantOutput is the response type paired with RevokeGrantInput. It
// declares no data fields.
type RevokeGrantOutput struct {
	_ struct{} `type:"structure"`
}
15082
// String returns the awsutil.Prettify rendering of s.
func (s RevokeGrantOutput) String() string {
	rendered := awsutil.Prettify(s)
	return rendered
}
15087
// GoString returns the same text as String, so the %#v verb prints the
// prettified form.
func (s RevokeGrantOutput) GoString() string {
	text := s.String()
	return text
}
15092
// ScheduleKeyDeletionInput carries the parameters of a ScheduleKeyDeletion
// request.
type ScheduleKeyDeletionInput struct {
	_ struct{} `type:"structure"`

	// The unique identifier of the customer master key (CMK) to delete.
	//
	// Specify the key ID or key ARN of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// The waiting period, specified in number of days. After the waiting period
	// ends, AWS KMS deletes the customer master key (CMK).
	//
	// If the CMK is a multi-Region primary key with replicas, the waiting period
	// begins when the last of its replica keys is deleted. Otherwise, the waiting
	// period begins immediately.
	//
	// This value is optional. If you include a value, it must be between 7 and
	// 30, inclusive. If you do not include a value, it defaults to 30.
	//
	// NOTE(review): the min:"1" tag below is looser than the documented 7-30
	// range, so values 1-6 and values above 30 are not caught by the tag;
	// presumably the range is enforced by the service -- confirm.
	PendingWindowInDays *int64 `min:"1" type:"integer"`
}
15122
// String returns the awsutil.Prettify rendering of s.
func (s ScheduleKeyDeletionInput) String() string {
	rendered := awsutil.Prettify(s)
	return rendered
}
15127
// GoString returns the same text as String, so the %#v verb prints the
// prettified form.
func (s ScheduleKeyDeletionInput) GoString() string {
	text := s.String()
	return text
}
15132
// Validate checks that KeyId is set and non-empty and that
// PendingWindowInDays, when set, is at least 1.
//
// The check on PendingWindowInDays is a lower bound of 1 only; it does not
// apply the 7-30 range described on the field, so an out-of-range waiting
// period passes this method. Callers that care about the waiting period before
// key deletion should check the range themselves.
//
// It returns a request.ErrInvalidParams listing every violation, or nil when
// there are none.
func (s *ScheduleKeyDeletionInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "ScheduleKeyDeletionInput"}

	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if days := s.PendingWindowInDays; days != nil && *days < 1 {
		errs.Add(request.NewErrParamMinValue("PendingWindowInDays", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}
15151
// SetKeyId points KeyId at a copy of v and returns s so calls can be chained.
func (s *ScheduleKeyDeletionInput) SetKeyId(v string) *ScheduleKeyDeletionInput {
	keyID := v
	s.KeyId = &keyID
	return s
}
15157
// SetPendingWindowInDays points PendingWindowInDays at a copy of v and returns
// s so calls can be chained. The value is stored as given; no range check is
// applied here.
func (s *ScheduleKeyDeletionInput) SetPendingWindowInDays(v int64) *ScheduleKeyDeletionInput {
	days := v
	s.PendingWindowInDays = &days
	return s
}
15163
// ScheduleKeyDeletionOutput is the response type paired with
// ScheduleKeyDeletionInput.
type ScheduleKeyDeletionOutput struct {
	_ struct{} `type:"structure"`

	// The date and time after which AWS KMS deletes the customer master key (CMK).
	//
	// If the CMK is a multi-Region primary key with replica keys, this field does
	// not appear. The deletion date for the primary key isn't known until its last
	// replica key is deleted.
	DeletionDate *time.Time `type:"timestamp"`

	// The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN))
	// of the CMK whose deletion is scheduled.
	KeyId *string `min:"1" type:"string"`

	// The current status of the CMK.
	//
	// For more information about how key state affects the use of a CMK, see Key
	// state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
	// in the AWS Key Management Service Developer Guide.
	KeyState *string `type:"string" enum:"KeyState"`

	// The waiting period before the CMK is deleted.
	//
	// If the CMK is a multi-Region primary key with replicas, the waiting period
	// begins when the last of its replica keys is deleted. Otherwise, the waiting
	// period begins immediately.
	PendingWindowInDays *int64 `min:"1" type:"integer"`
}
15192
// String returns the awsutil.Prettify rendering of s.
func (s ScheduleKeyDeletionOutput) String() string {
	rendered := awsutil.Prettify(s)
	return rendered
}
15197
// GoString returns the same text as String, so the %#v verb prints the
// prettified form.
func (s ScheduleKeyDeletionOutput) GoString() string {
	text := s.String()
	return text
}
15202
// SetDeletionDate points DeletionDate at a copy of v and returns s so calls
// can be chained.
func (s *ScheduleKeyDeletionOutput) SetDeletionDate(v time.Time) *ScheduleKeyDeletionOutput {
	when := v
	s.DeletionDate = &when
	return s
}
15208
// SetKeyId points KeyId at a copy of v and returns s so calls can be chained.
func (s *ScheduleKeyDeletionOutput) SetKeyId(v string) *ScheduleKeyDeletionOutput {
	keyID := v
	s.KeyId = &keyID
	return s
}
15214
// SetKeyState points KeyState at a copy of v and returns s so calls can be
// chained. The string is stored as given.
func (s *ScheduleKeyDeletionOutput) SetKeyState(v string) *ScheduleKeyDeletionOutput {
	state := v
	s.KeyState = &state
	return s
}
15220
// SetPendingWindowInDays points PendingWindowInDays at a copy of v and returns
// s so calls can be chained.
func (s *ScheduleKeyDeletionOutput) SetPendingWindowInDays(v int64) *ScheduleKeyDeletionOutput {
	days := v
	s.PendingWindowInDays = &days
	return s
}
15226
// SignInput carries the parameters of a Sign request.
type SignInput struct {
	_ struct{} `type:"structure"`

	// A list of grant tokens.
	//
	// Use a grant token when your permission to call this operation comes from
	// a new grant that has not yet achieved eventual consistency. For more information,
	// see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
	// in the AWS Key Management Service Developer Guide.
	GrantTokens []*string `type:"list"`

	// Identifies an asymmetric CMK. AWS KMS uses the private key in the asymmetric
	// CMK to sign the message. The KeyUsage type of the CMK must be SIGN_VERIFY.
	// To find the KeyUsage of a CMK, use the DescribeKey operation.
	//
	// To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When
	// using an alias name, prefix it with "alias/". To specify a CMK in a different
	// AWS account, you must use the key ARN or alias ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Alias name: alias/ExampleAlias
	//
	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To
	// get the alias name and alias ARN, use ListAliases.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// Specifies the message or message digest to sign. Messages can be 0-4096 bytes.
	// To sign a larger message, provide the message digest.
	//
	// If you provide a message, AWS KMS generates a hash digest of the message
	// and then signs it.
	//
	// Message is automatically base64 encoded/decoded by the SDK.
	//
	// Message is a required field
	//
	// NOTE(review): the field is tagged sensitive:"true"; presumably
	// awsutil.Prettify uses that tag to keep the bytes out of String() output
	// -- confirm against the awsutil version in use before logging this type.
	Message []byte `min:"1" type:"blob" required:"true" sensitive:"true"`

	// Tells AWS KMS whether the value of the Message parameter is a message or
	// message digest. The default value, RAW, indicates a message. To indicate
	// a message digest, enter DIGEST.
	MessageType *string `type:"string" enum:"MessageType"`

	// Specifies the signing algorithm to use when signing the message.
	//
	// Choose an algorithm that is compatible with the type and size of the specified
	// asymmetric CMK.
	//
	// SigningAlgorithm is a required field
	SigningAlgorithm *string `type:"string" required:"true" enum:"SigningAlgorithmSpec"`
}
15286
// String returns the awsutil.Prettify rendering of s.
//
// NOTE(review): s carries Message, which is tagged sensitive:"true". Whether
// the rendering omits it depends on awsutil.Prettify, which is not shown here
// -- confirm before writing this string to logs.
func (s SignInput) String() string {
	rendered := awsutil.Prettify(s)
	return rendered
}
15291
// GoString returns the same text as String, so the %#v verb prints the
// prettified form.
func (s SignInput) GoString() string {
	text := s.String()
	return text
}
15296
// Validate checks that KeyId and Message are set and non-empty and that
// SigningAlgorithm is set.
//
// The values of SigningAlgorithm and MessageType are not compared against
// their enums here, GrantTokens is not inspected, and no upper bound is
// applied to len(Message). These are local shape checks only.
//
// It returns a request.ErrInvalidParams listing every violation, or nil when
// there are none.
func (s *SignInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "SignInput"}

	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	// A nil slice is "missing"; a non-nil slice of length zero is "too short".
	switch {
	case s.Message == nil:
		errs.Add(request.NewErrParamRequired("Message"))
	case len(s.Message) < 1:
		errs.Add(request.NewErrParamMinLen("Message", 1))
	}

	if s.SigningAlgorithm == nil {
		errs.Add(request.NewErrParamRequired("SigningAlgorithm"))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}
15321
// SetGrantTokens stores the slice v in GrantTokens without copying it and
// returns s so calls can be chained.
func (s *SignInput) SetGrantTokens(v []*string) *SignInput {
	tokens := v
	s.GrantTokens = tokens
	return s
}
15327
// SetKeyId points KeyId at a copy of v and returns s so calls can be chained.
func (s *SignInput) SetKeyId(v string) *SignInput {
	keyID := v
	s.KeyId = &keyID
	return s
}
15333
// SetMessage stores the slice v in Message without copying it, so later writes
// to the caller's slice change the bytes held by s. It returns s so calls can
// be chained.
func (s *SignInput) SetMessage(v []byte) *SignInput {
	payload := v
	s.Message = payload
	return s
}
15339
// SetMessageType points MessageType at a copy of v and returns s so calls can
// be chained. The string is stored as given.
func (s *SignInput) SetMessageType(v string) *SignInput {
	kind := v
	s.MessageType = &kind
	return s
}
15345
// SetSigningAlgorithm points SigningAlgorithm at a copy of v and returns s so
// calls can be chained. The string is stored as given.
func (s *SignInput) SetSigningAlgorithm(v string) *SignInput {
	alg := v
	s.SigningAlgorithm = &alg
	return s
}
15351
// SignOutput is the response type paired with SignInput.
type SignOutput struct {
	_ struct{} `type:"structure"`

	// The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN))
	// of the asymmetric CMK that was used to sign the message.
	KeyId *string `min:"1" type:"string"`

	// The cryptographic signature that was generated for the message.
	//
	//    * When used with the supported RSA signing algorithms, the encoding of
	//    this value is defined by PKCS #1 in RFC 8017 (https://tools.ietf.org/html/rfc8017).
	//
	//    * When used with the ECDSA_SHA_256, ECDSA_SHA_384, or ECDSA_SHA_512 signing
	//    algorithms, this value is a DER-encoded object as defined by ANS X9.62–2005
	//    and RFC 3279 Section 2.2.3 (https://tools.ietf.org/html/rfc3279#section-2.2.3).
	//    This is the most commonly used signature format and is appropriate for
	//    most uses.
	//
	// When you use the HTTP API or the AWS CLI, the value is Base64-encoded. Otherwise,
	// it is not Base64-encoded.
	//
	// Signature is automatically base64 encoded/decoded by the SDK.
	Signature []byte `min:"1" type:"blob"`

	// The signing algorithm that was used to sign the message.
	SigningAlgorithm *string `type:"string" enum:"SigningAlgorithmSpec"`
}
15379
// String returns the awsutil.Prettify rendering of s.
func (s SignOutput) String() string {
	rendered := awsutil.Prettify(s)
	return rendered
}
15384
// GoString returns the same text as String, so the %#v verb prints the
// prettified form.
func (s SignOutput) GoString() string {
	text := s.String()
	return text
}
15389
// SetKeyId points KeyId at a copy of v and returns s so calls can be chained.
func (s *SignOutput) SetKeyId(v string) *SignOutput {
	keyID := v
	s.KeyId = &keyID
	return s
}
15395
// SetSignature stores the slice v in Signature without copying it and returns
// s so calls can be chained.
func (s *SignOutput) SetSignature(v []byte) *SignOutput {
	sig := v
	s.Signature = sig
	return s
}
15401
// SetSigningAlgorithm points SigningAlgorithm at a copy of v and returns s so
// calls can be chained.
func (s *SignOutput) SetSigningAlgorithm(v string) *SignOutput {
	alg := v
	s.SigningAlgorithm = &alg
	return s
}
15407
// Tag is a key-value pair. A tag consists of a tag key and a tag value. Tag keys and
// tag values are both required, but tag values can be empty (null) strings.
//
// For information about the rules that apply to tag keys and tag values, see
// User-Defined Tag Restrictions (https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/allocation-tag-restrictions.html)
// in the AWS Billing and Cost Management User Guide.
type Tag struct {
	_ struct{} `type:"structure"`

	// The key of the tag.
	//
	// TagKey is a required field
	TagKey *string `min:"1" type:"string" required:"true"`

	// The value of the tag. It carries no min tag, so a set-but-empty value is
	// allowed.
	//
	// TagValue is a required field
	TagValue *string `type:"string" required:"true"`
}
15427
// String returns the awsutil.Prettify rendering of s.
func (s Tag) String() string {
	rendered := awsutil.Prettify(s)
	return rendered
}
15432
// GoString returns the same text as String, so the %#v verb prints the
// prettified form.
func (s Tag) GoString() string {
	text := s.String()
	return text
}
15437
// Validate checks that TagKey is set and non-empty and that TagValue is set.
// An empty TagValue string is accepted; only a nil pointer is reported.
//
// It returns a request.ErrInvalidParams listing every violation, or nil when
// there are none.
func (s *Tag) Validate() error {
	errs := request.ErrInvalidParams{Context: "Tag"}

	switch {
	case s.TagKey == nil:
		errs.Add(request.NewErrParamRequired("TagKey"))
	case len(*s.TagKey) < 1:
		errs.Add(request.NewErrParamMinLen("TagKey", 1))
	}

	if s.TagValue == nil {
		errs.Add(request.NewErrParamRequired("TagValue"))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}
15456
// SetTagKey points TagKey at a copy of v and returns s so calls can be chained.
func (s *Tag) SetTagKey(v string) *Tag {
	key := v
	s.TagKey = &key
	return s
}
15462
// SetTagValue points TagValue at a copy of v and returns s so calls can be
// chained.
func (s *Tag) SetTagValue(v string) *Tag {
	value := v
	s.TagValue = &value
	return s
}
15468
// TagException reports that the request was rejected because one or more tags
// are not valid.
type TagException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` // excluded from JSON and XML encoding by its tags

	// Message_ holds the text returned by Message; it is mapped to the
	// "message" location name.
	Message_ *string `locationName:"message" type:"string"`
}
15476
// String returns the awsutil.Prettify rendering of s.
func (s TagException) String() string {
	rendered := awsutil.Prettify(s)
	return rendered
}
15481
// GoString returns the same text as String, so the %#v verb prints the
// prettified form.
func (s TagException) GoString() string {
	text := s.String()
	return text
}
15486
// newErrorTagException returns a *TagException whose RespMetadata is v. The
// message field is left unset.
func newErrorTagException(v protocol.ResponseMetadata) error {
	exc := &TagException{}
	exc.RespMetadata = v
	return exc
}
15492
// Code returns the exception type name, the fixed string "TagException".
func (s *TagException) Code() string {
	const name = "TagException"
	return name
}
15497
// Message returns the exception's message, or the empty string when no
// message was set.
func (s *TagException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}
15505
// OrigErr always returns nil; it exists to satisfy the awserr.Error interface.
func (s *TagException) OrigErr() error {
	var none error
	return none
}
15510
// Error returns Code and Message joined as "code: message". The message text
// is included as-is.
func (s *TagException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}
15514
// StatusCode returns the StatusCode held in the exception's response metadata.
func (s *TagException) StatusCode() int {
	status := s.RespMetadata.StatusCode
	return status
}
15519
// RequestID returns the RequestID held in the exception's response metadata.
func (s *TagException) RequestID() string {
	id := s.RespMetadata.RequestID
	return id
}
15524
// TagResourceInput carries the parameters of a TagResource request.
type TagResourceInput struct {
	_ struct{} `type:"structure"`

	// Identifies a customer managed CMK in the account and Region.
	//
	// Specify the key ID or key ARN of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// One or more tags.
	//
	// Each tag consists of a tag key and a tag value. The tag value can be an empty
	// (null) string.
	//
	// You cannot have more than one tag on a CMK with the same tag key. If you
	// specify an existing tag key with a different tag value, AWS KMS replaces
	// the current tag value with the specified one.
	//
	// Tags is a required field
	Tags []*Tag `type:"list" required:"true"`
}
15555
// String returns the awsutil.Prettify rendering of s.
func (s TagResourceInput) String() string {
	rendered := awsutil.Prettify(s)
	return rendered
}
15560
// GoString returns the same text as String, so the %#v verb prints the
// prettified form.
func (s TagResourceInput) GoString() string {
	text := s.String()
	return text
}
15565
// Validate checks that KeyId is set and non-empty, that Tags is non-nil, and
// that every non-nil entry of Tags passes its own Validate.
//
// Nil entries in Tags are skipped rather than reported, and a non-nil but
// empty Tags slice passes. Duplicate tag keys are not detected here.
//
// It returns a request.ErrInvalidParams listing every violation (nested
// violations are keyed "Tags[i]"), or nil when there are none.
func (s *TagResourceInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "TagResourceInput"}

	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if s.Tags == nil {
		errs.Add(request.NewErrParamRequired("Tags"))
	}
	// Ranging over a nil slice runs zero iterations, so no separate guard is
	// needed for the nil case.
	for i, tag := range s.Tags {
		if tag == nil {
			continue
		}
		err := tag.Validate()
		if err == nil {
			continue
		}
		// The assertion relies on the element's Validate returning
		// request.ErrInvalidParams for every non-nil error.
		errs.AddNested(fmt.Sprintf("%s[%v]", "Tags", i), err.(request.ErrInvalidParams))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}
15594
// SetKeyId points KeyId at a copy of v and returns s so calls can be chained.
func (s *TagResourceInput) SetKeyId(v string) *TagResourceInput {
	keyID := v
	s.KeyId = &keyID
	return s
}
15600
// SetTags stores the slice v in Tags without copying it and returns s so calls
// can be chained.
func (s *TagResourceInput) SetTags(v []*Tag) *TagResourceInput {
	tags := v
	s.Tags = tags
	return s
}
15606
// TagResourceOutput is the response type paired with TagResourceInput. It
// declares no data fields.
type TagResourceOutput struct {
	_ struct{} `type:"structure"`
}
15610
// String returns the awsutil.Prettify rendering of s.
func (s TagResourceOutput) String() string {
	rendered := awsutil.Prettify(s)
	return rendered
}
15615
// GoString returns the same text as String, so the %#v verb prints the
// prettified form.
func (s TagResourceOutput) GoString() string {
	text := s.String()
	return text
}
15620
// UnsupportedOperationException reports that the request was rejected because
// a specified parameter is not supported or a specified resource is not valid
// for this operation.
type UnsupportedOperationException struct {
	_            struct{}                  `type:"structure"`
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` // excluded from JSON and XML encoding by its tags

	// Message_ holds the text returned by Message; it is mapped to the
	// "message" location name.
	Message_ *string `locationName:"message" type:"string"`
}
15629
// String returns the awsutil.Prettify rendering of s.
func (s UnsupportedOperationException) String() string {
	rendered := awsutil.Prettify(s)
	return rendered
}
15634
// GoString returns the same text as String, so the %#v verb prints the
// prettified form.
func (s UnsupportedOperationException) GoString() string {
	text := s.String()
	return text
}
15639
// newErrorUnsupportedOperationException returns a
// *UnsupportedOperationException whose RespMetadata is v. The message field is
// left unset.
func newErrorUnsupportedOperationException(v protocol.ResponseMetadata) error {
	exc := &UnsupportedOperationException{}
	exc.RespMetadata = v
	return exc
}
15645
// Code returns the exception type name, the fixed string
// "UnsupportedOperationException".
func (s *UnsupportedOperationException) Code() string {
	const name = "UnsupportedOperationException"
	return name
}
15650
// Message returns the exception's message, or the empty string when no
// message was set.
func (s *UnsupportedOperationException) Message() string {
	if s.Message_ == nil {
		return ""
	}
	return *s.Message_
}
15658
// OrigErr always returns nil; it exists to satisfy the awserr.Error interface.
func (s *UnsupportedOperationException) OrigErr() error {
	var none error
	return none
}
15663
// Error returns Code and Message joined as "code: message". The message text
// is included as-is.
func (s *UnsupportedOperationException) Error() string {
	code, msg := s.Code(), s.Message()
	return fmt.Sprintf("%s: %s", code, msg)
}
15667
// StatusCode returns the StatusCode held in the exception's response metadata.
func (s *UnsupportedOperationException) StatusCode() int {
	status := s.RespMetadata.StatusCode
	return status
}
15672
// RequestID returns the RequestID held in the exception's response metadata.
func (s *UnsupportedOperationException) RequestID() string {
	id := s.RespMetadata.RequestID
	return id
}
15677
// UntagResourceInput carries the parameters of an UntagResource request.
type UntagResourceInput struct {
	_ struct{} `type:"structure"`

	// Identifies the CMK from which you are removing tags.
	//
	// Specify the key ID or key ARN of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// One or more tag keys. Specify only the tag keys, not the tag values.
	//
	// TagKeys is a required field
	TagKeys []*string `type:"list" required:"true"`
}
15701
// String returns the awsutil.Prettify rendering of s.
func (s UntagResourceInput) String() string {
	rendered := awsutil.Prettify(s)
	return rendered
}
15706
// GoString returns the same text as String, so the %#v verb prints the
// prettified form.
func (s UntagResourceInput) GoString() string {
	text := s.String()
	return text
}
15711
// Validate checks that KeyId is set and non-empty and that TagKeys is non-nil.
// The individual entries of TagKeys are not inspected, and a non-nil but empty
// slice passes.
//
// It returns a request.ErrInvalidParams listing every violation, or nil when
// there are none.
func (s *UntagResourceInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "UntagResourceInput"}

	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if s.TagKeys == nil {
		errs.Add(request.NewErrParamRequired("TagKeys"))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}
15730
// SetKeyId points KeyId at a copy of v and returns s so calls can be chained.
func (s *UntagResourceInput) SetKeyId(v string) *UntagResourceInput {
	keyID := v
	s.KeyId = &keyID
	return s
}
15736
// SetTagKeys stores the slice v in TagKeys without copying it and returns s so
// calls can be chained.
func (s *UntagResourceInput) SetTagKeys(v []*string) *UntagResourceInput {
	keys := v
	s.TagKeys = keys
	return s
}
15742
// UntagResourceOutput is the response type paired with UntagResourceInput. It
// declares no data fields.
type UntagResourceOutput struct {
	_ struct{} `type:"structure"`
}
15746
// String returns the awsutil.Prettify rendering of s.
func (s UntagResourceOutput) String() string {
	rendered := awsutil.Prettify(s)
	return rendered
}
15751
// GoString returns the same text as String, so the %#v verb prints the
// prettified form.
func (s UntagResourceOutput) GoString() string {
	text := s.String()
	return text
}
15756
// UpdateAliasInput carries the parameters of an UpdateAlias request. Both
// fields are tagged required with a minimum length of 1.
type UpdateAliasInput struct {
	_ struct{} `type:"structure"`

	// Identifies the alias that is changing its CMK. This value must begin with
	// alias/ followed by the alias name, such as alias/ExampleAlias. You cannot
	// use UpdateAlias to change the alias name.
	//
	// AliasName is a required field
	AliasName *string `min:"1" type:"string" required:"true"`

	// Identifies the customer managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk)
	// to associate with the alias. You don't have permission to associate an alias
	// with an AWS managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk).
	//
	// The CMK must be in the same AWS account and Region as the alias. Also, the
	// new target CMK must be the same type as the current target CMK (both symmetric
	// or both asymmetric) and they must have the same key usage.
	//
	// Specify the key ID or key ARN of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// To verify that the alias is mapped to the correct CMK, use ListAliases.
	//
	// TargetKeyId is a required field
	TargetKeyId *string `min:"1" type:"string" required:"true"`
}
15790
// String returns the awsutil.Prettify rendering of s.
func (s UpdateAliasInput) String() string {
	rendered := awsutil.Prettify(s)
	return rendered
}
15795
// GoString returns the same text as String, so the %#v verb prints the
// prettified form.
func (s UpdateAliasInput) GoString() string {
	text := s.String()
	return text
}
15800
// Validate checks that AliasName and TargetKeyId are both set and non-empty.
//
// The "alias/" prefix described on AliasName is not checked here, nor is the
// form of TargetKeyId; these are local presence and length checks only.
//
// It returns a request.ErrInvalidParams listing every violation, or nil when
// there are none.
func (s *UpdateAliasInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "UpdateAliasInput"}

	switch {
	case s.AliasName == nil:
		errs.Add(request.NewErrParamRequired("AliasName"))
	case len(*s.AliasName) < 1:
		errs.Add(request.NewErrParamMinLen("AliasName", 1))
	}

	switch {
	case s.TargetKeyId == nil:
		errs.Add(request.NewErrParamRequired("TargetKeyId"))
	case len(*s.TargetKeyId) < 1:
		errs.Add(request.NewErrParamMinLen("TargetKeyId", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}
15822
// SetAliasName points AliasName at a copy of v and returns s so calls can be
// chained.
func (s *UpdateAliasInput) SetAliasName(v string) *UpdateAliasInput {
	alias := v
	s.AliasName = &alias
	return s
}
15828
// SetTargetKeyId points TargetKeyId at a copy of v and returns s so calls can
// be chained.
func (s *UpdateAliasInput) SetTargetKeyId(v string) *UpdateAliasInput {
	target := v
	s.TargetKeyId = &target
	return s
}
15834
// UpdateAliasOutput is the response type paired with UpdateAliasInput. It
// declares no data fields.
type UpdateAliasOutput struct {
	_ struct{} `type:"structure"`
}
15838
// String returns the awsutil.Prettify rendering of s.
func (s UpdateAliasOutput) String() string {
	rendered := awsutil.Prettify(s)
	return rendered
}
15843
// GoString returns the same text as String, so the %#v verb prints the
// prettified form.
func (s UpdateAliasOutput) GoString() string {
	text := s.String()
	return text
}
15848
// UpdateCustomKeyStoreInput carries the parameters of an UpdateCustomKeyStore
// request. Only CustomKeyStoreId is tagged required.
type UpdateCustomKeyStoreInput struct {
	_ struct{} `type:"structure"`

	// Associates the custom key store with a related AWS CloudHSM cluster.
	//
	// Enter the cluster ID of the cluster that you used to create the custom key
	// store or a cluster that shares a backup history and has the same cluster
	// certificate as the original cluster. You cannot use this parameter to associate
	// a custom key store with an unrelated cluster. In addition, the replacement
	// cluster must fulfill the requirements (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore)
	// for a cluster associated with a custom key store. To view the cluster certificate
	// of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
	// operation.
	CloudHsmClusterId *string `min:"19" type:"string"`

	// Identifies the custom key store that you want to update. Enter the ID of
	// the custom key store. To find the ID of a custom key store, use the DescribeCustomKeyStores
	// operation.
	//
	// CustomKeyStoreId is a required field
	CustomKeyStoreId *string `min:"1" type:"string" required:"true"`

	// Enter the current password of the kmsuser crypto user (CU) in the AWS CloudHSM
	// cluster that is associated with the custom key store.
	//
	// This parameter tells AWS KMS the current password of the kmsuser crypto user
	// (CU). It does not set or change the password of any users in the AWS CloudHSM
	// cluster.
	//
	// NOTE(review): the field is tagged sensitive:"true"; presumably
	// awsutil.Prettify uses that tag to keep the password out of String()
	// output -- confirm against the awsutil version in use. The value is an
	// ordinary Go string held in memory for the lifetime of the struct.
	KeyStorePassword *string `min:"7" type:"string" sensitive:"true"`

	// Changes the friendly name of the custom key store to the value that you specify.
	// The custom key store name must be unique in the AWS account.
	NewCustomKeyStoreName *string `min:"1" type:"string"`
}
15883
// String renders the value as text by delegating to awsutil.Prettify.
//
// NOTE(review): the struct carries KeyStorePassword, tagged sensitive:"true".
// Whether awsutil.Prettify redacts tagged fields cannot be told from this
// file; confirm it before printing or logging the result.
func (s UpdateCustomKeyStoreInput) String() string {
	text := awsutil.Prettify(s)
	return text
}
15888
// GoString returns exactly what String returns, so the same care about the
// sensitive KeyStorePassword field applies to %#v formatting.
func (s UpdateCustomKeyStoreInput) GoString() string {
	repr := s.String()
	return repr
}
15893
// Validate checks the required field and the minimum lengths declared in the
// struct tags. It returns a request.ErrInvalidParams listing every violation
// found, or nil when there is none.
//
// The checks are structural only: a KeyStorePassword of seven or more bytes
// passes here whether or not it is the correct password.
func (s *UpdateCustomKeyStoreInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "UpdateCustomKeyStoreInput"}

	if id := s.CloudHsmClusterId; id != nil && len(*id) < 19 {
		errs.Add(request.NewErrParamMinLen("CloudHsmClusterId", 19))
	}

	// Required field: report either "missing" or "too short", never both.
	switch {
	case s.CustomKeyStoreId == nil:
		errs.Add(request.NewErrParamRequired("CustomKeyStoreId"))
	case len(*s.CustomKeyStoreId) < 1:
		errs.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1))
	}

	if pw := s.KeyStorePassword; pw != nil && len(*pw) < 7 {
		errs.Add(request.NewErrParamMinLen("KeyStorePassword", 7))
	}
	if name := s.NewCustomKeyStoreName; name != nil && len(*name) < 1 {
		errs.Add(request.NewErrParamMinLen("NewCustomKeyStoreName", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}
15918
// SetCloudHsmClusterId points the CloudHsmClusterId field at a copy of v and
// returns the receiver so that setter calls can be chained.
func (s *UpdateCustomKeyStoreInput) SetCloudHsmClusterId(v string) *UpdateCustomKeyStoreInput {
	clusterID := v
	s.CloudHsmClusterId = &clusterID
	return s
}
15924
// SetCustomKeyStoreId points the CustomKeyStoreId field at a copy of v and
// returns the receiver so that setter calls can be chained.
func (s *UpdateCustomKeyStoreInput) SetCustomKeyStoreId(v string) *UpdateCustomKeyStoreInput {
	storeID := v
	s.CustomKeyStoreId = &storeID
	return s
}
15930
// SetKeyStorePassword points the KeyStorePassword field at a copy of v and
// returns the receiver so that setter calls can be chained.
//
// The password is kept as an ordinary Go string; nothing in this method
// clears or protects it after use.
func (s *UpdateCustomKeyStoreInput) SetKeyStorePassword(v string) *UpdateCustomKeyStoreInput {
	password := v
	s.KeyStorePassword = &password
	return s
}
15936
// SetNewCustomKeyStoreName points the NewCustomKeyStoreName field at a copy
// of v and returns the receiver so that setter calls can be chained.
func (s *UpdateCustomKeyStoreInput) SetNewCustomKeyStoreName(v string) *UpdateCustomKeyStoreInput {
	storeName := v
	s.NewCustomKeyStoreName = &storeName
	return s
}
15942
// UpdateCustomKeyStoreOutput declares no data fields; its only member is the
// blank marker field that carries the type:"structure" tag.
type UpdateCustomKeyStoreOutput struct {
	_ struct{} `type:"structure"`
}
15946
// String renders the value as text by delegating to awsutil.Prettify.
func (s UpdateCustomKeyStoreOutput) String() string {
	text := awsutil.Prettify(s)
	return text
}
15951
// GoString returns exactly what String returns.
func (s UpdateCustomKeyStoreOutput) GoString() string {
	repr := s.String()
	return repr
}
15956
// UpdateKeyDescriptionInput holds the parameters for replacing the description
// of a customer master key (CMK). Both fields are required.
type UpdateKeyDescriptionInput struct {
	_ struct{} `type:"structure"`

	// New description for the CMK.
	//
	// Description is a required field
	Description *string `type:"string" required:"true"`

	// Identifies the customer master key (CMK) whose description is updated.
	//
	// Specify the key ID or key ARN of the CMK.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`
}
15980
// String renders the value as text by delegating to awsutil.Prettify.
func (s UpdateKeyDescriptionInput) String() string {
	text := awsutil.Prettify(s)
	return text
}
15985
// GoString returns exactly what String returns.
func (s UpdateKeyDescriptionInput) GoString() string {
	repr := s.String()
	return repr
}
15990
// Validate checks that Description and KeyId are set and that KeyId is not
// empty. It returns a request.ErrInvalidParams listing every violation found,
// or nil when there is none. An empty Description is accepted because the
// field declares no minimum length.
func (s *UpdateKeyDescriptionInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "UpdateKeyDescriptionInput"}

	if s.Description == nil {
		errs.Add(request.NewErrParamRequired("Description"))
	}

	// Required field: report either "missing" or "too short", never both.
	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}
16009
// SetDescription points the Description field at a copy of v and returns the
// receiver so that setter calls can be chained.
func (s *UpdateKeyDescriptionInput) SetDescription(v string) *UpdateKeyDescriptionInput {
	desc := v
	s.Description = &desc
	return s
}
16015
// SetKeyId points the KeyId field at a copy of v and returns the receiver so
// that setter calls can be chained.
func (s *UpdateKeyDescriptionInput) SetKeyId(v string) *UpdateKeyDescriptionInput {
	keyID := v
	s.KeyId = &keyID
	return s
}
16021
// UpdateKeyDescriptionOutput declares no data fields; its only member is the
// blank marker field that carries the type:"structure" tag.
type UpdateKeyDescriptionOutput struct {
	_ struct{} `type:"structure"`
}
16025
// String renders the value as text by delegating to awsutil.Prettify.
func (s UpdateKeyDescriptionOutput) String() string {
	text := awsutil.Prettify(s)
	return text
}
16030
// GoString returns exactly what String returns.
func (s UpdateKeyDescriptionOutput) GoString() string {
	repr := s.String()
	return repr
}
16035
// UpdatePrimaryRegionInput holds the parameters for moving the primary role of
// a multi-Region key to another Region. Both fields are required.
type UpdatePrimaryRegionInput struct {
	_ struct{} `type:"structure"`

	// Identifies the current primary key. When the operation completes, this CMK
	// will be a replica key.
	//
	// Specify the key ID or key ARN of a multi-Region primary key.
	//
	// For example:
	//
	//    * Key ID: mrk-1234abcd12ab34cd56ef1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// The AWS Region of the new primary key. Enter the Region ID, such as us-east-1
	// or ap-southeast-2. There must be an existing replica key in this Region.
	//
	// When the operation completes, the multi-Region key in this Region will be
	// the primary key.
	//
	// PrimaryRegion is a required field
	PrimaryRegion *string `min:"1" type:"string" required:"true"`
}
16064
// String renders the value as text by delegating to awsutil.Prettify.
func (s UpdatePrimaryRegionInput) String() string {
	text := awsutil.Prettify(s)
	return text
}
16069
// GoString returns exactly what String returns.
func (s UpdatePrimaryRegionInput) GoString() string {
	repr := s.String()
	return repr
}
16074
// Validate checks that KeyId and PrimaryRegion are set and not empty. It
// returns a request.ErrInvalidParams listing every violation found, or nil
// when there is none. The Region string is not compared against any list of
// Region IDs here.
func (s *UpdatePrimaryRegionInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "UpdatePrimaryRegionInput"}

	// Each required field reports either "missing" or "too short", never both.
	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	switch {
	case s.PrimaryRegion == nil:
		errs.Add(request.NewErrParamRequired("PrimaryRegion"))
	case len(*s.PrimaryRegion) < 1:
		errs.Add(request.NewErrParamMinLen("PrimaryRegion", 1))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}
16096
// SetKeyId points the KeyId field at a copy of v and returns the receiver so
// that setter calls can be chained.
func (s *UpdatePrimaryRegionInput) SetKeyId(v string) *UpdatePrimaryRegionInput {
	keyID := v
	s.KeyId = &keyID
	return s
}
16102
// SetPrimaryRegion points the PrimaryRegion field at a copy of v and returns
// the receiver so that setter calls can be chained.
func (s *UpdatePrimaryRegionInput) SetPrimaryRegion(v string) *UpdatePrimaryRegionInput {
	region := v
	s.PrimaryRegion = &region
	return s
}
16108
// UpdatePrimaryRegionOutput declares no data fields; its only member is the
// blank marker field that carries the type:"structure" tag.
type UpdatePrimaryRegionOutput struct {
	_ struct{} `type:"structure"`
}
16112
// String renders the value as text by delegating to awsutil.Prettify.
func (s UpdatePrimaryRegionOutput) String() string {
	text := awsutil.Prettify(s)
	return text
}
16117
// GoString returns exactly what String returns.
func (s UpdatePrimaryRegionOutput) GoString() string {
	repr := s.String()
	return repr
}
16122
// VerifyInput holds the parameters for verifying a signature with an
// asymmetric CMK. KeyId, Message, Signature and SigningAlgorithm are
// required; GrantTokens and MessageType are optional.
type VerifyInput struct {
	_ struct{} `type:"structure"`

	// A list of grant tokens.
	//
	// Use a grant token when your permission to call this operation comes from
	// a new grant that has not yet achieved eventual consistency. For more information,
	// see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token)
	// in the AWS Key Management Service Developer Guide.
	GrantTokens []*string `type:"list"`

	// Identifies the asymmetric CMK that will be used to verify the signature.
	// This must be the same CMK that was used to generate the signature. If you
	// specify a different CMK, the signature verification fails.
	//
	// To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When
	// using an alias name, prefix it with "alias/". To specify a CMK in a different
	// AWS account, you must use the key ARN or alias ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Alias name: alias/ExampleAlias
	//
	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To
	// get the alias name and alias ARN, use ListAliases.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// Specifies the message that was signed. You can submit a raw message of up
	// to 4096 bytes, or a hash digest of the message. If you submit a digest, use
	// the MessageType parameter with a value of DIGEST.
	//
	// If the message specified here is different from the message that was signed,
	// the signature verification fails. A message and its hash digest are considered
	// to be the same message.
	//
	// Message is automatically base64 encoded/decoded by the SDK.
	//
	// NOTE(review): the field is tagged sensitive:"true". String and GoString pass
	// the whole struct to awsutil.Prettify; whether that helper honours the tag is
	// not visible in this file, so confirm it before logging a VerifyInput.
	//
	// Message is a required field
	Message []byte `min:"1" type:"blob" required:"true" sensitive:"true"`

	// Tells AWS KMS whether the value of the Message parameter is a message or
	// message digest. The default value, RAW, indicates a message. To indicate
	// a message digest, enter DIGEST.
	//
	// Use the DIGEST value only when the value of the Message parameter is a message
	// digest. If you use the DIGEST value with a raw message, the security of the
	// verification operation can be compromised.
	//
	// Validate does not check this field, so the choice between RAW and DIGEST
	// must be made by the calling code and never taken from untrusted input.
	MessageType *string `type:"string" enum:"MessageType"`

	// The signature that the Sign operation generated.
	//
	// Signature is automatically base64 encoded/decoded by the SDK.
	//
	// Signature is a required field
	Signature []byte `min:"1" type:"blob" required:"true"`

	// The signing algorithm that was used to sign the message. If you submit a
	// different algorithm, the signature verification fails.
	//
	// SigningAlgorithm is a required field
	SigningAlgorithm *string `type:"string" required:"true" enum:"SigningAlgorithmSpec"`
}
16193
// String renders the value as text by delegating to awsutil.Prettify.
//
// NOTE(review): the struct carries Message, tagged sensitive:"true". Whether
// awsutil.Prettify redacts tagged fields cannot be told from this file;
// confirm it before printing or logging the result.
func (s VerifyInput) String() string {
	text := awsutil.Prettify(s)
	return text
}
16198
// GoString returns exactly what String returns, so the same care about the
// sensitive Message field applies to %#v formatting.
func (s VerifyInput) GoString() string {
	repr := s.String()
	return repr
}
16203
// Validate checks that KeyId, Message, Signature and SigningAlgorithm are set
// and that the first three are not empty. It returns a
// request.ErrInvalidParams listing every violation found, or nil when there
// is none.
//
// Only presence and length are checked. MessageType is not inspected at all,
// and SigningAlgorithm is only tested for nil, so an unknown enum string is
// not rejected by this method.
func (s *VerifyInput) Validate() error {
	errs := request.ErrInvalidParams{Context: "VerifyInput"}

	// Each required field reports either "missing" or "too short", never both.
	switch {
	case s.KeyId == nil:
		errs.Add(request.NewErrParamRequired("KeyId"))
	case len(*s.KeyId) < 1:
		errs.Add(request.NewErrParamMinLen("KeyId", 1))
	}

	switch {
	case s.Message == nil:
		errs.Add(request.NewErrParamRequired("Message"))
	case len(s.Message) < 1:
		errs.Add(request.NewErrParamMinLen("Message", 1))
	}

	switch {
	case s.Signature == nil:
		errs.Add(request.NewErrParamRequired("Signature"))
	case len(s.Signature) < 1:
		errs.Add(request.NewErrParamMinLen("Signature", 1))
	}

	if s.SigningAlgorithm == nil {
		errs.Add(request.NewErrParamRequired("SigningAlgorithm"))
	}

	if errs.Len() == 0 {
		return nil
	}
	return errs
}
16234
// SetGrantTokens stores v in the GrantTokens field and returns the receiver
// so that setter calls can be chained. The slice is stored as passed, not
// copied, so it still shares its elements with the caller's slice.
func (s *VerifyInput) SetGrantTokens(v []*string) *VerifyInput {
	tokens := v
	s.GrantTokens = tokens
	return s
}
16240
// SetKeyId points the KeyId field at a copy of v and returns the receiver so
// that setter calls can be chained.
func (s *VerifyInput) SetKeyId(v string) *VerifyInput {
	keyID := v
	s.KeyId = &keyID
	return s
}
16246
// SetMessage stores v in the Message field and returns the receiver so that
// setter calls can be chained. The byte slice is stored as passed, not
// copied, so a later write to the caller's buffer changes what is verified.
func (s *VerifyInput) SetMessage(v []byte) *VerifyInput {
	msg := v
	s.Message = msg
	return s
}
16252
// SetMessageType points the MessageType field at a copy of v and returns the
// receiver so that setter calls can be chained. The string is stored without
// being compared against the MessageType enum values.
func (s *VerifyInput) SetMessageType(v string) *VerifyInput {
	msgType := v
	s.MessageType = &msgType
	return s
}
16258
// SetSignature stores v in the Signature field and returns the receiver so
// that setter calls can be chained. The byte slice is stored as passed, not
// copied.
func (s *VerifyInput) SetSignature(v []byte) *VerifyInput {
	sig := v
	s.Signature = sig
	return s
}
16264
// SetSigningAlgorithm points the SigningAlgorithm field at a copy of v and
// returns the receiver so that setter calls can be chained. The string is
// stored without being compared against the SigningAlgorithmSpec enum values.
func (s *VerifyInput) SetSigningAlgorithm(v string) *VerifyInput {
	alg := v
	s.SigningAlgorithm = &alg
	return s
}
16270
// VerifyOutput holds the result fields of a signature verification: the key
// that was used, the verification result and the signing algorithm.
type VerifyOutput struct {
	_ struct{} `type:"structure"`

	// The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN))
	// of the asymmetric CMK that was used to verify the signature.
	KeyId *string `min:"1" type:"string"`

	// A Boolean value that indicates whether the signature was verified. A value
	// of True indicates that the Signature was produced by signing the Message
	// with the specified KeyID and SigningAlgorithm. If the signature is not verified,
	// the Verify operation fails with a KMSInvalidSignatureException exception.
	//
	// NOTE(review): the field is a *bool, so it can be nil. Check the error
	// returned by the call first, and accept a signature only when this pointer
	// is non-nil and true; a nil or absent value must not be read as success.
	SignatureValid *bool `type:"boolean"`

	// The signing algorithm that was used to verify the signature.
	SigningAlgorithm *string `type:"string" enum:"SigningAlgorithmSpec"`
}
16287
// String renders the value as text by delegating to awsutil.Prettify.
func (s VerifyOutput) String() string {
	text := awsutil.Prettify(s)
	return text
}
16292
// GoString returns exactly what String returns.
func (s VerifyOutput) GoString() string {
	repr := s.String()
	return repr
}
16297
// SetKeyId points the KeyId field at a copy of v and returns the receiver so
// that setter calls can be chained.
func (s *VerifyOutput) SetKeyId(v string) *VerifyOutput {
	keyID := v
	s.KeyId = &keyID
	return s
}
16303
// SetSignatureValid points the SignatureValid field at a copy of v and
// returns the receiver so that setter calls can be chained.
func (s *VerifyOutput) SetSignatureValid(v bool) *VerifyOutput {
	valid := v
	s.SignatureValid = &valid
	return s
}
16309
// SetSigningAlgorithm points the SigningAlgorithm field at a copy of v and
// returns the receiver so that setter calls can be chained.
func (s *VerifyOutput) SetSigningAlgorithm(v string) *VerifyOutput {
	alg := v
	s.SigningAlgorithm = &alg
	return s
}
16315
// String values of the AlgorithmSpec enum.
//
// NOTE(review): RSAES_PKCS1_V1_5 is the older PKCS #1 v1.5 encryption padding
// and RSAES_OAEP_SHA_1 relies on SHA-1; where the caller has a free choice,
// RSAES_OAEP_SHA_256 is the conservative pick. Confirm against current KMS
// guidance.
const (
	// AlgorithmSpecRsaesPkcs1V15 is the "RSAES_PKCS1_V1_5" member of AlgorithmSpec.
	AlgorithmSpecRsaesPkcs1V15 = "RSAES_PKCS1_V1_5"

	// AlgorithmSpecRsaesOaepSha1 is the "RSAES_OAEP_SHA_1" member of AlgorithmSpec.
	AlgorithmSpecRsaesOaepSha1 = "RSAES_OAEP_SHA_1"

	// AlgorithmSpecRsaesOaepSha256 is the "RSAES_OAEP_SHA_256" member of AlgorithmSpec.
	AlgorithmSpecRsaesOaepSha256 = "RSAES_OAEP_SHA_256"
)

// AlgorithmSpec_Values lists every AlgorithmSpec constant in declaration
// order. Each call returns a new slice.
func AlgorithmSpec_Values() []string {
	values := [...]string{
		AlgorithmSpecRsaesPkcs1V15,
		AlgorithmSpecRsaesOaepSha1,
		AlgorithmSpecRsaesOaepSha256,
	}
	return values[:]
}
16335
// String values of the ConnectionErrorCodeType enum.
const (
	// ConnectionErrorCodeTypeInvalidCredentials is the "INVALID_CREDENTIALS" member of ConnectionErrorCodeType.
	ConnectionErrorCodeTypeInvalidCredentials = "INVALID_CREDENTIALS"

	// ConnectionErrorCodeTypeClusterNotFound is the "CLUSTER_NOT_FOUND" member of ConnectionErrorCodeType.
	ConnectionErrorCodeTypeClusterNotFound = "CLUSTER_NOT_FOUND"

	// ConnectionErrorCodeTypeNetworkErrors is the "NETWORK_ERRORS" member of ConnectionErrorCodeType.
	ConnectionErrorCodeTypeNetworkErrors = "NETWORK_ERRORS"

	// ConnectionErrorCodeTypeInternalError is the "INTERNAL_ERROR" member of ConnectionErrorCodeType.
	ConnectionErrorCodeTypeInternalError = "INTERNAL_ERROR"

	// ConnectionErrorCodeTypeInsufficientCloudhsmHsms is the "INSUFFICIENT_CLOUDHSM_HSMS" member of ConnectionErrorCodeType.
	ConnectionErrorCodeTypeInsufficientCloudhsmHsms = "INSUFFICIENT_CLOUDHSM_HSMS"

	// ConnectionErrorCodeTypeUserLockedOut is the "USER_LOCKED_OUT" member of ConnectionErrorCodeType.
	ConnectionErrorCodeTypeUserLockedOut = "USER_LOCKED_OUT"

	// ConnectionErrorCodeTypeUserNotFound is the "USER_NOT_FOUND" member of ConnectionErrorCodeType.
	ConnectionErrorCodeTypeUserNotFound = "USER_NOT_FOUND"

	// ConnectionErrorCodeTypeUserLoggedIn is the "USER_LOGGED_IN" member of ConnectionErrorCodeType.
	ConnectionErrorCodeTypeUserLoggedIn = "USER_LOGGED_IN"

	// ConnectionErrorCodeTypeSubnetNotFound is the "SUBNET_NOT_FOUND" member of ConnectionErrorCodeType.
	ConnectionErrorCodeTypeSubnetNotFound = "SUBNET_NOT_FOUND"
)

// ConnectionErrorCodeType_Values lists every ConnectionErrorCodeType constant
// in declaration order. Each call returns a new slice.
func ConnectionErrorCodeType_Values() []string {
	values := [...]string{
		ConnectionErrorCodeTypeInvalidCredentials,
		ConnectionErrorCodeTypeClusterNotFound,
		ConnectionErrorCodeTypeNetworkErrors,
		ConnectionErrorCodeTypeInternalError,
		ConnectionErrorCodeTypeInsufficientCloudhsmHsms,
		ConnectionErrorCodeTypeUserLockedOut,
		ConnectionErrorCodeTypeUserNotFound,
		ConnectionErrorCodeTypeUserLoggedIn,
		ConnectionErrorCodeTypeSubnetNotFound,
	}
	return values[:]
}
16379
// String values of the ConnectionStateType enum.
const (
	// ConnectionStateTypeConnected is the "CONNECTED" member of ConnectionStateType.
	ConnectionStateTypeConnected = "CONNECTED"

	// ConnectionStateTypeConnecting is the "CONNECTING" member of ConnectionStateType.
	ConnectionStateTypeConnecting = "CONNECTING"

	// ConnectionStateTypeFailed is the "FAILED" member of ConnectionStateType.
	ConnectionStateTypeFailed = "FAILED"

	// ConnectionStateTypeDisconnected is the "DISCONNECTED" member of ConnectionStateType.
	ConnectionStateTypeDisconnected = "DISCONNECTED"

	// ConnectionStateTypeDisconnecting is the "DISCONNECTING" member of ConnectionStateType.
	ConnectionStateTypeDisconnecting = "DISCONNECTING"
)

// ConnectionStateType_Values lists every ConnectionStateType constant in
// declaration order. Each call returns a new slice.
func ConnectionStateType_Values() []string {
	values := [...]string{
		ConnectionStateTypeConnected,
		ConnectionStateTypeConnecting,
		ConnectionStateTypeFailed,
		ConnectionStateTypeDisconnected,
		ConnectionStateTypeDisconnecting,
	}
	return values[:]
}
16407
// String values of the CustomerMasterKeySpec enum.
const (
	// CustomerMasterKeySpecRsa2048 is the "RSA_2048" member of CustomerMasterKeySpec.
	CustomerMasterKeySpecRsa2048 = "RSA_2048"

	// CustomerMasterKeySpecRsa3072 is the "RSA_3072" member of CustomerMasterKeySpec.
	CustomerMasterKeySpecRsa3072 = "RSA_3072"

	// CustomerMasterKeySpecRsa4096 is the "RSA_4096" member of CustomerMasterKeySpec.
	CustomerMasterKeySpecRsa4096 = "RSA_4096"

	// CustomerMasterKeySpecEccNistP256 is the "ECC_NIST_P256" member of CustomerMasterKeySpec.
	CustomerMasterKeySpecEccNistP256 = "ECC_NIST_P256"

	// CustomerMasterKeySpecEccNistP384 is the "ECC_NIST_P384" member of CustomerMasterKeySpec.
	CustomerMasterKeySpecEccNistP384 = "ECC_NIST_P384"

	// CustomerMasterKeySpecEccNistP521 is the "ECC_NIST_P521" member of CustomerMasterKeySpec.
	CustomerMasterKeySpecEccNistP521 = "ECC_NIST_P521"

	// CustomerMasterKeySpecEccSecgP256k1 is the "ECC_SECG_P256K1" member of CustomerMasterKeySpec.
	CustomerMasterKeySpecEccSecgP256k1 = "ECC_SECG_P256K1"

	// CustomerMasterKeySpecSymmetricDefault is the "SYMMETRIC_DEFAULT" member of CustomerMasterKeySpec.
	CustomerMasterKeySpecSymmetricDefault = "SYMMETRIC_DEFAULT"
)

// CustomerMasterKeySpec_Values lists every CustomerMasterKeySpec constant in
// declaration order. Each call returns a new slice.
func CustomerMasterKeySpec_Values() []string {
	values := [...]string{
		CustomerMasterKeySpecRsa2048,
		CustomerMasterKeySpecRsa3072,
		CustomerMasterKeySpecRsa4096,
		CustomerMasterKeySpecEccNistP256,
		CustomerMasterKeySpecEccNistP384,
		CustomerMasterKeySpecEccNistP521,
		CustomerMasterKeySpecEccSecgP256k1,
		CustomerMasterKeySpecSymmetricDefault,
	}
	return values[:]
}
16447
// String values of the DataKeyPairSpec enum.
const (
	// DataKeyPairSpecRsa2048 is the "RSA_2048" member of DataKeyPairSpec.
	DataKeyPairSpecRsa2048 = "RSA_2048"

	// DataKeyPairSpecRsa3072 is the "RSA_3072" member of DataKeyPairSpec.
	DataKeyPairSpecRsa3072 = "RSA_3072"

	// DataKeyPairSpecRsa4096 is the "RSA_4096" member of DataKeyPairSpec.
	DataKeyPairSpecRsa4096 = "RSA_4096"

	// DataKeyPairSpecEccNistP256 is the "ECC_NIST_P256" member of DataKeyPairSpec.
	DataKeyPairSpecEccNistP256 = "ECC_NIST_P256"

	// DataKeyPairSpecEccNistP384 is the "ECC_NIST_P384" member of DataKeyPairSpec.
	DataKeyPairSpecEccNistP384 = "ECC_NIST_P384"

	// DataKeyPairSpecEccNistP521 is the "ECC_NIST_P521" member of DataKeyPairSpec.
	DataKeyPairSpecEccNistP521 = "ECC_NIST_P521"

	// DataKeyPairSpecEccSecgP256k1 is the "ECC_SECG_P256K1" member of DataKeyPairSpec.
	DataKeyPairSpecEccSecgP256k1 = "ECC_SECG_P256K1"
)

// DataKeyPairSpec_Values lists every DataKeyPairSpec constant in declaration
// order. Each call returns a new slice.
func DataKeyPairSpec_Values() []string {
	values := [...]string{
		DataKeyPairSpecRsa2048,
		DataKeyPairSpecRsa3072,
		DataKeyPairSpecRsa4096,
		DataKeyPairSpecEccNistP256,
		DataKeyPairSpecEccNistP384,
		DataKeyPairSpecEccNistP521,
		DataKeyPairSpecEccSecgP256k1,
	}
	return values[:]
}
16483
// String values of the DataKeySpec enum.
const (
	// DataKeySpecAes256 is the "AES_256" member of DataKeySpec.
	DataKeySpecAes256 = "AES_256"

	// DataKeySpecAes128 is the "AES_128" member of DataKeySpec.
	DataKeySpecAes128 = "AES_128"
)

// DataKeySpec_Values lists every DataKeySpec constant in declaration order.
// Each call returns a new slice.
func DataKeySpec_Values() []string {
	values := [...]string{
		DataKeySpecAes256,
		DataKeySpecAes128,
	}
	return values[:]
}
16499
// String values of the EncryptionAlgorithmSpec enum.
const (
	// EncryptionAlgorithmSpecSymmetricDefault is the "SYMMETRIC_DEFAULT" member of EncryptionAlgorithmSpec.
	EncryptionAlgorithmSpecSymmetricDefault = "SYMMETRIC_DEFAULT"

	// EncryptionAlgorithmSpecRsaesOaepSha1 is the "RSAES_OAEP_SHA_1" member of EncryptionAlgorithmSpec.
	EncryptionAlgorithmSpecRsaesOaepSha1 = "RSAES_OAEP_SHA_1"

	// EncryptionAlgorithmSpecRsaesOaepSha256 is the "RSAES_OAEP_SHA_256" member of EncryptionAlgorithmSpec.
	EncryptionAlgorithmSpecRsaesOaepSha256 = "RSAES_OAEP_SHA_256"
)

// EncryptionAlgorithmSpec_Values lists every EncryptionAlgorithmSpec constant
// in declaration order. Each call returns a new slice.
func EncryptionAlgorithmSpec_Values() []string {
	values := [...]string{
		EncryptionAlgorithmSpecSymmetricDefault,
		EncryptionAlgorithmSpecRsaesOaepSha1,
		EncryptionAlgorithmSpecRsaesOaepSha256,
	}
	return values[:]
}
16519
// String values of the ExpirationModelType enum.
const (
	// ExpirationModelTypeKeyMaterialExpires is the "KEY_MATERIAL_EXPIRES" member of ExpirationModelType.
	ExpirationModelTypeKeyMaterialExpires = "KEY_MATERIAL_EXPIRES"

	// ExpirationModelTypeKeyMaterialDoesNotExpire is the "KEY_MATERIAL_DOES_NOT_EXPIRE" member of ExpirationModelType.
	ExpirationModelTypeKeyMaterialDoesNotExpire = "KEY_MATERIAL_DOES_NOT_EXPIRE"
)

// ExpirationModelType_Values lists every ExpirationModelType constant in
// declaration order. Each call returns a new slice.
func ExpirationModelType_Values() []string {
	values := [...]string{
		ExpirationModelTypeKeyMaterialExpires,
		ExpirationModelTypeKeyMaterialDoesNotExpire,
	}
	return values[:]
}
16535
// String values of the GrantOperation enum.
//
// NOTE(review): the list includes CreateGrant and RetireGrant next to the
// cryptographic operations. When building a grant, list only the operations
// the grantee needs rather than passing GrantOperation_Values() wholesale.
const (
	// GrantOperationDecrypt is the "Decrypt" member of GrantOperation.
	GrantOperationDecrypt = "Decrypt"

	// GrantOperationEncrypt is the "Encrypt" member of GrantOperation.
	GrantOperationEncrypt = "Encrypt"

	// GrantOperationGenerateDataKey is the "GenerateDataKey" member of GrantOperation.
	GrantOperationGenerateDataKey = "GenerateDataKey"

	// GrantOperationGenerateDataKeyWithoutPlaintext is the "GenerateDataKeyWithoutPlaintext" member of GrantOperation.
	GrantOperationGenerateDataKeyWithoutPlaintext = "GenerateDataKeyWithoutPlaintext"

	// GrantOperationReEncryptFrom is the "ReEncryptFrom" member of GrantOperation.
	GrantOperationReEncryptFrom = "ReEncryptFrom"

	// GrantOperationReEncryptTo is the "ReEncryptTo" member of GrantOperation.
	GrantOperationReEncryptTo = "ReEncryptTo"

	// GrantOperationSign is the "Sign" member of GrantOperation.
	GrantOperationSign = "Sign"

	// GrantOperationVerify is the "Verify" member of GrantOperation.
	GrantOperationVerify = "Verify"

	// GrantOperationGetPublicKey is the "GetPublicKey" member of GrantOperation.
	GrantOperationGetPublicKey = "GetPublicKey"

	// GrantOperationCreateGrant is the "CreateGrant" member of GrantOperation.
	GrantOperationCreateGrant = "CreateGrant"

	// GrantOperationRetireGrant is the "RetireGrant" member of GrantOperation.
	GrantOperationRetireGrant = "RetireGrant"

	// GrantOperationDescribeKey is the "DescribeKey" member of GrantOperation.
	GrantOperationDescribeKey = "DescribeKey"

	// GrantOperationGenerateDataKeyPair is the "GenerateDataKeyPair" member of GrantOperation.
	GrantOperationGenerateDataKeyPair = "GenerateDataKeyPair"

	// GrantOperationGenerateDataKeyPairWithoutPlaintext is the "GenerateDataKeyPairWithoutPlaintext" member of GrantOperation.
	GrantOperationGenerateDataKeyPairWithoutPlaintext = "GenerateDataKeyPairWithoutPlaintext"
)

// GrantOperation_Values lists every GrantOperation constant in declaration
// order. Each call returns a new slice.
func GrantOperation_Values() []string {
	values := [...]string{
		GrantOperationDecrypt,
		GrantOperationEncrypt,
		GrantOperationGenerateDataKey,
		GrantOperationGenerateDataKeyWithoutPlaintext,
		GrantOperationReEncryptFrom,
		GrantOperationReEncryptTo,
		GrantOperationSign,
		GrantOperationVerify,
		GrantOperationGetPublicKey,
		GrantOperationCreateGrant,
		GrantOperationRetireGrant,
		GrantOperationDescribeKey,
		GrantOperationGenerateDataKeyPair,
		GrantOperationGenerateDataKeyPairWithoutPlaintext,
	}
	return values[:]
}
16599
// String values of the KeyManagerType enum.
const (
	// KeyManagerTypeAws is the "AWS" member of KeyManagerType.
	KeyManagerTypeAws = "AWS"

	// KeyManagerTypeCustomer is the "CUSTOMER" member of KeyManagerType.
	KeyManagerTypeCustomer = "CUSTOMER"
)

// KeyManagerType_Values lists every KeyManagerType constant in declaration
// order. Each call returns a new slice.
func KeyManagerType_Values() []string {
	values := [...]string{
		KeyManagerTypeAws,
		KeyManagerTypeCustomer,
	}
	return values[:]
}
16615
// String values of the KeyState enum.
const (
	// KeyStateCreating is the "Creating" member of KeyState.
	KeyStateCreating = "Creating"

	// KeyStateEnabled is the "Enabled" member of KeyState.
	KeyStateEnabled = "Enabled"

	// KeyStateDisabled is the "Disabled" member of KeyState.
	KeyStateDisabled = "Disabled"

	// KeyStatePendingDeletion is the "PendingDeletion" member of KeyState.
	KeyStatePendingDeletion = "PendingDeletion"

	// KeyStatePendingImport is the "PendingImport" member of KeyState.
	KeyStatePendingImport = "PendingImport"

	// KeyStatePendingReplicaDeletion is the "PendingReplicaDeletion" member of KeyState.
	KeyStatePendingReplicaDeletion = "PendingReplicaDeletion"

	// KeyStateUnavailable is the "Unavailable" member of KeyState.
	KeyStateUnavailable = "Unavailable"

	// KeyStateUpdating is the "Updating" member of KeyState.
	KeyStateUpdating = "Updating"
)

// KeyState_Values lists every KeyState constant in declaration order. Each
// call returns a new slice.
func KeyState_Values() []string {
	values := [...]string{
		KeyStateCreating,
		KeyStateEnabled,
		KeyStateDisabled,
		KeyStatePendingDeletion,
		KeyStatePendingImport,
		KeyStatePendingReplicaDeletion,
		KeyStateUnavailable,
		KeyStateUpdating,
	}
	return values[:]
}
16655
// String values of the KeyUsageType enum.
const (
	// KeyUsageTypeSignVerify is the "SIGN_VERIFY" member of KeyUsageType.
	KeyUsageTypeSignVerify = "SIGN_VERIFY"

	// KeyUsageTypeEncryptDecrypt is the "ENCRYPT_DECRYPT" member of KeyUsageType.
	KeyUsageTypeEncryptDecrypt = "ENCRYPT_DECRYPT"
)

// KeyUsageType_Values lists every KeyUsageType constant in declaration order.
// Each call returns a new slice.
func KeyUsageType_Values() []string {
	values := [...]string{
		KeyUsageTypeSignVerify,
		KeyUsageTypeEncryptDecrypt,
	}
	return values[:]
}
16671
// String values of the MessageType enum.
//
// The KMS API documentation for the MessageType parameter states that DIGEST
// must be used only when the message really is a digest; pairing DIGEST with
// a raw message can compromise the security of the verification operation.
const (
	// MessageTypeRaw is the "RAW" member of MessageType.
	MessageTypeRaw = "RAW"

	// MessageTypeDigest is the "DIGEST" member of MessageType.
	MessageTypeDigest = "DIGEST"
)

// MessageType_Values lists every MessageType constant in declaration order.
// Each call returns a new slice.
func MessageType_Values() []string {
	values := [...]string{
		MessageTypeRaw,
		MessageTypeDigest,
	}
	return values[:]
}
16687
// String values of the MultiRegionKeyType enum.
const (
	// MultiRegionKeyTypePrimary is the "PRIMARY" member of MultiRegionKeyType.
	MultiRegionKeyTypePrimary = "PRIMARY"

	// MultiRegionKeyTypeReplica is the "REPLICA" member of MultiRegionKeyType.
	MultiRegionKeyTypeReplica = "REPLICA"
)

// MultiRegionKeyType_Values lists every MultiRegionKeyType constant in
// declaration order. Each call returns a new slice.
func MultiRegionKeyType_Values() []string {
	values := [...]string{
		MultiRegionKeyTypePrimary,
		MultiRegionKeyTypeReplica,
	}
	return values[:]
}
16703
// String values of the OriginType enum.
const (
	// OriginTypeAwsKms is the "AWS_KMS" member of OriginType.
	OriginTypeAwsKms = "AWS_KMS"

	// OriginTypeExternal is the "EXTERNAL" member of OriginType.
	OriginTypeExternal = "EXTERNAL"

	// OriginTypeAwsCloudhsm is the "AWS_CLOUDHSM" member of OriginType.
	OriginTypeAwsCloudhsm = "AWS_CLOUDHSM"
)

// OriginType_Values lists every OriginType constant in declaration order.
// Each call returns a new slice.
func OriginType_Values() []string {
	values := [...]string{
		OriginTypeAwsKms,
		OriginTypeExternal,
		OriginTypeAwsCloudhsm,
	}
	return values[:]
}
16723
// String values of the SigningAlgorithmSpec enum.
const (
	// SigningAlgorithmSpecRsassaPssSha256 is the "RSASSA_PSS_SHA_256" member of SigningAlgorithmSpec.
	SigningAlgorithmSpecRsassaPssSha256 = "RSASSA_PSS_SHA_256"

	// SigningAlgorithmSpecRsassaPssSha384 is the "RSASSA_PSS_SHA_384" member of SigningAlgorithmSpec.
	SigningAlgorithmSpecRsassaPssSha384 = "RSASSA_PSS_SHA_384"

	// SigningAlgorithmSpecRsassaPssSha512 is the "RSASSA_PSS_SHA_512" member of SigningAlgorithmSpec.
	SigningAlgorithmSpecRsassaPssSha512 = "RSASSA_PSS_SHA_512"

	// SigningAlgorithmSpecRsassaPkcs1V15Sha256 is the "RSASSA_PKCS1_V1_5_SHA_256" member of SigningAlgorithmSpec.
	SigningAlgorithmSpecRsassaPkcs1V15Sha256 = "RSASSA_PKCS1_V1_5_SHA_256"

	// SigningAlgorithmSpecRsassaPkcs1V15Sha384 is the "RSASSA_PKCS1_V1_5_SHA_384" member of SigningAlgorithmSpec.
	SigningAlgorithmSpecRsassaPkcs1V15Sha384 = "RSASSA_PKCS1_V1_5_SHA_384"

	// SigningAlgorithmSpecRsassaPkcs1V15Sha512 is the "RSASSA_PKCS1_V1_5_SHA_512" member of SigningAlgorithmSpec.
	SigningAlgorithmSpecRsassaPkcs1V15Sha512 = "RSASSA_PKCS1_V1_5_SHA_512"

	// SigningAlgorithmSpecEcdsaSha256 is the "ECDSA_SHA_256" member of SigningAlgorithmSpec.
	SigningAlgorithmSpecEcdsaSha256 = "ECDSA_SHA_256"

	// SigningAlgorithmSpecEcdsaSha384 is the "ECDSA_SHA_384" member of SigningAlgorithmSpec.
	SigningAlgorithmSpecEcdsaSha384 = "ECDSA_SHA_384"

	// SigningAlgorithmSpecEcdsaSha512 is the "ECDSA_SHA_512" member of SigningAlgorithmSpec.
	SigningAlgorithmSpecEcdsaSha512 = "ECDSA_SHA_512"
)

// SigningAlgorithmSpec_Values lists every SigningAlgorithmSpec constant in
// declaration order. Each call returns a new slice.
func SigningAlgorithmSpec_Values() []string {
	values := [...]string{
		SigningAlgorithmSpecRsassaPssSha256,
		SigningAlgorithmSpecRsassaPssSha384,
		SigningAlgorithmSpecRsassaPssSha512,
		SigningAlgorithmSpecRsassaPkcs1V15Sha256,
		SigningAlgorithmSpecRsassaPkcs1V15Sha384,
		SigningAlgorithmSpecRsassaPkcs1V15Sha512,
		SigningAlgorithmSpecEcdsaSha256,
		SigningAlgorithmSpecEcdsaSha384,
		SigningAlgorithmSpecEcdsaSha512,
	}
	return values[:]
}
16767
// String values of the WrappingKeySpec enum.
const (
	// WrappingKeySpecRsa2048 is the "RSA_2048" member of WrappingKeySpec.
	WrappingKeySpecRsa2048 = "RSA_2048"
)

// WrappingKeySpec_Values lists every WrappingKeySpec constant. Each call
// returns a new slice.
func WrappingKeySpec_Values() []string {
	values := [...]string{
		WrappingKeySpecRsa2048,
	}
	return values[:]
}
16779