com.amazonaws.services.kms.AWSKMSClient Maven / Gradle / Ivy
Show all versions of aws-java-sdk-kms Show documentation
/*
* Copyright 2015-2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with
* the License. A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
* CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
* and limitations under the License.
*/
package com.amazonaws.services.kms;
import org.w3c.dom.*;
import java.net.*;
import java.util.*;
import javax.annotation.Generated;
import org.apache.commons.logging.*;
import com.amazonaws.*;
import com.amazonaws.annotation.SdkInternalApi;
import com.amazonaws.auth.*;
import com.amazonaws.handlers.*;
import com.amazonaws.http.*;
import com.amazonaws.internal.*;
import com.amazonaws.internal.auth.*;
import com.amazonaws.metrics.*;
import com.amazonaws.regions.*;
import com.amazonaws.transform.*;
import com.amazonaws.util.*;
import com.amazonaws.protocol.json.*;
import com.amazonaws.util.AWSRequestMetrics.Field;
import com.amazonaws.annotation.ThreadSafe;
import com.amazonaws.client.AwsSyncClientParams;
import com.amazonaws.client.builder.AdvancedConfig;
import com.amazonaws.services.kms.AWSKMSClientBuilder;
import com.amazonaws.AmazonServiceException;
import com.amazonaws.services.kms.model.*;
import com.amazonaws.services.kms.model.transform.*;
/**
* Client for accessing KMS. All service calls made using this client are blocking, and will not return until the
* service call completes.
*
* AWS Key Management Service
*
* AWS Key Management Service (AWS KMS) is an encryption and key management web service. This guide describes the AWS
* KMS operations that you can call programmatically. For general information about AWS KMS, see the AWS Key Management Service Developer Guide
* .
*
*
*
* AWS provides SDKs that consist of libraries and sample code for various programming languages and platforms (Java,
* Ruby, .Net, macOS, Android, etc.). The SDKs provide a convenient way to create programmatic access to AWS KMS and
* other AWS services. For example, the SDKs take care of tasks such as signing requests (see below), managing errors,
* and retrying requests automatically. For more information about the AWS SDKs, including how to download and install
* them, see Tools for Amazon Web Services.
*
*
*
* We recommend that you use the AWS SDKs to make programmatic API calls to AWS KMS.
*
*
* Clients must support TLS (Transport Layer Security) 1.0. We recommend TLS 1.2. Clients must also support cipher
* suites with Perfect Forward Secrecy (PFS) such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Ephemeral
* Diffie-Hellman (ECDHE). Most modern systems such as Java 7 and later support these modes.
*
*
* Signing Requests
*
*
* Requests must be signed by using an access key ID and a secret access key. We strongly recommend that you do
* not use your AWS account (root) access key ID and secret key for everyday work with AWS KMS. Instead, use the
* access key ID and secret access key for an IAM user. You can also use the AWS Security Token Service to generate
* temporary security credentials that you can use to sign requests.
*
*
* All AWS KMS operations require Signature Version 4.
*
*
* Logging API Requests
*
*
* AWS KMS supports AWS CloudTrail, a service that logs AWS API calls and related events for your AWS account and
* delivers them to an Amazon S3 bucket that you specify. By using the information collected by CloudTrail, you can
* determine what requests were made to AWS KMS, who made the request, when it was made, and so on. To learn more about
* CloudTrail, including how to turn it on and find your log files, see the AWS CloudTrail User Guide.
*
*
* Additional Resources
*
*
* For more information about credentials and request signing, see the following:
*
*
* -
*
* AWS Security Credentials -
* This topic provides general information about the types of credentials used for accessing AWS.
*
*
* -
*
* Temporary Security
* Credentials - This section of the IAM User Guide describes how to create and use temporary security
* credentials.
*
*
* -
*
* Signature Version 4 Signing
* Process - This set of topics walks you through the process of signing a request using an access key ID and a
* secret access key.
*
*
*
*
* Commonly Used API Operations
*
*
* Of the API operations discussed in this guide, the following will prove the most useful for most applications. You
* will likely perform operations other than these, such as creating keys and assigning policies, by using the console.
*
*
* -
*
* Encrypt
*
*
* -
*
* Decrypt
*
*
* -
*
* GenerateDataKey
*
*
* -
*
*
*
*/
@ThreadSafe
@Generated("com.amazonaws:aws-java-sdk-code-generator")
public class AWSKMSClient extends AmazonWebServiceClient implements AWSKMS {
/** Provider for AWS credentials. */
private final AWSCredentialsProvider awsCredentialsProvider;
private static final Log log = LogFactory.getLog(AWSKMS.class);
/** Default signing name for the service. */
private static final String DEFAULT_SIGNING_NAME = "kms";
/** Client configuration factory providing ClientConfigurations tailored to this client */
protected static final ClientConfigurationFactory configFactory = new ClientConfigurationFactory();
private final AdvancedConfig advancedConfig;
private static final com.amazonaws.protocol.json.SdkJsonProtocolFactory protocolFactory = new com.amazonaws.protocol.json.SdkJsonProtocolFactory(
new JsonClientMetadata()
.withProtocolVersion("1.1")
.withSupportsCbor(false)
.withSupportsIon(false)
.addErrorMetadata(
new JsonErrorShapeMetadata().withErrorCode("CloudHsmClusterNotFoundException").withExceptionUnmarshaller(
com.amazonaws.services.kms.model.transform.CloudHsmClusterNotFoundExceptionUnmarshaller.getInstance()))
.addErrorMetadata(
new JsonErrorShapeMetadata().withErrorCode("ExpiredImportTokenException").withExceptionUnmarshaller(
com.amazonaws.services.kms.model.transform.ExpiredImportTokenExceptionUnmarshaller.getInstance()))
.addErrorMetadata(
new JsonErrorShapeMetadata().withErrorCode("CustomKeyStoreNotFoundException").withExceptionUnmarshaller(
com.amazonaws.services.kms.model.transform.CustomKeyStoreNotFoundExceptionUnmarshaller.getInstance()))
.addErrorMetadata(
new JsonErrorShapeMetadata().withErrorCode("MalformedPolicyDocumentException").withExceptionUnmarshaller(
com.amazonaws.services.kms.model.transform.MalformedPolicyDocumentExceptionUnmarshaller.getInstance()))
.addErrorMetadata(
new JsonErrorShapeMetadata().withErrorCode("IncorrectKeyMaterialException").withExceptionUnmarshaller(
com.amazonaws.services.kms.model.transform.IncorrectKeyMaterialExceptionUnmarshaller.getInstance()))
.addErrorMetadata(
new JsonErrorShapeMetadata().withErrorCode("InvalidImportTokenException").withExceptionUnmarshaller(
com.amazonaws.services.kms.model.transform.InvalidImportTokenExceptionUnmarshaller.getInstance()))
.addErrorMetadata(
new JsonErrorShapeMetadata().withErrorCode("InvalidArnException").withExceptionUnmarshaller(
com.amazonaws.services.kms.model.transform.InvalidArnExceptionUnmarshaller.getInstance()))
.addErrorMetadata(
new JsonErrorShapeMetadata().withErrorCode("KMSInvalidSignatureException").withExceptionUnmarshaller(
com.amazonaws.services.kms.model.transform.KMSInvalidSignatureExceptionUnmarshaller.getInstance()))
.addErrorMetadata(
new JsonErrorShapeMetadata().withErrorCode("KMSInvalidStateException").withExceptionUnmarshaller(
com.amazonaws.services.kms.model.transform.KMSInvalidStateExceptionUnmarshaller.getInstance()))
.addErrorMetadata(
new JsonErrorShapeMetadata().withErrorCode("CloudHsmClusterNotRelatedException").withExceptionUnmarshaller(
com.amazonaws.services.kms.model.transform.CloudHsmClusterNotRelatedExceptionUnmarshaller.getInstance()))
.addErrorMetadata(
new JsonErrorShapeMetadata().withErrorCode("CustomKeyStoreInvalidStateException").withExceptionUnmarshaller(
com.amazonaws.services.kms.model.transform.CustomKeyStoreInvalidStateExceptionUnmarshaller.getInstance()))
.addErrorMetadata(
new JsonErrorShapeMetadata().withErrorCode("IncorrectTrustAnchorException").withExceptionUnmarshaller(
com.amazonaws.services.kms.model.transform.IncorrectTrustAnchorExceptionUnmarshaller.getInstance()))
.addErrorMetadata(
new JsonErrorShapeMetadata().withErrorCode("DisabledException").withExceptionUnmarshaller(
com.amazonaws.services.kms.model.transform.DisabledExceptionUnmarshaller.getInstance()))
.addErrorMetadata(
new JsonErrorShapeMetadata().withErrorCode("NotFoundException").withExceptionUnmarshaller(
com.amazonaws.services.kms.model.transform.NotFoundExceptionUnmarshaller.getInstance()))
.addErrorMetadata(
new JsonErrorShapeMetadata().withErrorCode("CustomKeyStoreHasCMKsException").withExceptionUnmarshaller(
com.amazonaws.services.kms.model.transform.CustomKeyStoreHasCMKsExceptionUnmarshaller.getInstance()))
.addErrorMetadata(
new JsonErrorShapeMetadata().withErrorCode("KeyUnavailableException").withExceptionUnmarshaller(
com.amazonaws.services.kms.model.transform.KeyUnavailableExceptionUnmarshaller.getInstance()))
.addErrorMetadata(
new JsonErrorShapeMetadata().withErrorCode("LimitExceededException").withExceptionUnmarshaller(
com.amazonaws.services.kms.model.transform.LimitExceededExceptionUnmarshaller.getInstance()))
.addErrorMetadata(
new JsonErrorShapeMetadata().withErrorCode("CloudHsmClusterInUseException").withExceptionUnmarshaller(
com.amazonaws.services.kms.model.transform.CloudHsmClusterInUseExceptionUnmarshaller.getInstance()))
.addErrorMetadata(
new JsonErrorShapeMetadata().withErrorCode("InvalidCiphertextException").withExceptionUnmarshaller(
com.amazonaws.services.kms.model.transform.InvalidCiphertextExceptionUnmarshaller.getInstance()))
.addErrorMetadata(
new JsonErrorShapeMetadata().withErrorCode("InvalidGrantIdException").withExceptionUnmarshaller(
com.amazonaws.services.kms.model.transform.InvalidGrantIdExceptionUnmarshaller.getInstance()))
.addErrorMetadata(
new JsonErrorShapeMetadata().withErrorCode("IncorrectKeyException").withExceptionUnmarshaller(
com.amazonaws.services.kms.model.transform.IncorrectKeyExceptionUnmarshaller.getInstance()))
.addErrorMetadata(
new JsonErrorShapeMetadata().withErrorCode("InvalidGrantTokenException").withExceptionUnmarshaller(
com.amazonaws.services.kms.model.transform.InvalidGrantTokenExceptionUnmarshaller.getInstance()))
.addErrorMetadata(
new JsonErrorShapeMetadata().withErrorCode("UnsupportedOperationException").withExceptionUnmarshaller(
com.amazonaws.services.kms.model.transform.UnsupportedOperationExceptionUnmarshaller.getInstance()))
.addErrorMetadata(
new JsonErrorShapeMetadata().withErrorCode("CustomKeyStoreNameInUseException").withExceptionUnmarshaller(
com.amazonaws.services.kms.model.transform.CustomKeyStoreNameInUseExceptionUnmarshaller.getInstance()))
.addErrorMetadata(
new JsonErrorShapeMetadata().withErrorCode("AlreadyExistsException").withExceptionUnmarshaller(
com.amazonaws.services.kms.model.transform.AlreadyExistsExceptionUnmarshaller.getInstance()))
.addErrorMetadata(
new JsonErrorShapeMetadata().withErrorCode("TagException").withExceptionUnmarshaller(
com.amazonaws.services.kms.model.transform.TagExceptionUnmarshaller.getInstance()))
.addErrorMetadata(
new JsonErrorShapeMetadata().withErrorCode("InvalidKeyUsageException").withExceptionUnmarshaller(
com.amazonaws.services.kms.model.transform.InvalidKeyUsageExceptionUnmarshaller.getInstance()))
.addErrorMetadata(
new JsonErrorShapeMetadata().withErrorCode("CloudHsmClusterInvalidConfigurationException").withExceptionUnmarshaller(
com.amazonaws.services.kms.model.transform.CloudHsmClusterInvalidConfigurationExceptionUnmarshaller.getInstance()))
.addErrorMetadata(
new JsonErrorShapeMetadata().withErrorCode("InvalidMarkerException").withExceptionUnmarshaller(
com.amazonaws.services.kms.model.transform.InvalidMarkerExceptionUnmarshaller.getInstance()))
.addErrorMetadata(
new JsonErrorShapeMetadata().withErrorCode("InvalidAliasNameException").withExceptionUnmarshaller(
com.amazonaws.services.kms.model.transform.InvalidAliasNameExceptionUnmarshaller.getInstance()))
.addErrorMetadata(
new JsonErrorShapeMetadata().withErrorCode("DependencyTimeoutException").withExceptionUnmarshaller(
com.amazonaws.services.kms.model.transform.DependencyTimeoutExceptionUnmarshaller.getInstance()))
.addErrorMetadata(
new JsonErrorShapeMetadata().withErrorCode("KMSInternalException").withExceptionUnmarshaller(
com.amazonaws.services.kms.model.transform.KMSInternalExceptionUnmarshaller.getInstance()))
.addErrorMetadata(
new JsonErrorShapeMetadata().withErrorCode("CloudHsmClusterNotActiveException").withExceptionUnmarshaller(
com.amazonaws.services.kms.model.transform.CloudHsmClusterNotActiveExceptionUnmarshaller.getInstance()))
.withBaseServiceExceptionClass(com.amazonaws.services.kms.model.AWSKMSException.class));
/**
* Constructs a new client to invoke service methods on KMS. A credentials provider chain will be used that searches
* for credentials in this order:
*
* - Environment Variables - AWS_ACCESS_KEY_ID and AWS_SECRET_KEY
* - Java System Properties - aws.accessKeyId and aws.secretKey
* - Instance profile credentials delivered through the Amazon EC2 metadata service
*
*
*
* All service calls made using this new client object are blocking, and will not return until the service call
* completes.
*
* @see DefaultAWSCredentialsProviderChain
* @deprecated use {@link AWSKMSClientBuilder#defaultClient()}
*/
@Deprecated
public AWSKMSClient() {
this(DefaultAWSCredentialsProviderChain.getInstance(), configFactory.getConfig());
}
/**
* Constructs a new client to invoke service methods on KMS. A credentials provider chain will be used that searches
* for credentials in this order:
*
* - Environment Variables - AWS_ACCESS_KEY_ID and AWS_SECRET_KEY
* - Java System Properties - aws.accessKeyId and aws.secretKey
* - Instance profile credentials delivered through the Amazon EC2 metadata service
*
*
*
* All service calls made using this new client object are blocking, and will not return until the service call
* completes.
*
* @param clientConfiguration
* The client configuration options controlling how this client connects to KMS (ex: proxy settings, retry
* counts, etc.).
*
* @see DefaultAWSCredentialsProviderChain
* @deprecated use {@link AWSKMSClientBuilder#withClientConfiguration(ClientConfiguration)}
*/
@Deprecated
public AWSKMSClient(ClientConfiguration clientConfiguration) {
this(DefaultAWSCredentialsProviderChain.getInstance(), clientConfiguration);
}
/**
* Constructs a new client to invoke service methods on KMS using the specified AWS account credentials.
*
*
* All service calls made using this new client object are blocking, and will not return until the service call
* completes.
*
* @param awsCredentials
* The AWS credentials (access key ID and secret key) to use when authenticating with AWS services.
* @deprecated use {@link AWSKMSClientBuilder#withCredentials(AWSCredentialsProvider)} for example:
* {@code AWSKMSClientBuilder.standard().withCredentials(new AWSStaticCredentialsProvider(awsCredentials)).build();}
*/
@Deprecated
public AWSKMSClient(AWSCredentials awsCredentials) {
this(awsCredentials, configFactory.getConfig());
}
/**
* Constructs a new client to invoke service methods on KMS using the specified AWS account credentials and client
* configuration options.
*
*
* All service calls made using this new client object are blocking, and will not return until the service call
* completes.
*
* @param awsCredentials
* The AWS credentials (access key ID and secret key) to use when authenticating with AWS services.
* @param clientConfiguration
* The client configuration options controlling how this client connects to KMS (ex: proxy settings, retry
* counts, etc.).
* @deprecated use {@link AWSKMSClientBuilder#withCredentials(AWSCredentialsProvider)} and
* {@link AWSKMSClientBuilder#withClientConfiguration(ClientConfiguration)}
*/
@Deprecated
public AWSKMSClient(AWSCredentials awsCredentials, ClientConfiguration clientConfiguration) {
super(clientConfiguration);
this.awsCredentialsProvider = new StaticCredentialsProvider(awsCredentials);
this.advancedConfig = AdvancedConfig.EMPTY;
init();
}
/**
* Constructs a new client to invoke service methods on KMS using the specified AWS account credentials provider.
*
*
* All service calls made using this new client object are blocking, and will not return until the service call
* completes.
*
* @param awsCredentialsProvider
* The AWS credentials provider which will provide credentials to authenticate requests with AWS services.
* @deprecated use {@link AWSKMSClientBuilder#withCredentials(AWSCredentialsProvider)}
*/
@Deprecated
public AWSKMSClient(AWSCredentialsProvider awsCredentialsProvider) {
this(awsCredentialsProvider, configFactory.getConfig());
}
/**
* Constructs a new client to invoke service methods on KMS using the specified AWS account credentials provider and
* client configuration options.
*
*
* All service calls made using this new client object are blocking, and will not return until the service call
* completes.
*
* @param awsCredentialsProvider
* The AWS credentials provider which will provide credentials to authenticate requests with AWS services.
* @param clientConfiguration
* The client configuration options controlling how this client connects to KMS (ex: proxy settings, retry
* counts, etc.).
* @deprecated use {@link AWSKMSClientBuilder#withCredentials(AWSCredentialsProvider)} and
* {@link AWSKMSClientBuilder#withClientConfiguration(ClientConfiguration)}
*/
@Deprecated
public AWSKMSClient(AWSCredentialsProvider awsCredentialsProvider, ClientConfiguration clientConfiguration) {
this(awsCredentialsProvider, clientConfiguration, null);
}
/**
* Constructs a new client to invoke service methods on KMS using the specified AWS account credentials provider,
* client configuration options, and request metric collector.
*
*
* All service calls made using this new client object are blocking, and will not return until the service call
* completes.
*
* @param awsCredentialsProvider
* The AWS credentials provider which will provide credentials to authenticate requests with AWS services.
* @param clientConfiguration
* The client configuration options controlling how this client connects to KMS (ex: proxy settings, retry
* counts, etc.).
* @param requestMetricCollector
* optional request metric collector
* @deprecated use {@link AWSKMSClientBuilder#withCredentials(AWSCredentialsProvider)} and
* {@link AWSKMSClientBuilder#withClientConfiguration(ClientConfiguration)} and
* {@link AWSKMSClientBuilder#withMetricsCollector(RequestMetricCollector)}
*/
@Deprecated
public AWSKMSClient(AWSCredentialsProvider awsCredentialsProvider, ClientConfiguration clientConfiguration, RequestMetricCollector requestMetricCollector) {
super(clientConfiguration, requestMetricCollector);
this.awsCredentialsProvider = awsCredentialsProvider;
this.advancedConfig = AdvancedConfig.EMPTY;
init();
}
public static AWSKMSClientBuilder builder() {
return AWSKMSClientBuilder.standard();
}
/**
* Constructs a new client to invoke service methods on KMS using the specified parameters.
*
*
* All service calls made using this new client object are blocking, and will not return until the service call
* completes.
*
* @param clientParams
* Object providing client parameters.
*/
AWSKMSClient(AwsSyncClientParams clientParams) {
this(clientParams, false);
}
/**
* Constructs a new client to invoke service methods on KMS using the specified parameters.
*
*
* All service calls made using this new client object are blocking, and will not return until the service call
* completes.
*
* @param clientParams
* Object providing client parameters.
*/
AWSKMSClient(AwsSyncClientParams clientParams, boolean endpointDiscoveryEnabled) {
super(clientParams);
this.awsCredentialsProvider = clientParams.getCredentialsProvider();
this.advancedConfig = clientParams.getAdvancedConfig();
init();
}
private void init() {
setServiceNameIntern(DEFAULT_SIGNING_NAME);
setEndpointPrefix(ENDPOINT_PREFIX);
// calling this.setEndPoint(...) will also modify the signer accordingly
setEndpoint("https://kms.us-east-1.amazonaws.com/");
HandlerChainFactory chainFactory = new HandlerChainFactory();
requestHandler2s.addAll(chainFactory.newRequestHandlerChain("/com/amazonaws/services/kms/request.handlers"));
requestHandler2s.addAll(chainFactory.newRequestHandler2Chain("/com/amazonaws/services/kms/request.handler2s"));
requestHandler2s.addAll(chainFactory.getGlobalHandlers());
}
/**
*
* Cancels the deletion of a customer master key (CMK). When this operation succeeds, the key state of the CMK is
* Disabled. To enable the CMK, use EnableKey. You cannot perform this operation on a CMK in a
* different AWS account.
*
*
* For more information about scheduling and canceling deletion of a CMK, see Deleting Customer Master Keys
* in the AWS Key Management Service Developer Guide.
*
*
* The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a
* Customer Master Key in the AWS Key Management Service Developer Guide.
*
*
* @param cancelKeyDeletionRequest
* @return Result of the CancelKeyDeletion operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a CMK, see How Key State Affects Use of
* a Customer Master Key in the AWS Key Management Service Developer Guide .
* @sample AWSKMS.CancelKeyDeletion
* @see AWS API
* Documentation
*/
@Override
public CancelKeyDeletionResult cancelKeyDeletion(CancelKeyDeletionRequest request) {
request = beforeClientExecution(request);
return executeCancelKeyDeletion(request);
}
@SdkInternalApi
final CancelKeyDeletionResult executeCancelKeyDeletion(CancelKeyDeletionRequest cancelKeyDeletionRequest) {
ExecutionContext executionContext = createExecutionContext(cancelKeyDeletionRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new CancelKeyDeletionRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(cancelKeyDeletionRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "CancelKeyDeletion");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(
new JsonOperationMetadata().withPayloadJson(true).withHasStreamingSuccessResponse(false), new CancelKeyDeletionResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Connects or reconnects a custom key store
* to its associated AWS CloudHSM cluster.
*
*
* The custom key store must be connected before you can create customer master keys (CMKs) in the key store or use
* the CMKs it contains. You can disconnect and reconnect a custom key store at any time.
*
*
* To connect a custom key store, its associated AWS CloudHSM cluster must have at least one active HSM. To get the
* number of active HSMs in a cluster, use the DescribeClusters
* operation. To add HSMs to the cluster, use the CreateHsm operation.
*
*
* The connection process can take an extended amount of time to complete; up to 20 minutes. This operation starts
* the connection process, but it does not wait for it to complete. When it succeeds, this operation quickly returns
* an HTTP 200 response and a JSON object with no properties. However, this response does not indicate that the
* custom key store is connected. To get the connection state of the custom key store, use the
* DescribeCustomKeyStores operation.
*
*
* During the connection process, AWS KMS finds the AWS CloudHSM cluster that is associated with the custom key
* store, creates the connection infrastructure, connects to the cluster, logs into the AWS CloudHSM client as the
*
* kmsuser crypto user (CU), and rotates its password.
*
*
* The ConnectCustomKeyStore operation might fail for various reasons. To find the reason, use the
* DescribeCustomKeyStores operation and see the ConnectionErrorCode in the response. For help
* interpreting the ConnectionErrorCode, see CustomKeyStoresListEntry.
*
*
* To fix the failure, use the DisconnectCustomKeyStore operation to disconnect the custom key store, correct
* the error, use the UpdateCustomKeyStore operation if necessary, and then use
* ConnectCustomKeyStore again.
*
*
* If you are having trouble connecting or disconnecting a custom key store, see Troubleshooting a Custom Key
* Store in the AWS Key Management Service Developer Guide.
*
*
* @param connectCustomKeyStoreRequest
* @return Result of the ConnectCustomKeyStore operation returned by the service.
* @throws CloudHsmClusterNotActiveException
* The request was rejected because the AWS CloudHSM cluster that is associated with the custom key store is
* not active. Initialize and activate the cluster and try the command again. For detailed instructions, see
* Getting Started
* in the AWS CloudHSM User Guide.
* @throws CustomKeyStoreInvalidStateException
* The request was rejected because of the ConnectionState of the custom key store. To get the
* ConnectionState of a custom key store, use the DescribeCustomKeyStores operation.
*
* This exception is thrown under the following conditions:
*
*
* -
*
* You requested the CreateKey or GenerateRandom operation in a custom key store that is not
* connected. These operations are valid only when the custom key store ConnectionState is
* CONNECTED.
*
*
* -
*
* You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation on a custom key
* store that is not disconnected. This operation is valid only when the custom key store
* ConnectionState is DISCONNECTED.
*
*
* -
*
* You requested the ConnectCustomKeyStore operation on a custom key store with a
* ConnectionState of DISCONNECTING or FAILED. This operation is
* valid for all other ConnectionState values.
*
*
* @throws CustomKeyStoreNotFoundException
* The request was rejected because AWS KMS cannot find a custom key store with the specified key store name
* or ID.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws CloudHsmClusterInvalidConfigurationException
* The request was rejected because the associated AWS CloudHSM cluster did not meet the configuration
* requirements for a custom key store.
*
* -
*
* The cluster must be configured with private subnets in at least two different Availability Zones in the
* Region.
*
*
* -
*
* The security group for
* the cluster (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound
* rules that allow TCP traffic on ports 2223-2225. The Source in the inbound rules and the
* Destination in the outbound rules must match the security group ID. These rules are set by default
* when you create the cluster. Do not delete or change them. To get information about a particular security
* group, use the DescribeSecurityGroups operation.
*
*
* -
*
* The cluster must contain at least as many HSMs as the operation requires. To add HSMs, use the AWS
* CloudHSM CreateHsm
* operation.
*
*
* For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey operations, the
* AWS CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone. For the
* ConnectCustomKeyStore operation, the AWS CloudHSM must contain at least one active HSM.
*
*
*
*
* For information about the requirements for an AWS CloudHSM cluster that is associated with a custom key
* store, see Assemble the Prerequisites in the AWS Key Management Service Developer Guide. For information
* about creating a private subnet for an AWS CloudHSM cluster, see Create a Private
* Subnet in the AWS CloudHSM User Guide. For information about cluster security groups, see Configure a Default
* Security Group in the AWS CloudHSM User Guide .
* @sample AWSKMS.ConnectCustomKeyStore
* @see AWS API
* Documentation
*/
@Override
public ConnectCustomKeyStoreResult connectCustomKeyStore(ConnectCustomKeyStoreRequest request) {
request = beforeClientExecution(request);
return executeConnectCustomKeyStore(request);
}
@SdkInternalApi
final ConnectCustomKeyStoreResult executeConnectCustomKeyStore(ConnectCustomKeyStoreRequest connectCustomKeyStoreRequest) {
ExecutionContext executionContext = createExecutionContext(connectCustomKeyStoreRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new ConnectCustomKeyStoreRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(connectCustomKeyStoreRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "ConnectCustomKeyStore");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory
.createResponseHandler(new JsonOperationMetadata().withPayloadJson(true).withHasStreamingSuccessResponse(false),
new ConnectCustomKeyStoreResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Creates a display name for a customer managed customer master key (CMK). You can use an alias to identify a CMK
* in cryptographic operations, such as Encrypt and GenerateDataKey. You can change the CMK associated
* with the alias at any time.
*
*
* Aliases are easier to remember than key IDs. They can also help to simplify your applications. For example, if
* you use an alias in your code, you can change the CMK your code uses by associating a given alias with a
* different CMK.
*
*
* To run the same code in multiple AWS regions, use an alias in your code, such as
* alias/ApplicationKey. Then, in each AWS Region, create an alias/ApplicationKey alias
* that is associated with a CMK in that Region. When you run your code, it uses the
* alias/ApplicationKey CMK for that AWS Region without any Region-specific code.
*
*
* This operation does not return a response. To get the alias that you created, use the ListAliases
* operation.
*
*
* To use aliases successfully, be aware of the following information.
*
*
* -
*
* Each alias points to only one CMK at a time, although a single CMK can have multiple aliases. The alias and its
* associated CMK must be in the same AWS account and Region.
*
*
* -
*
* You can associate an alias with any customer managed CMK in the same AWS account and Region. However, you do not
* have permission to associate an alias with an AWS managed CMK or
* an AWS owned CMK.
*
*
* -
*
* To change the CMK associated with an alias, use the UpdateAlias operation. The current CMK and the new CMK
* must be the same type (both symmetric or both asymmetric) and they must have the same key usage (
* ENCRYPT_DECRYPT or SIGN_VERIFY). This restriction prevents cryptographic errors in code
* that uses aliases.
*
*
* -
*
* The alias name must begin with alias/ followed by a name, such as alias/ExampleAlias.
* It can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). The alias name
* cannot begin with alias/aws/. The alias/aws/ prefix is reserved for AWS managed CMKs.
*
*
* -
*
* The alias name must be unique within an AWS Region. However, you can use the same alias name in multiple Regions
* of the same AWS account. Each instance of the alias is associated with a CMK in its Region.
*
*
* -
*
* After you create an alias, you cannot change its alias name. However, you can use the DeleteAlias
* operation to delete the alias and then create a new alias with the desired name.
*
*
* -
*
* You can use an alias name or alias ARN to identify a CMK in AWS KMS cryptographic operations and in the
* DescribeKey operation. However, you cannot use alias names or alias ARNs in API operations that manage
* CMKs, such as DisableKey or GetKeyPolicy. For information about the valid CMK identifiers for each
* AWS KMS API operation, see the descriptions of the KeyId parameter in the API operation
* documentation.
*
*
*
*
* Because an alias is not a property of a CMK, you can delete and change the aliases of a CMK without affecting the
* CMK. Also, aliases do not appear in the response from the DescribeKey operation. To get the aliases and
* alias ARNs of CMKs in each AWS account and Region, use the ListAliases operation.
*
*
* The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a
* Customer Master Key in the AWS Key Management Service Developer Guide.
*
*
* @param createAliasRequest
* @return Result of the CreateAlias operation returned by the service.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws AlreadyExistsException
* The request was rejected because it attempted to create a resource that already exists.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidAliasNameException
* The request was rejected because the specified alias name is not valid.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws LimitExceededException
* The request was rejected because a limit was exceeded. For more information, see Limits in the AWS Key
* Management Service Developer Guide.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a CMK, see How Key State Affects Use of
* a Customer Master Key in the AWS Key Management Service Developer Guide .
* @sample AWSKMS.CreateAlias
* @see AWS API
* Documentation
*/
@Override
public CreateAliasResult createAlias(CreateAliasRequest request) {
request = beforeClientExecution(request);
return executeCreateAlias(request);
}
@SdkInternalApi
final CreateAliasResult executeCreateAlias(CreateAliasRequest createAliasRequest) {
ExecutionContext executionContext = createExecutionContext(createAliasRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new CreateAliasRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(createAliasRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "CreateAlias");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(
new JsonOperationMetadata().withPayloadJson(true).withHasStreamingSuccessResponse(false), new CreateAliasResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Creates a custom
* key store that is associated with an AWS CloudHSM cluster that you own
* and manage.
*
*
* This operation is part of the Custom Key Store
* feature feature in AWS KMS, which combines the convenience and extensive integration of AWS KMS with the
* isolation and control of a single-tenant key store.
*
*
* Before you create the custom key store, you must assemble the required elements, including an AWS CloudHSM
* cluster that fulfills the requirements for a custom key store. For details about the required elements, see Assemble the
* Prerequisites in the AWS Key Management Service Developer Guide.
*
*
* When the operation completes successfully, it returns the ID of the new custom key store. Before you can use your
* new custom key store, you need to use the ConnectCustomKeyStore operation to connect the new key store to
* its AWS CloudHSM cluster. Even if you are not going to use your custom key store immediately, you might want to
* connect it to verify that all settings are correct and then disconnect it until you are ready to use it.
*
*
* For help with failures, see Troubleshooting a Custom Key
* Store in the AWS Key Management Service Developer Guide.
*
*
* @param createCustomKeyStoreRequest
* @return Result of the CreateCustomKeyStore operation returned by the service.
* @throws CloudHsmClusterInUseException
* The request was rejected because the specified AWS CloudHSM cluster is already associated with a custom
* key store or it shares a backup history with a cluster that is associated with a custom key store. Each
* custom key store must be associated with a different AWS CloudHSM cluster.
*
* Clusters that share a backup history have the same cluster certificate. To view the cluster certificate
* of a cluster, use the DescribeClusters operation.
* @throws CustomKeyStoreNameInUseException
* The request was rejected because the specified custom key store name is already assigned to another
* custom key store in the account. Try again with a custom key store name that is unique in the account.
* @throws CloudHsmClusterNotFoundException
* The request was rejected because AWS KMS cannot find the AWS CloudHSM cluster with the specified cluster
* ID. Retry the request with a different cluster ID.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws CloudHsmClusterNotActiveException
* The request was rejected because the AWS CloudHSM cluster that is associated with the custom key store is
* not active. Initialize and activate the cluster and try the command again. For detailed instructions, see
* Getting Started
* in the AWS CloudHSM User Guide.
* @throws IncorrectTrustAnchorException
* The request was rejected because the trust anchor certificate in the request is not the trust anchor
* certificate for the specified AWS CloudHSM cluster.
*
*
* When you initialize
* the cluster, you create the trust anchor certificate and save it in the customerCA.crt
* file.
* @throws CloudHsmClusterInvalidConfigurationException
* The request was rejected because the associated AWS CloudHSM cluster did not meet the configuration
* requirements for a custom key store.
*
*
* -
*
* The cluster must be configured with private subnets in at least two different Availability Zones in the
* Region.
*
*
* -
*
* The security group for
* the cluster (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound
* rules that allow TCP traffic on ports 2223-2225. The Source in the inbound rules and the
* Destination in the outbound rules must match the security group ID. These rules are set by default
* when you create the cluster. Do not delete or change them. To get information about a particular security
* group, use the DescribeSecurityGroups operation.
*
*
* -
*
* The cluster must contain at least as many HSMs as the operation requires. To add HSMs, use the AWS
* CloudHSM CreateHsm
* operation.
*
*
* For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey operations, the
* AWS CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone. For the
* ConnectCustomKeyStore operation, the AWS CloudHSM must contain at least one active HSM.
*
*
*
*
* For information about the requirements for an AWS CloudHSM cluster that is associated with a custom key
* store, see Assemble the Prerequisites in the AWS Key Management Service Developer Guide. For information
* about creating a private subnet for an AWS CloudHSM cluster, see Create a Private
* Subnet in the AWS CloudHSM User Guide. For information about cluster security groups, see Configure a Default
* Security Group in the AWS CloudHSM User Guide .
* @sample AWSKMS.CreateCustomKeyStore
* @see AWS API
* Documentation
*/
@Override
public CreateCustomKeyStoreResult createCustomKeyStore(CreateCustomKeyStoreRequest request) {
request = beforeClientExecution(request);
return executeCreateCustomKeyStore(request);
}
@SdkInternalApi
final CreateCustomKeyStoreResult executeCreateCustomKeyStore(CreateCustomKeyStoreRequest createCustomKeyStoreRequest) {
ExecutionContext executionContext = createExecutionContext(createCustomKeyStoreRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new CreateCustomKeyStoreRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(createCustomKeyStoreRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "CreateCustomKeyStore");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(
new JsonOperationMetadata().withPayloadJson(true).withHasStreamingSuccessResponse(false), new CreateCustomKeyStoreResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Adds a grant to a customer master key (CMK). The grant allows the grantee principal to use the CMK when the
* conditions specified in the grant are met. When setting permissions, grants are an alternative to key policies.
*
*
* To create a grant that allows a cryptographic operation only when the request includes a particular encryption
* context, use the Constraints parameter. For details, see GrantConstraints.
*
*
* You can create grants on symmetric and asymmetric CMKs. However, if the grant allows an operation that the CMK
* does not support, CreateGrant fails with a ValidationException.
*
*
* -
*
* Grants for symmetric CMKs cannot allow operations that are not supported for symmetric CMKs, including
* Sign, Verify, and GetPublicKey. (There are limited exceptions to this rule for legacy
* operations, but you should not create a grant for an operation that AWS KMS does not support.)
*
*
* -
*
* Grants for asymmetric CMKs cannot allow operations that are not supported for asymmetric CMKs, including
* operations that generate data
* keys or data key
* pairs, or operations related to automatic key rotation, imported key material, or
* CMKs in custom key
* stores.
*
*
* -
*
* Grants for asymmetric CMKs with a KeyUsage of ENCRYPT_DECRYPT cannot allow the
* Sign or Verify operations. Grants for asymmetric CMKs with a KeyUsage of
* SIGN_VERIFY cannot allow the Encrypt or Decrypt operations.
*
*
* -
*
* Grants for asymmetric CMKs cannot include an encryption context grant constraint. An encryption context is not
* supported on asymmetric CMKs.
*
*
*
*
* For information about symmetric and asymmetric CMKs, see Using Symmetric and
* Asymmetric CMKs in the AWS Key Management Service Developer Guide.
*
*
* To perform this operation on a CMK in a different AWS account, specify the key ARN in the value of the
* KeyId parameter. For more information about grants, see Grants in the AWS Key
* Management Service Developer Guide .
*
*
* The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a
* Customer Master Key in the AWS Key Management Service Developer Guide.
*
*
* @param createGrantRequest
* @return Result of the CreateGrant operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DisabledException
* The request was rejected because the specified CMK is not enabled.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws InvalidGrantTokenException
* The request was rejected because the specified grant token is not valid.
* @throws LimitExceededException
* The request was rejected because a limit was exceeded. For more information, see Limits in the AWS Key
* Management Service Developer Guide.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a CMK, see How Key State Affects Use of
* a Customer Master Key in the AWS Key Management Service Developer Guide .
* @sample AWSKMS.CreateGrant
* @see AWS API
* Documentation
*/
@Override
public CreateGrantResult createGrant(CreateGrantRequest request) {
request = beforeClientExecution(request);
return executeCreateGrant(request);
}
@SdkInternalApi
final CreateGrantResult executeCreateGrant(CreateGrantRequest createGrantRequest) {
ExecutionContext executionContext = createExecutionContext(createGrantRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new CreateGrantRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(createGrantRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "CreateGrant");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(
new JsonOperationMetadata().withPayloadJson(true).withHasStreamingSuccessResponse(false), new CreateGrantResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Creates a unique customer managed customer master key
* (CMK) in your AWS account and Region. You cannot use this operation to create a CMK in a different AWS account.
*
*
* You can use the CreateKey operation to create symmetric or asymmetric CMKs.
*
*
* -
*
* Symmetric CMKs contain a 256-bit symmetric key that never leaves AWS KMS unencrypted. To use the CMK, you
* must call AWS KMS. You can use a symmetric CMK to encrypt and decrypt small amounts of data, but they are
* typically used to generate data keys or data key
* pairs. For details, see GenerateDataKey and GenerateDataKeyPair.
*
*
* -
*
* Asymmetric CMKs can contain an RSA key pair or an Elliptic Curve (ECC) key pair. The private key in an
* asymmetric CMK never leaves AWS KMS unencrypted. However, you can use the GetPublicKey operation to
* download the public key so it can be used outside of AWS KMS. CMKs with RSA key pairs can be used to encrypt or
* decrypt data or sign and verify messages (but not both). CMKs with ECC key pairs can be used only to sign and
* verify messages.
*
*
*
*
* For information about symmetric and asymmetric CMKs, see Using Symmetric and
* Asymmetric CMKs in the AWS Key Management Service Developer Guide.
*
*
* To create different types of CMKs, use the following guidance:
*
*
* - Asymmetric CMKs
* -
*
* To create an asymmetric CMK, use the CustomerMasterKeySpec parameter to specify the type of key
* material in the CMK. Then, use the KeyUsage parameter to determine whether the CMK will be used to
* encrypt and decrypt or sign and verify. You can't change these properties after the CMK is created.
*
*
*
* - Symmetric CMKs
* -
*
* When creating a symmetric CMK, you don't need to specify the CustomerMasterKeySpec or
* KeyUsage parameters. The default value for CustomerMasterKeySpec,
* SYMMETRIC_DEFAULT, and the default value for KeyUsage, ENCRYPT_DECRYPT,
* are the only valid values for symmetric CMKs.
*
*
*
* - Imported Key Material
* -
*
* To import your own key material, begin by creating a symmetric CMK with no key material. To do this, use the
* Origin parameter of CreateKey with a value of EXTERNAL. Next, use
* GetParametersForImport operation to get a public key and import token, and use the public key to encrypt
* your key material. Then, use ImportKeyMaterial with your import token to import the key material. For
* step-by-step instructions, see Importing Key Material in
* the AWS Key Management Service Developer Guide . You cannot import the key material into an
* asymmetric CMK.
*
*
*
* - Custom Key Stores
* -
*
* To create a symmetric CMK in a custom key store,
* use the CustomKeyStoreId parameter to specify the custom key store. You must also use the
* Origin parameter with a value of AWS_CLOUDHSM. The AWS CloudHSM cluster that is
* associated with the custom key store must have at least two active HSMs in different Availability Zones in the
* AWS Region.
*
*
* You cannot create an asymmetric CMK in a custom key store. For information about custom key stores in AWS KMS see
* Using Custom Key
* Stores in the AWS Key Management Service Developer Guide .
*
*
*
*
* @param createKeyRequest
* @return Result of the CreateKey operation returned by the service.
* @throws MalformedPolicyDocumentException
* The request was rejected because the specified policy is not syntactically or semantically correct.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws UnsupportedOperationException
* The request was rejected because a specified parameter is not supported or a specified resource is not
* valid for this operation.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws LimitExceededException
* The request was rejected because a limit was exceeded. For more information, see Limits in the AWS Key
* Management Service Developer Guide.
* @throws TagException
* The request was rejected because one or more tags are not valid.
* @throws CustomKeyStoreNotFoundException
* The request was rejected because AWS KMS cannot find a custom key store with the specified key store name
* or ID.
* @throws CustomKeyStoreInvalidStateException
* The request was rejected because of the ConnectionState of the custom key store. To get the
* ConnectionState of a custom key store, use the DescribeCustomKeyStores operation.
*
* This exception is thrown under the following conditions:
*
*
* -
*
* You requested the CreateKey or GenerateRandom operation in a custom key store that is not
* connected. These operations are valid only when the custom key store ConnectionState is
* CONNECTED.
*
*
* -
*
* You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation on a custom key
* store that is not disconnected. This operation is valid only when the custom key store
* ConnectionState is DISCONNECTED.
*
*
* -
*
* You requested the ConnectCustomKeyStore operation on a custom key store with a
* ConnectionState of DISCONNECTING or FAILED. This operation is
* valid for all other ConnectionState values.
*
*
* @throws CloudHsmClusterInvalidConfigurationException
* The request was rejected because the associated AWS CloudHSM cluster did not meet the configuration
* requirements for a custom key store.
*
* -
*
* The cluster must be configured with private subnets in at least two different Availability Zones in the
* Region.
*
*
* -
*
* The security group for
* the cluster (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound
* rules that allow TCP traffic on ports 2223-2225. The Source in the inbound rules and the
* Destination in the outbound rules must match the security group ID. These rules are set by default
* when you create the cluster. Do not delete or change them. To get information about a particular security
* group, use the DescribeSecurityGroups operation.
*
*
* -
*
* The cluster must contain at least as many HSMs as the operation requires. To add HSMs, use the AWS
* CloudHSM CreateHsm
* operation.
*
*
* For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey operations, the
* AWS CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone. For the
* ConnectCustomKeyStore operation, the AWS CloudHSM must contain at least one active HSM.
*
*
*
*
* For information about the requirements for an AWS CloudHSM cluster that is associated with a custom key
* store, see Assemble the Prerequisites in the AWS Key Management Service Developer Guide. For information
* about creating a private subnet for an AWS CloudHSM cluster, see Create a Private
* Subnet in the AWS CloudHSM User Guide. For information about cluster security groups, see Configure a Default
* Security Group in the AWS CloudHSM User Guide .
* @sample AWSKMS.CreateKey
* @see AWS API
* Documentation
*/
@Override
public CreateKeyResult createKey(CreateKeyRequest request) {
request = beforeClientExecution(request);
return executeCreateKey(request);
}
@SdkInternalApi
final CreateKeyResult executeCreateKey(CreateKeyRequest createKeyRequest) {
ExecutionContext executionContext = createExecutionContext(createKeyRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new CreateKeyRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(createKeyRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "CreateKey");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(new JsonOperationMetadata()
.withPayloadJson(true).withHasStreamingSuccessResponse(false), new CreateKeyResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
@Override
public CreateKeyResult createKey() {
return createKey(new CreateKeyRequest());
}
/**
*
* Decrypts ciphertext that was encrypted by a AWS KMS customer master key (CMK) using any of the following
* operations:
*
*
* -
*
* Encrypt
*
*
* -
*
* GenerateDataKey
*
*
* -
*
*
* -
*
*
* -
*
*
*
*
* You can use this operation to decrypt ciphertext that was encrypted under a symmetric or asymmetric CMK. When the
* CMK is asymmetric, you must specify the CMK and the encryption algorithm that was used to encrypt the ciphertext.
* For information about symmetric and asymmetric CMKs, see Using Symmetric and
* Asymmetric CMKs in the AWS Key Management Service Developer Guide.
*
*
* The Decrypt operation also decrypts ciphertext that was encrypted outside of AWS KMS by the public key in an AWS
* KMS asymmetric CMK. However, it cannot decrypt ciphertext produced by other libraries, such as the AWS Encryption SDK or Amazon S3 client-side
* encryption. These libraries return a ciphertext format that is incompatible with AWS KMS.
*
*
* If the ciphertext was encrypted under a symmetric CMK, you do not need to specify the CMK or the encryption
* algorithm. AWS KMS can get this information from metadata that it adds to the symmetric ciphertext blob. However,
* if you prefer, you can specify the KeyId to ensure that a particular CMK is used to decrypt the
* ciphertext. If you specify a different CMK than the one used to encrypt the ciphertext, the Decrypt
* operation fails.
*
*
* Whenever possible, use key policies to give users permission to call the Decrypt operation on a particular CMK,
* instead of using IAM policies. Otherwise, you might create an IAM user policy that gives the user Decrypt
* permission on all CMKs. This user could decrypt ciphertext that was encrypted by CMKs in other accounts if the
* key policy for the cross-account CMK permits it. If you must use an IAM policy for Decrypt
* permissions, limit the user to particular CMKs or particular trusted accounts.
*
*
* The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a
* Customer Master Key in the AWS Key Management Service Developer Guide.
*
*
* @param decryptRequest
* @return Result of the Decrypt operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DisabledException
* The request was rejected because the specified CMK is not enabled.
* @throws InvalidCiphertextException
* From the Decrypt or ReEncrypt operation, the request was rejected because the specified
* ciphertext, or additional authenticated data incorporated into the ciphertext, such as the encryption
* context, is corrupted, missing, or otherwise invalid.
*
* From the ImportKeyMaterial operation, the request was rejected because AWS KMS could not decrypt
* the encrypted (wrapped) key material.
* @throws KeyUnavailableException
* The request was rejected because the specified CMK was not available. You can retry the request.
* @throws IncorrectKeyException
* The request was rejected because the specified CMK cannot decrypt the data. The KeyId in a
* Decrypt request and the SourceKeyId in a ReEncrypt request must identify the
* same CMK that was used to encrypt the ciphertext.
* @throws InvalidKeyUsageException
* The request was rejected for one of the following reasons:
*
*
* -
*
* The KeyUsage value of the CMK is incompatible with the API operation.
*
*
* -
*
* The encryption algorithm or signing algorithm specified for the operation is incompatible with the type
* of key material in the CMK (CustomerMasterKeySpec).
*
*
*
*
* For encrypting, decrypting, re-encrypting, and generating data keys, the KeyUsage must be
* ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage must be
* SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey
* operation.
*
*
* To find the encryption or signing algorithms supported for a particular CMK, use the DescribeKey
* operation.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidGrantTokenException
* The request was rejected because the specified grant token is not valid.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
*
* For more information about how key state affects the use of a CMK, see How Key State Affects Use of
* a Customer Master Key in the AWS Key Management Service Developer Guide .
* @sample AWSKMS.Decrypt
* @see AWS API
* Documentation
*/
@Override
public DecryptResult decrypt(DecryptRequest request) {
request = beforeClientExecution(request);
return executeDecrypt(request);
}
@SdkInternalApi
final DecryptResult executeDecrypt(DecryptRequest decryptRequest) {
ExecutionContext executionContext = createExecutionContext(decryptRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new DecryptRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(decryptRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "Decrypt");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(new JsonOperationMetadata()
.withPayloadJson(true).withHasStreamingSuccessResponse(false), new DecryptResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Deletes the specified alias. You cannot perform this operation on an alias in a different AWS account.
*
*
* Because an alias is not a property of a CMK, you can delete and change the aliases of a CMK without affecting the
* CMK. Also, aliases do not appear in the response from the DescribeKey operation. To get the aliases of all
* CMKs, use the ListAliases operation.
*
*
* Each CMK can have multiple aliases. To change the alias of a CMK, use DeleteAlias to delete the current
* alias and CreateAlias to create a new alias. To associate an existing alias with a different customer
* master key (CMK), call UpdateAlias.
*
*
* @param deleteAliasRequest
* @return Result of the DeleteAlias operation returned by the service.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a CMK, see How Key State Affects Use of
* a Customer Master Key in the AWS Key Management Service Developer Guide .
* @sample AWSKMS.DeleteAlias
* @see AWS API
* Documentation
*/
@Override
public DeleteAliasResult deleteAlias(DeleteAliasRequest request) {
request = beforeClientExecution(request);
return executeDeleteAlias(request);
}
@SdkInternalApi
final DeleteAliasResult executeDeleteAlias(DeleteAliasRequest deleteAliasRequest) {
ExecutionContext executionContext = createExecutionContext(deleteAliasRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new DeleteAliasRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(deleteAliasRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "DeleteAlias");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(
new JsonOperationMetadata().withPayloadJson(true).withHasStreamingSuccessResponse(false), new DeleteAliasResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Deletes a custom
* key store. This operation does not delete the AWS CloudHSM cluster that is associated with the custom key
* store, or affect any users or keys in the cluster.
*
*
* The custom key store that you delete cannot contain any AWS KMS customer master keys
* (CMKs). Before deleting the key store, verify that you will never need to use any of the CMKs in the key
* store for any cryptographic operations. Then, use ScheduleKeyDeletion to delete the AWS KMS customer
* master keys (CMKs) from the key store. When the scheduled waiting period expires, the
* ScheduleKeyDeletion operation deletes the CMKs. Then it makes a best effort to delete the key
* material from the associated cluster. However, you might need to manually delete
* the orphaned key material from the cluster and its backups.
*
*
* After all CMKs are deleted from AWS KMS, use DisconnectCustomKeyStore to disconnect the key store from AWS
* KMS. Then, you can delete the custom key store.
*
*
* Instead of deleting the custom key store, consider using DisconnectCustomKeyStore to disconnect it from
* AWS KMS. While the key store is disconnected, you cannot create or use the CMKs in the key store. But, you do not
* need to delete CMKs and you can reconnect a disconnected custom key store at any time.
*
*
* If the operation succeeds, it returns a JSON object with no properties.
*
*
* This operation is part of the Custom Key Store
* feature feature in AWS KMS, which combines the convenience and extensive integration of AWS KMS with the
* isolation and control of a single-tenant key store.
*
*
* @param deleteCustomKeyStoreRequest
* @return Result of the DeleteCustomKeyStore operation returned by the service.
* @throws CustomKeyStoreHasCMKsException
* The request was rejected because the custom key store contains AWS KMS customer master keys (CMKs). After
* verifying that you do not need to use the CMKs, use the ScheduleKeyDeletion operation to delete
* the CMKs. After they are deleted, you can delete the custom key store.
* @throws CustomKeyStoreInvalidStateException
* The request was rejected because of the ConnectionState of the custom key store. To get the
* ConnectionState of a custom key store, use the DescribeCustomKeyStores operation.
*
* This exception is thrown under the following conditions:
*
*
* -
*
* You requested the CreateKey or GenerateRandom operation in a custom key store that is not
* connected. These operations are valid only when the custom key store ConnectionState is
* CONNECTED.
*
*
* -
*
* You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation on a custom key
* store that is not disconnected. This operation is valid only when the custom key store
* ConnectionState is DISCONNECTED.
*
*
* -
*
* You requested the ConnectCustomKeyStore operation on a custom key store with a
* ConnectionState of DISCONNECTING or FAILED. This operation is
* valid for all other ConnectionState values.
*
*
* @throws CustomKeyStoreNotFoundException
* The request was rejected because AWS KMS cannot find a custom key store with the specified key store name
* or ID.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @sample AWSKMS.DeleteCustomKeyStore
* @see AWS API
* Documentation
*/
@Override
public DeleteCustomKeyStoreResult deleteCustomKeyStore(DeleteCustomKeyStoreRequest request) {
request = beforeClientExecution(request);
return executeDeleteCustomKeyStore(request);
}
@SdkInternalApi
final DeleteCustomKeyStoreResult executeDeleteCustomKeyStore(DeleteCustomKeyStoreRequest deleteCustomKeyStoreRequest) {
ExecutionContext executionContext = createExecutionContext(deleteCustomKeyStoreRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new DeleteCustomKeyStoreRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(deleteCustomKeyStoreRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "DeleteCustomKeyStore");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(
new JsonOperationMetadata().withPayloadJson(true).withHasStreamingSuccessResponse(false), new DeleteCustomKeyStoreResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Deletes key material that you previously imported. This operation makes the specified customer master key (CMK)
* unusable. For more information about importing key material into AWS KMS, see Importing Key Material in
* the AWS Key Management Service Developer Guide. You cannot perform this operation on a CMK in a different
* AWS account.
*
*
* When the specified CMK is in the PendingDeletion state, this operation does not change the CMK's
* state. Otherwise, it changes the CMK's state to PendingImport.
*
*
* After you delete key material, you can use ImportKeyMaterial to reimport the same key material into the
* CMK.
*
*
* The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a
* Customer Master Key in the AWS Key Management Service Developer Guide.
*
*
* @param deleteImportedKeyMaterialRequest
* @return Result of the DeleteImportedKeyMaterial operation returned by the service.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws UnsupportedOperationException
* The request was rejected because a specified parameter is not supported or a specified resource is not
* valid for this operation.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a CMK, see How Key State Affects Use of
* a Customer Master Key in the AWS Key Management Service Developer Guide .
* @sample AWSKMS.DeleteImportedKeyMaterial
* @see AWS
* API Documentation
*/
@Override
public DeleteImportedKeyMaterialResult deleteImportedKeyMaterial(DeleteImportedKeyMaterialRequest request) {
request = beforeClientExecution(request);
return executeDeleteImportedKeyMaterial(request);
}
@SdkInternalApi
final DeleteImportedKeyMaterialResult executeDeleteImportedKeyMaterial(DeleteImportedKeyMaterialRequest deleteImportedKeyMaterialRequest) {
ExecutionContext executionContext = createExecutionContext(deleteImportedKeyMaterialRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new DeleteImportedKeyMaterialRequestProtocolMarshaller(protocolFactory).marshall(super
.beforeMarshalling(deleteImportedKeyMaterialRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "DeleteImportedKeyMaterial");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(
new JsonOperationMetadata().withPayloadJson(true).withHasStreamingSuccessResponse(false),
new DeleteImportedKeyMaterialResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Gets information about custom key stores
* in the account and region.
*
*
* This operation is part of the Custom Key Store
* feature feature in AWS KMS, which combines the convenience and extensive integration of AWS KMS with the
* isolation and control of a single-tenant key store.
*
*
* By default, this operation returns information about all custom key stores in the account and region. To get only
* information about a particular custom key store, use either the CustomKeyStoreName or
* CustomKeyStoreId parameter (but not both).
*
*
* To determine whether the custom key store is connected to its AWS CloudHSM cluster, use the
* ConnectionState element in the response. If an attempt to connect the custom key store failed, the
* ConnectionState value is FAILED and the ConnectionErrorCode element in the
* response indicates the cause of the failure. For help interpreting the ConnectionErrorCode, see
* CustomKeyStoresListEntry.
*
*
* Custom key stores have a DISCONNECTED connection state if the key store has never been connected or
* you use the DisconnectCustomKeyStore operation to disconnect it. If your custom key store state is
* CONNECTED but you are having trouble using it, make sure that its associated AWS CloudHSM cluster is
* active and contains the minimum number of HSMs required for the operation, if any.
*
*
* For help repairing your custom key store, see the Troubleshooting Custom Key
* Stores topic in the AWS Key Management Service Developer Guide.
*
*
* @param describeCustomKeyStoresRequest
* @return Result of the DescribeCustomKeyStores operation returned by the service.
* @throws CustomKeyStoreNotFoundException
* The request was rejected because AWS KMS cannot find a custom key store with the specified key store name
* or ID.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @sample AWSKMS.DescribeCustomKeyStores
* @see AWS
* API Documentation
*/
@Override
public DescribeCustomKeyStoresResult describeCustomKeyStores(DescribeCustomKeyStoresRequest request) {
request = beforeClientExecution(request);
return executeDescribeCustomKeyStores(request);
}
@SdkInternalApi
final DescribeCustomKeyStoresResult executeDescribeCustomKeyStores(DescribeCustomKeyStoresRequest describeCustomKeyStoresRequest) {
ExecutionContext executionContext = createExecutionContext(describeCustomKeyStoresRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new DescribeCustomKeyStoresRequestProtocolMarshaller(protocolFactory).marshall(super
.beforeMarshalling(describeCustomKeyStoresRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "DescribeCustomKeyStores");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(
new JsonOperationMetadata().withPayloadJson(true).withHasStreamingSuccessResponse(false),
new DescribeCustomKeyStoresResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Provides detailed information about a customer master key (CMK). You can run DescribeKey on a customer managed CMK
* or an AWS managed
* CMK.
*
*
* This detailed information includes the key ARN, creation date (and deletion date, if applicable), the key state,
* and the origin and expiration date (if any) of the key material. For CMKs in custom key stores, it includes
* information about the custom key store, such as the key store ID and the AWS CloudHSM cluster ID. It includes
* fields, like KeySpec, that help you distinguish symmetric from asymmetric CMKs. It also provides
* information that is particularly important to asymmetric CMKs, such as the key usage (encryption or signing) and
* the encryption algorithms or signing algorithms that the CMK supports.
*
*
* DescribeKey does not return the following information:
*
*
* -
*
* Aliases associated with the CMK. To get this information, use ListAliases.
*
*
* -
*
* Whether automatic key rotation is enabled on the CMK. To get this information, use GetKeyRotationStatus.
* Also, some key states prevent a CMK from being automatically rotated. For details, see How
* Automatic Key Rotation Works in AWS Key Management Service Developer Guide.
*
*
* -
*
* Tags on the CMK. To get this information, use ListResourceTags.
*
*
* -
*
* Key policies and grants on the CMK. To get this information, use GetKeyPolicy and ListGrants.
*
*
*
*
* If you call the DescribeKey operation on a predefined AWS alias, that is, an AWS alias with
* no key ID, AWS KMS creates an AWS managed CMK. Then,
* it associates the alias with the new CMK, and returns the KeyId and Arn of the new CMK
* in the response.
*
*
* To perform this operation on a CMK in a different AWS account, specify the key ARN or alias ARN in the value of
* the KeyId parameter.
*
*
* @param describeKeyRequest
* @return Result of the DescribeKey operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @sample AWSKMS.DescribeKey
* @see AWS API
* Documentation
*/
@Override
public DescribeKeyResult describeKey(DescribeKeyRequest request) {
request = beforeClientExecution(request);
return executeDescribeKey(request);
}
@SdkInternalApi
final DescribeKeyResult executeDescribeKey(DescribeKeyRequest describeKeyRequest) {
ExecutionContext executionContext = createExecutionContext(describeKeyRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new DescribeKeyRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(describeKeyRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "DescribeKey");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(
new JsonOperationMetadata().withPayloadJson(true).withHasStreamingSuccessResponse(false), new DescribeKeyResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Sets the state of a customer master key (CMK) to disabled, thereby preventing its use for cryptographic
* operations. You cannot perform this operation on a CMK in a different AWS account.
*
*
* For more information about how key state affects the use of a CMK, see How Key State Affects the Use of a
* Customer Master Key in the AWS Key Management Service Developer Guide .
*
*
* The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a
* Customer Master Key in the AWS Key Management Service Developer Guide.
*
*
* @param disableKeyRequest
* @return Result of the DisableKey operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a CMK, see How Key State Affects Use of
* a Customer Master Key in the AWS Key Management Service Developer Guide .
* @sample AWSKMS.DisableKey
* @see AWS API
* Documentation
*/
@Override
public DisableKeyResult disableKey(DisableKeyRequest request) {
request = beforeClientExecution(request);
return executeDisableKey(request);
}
@SdkInternalApi
final DisableKeyResult executeDisableKey(DisableKeyRequest disableKeyRequest) {
ExecutionContext executionContext = createExecutionContext(disableKeyRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new DisableKeyRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(disableKeyRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "DisableKey");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(new JsonOperationMetadata()
.withPayloadJson(true).withHasStreamingSuccessResponse(false), new DisableKeyResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Disables automatic rotation of
* the key material for the specified symmetric customer master key (CMK).
*
*
* You cannot enable automatic rotation of asymmetric CMKs, CMKs with imported key material, or CMKs in a custom key store.
* You cannot perform this operation on a CMK in a different AWS account.
*
*
* The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a
* Customer Master Key in the AWS Key Management Service Developer Guide.
*
*
* @param disableKeyRotationRequest
* @return Result of the DisableKeyRotation operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DisabledException
* The request was rejected because the specified CMK is not enabled.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a CMK, see How Key State Affects Use of
* a Customer Master Key in the AWS Key Management Service Developer Guide .
* @throws UnsupportedOperationException
* The request was rejected because a specified parameter is not supported or a specified resource is not
* valid for this operation.
* @sample AWSKMS.DisableKeyRotation
* @see AWS API
* Documentation
*/
@Override
public DisableKeyRotationResult disableKeyRotation(DisableKeyRotationRequest request) {
request = beforeClientExecution(request);
return executeDisableKeyRotation(request);
}
@SdkInternalApi
final DisableKeyRotationResult executeDisableKeyRotation(DisableKeyRotationRequest disableKeyRotationRequest) {
ExecutionContext executionContext = createExecutionContext(disableKeyRotationRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new DisableKeyRotationRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(disableKeyRotationRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "DisableKeyRotation");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(
new JsonOperationMetadata().withPayloadJson(true).withHasStreamingSuccessResponse(false), new DisableKeyRotationResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Disconnects the custom key store
* from its associated AWS CloudHSM cluster. While a custom key store is disconnected, you can manage the custom key
* store and its customer master keys (CMKs), but you cannot create or use CMKs in the custom key store. You can
* reconnect the custom key store at any time.
*
*
*
* While a custom key store is disconnected, all attempts to create customer master keys (CMKs) in the custom key
* store or to use existing CMKs in cryptographic operations will fail. This action can prevent users from storing
* and accessing sensitive data.
*
*
*
*
* To find the connection state of a custom key store, use the DescribeCustomKeyStores operation. To
* reconnect a custom key store, use the ConnectCustomKeyStore operation.
*
*
* If the operation succeeds, it returns a JSON object with no properties.
*
*
* This operation is part of the Custom Key Store
* feature feature in AWS KMS, which combines the convenience and extensive integration of AWS KMS with the
* isolation and control of a single-tenant key store.
*
*
* @param disconnectCustomKeyStoreRequest
* @return Result of the DisconnectCustomKeyStore operation returned by the service.
* @throws CustomKeyStoreInvalidStateException
* The request was rejected because of the ConnectionState of the custom key store. To get the
* ConnectionState of a custom key store, use the DescribeCustomKeyStores operation.
*
* This exception is thrown under the following conditions:
*
*
* -
*
* You requested the CreateKey or GenerateRandom operation in a custom key store that is not
* connected. These operations are valid only when the custom key store ConnectionState is
* CONNECTED.
*
*
* -
*
* You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation on a custom key
* store that is not disconnected. This operation is valid only when the custom key store
* ConnectionState is DISCONNECTED.
*
*
* -
*
* You requested the ConnectCustomKeyStore operation on a custom key store with a
* ConnectionState of DISCONNECTING or FAILED. This operation is
* valid for all other ConnectionState values.
*
*
* @throws CustomKeyStoreNotFoundException
* The request was rejected because AWS KMS cannot find a custom key store with the specified key store name
* or ID.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @sample AWSKMS.DisconnectCustomKeyStore
* @see AWS
* API Documentation
*/
@Override
public DisconnectCustomKeyStoreResult disconnectCustomKeyStore(DisconnectCustomKeyStoreRequest request) {
request = beforeClientExecution(request);
return executeDisconnectCustomKeyStore(request);
}
@SdkInternalApi
final DisconnectCustomKeyStoreResult executeDisconnectCustomKeyStore(DisconnectCustomKeyStoreRequest disconnectCustomKeyStoreRequest) {
ExecutionContext executionContext = createExecutionContext(disconnectCustomKeyStoreRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new DisconnectCustomKeyStoreRequestProtocolMarshaller(protocolFactory).marshall(super
.beforeMarshalling(disconnectCustomKeyStoreRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "DisconnectCustomKeyStore");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(
new JsonOperationMetadata().withPayloadJson(true).withHasStreamingSuccessResponse(false),
new DisconnectCustomKeyStoreResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Sets the key state of a customer master key (CMK) to enabled. This allows you to use the CMK for cryptographic
* operations. You cannot perform this operation on a CMK in a different AWS account.
*
*
* The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a
* Customer Master Key in the AWS Key Management Service Developer Guide.
*
*
* @param enableKeyRequest
* @return Result of the EnableKey operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws LimitExceededException
* The request was rejected because a limit was exceeded. For more information, see Limits in the AWS Key
* Management Service Developer Guide.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a CMK, see How Key State Affects Use of
* a Customer Master Key in the AWS Key Management Service Developer Guide .
* @sample AWSKMS.EnableKey
* @see AWS API
* Documentation
*/
@Override
public EnableKeyResult enableKey(EnableKeyRequest request) {
request = beforeClientExecution(request);
return executeEnableKey(request);
}
@SdkInternalApi
final EnableKeyResult executeEnableKey(EnableKeyRequest enableKeyRequest) {
ExecutionContext executionContext = createExecutionContext(enableKeyRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new EnableKeyRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(enableKeyRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "EnableKey");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(new JsonOperationMetadata()
.withPayloadJson(true).withHasStreamingSuccessResponse(false), new EnableKeyResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Enables automatic rotation of
* the key material for the specified symmetric customer master key (CMK). You cannot perform this operation on
* a CMK in a different AWS account.
*
*
* You cannot enable automatic rotation of asymmetric CMKs, CMKs with imported key material, or CMKs in a custom key store.
*
*
* The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a
* Customer Master Key in the AWS Key Management Service Developer Guide.
*
*
* @param enableKeyRotationRequest
* @return Result of the EnableKeyRotation operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DisabledException
* The request was rejected because the specified CMK is not enabled.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a CMK, see How Key State Affects Use of
* a Customer Master Key in the AWS Key Management Service Developer Guide .
* @throws UnsupportedOperationException
* The request was rejected because a specified parameter is not supported or a specified resource is not
* valid for this operation.
* @sample AWSKMS.EnableKeyRotation
* @see AWS API
* Documentation
*/
@Override
public EnableKeyRotationResult enableKeyRotation(EnableKeyRotationRequest request) {
request = beforeClientExecution(request);
return executeEnableKeyRotation(request);
}
@SdkInternalApi
final EnableKeyRotationResult executeEnableKeyRotation(EnableKeyRotationRequest enableKeyRotationRequest) {
ExecutionContext executionContext = createExecutionContext(enableKeyRotationRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new EnableKeyRotationRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(enableKeyRotationRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "EnableKeyRotation");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(
new JsonOperationMetadata().withPayloadJson(true).withHasStreamingSuccessResponse(false), new EnableKeyRotationResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Encrypts plaintext into ciphertext by using a customer master key (CMK). The Encrypt operation has
* two primary use cases:
*
*
* -
*
* You can encrypt small amounts of arbitrary data, such as a personal identifier or database password, or other
* sensitive information.
*
*
* -
*
* You can use the Encrypt operation to move encrypted data from one AWS region to another. In the
* first region, generate a data key and use the plaintext key to encrypt the data. Then, in the new region, call
* the Encrypt method on same plaintext data key. Now, you can safely move the encrypted data and
* encrypted data key to the new region, and decrypt in the new region when necessary.
*
*
*
*
* You don't need to use the Encrypt operation to encrypt a data key. The GenerateDataKey and
* GenerateDataKeyPair operations return a plaintext data key and an encrypted copy of that data key.
*
*
* When you encrypt data, you must specify a symmetric or asymmetric CMK to use in the encryption operation. The CMK
* must have a KeyUsage value of ENCRYPT_DECRYPT. To find the KeyUsage of a
* CMK, use the DescribeKey operation.
*
*
* If you use a symmetric CMK, you can use an encryption context to add additional security to your encryption
* operation. If you specify an EncryptionContext when encrypting data, you must specify the same
* encryption context (a case-sensitive exact match) when decrypting the data. Otherwise, the request to decrypt
* fails with an InvalidCiphertextException. For more information, see Encryption Context
* in the AWS Key Management Service Developer Guide.
*
*
* If you specify an asymmetric CMK, you must also specify the encryption algorithm. The algorithm must be
* compatible with the CMK type.
*
*
*
* When you use an asymmetric CMK to encrypt or reencrypt data, be sure to record the CMK and encryption algorithm
* that you choose. You will be required to provide the same CMK and encryption algorithm when you decrypt the data.
* If the CMK and algorithm do not match the values used to encrypt the data, the decrypt operation fails.
*
*
* You are not required to supply the CMK ID and encryption algorithm when you decrypt with symmetric CMKs because
* AWS KMS stores this information in the ciphertext blob. AWS KMS cannot store metadata in ciphertext generated
* with asymmetric keys. The standard format for asymmetric key ciphertext does not include configurable fields.
*
*
*
* The maximum size of the data that you can encrypt varies with the type of CMK and the encryption algorithm that
* you choose.
*
*
* -
*
* Symmetric CMKs
*
*
* -
*
* SYMMETRIC_DEFAULT: 4096 bytes
*
*
*
*
* -
*
* RSA_2048
*
*
* -
*
* RSAES_OAEP_SHA_1: 214 bytes
*
*
* -
*
* RSAES_OAEP_SHA_256: 190 bytes
*
*
*
*
* -
*
* RSA_3072
*
*
* -
*
* RSAES_OAEP_SHA_1: 342 bytes
*
*
* -
*
* RSAES_OAEP_SHA_256: 318 bytes
*
*
*
*
* -
*
* RSA_4096
*
*
* -
*
* RSAES_OAEP_SHA_1: 470 bytes
*
*
* -
*
* RSAES_OAEP_SHA_256: 446 bytes
*
*
*
*
*
*
* The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a
* Customer Master Key in the AWS Key Management Service Developer Guide.
*
*
* To perform this operation on a CMK in a different AWS account, specify the key ARN or alias ARN in the value of
* the KeyId parameter.
*
*
* @param encryptRequest
* @return Result of the Encrypt operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DisabledException
* The request was rejected because the specified CMK is not enabled.
* @throws KeyUnavailableException
* The request was rejected because the specified CMK was not available. You can retry the request.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidKeyUsageException
* The request was rejected for one of the following reasons:
*
* -
*
* The KeyUsage value of the CMK is incompatible with the API operation.
*
*
* -
*
* The encryption algorithm or signing algorithm specified for the operation is incompatible with the type
* of key material in the CMK (CustomerMasterKeySpec).
*
*
*
*
* For encrypting, decrypting, re-encrypting, and generating data keys, the KeyUsage must be
* ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage must be
* SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey
* operation.
*
*
* To find the encryption or signing algorithms supported for a particular CMK, use the DescribeKey
* operation.
* @throws InvalidGrantTokenException
* The request was rejected because the specified grant token is not valid.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
*
* For more information about how key state affects the use of a CMK, see How Key State Affects Use of
* a Customer Master Key in the AWS Key Management Service Developer Guide .
* @sample AWSKMS.Encrypt
* @see AWS API
* Documentation
*/
@Override
public EncryptResult encrypt(EncryptRequest request) {
request = beforeClientExecution(request);
return executeEncrypt(request);
}
@SdkInternalApi
final EncryptResult executeEncrypt(EncryptRequest encryptRequest) {
ExecutionContext executionContext = createExecutionContext(encryptRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new EncryptRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(encryptRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "Encrypt");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(new JsonOperationMetadata()
.withPayloadJson(true).withHasStreamingSuccessResponse(false), new EncryptResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Generates a unique symmetric data key. This operation returns a plaintext copy of the data key and a copy that is
* encrypted under a customer master key (CMK) that you specify. You can use the plaintext key to encrypt your data
* outside of AWS KMS and store the encrypted data key with the encrypted data.
*
*
* GenerateDataKey returns a unique data key for each request. The bytes in the key are not related to
* the caller or CMK that is used to encrypt the data key.
*
*
* To generate a data key, specify the symmetric CMK that will be used to encrypt the data key. You cannot use an
* asymmetric CMK to generate data keys.
*
*
* You must also specify the length of the data key. Use either the KeySpec or
* NumberOfBytes parameters (but not both). For 128-bit and 256-bit data keys, use the
* KeySpec parameter.
*
*
* If the operation succeeds, the plaintext copy of the data key is in the Plaintext field of the
* response, and the encrypted copy of the data key in the CiphertextBlob field.
*
*
* To get only an encrypted copy of the data key, use GenerateDataKeyWithoutPlaintext. To generate an
* asymmetric data key pair, use the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext
* operation. To get a cryptographically secure random byte string, use GenerateRandom.
*
*
* You can use the optional encryption context to add additional security to the encryption operation. If you
* specify an EncryptionContext, you must specify the same encryption context (a case-sensitive exact
* match) when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an
* InvalidCiphertextException. For more information, see Encryption Context
* in the AWS Key Management Service Developer Guide.
*
*
* The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a
* Customer Master Key in the AWS Key Management Service Developer Guide.
*
*
* We recommend that you use the following pattern to encrypt data locally in your application:
*
*
* -
*
* Use the GenerateDataKey operation to get a data encryption key.
*
*
* -
*
* Use the plaintext data key (returned in the Plaintext field of the response) to encrypt data
* locally, then erase the plaintext data key from memory.
*
*
* -
*
* Store the encrypted data key (returned in the CiphertextBlob field of the response) alongside the
* locally encrypted data.
*
*
*
*
* To decrypt data locally:
*
*
* -
*
* Use the Decrypt operation to decrypt the encrypted data key. The operation returns a plaintext copy of the
* data key.
*
*
* -
*
* Use the plaintext data key to decrypt data locally, then erase the plaintext data key from memory.
*
*
*
*
* @param generateDataKeyRequest
* @return Result of the GenerateDataKey operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DisabledException
* The request was rejected because the specified CMK is not enabled.
* @throws KeyUnavailableException
* The request was rejected because the specified CMK was not available. You can retry the request.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidKeyUsageException
* The request was rejected for one of the following reasons:
*
* -
*
* The KeyUsage value of the CMK is incompatible with the API operation.
*
*
* -
*
* The encryption algorithm or signing algorithm specified for the operation is incompatible with the type
* of key material in the CMK (CustomerMasterKeySpec).
*
*
*
*
* For encrypting, decrypting, re-encrypting, and generating data keys, the KeyUsage must be
* ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage must be
* SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey
* operation.
*
*
* To find the encryption or signing algorithms supported for a particular CMK, use the DescribeKey
* operation.
* @throws InvalidGrantTokenException
* The request was rejected because the specified grant token is not valid.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
*
* For more information about how key state affects the use of a CMK, see How Key State Affects Use of
* a Customer Master Key in the AWS Key Management Service Developer Guide .
* @sample AWSKMS.GenerateDataKey
* @see AWS API
* Documentation
*/
@Override
public GenerateDataKeyResult generateDataKey(GenerateDataKeyRequest request) {
request = beforeClientExecution(request);
return executeGenerateDataKey(request);
}
@SdkInternalApi
final GenerateDataKeyResult executeGenerateDataKey(GenerateDataKeyRequest generateDataKeyRequest) {
ExecutionContext executionContext = createExecutionContext(generateDataKeyRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new GenerateDataKeyRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(generateDataKeyRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "GenerateDataKey");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(
new JsonOperationMetadata().withPayloadJson(true).withHasStreamingSuccessResponse(false), new GenerateDataKeyResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Generates a unique asymmetric data key pair. The GenerateDataKeyPair operation returns a plaintext
* public key, a plaintext private key, and a copy of the private key that is encrypted under the symmetric CMK you
* specify. You can use the data key pair to perform asymmetric cryptography outside of AWS KMS.
*
*
* GenerateDataKeyPair returns a unique data key pair for each request. The bytes in the keys are not
* related to the caller or the CMK that is used to encrypt the private key.
*
*
* You can use the public key that GenerateDataKeyPair returns to encrypt data or verify a signature
* outside of AWS KMS. Then, store the encrypted private key with the data. When you are ready to decrypt data or
* sign a message, you can use the Decrypt operation to decrypt the encrypted private key.
*
*
* To generate a data key pair, you must specify a symmetric customer master key (CMK) to encrypt the private key in
* a data key pair. You cannot use an asymmetric CMK. To get the type of your CMK, use the DescribeKey
* operation.
*
*
* If you are using the data key pair to encrypt data, or for any operation where you don't immediately need a
* private key, consider using the GenerateDataKeyPairWithoutPlaintext operation.
* GenerateDataKeyPairWithoutPlaintext returns a plaintext public key and an encrypted private key, but
* omits the plaintext private key that you need only to decrypt ciphertext or sign a message. Later, when you need
* to decrypt the data or sign a message, use the Decrypt operation to decrypt the encrypted private key in
* the data key pair.
*
*
* You can use the optional encryption context to add additional security to the encryption operation. If you
* specify an EncryptionContext, you must specify the same encryption context (a case-sensitive exact
* match) when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an
* InvalidCiphertextException. For more information, see Encryption Context
* in the AWS Key Management Service Developer Guide.
*
*
* The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a
* Customer Master Key in the AWS Key Management Service Developer Guide.
*
*
* @param generateDataKeyPairRequest
* @return Result of the GenerateDataKeyPair operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DisabledException
* The request was rejected because the specified CMK is not enabled.
* @throws KeyUnavailableException
* The request was rejected because the specified CMK was not available. You can retry the request.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidKeyUsageException
* The request was rejected for one of the following reasons:
*
* -
*
* The KeyUsage value of the CMK is incompatible with the API operation.
*
*
* -
*
* The encryption algorithm or signing algorithm specified for the operation is incompatible with the type
* of key material in the CMK (CustomerMasterKeySpec).
*
*
*
*
* For encrypting, decrypting, re-encrypting, and generating data keys, the KeyUsage must be
* ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage must be
* SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey
* operation.
*
*
* To find the encryption or signing algorithms supported for a particular CMK, use the DescribeKey
* operation.
* @throws InvalidGrantTokenException
* The request was rejected because the specified grant token is not valid.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
*
* For more information about how key state affects the use of a CMK, see How Key State Affects Use of
* a Customer Master Key in the AWS Key Management Service Developer Guide .
* @sample AWSKMS.GenerateDataKeyPair
* @see AWS API
* Documentation
*/
@Override
public GenerateDataKeyPairResult generateDataKeyPair(GenerateDataKeyPairRequest request) {
request = beforeClientExecution(request);
return executeGenerateDataKeyPair(request);
}
@SdkInternalApi
final GenerateDataKeyPairResult executeGenerateDataKeyPair(GenerateDataKeyPairRequest generateDataKeyPairRequest) {
ExecutionContext executionContext = createExecutionContext(generateDataKeyPairRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new GenerateDataKeyPairRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(generateDataKeyPairRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "GenerateDataKeyPair");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(
new JsonOperationMetadata().withPayloadJson(true).withHasStreamingSuccessResponse(false), new GenerateDataKeyPairResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Generates a unique asymmetric data key pair. The GenerateDataKeyPairWithoutPlaintext operation
* returns a plaintext public key and a copy of the private key that is encrypted under the symmetric CMK you
* specify. Unlike GenerateDataKeyPair, this operation does not return a plaintext private key.
*
*
* To generate a data key pair, you must specify a symmetric customer master key (CMK) to encrypt the private key in
* the data key pair. You cannot use an asymmetric CMK. To get the type of your CMK, use the KeySpec
* field in the DescribeKey response.
*
*
* You can use the public key that GenerateDataKeyPairWithoutPlaintext returns to encrypt data or
* verify a signature outside of AWS KMS. Then, store the encrypted private key with the data. When you are ready to
* decrypt data or sign a message, you can use the Decrypt operation to decrypt the encrypted private key.
*
*
* GenerateDataKeyPairWithoutPlaintext returns a unique data key pair for each request. The bytes in
* the key are not related to the caller or CMK that is used to encrypt the private key.
*
*
* You can use the optional encryption context to add additional security to the encryption operation. If you
* specify an EncryptionContext, you must specify the same encryption context (a case-sensitive exact
* match) when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an
* InvalidCiphertextException. For more information, see Encryption Context
* in the AWS Key Management Service Developer Guide.
*
*
* The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a
* Customer Master Key in the AWS Key Management Service Developer Guide.
*
*
* @param generateDataKeyPairWithoutPlaintextRequest
* @return Result of the GenerateDataKeyPairWithoutPlaintext operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DisabledException
* The request was rejected because the specified CMK is not enabled.
* @throws KeyUnavailableException
* The request was rejected because the specified CMK was not available. You can retry the request.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidKeyUsageException
* The request was rejected for one of the following reasons:
*
* -
*
* The KeyUsage value of the CMK is incompatible with the API operation.
*
*
* -
*
* The encryption algorithm or signing algorithm specified for the operation is incompatible with the type
* of key material in the CMK (CustomerMasterKeySpec).
*
*
*
*
* For encrypting, decrypting, re-encrypting, and generating data keys, the KeyUsage must be
* ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage must be
* SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey
* operation.
*
*
* To find the encryption or signing algorithms supported for a particular CMK, use the DescribeKey
* operation.
* @throws InvalidGrantTokenException
* The request was rejected because the specified grant token is not valid.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
*
* For more information about how key state affects the use of a CMK, see How Key State Affects Use of
* a Customer Master Key in the AWS Key Management Service Developer Guide .
* @sample AWSKMS.GenerateDataKeyPairWithoutPlaintext
* @see AWS API Documentation
*/
@Override
public GenerateDataKeyPairWithoutPlaintextResult generateDataKeyPairWithoutPlaintext(GenerateDataKeyPairWithoutPlaintextRequest request) {
request = beforeClientExecution(request);
return executeGenerateDataKeyPairWithoutPlaintext(request);
}
@SdkInternalApi
final GenerateDataKeyPairWithoutPlaintextResult executeGenerateDataKeyPairWithoutPlaintext(
GenerateDataKeyPairWithoutPlaintextRequest generateDataKeyPairWithoutPlaintextRequest) {
ExecutionContext executionContext = createExecutionContext(generateDataKeyPairWithoutPlaintextRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new GenerateDataKeyPairWithoutPlaintextRequestProtocolMarshaller(protocolFactory).marshall(super
.beforeMarshalling(generateDataKeyPairWithoutPlaintextRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "GenerateDataKeyPairWithoutPlaintext");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(
new JsonOperationMetadata().withPayloadJson(true).withHasStreamingSuccessResponse(false),
new GenerateDataKeyPairWithoutPlaintextResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Generates a unique symmetric data key. This operation returns a data key that is encrypted under a customer
* master key (CMK) that you specify. To request an asymmetric data key pair, use the GenerateDataKeyPair or
* GenerateDataKeyPairWithoutPlaintext operations.
*
*
* GenerateDataKeyWithoutPlaintext is identical to the GenerateDataKey operation except that
* returns only the encrypted copy of the data key. This operation is useful for systems that need to encrypt data
* at some point, but not immediately. When you need to encrypt the data, you call the Decrypt operation on
* the encrypted copy of the key.
*
*
* It's also useful in distributed systems with different levels of trust. For example, you might store encrypted
* data in containers. One component of your system creates new containers and stores an encrypted data key with
* each container. Then, a different component puts the data into the containers. That component first decrypts the
* data key, uses the plaintext data key to encrypt data, puts the encrypted data into the container, and then
* destroys the plaintext data key. In this system, the component that creates the containers never sees the
* plaintext data key.
*
*
* GenerateDataKeyWithoutPlaintext returns a unique data key for each request. The bytes in the keys
* are not related to the caller or CMK that is used to encrypt the private key.
*
*
* To generate a data key, you must specify the symmetric customer master key (CMK) that is used to encrypt the data
* key. You cannot use an asymmetric CMK to generate a data key. To get the type of your CMK, use the
* KeySpec field in the DescribeKey response. You must also specify the length of the data key
* using either the KeySpec or NumberOfBytes field (but not both). For common key lengths
* (128-bit and 256-bit symmetric keys), use the KeySpec parameter.
*
*
* If the operation succeeds, you will find the plaintext copy of the data key in the Plaintext field
* of the response, and the encrypted copy of the data key in the CiphertextBlob field.
*
*
* You can use the optional encryption context to add additional security to the encryption operation. If you
* specify an EncryptionContext, you must specify the same encryption context (a case-sensitive exact
* match) when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an
* InvalidCiphertextException. For more information, see Encryption Context
* in the AWS Key Management Service Developer Guide.
*
*
* The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a
* Customer Master Key in the AWS Key Management Service Developer Guide.
*
*
* @param generateDataKeyWithoutPlaintextRequest
* @return Result of the GenerateDataKeyWithoutPlaintext operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DisabledException
* The request was rejected because the specified CMK is not enabled.
* @throws KeyUnavailableException
* The request was rejected because the specified CMK was not available. You can retry the request.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidKeyUsageException
* The request was rejected for one of the following reasons:
*
* -
*
* The KeyUsage value of the CMK is incompatible with the API operation.
*
*
* -
*
* The encryption algorithm or signing algorithm specified for the operation is incompatible with the type
* of key material in the CMK (CustomerMasterKeySpec).
*
*
*
*
* For encrypting, decrypting, re-encrypting, and generating data keys, the KeyUsage must be
* ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage must be
* SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey
* operation.
*
*
* To find the encryption or signing algorithms supported for a particular CMK, use the DescribeKey
* operation.
* @throws InvalidGrantTokenException
* The request was rejected because the specified grant token is not valid.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
*
* For more information about how key state affects the use of a CMK, see How Key State Affects Use of
* a Customer Master Key in the AWS Key Management Service Developer Guide .
* @sample AWSKMS.GenerateDataKeyWithoutPlaintext
* @see AWS API Documentation
*/
@Override
public GenerateDataKeyWithoutPlaintextResult generateDataKeyWithoutPlaintext(GenerateDataKeyWithoutPlaintextRequest request) {
request = beforeClientExecution(request);
return executeGenerateDataKeyWithoutPlaintext(request);
}
@SdkInternalApi
final GenerateDataKeyWithoutPlaintextResult executeGenerateDataKeyWithoutPlaintext(
GenerateDataKeyWithoutPlaintextRequest generateDataKeyWithoutPlaintextRequest) {
ExecutionContext executionContext = createExecutionContext(generateDataKeyWithoutPlaintextRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new GenerateDataKeyWithoutPlaintextRequestProtocolMarshaller(protocolFactory).marshall(super
.beforeMarshalling(generateDataKeyWithoutPlaintextRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "GenerateDataKeyWithoutPlaintext");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(
new JsonOperationMetadata().withPayloadJson(true).withHasStreamingSuccessResponse(false),
new GenerateDataKeyWithoutPlaintextResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Returns a random byte string that is cryptographically secure.
*
*
* By default, the random byte string is generated in AWS KMS. To generate the byte string in the AWS CloudHSM
* cluster that is associated with a custom key store,
* specify the custom key store ID.
*
*
* For more information about entropy and random number generation, see the AWS Key Management Service
* Cryptographic Details whitepaper.
*
*
* @param generateRandomRequest
* @return Result of the GenerateRandom operation returned by the service.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws CustomKeyStoreNotFoundException
* The request was rejected because AWS KMS cannot find a custom key store with the specified key store name
* or ID.
* @throws CustomKeyStoreInvalidStateException
* The request was rejected because of the ConnectionState of the custom key store. To get the
* ConnectionState of a custom key store, use the DescribeCustomKeyStores operation.
*
* This exception is thrown under the following conditions:
*
*
* -
*
* You requested the CreateKey or GenerateRandom operation in a custom key store that is not
* connected. These operations are valid only when the custom key store ConnectionState is
* CONNECTED.
*
*
* -
*
* You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation on a custom key
* store that is not disconnected. This operation is valid only when the custom key store
* ConnectionState is DISCONNECTED.
*
*
* -
*
* You requested the ConnectCustomKeyStore operation on a custom key store with a
* ConnectionState of DISCONNECTING or FAILED. This operation is
* valid for all other ConnectionState values.
*
*
* @sample AWSKMS.GenerateRandom
* @see AWS API
* Documentation
*/
@Override
public GenerateRandomResult generateRandom(GenerateRandomRequest request) {
request = beforeClientExecution(request);
return executeGenerateRandom(request);
}
@SdkInternalApi
final GenerateRandomResult executeGenerateRandom(GenerateRandomRequest generateRandomRequest) {
ExecutionContext executionContext = createExecutionContext(generateRandomRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new GenerateRandomRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(generateRandomRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "GenerateRandom");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(
new JsonOperationMetadata().withPayloadJson(true).withHasStreamingSuccessResponse(false), new GenerateRandomResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
@Override
public GenerateRandomResult generateRandom() {
return generateRandom(new GenerateRandomRequest());
}
/**
*
* Gets a key policy attached to the specified customer master key (CMK). You cannot perform this operation on a CMK
* in a different AWS account.
*
*
* @param getKeyPolicyRequest
* @return Result of the GetKeyPolicy operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a CMK, see How Key State Affects Use of
* a Customer Master Key in the AWS Key Management Service Developer Guide .
* @sample AWSKMS.GetKeyPolicy
* @see AWS API
* Documentation
*/
@Override
public GetKeyPolicyResult getKeyPolicy(GetKeyPolicyRequest request) {
request = beforeClientExecution(request);
return executeGetKeyPolicy(request);
}
@SdkInternalApi
final GetKeyPolicyResult executeGetKeyPolicy(GetKeyPolicyRequest getKeyPolicyRequest) {
ExecutionContext executionContext = createExecutionContext(getKeyPolicyRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new GetKeyPolicyRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(getKeyPolicyRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "GetKeyPolicy");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(
new JsonOperationMetadata().withPayloadJson(true).withHasStreamingSuccessResponse(false), new GetKeyPolicyResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Gets a Boolean value that indicates whether automatic rotation of the key
* material is enabled for the specified customer master key (CMK).
*
*
* You cannot enable automatic rotation of asymmetric CMKs, CMKs with imported key material, or CMKs in a custom key store.
* The key rotation status for these CMKs is always false.
*
*
* The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a
* Customer Master Key in the AWS Key Management Service Developer Guide.
*
*
* -
*
* Disabled: The key rotation status does not change when you disable a CMK. However, while the CMK is disabled, AWS
* KMS does not rotate the backing key.
*
*
* -
*
* Pending deletion: While a CMK is pending deletion, its key rotation status is false and AWS KMS does
* not rotate the backing key. If you cancel the deletion, the original key rotation status is restored.
*
*
*
*
* To perform this operation on a CMK in a different AWS account, specify the key ARN in the value of the
* KeyId parameter.
*
*
* @param getKeyRotationStatusRequest
* @return Result of the GetKeyRotationStatus operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a CMK, see How Key State Affects Use of
* a Customer Master Key in the AWS Key Management Service Developer Guide .
* @throws UnsupportedOperationException
* The request was rejected because a specified parameter is not supported or a specified resource is not
* valid for this operation.
* @sample AWSKMS.GetKeyRotationStatus
* @see AWS API
* Documentation
*/
@Override
public GetKeyRotationStatusResult getKeyRotationStatus(GetKeyRotationStatusRequest request) {
request = beforeClientExecution(request);
return executeGetKeyRotationStatus(request);
}
@SdkInternalApi
final GetKeyRotationStatusResult executeGetKeyRotationStatus(GetKeyRotationStatusRequest getKeyRotationStatusRequest) {
ExecutionContext executionContext = createExecutionContext(getKeyRotationStatusRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new GetKeyRotationStatusRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(getKeyRotationStatusRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "GetKeyRotationStatus");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(
new JsonOperationMetadata().withPayloadJson(true).withHasStreamingSuccessResponse(false), new GetKeyRotationStatusResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Returns the items you need to import key material into a symmetric, customer managed customer master key (CMK).
* For more information about importing key material into AWS KMS, see Importing Key Material in
* the AWS Key Management Service Developer Guide.
*
*
* This operation returns a public key and an import token. Use the public key to encrypt the symmetric key
* material. Store the import token to send with a subsequent ImportKeyMaterial request.
*
*
* You must specify the key ID of the symmetric CMK into which you will import key material. This CMK's
* Origin must be EXTERNAL. You must also specify the wrapping algorithm and type of
* wrapping key (public key) that you will use to encrypt the key material. You cannot perform this operation on an
* asymmetric CMK or on any CMK in a different AWS account.
*
*
* To import key material, you must use the public key and import token from the same response. These items are
* valid for 24 hours. The expiration date and time appear in the GetParametersForImport response. You
* cannot use an expired token in an ImportKeyMaterial request. If your key and token expire, send another
* GetParametersForImport request.
*
*
* The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a
* Customer Master Key in the AWS Key Management Service Developer Guide.
*
*
* @param getParametersForImportRequest
* @return Result of the GetParametersForImport operation returned by the service.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws UnsupportedOperationException
* The request was rejected because a specified parameter is not supported or a specified resource is not
* valid for this operation.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a CMK, see How Key State Affects Use of
* a Customer Master Key in the AWS Key Management Service Developer Guide .
* @sample AWSKMS.GetParametersForImport
* @see AWS API
* Documentation
*/
@Override
public GetParametersForImportResult getParametersForImport(GetParametersForImportRequest request) {
request = beforeClientExecution(request);
return executeGetParametersForImport(request);
}
@SdkInternalApi
final GetParametersForImportResult executeGetParametersForImport(GetParametersForImportRequest getParametersForImportRequest) {
ExecutionContext executionContext = createExecutionContext(getParametersForImportRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new GetParametersForImportRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(getParametersForImportRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "GetParametersForImport");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(
new JsonOperationMetadata().withPayloadJson(true).withHasStreamingSuccessResponse(false),
new GetParametersForImportResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Returns the public key of an asymmetric CMK. Unlike the private key of a asymmetric CMK, which never leaves AWS
* KMS unencrypted, callers with kms:GetPublicKey permission can download the public key of an
* asymmetric CMK. You can share the public key to allow others to encrypt messages and verify signatures outside of
* AWS KMS. For information about symmetric and asymmetric CMKs, see Using Symmetric and
* Asymmetric CMKs in the AWS Key Management Service Developer Guide.
*
*
* You do not need to download the public key. Instead, you can use the public key within AWS KMS by calling the
* Encrypt, ReEncrypt, or Verify operations with the identifier of an asymmetric CMK. When you
* use the public key within AWS KMS, you benefit from the authentication, authorization, and logging that are part
* of every AWS KMS operation. You also reduce of risk of encrypting data that cannot be decrypted. These features
* are not effective outside of AWS KMS. For details, see Special Considerations for Downloading Public Keys.
*
*
* To help you use the public key safely outside of AWS KMS, GetPublicKey returns important information
* about the public key in the response, including:
*
*
* -
*
* CustomerMasterKeySpec: The type of key material in the public key, such as RSA_4096 or
* ECC_NIST_P521.
*
*
* -
*
* KeyUsage: Whether the key is used for encryption or signing.
*
*
* -
*
* EncryptionAlgorithms or SigningAlgorithms: A list of the encryption algorithms or the signing algorithms for the key.
*
*
*
*
* Although AWS KMS cannot enforce these restrictions on external operations, it is crucial that you use this
* information to prevent the public key from being used improperly. For example, you can prevent a public signing
* key from being used encrypt data, or prevent a public key from being used with an encryption algorithm that is
* not supported by AWS KMS. You can also avoid errors, such as using the wrong signing algorithm in a verification
* operation.
*
*
* The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a
* Customer Master Key in the AWS Key Management Service Developer Guide.
*
*
* @param getPublicKeyRequest
* @return Result of the GetPublicKey operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DisabledException
* The request was rejected because the specified CMK is not enabled.
* @throws KeyUnavailableException
* The request was rejected because the specified CMK was not available. You can retry the request.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws UnsupportedOperationException
* The request was rejected because a specified parameter is not supported or a specified resource is not
* valid for this operation.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws InvalidGrantTokenException
* The request was rejected because the specified grant token is not valid.
* @throws InvalidKeyUsageException
* The request was rejected for one of the following reasons:
*
* -
*
* The KeyUsage value of the CMK is incompatible with the API operation.
*
*
* -
*
* The encryption algorithm or signing algorithm specified for the operation is incompatible with the type
* of key material in the CMK (CustomerMasterKeySpec).
*
*
*
*
* For encrypting, decrypting, re-encrypting, and generating data keys, the KeyUsage must be
* ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage must be
* SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey
* operation.
*
*
* To find the encryption or signing algorithms supported for a particular CMK, use the DescribeKey
* operation.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
*
* For more information about how key state affects the use of a CMK, see How Key State Affects Use of
* a Customer Master Key in the AWS Key Management Service Developer Guide .
* @sample AWSKMS.GetPublicKey
* @see AWS API
* Documentation
*/
@Override
public GetPublicKeyResult getPublicKey(GetPublicKeyRequest request) {
request = beforeClientExecution(request);
return executeGetPublicKey(request);
}
@SdkInternalApi
final GetPublicKeyResult executeGetPublicKey(GetPublicKeyRequest getPublicKeyRequest) {
ExecutionContext executionContext = createExecutionContext(getPublicKeyRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new GetPublicKeyRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(getPublicKeyRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "GetPublicKey");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(
new JsonOperationMetadata().withPayloadJson(true).withHasStreamingSuccessResponse(false), new GetPublicKeyResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Imports key material into an existing symmetric AWS KMS customer master key (CMK) that was created without key
* material. After you successfully import key material into a CMK, you can reimport
* the same key material into that CMK, but you cannot import different key material.
*
*
* You cannot perform this operation on an asymmetric CMK or on any CMK in a different AWS account. For more
* information about creating CMKs with no key material and then importing key material, see Importing Key Material in
* the AWS Key Management Service Developer Guide.
*
*
* Before using this operation, call GetParametersForImport. Its response includes a public key and an import
* token. Use the public key to encrypt the key material. Then, submit the import token from the same
* GetParametersForImport response.
*
*
* When calling this operation, you must specify the following values:
*
*
* -
*
* The key ID or key ARN of a CMK with no key material. Its Origin must be EXTERNAL.
*
*
* To create a CMK with no key material, call CreateKey and set the value of its Origin
* parameter to EXTERNAL. To get the Origin of a CMK, call DescribeKey.)
*
*
* -
*
* The encrypted key material. To get the public key to encrypt the key material, call
* GetParametersForImport.
*
*
* -
*
* The import token that GetParametersForImport returned. You must use a public key and token from the same
* GetParametersForImport response.
*
*
* -
*
* Whether the key material expires and if so, when. If you set an expiration date, AWS KMS deletes the key material
* from the CMK on the specified date, and the CMK becomes unusable. To use the CMK again, you must reimport the
* same key material. The only way to change an expiration date is by reimporting the same key material and
* specifying a new expiration date.
*
*
*
*
* When this operation is successful, the key state of the CMK changes from PendingImport to
* Enabled, and you can use the CMK.
*
*
* If this operation fails, use the exception to help determine the problem. If the error is related to the key
* material, the import token, or wrapping key, use GetParametersForImport to get a new public key and import
* token for the CMK and repeat the import procedure. For help, see How To
* Import Key Material in the AWS Key Management Service Developer Guide.
*
*
* The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a
* Customer Master Key in the AWS Key Management Service Developer Guide.
*
*
* @param importKeyMaterialRequest
* @return Result of the ImportKeyMaterial operation returned by the service.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws UnsupportedOperationException
* The request was rejected because a specified parameter is not supported or a specified resource is not
* valid for this operation.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a CMK, see How Key State Affects Use of
* a Customer Master Key in the AWS Key Management Service Developer Guide .
* @throws InvalidCiphertextException
* From the Decrypt or ReEncrypt operation, the request was rejected because the specified
* ciphertext, or additional authenticated data incorporated into the ciphertext, such as the encryption
* context, is corrupted, missing, or otherwise invalid.
*
*
* From the ImportKeyMaterial operation, the request was rejected because AWS KMS could not decrypt
* the encrypted (wrapped) key material.
* @throws IncorrectKeyMaterialException
* The request was rejected because the key material in the request is, expired, invalid, or is not the same
* key material that was previously imported into this customer master key (CMK).
* @throws ExpiredImportTokenException
* The request was rejected because the specified import token is expired. Use GetParametersForImport
* to get a new import token and public key, use the new public key to encrypt the key material, and then
* try the request again.
* @throws InvalidImportTokenException
* The request was rejected because the provided import token is invalid or is associated with a different
* customer master key (CMK).
* @sample AWSKMS.ImportKeyMaterial
* @see AWS API
* Documentation
*/
@Override
public ImportKeyMaterialResult importKeyMaterial(ImportKeyMaterialRequest request) {
request = beforeClientExecution(request);
return executeImportKeyMaterial(request);
}
@SdkInternalApi
final ImportKeyMaterialResult executeImportKeyMaterial(ImportKeyMaterialRequest importKeyMaterialRequest) {
ExecutionContext executionContext = createExecutionContext(importKeyMaterialRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new ImportKeyMaterialRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(importKeyMaterialRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "ImportKeyMaterial");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(
new JsonOperationMetadata().withPayloadJson(true).withHasStreamingSuccessResponse(false), new ImportKeyMaterialResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Gets a list of aliases in the caller's AWS account and region. You cannot list aliases in other accounts. For
* more information about aliases, see CreateAlias.
*
*
* By default, the ListAliases command returns all aliases in the account and region. To get only the aliases that
* point to a particular customer master key (CMK), use the KeyId parameter.
*
*
* The ListAliases response can include aliases that you created and associated with your customer
* managed CMKs, and aliases that AWS created and associated with AWS managed CMKs in your account. You can
* recognize AWS aliases because their names have the format aws/<service-name>, such as
* aws/dynamodb.
*
*
* The response might also include aliases that have no TargetKeyId field. These are predefined aliases
* that AWS has created but has not yet associated with a CMK. Aliases that AWS creates in your account, including
* predefined aliases, do not count against your AWS KMS aliases limit.
*
*
* @param listAliasesRequest
* @return Result of the ListAliases operation returned by the service.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidMarkerException
* The request was rejected because the marker that specifies where pagination should next begin is not
* valid.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @sample AWSKMS.ListAliases
* @see AWS API
* Documentation
*/
@Override
public ListAliasesResult listAliases(ListAliasesRequest request) {
request = beforeClientExecution(request);
return executeListAliases(request);
}
@SdkInternalApi
final ListAliasesResult executeListAliases(ListAliasesRequest listAliasesRequest) {
ExecutionContext executionContext = createExecutionContext(listAliasesRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new ListAliasesRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(listAliasesRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "ListAliases");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(
new JsonOperationMetadata().withPayloadJson(true).withHasStreamingSuccessResponse(false), new ListAliasesResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
@Override
public ListAliasesResult listAliases() {
return listAliases(new ListAliasesRequest());
}
/**
*
* Gets a list of all grants for the specified customer master key (CMK).
*
*
* To perform this operation on a CMK in a different AWS account, specify the key ARN in the value of the
* KeyId parameter.
*
*
* @param listGrantsRequest
* @return Result of the ListGrants operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidMarkerException
* The request was rejected because the marker that specifies where pagination should next begin is not
* valid.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a CMK, see How Key State Affects Use of
* a Customer Master Key in the AWS Key Management Service Developer Guide .
* @sample AWSKMS.ListGrants
* @see AWS API
* Documentation
*/
@Override
public ListGrantsResult listGrants(ListGrantsRequest request) {
request = beforeClientExecution(request);
return executeListGrants(request);
}
@SdkInternalApi
final ListGrantsResult executeListGrants(ListGrantsRequest listGrantsRequest) {
ExecutionContext executionContext = createExecutionContext(listGrantsRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new ListGrantsRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(listGrantsRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "ListGrants");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(new JsonOperationMetadata()
.withPayloadJson(true).withHasStreamingSuccessResponse(false), new ListGrantsResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Gets the names of the key policies that are attached to a customer master key (CMK). This operation is designed
* to get policy names that you can use in a GetKeyPolicy operation. However, the only valid policy name is
* default. You cannot perform this operation on a CMK in a different AWS account.
*
*
* @param listKeyPoliciesRequest
* @return Result of the ListKeyPolicies operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a CMK, see How Key State Affects Use of
* a Customer Master Key in the AWS Key Management Service Developer Guide .
* @sample AWSKMS.ListKeyPolicies
* @see AWS API
* Documentation
*/
@Override
public ListKeyPoliciesResult listKeyPolicies(ListKeyPoliciesRequest request) {
request = beforeClientExecution(request);
return executeListKeyPolicies(request);
}
@SdkInternalApi
final ListKeyPoliciesResult executeListKeyPolicies(ListKeyPoliciesRequest listKeyPoliciesRequest) {
ExecutionContext executionContext = createExecutionContext(listKeyPoliciesRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new ListKeyPoliciesRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(listKeyPoliciesRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "ListKeyPolicies");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(
new JsonOperationMetadata().withPayloadJson(true).withHasStreamingSuccessResponse(false), new ListKeyPoliciesResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Gets a list of all customer master keys (CMKs) in the caller's AWS account and Region.
*
*
* @param listKeysRequest
* @return Result of the ListKeys operation returned by the service.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws InvalidMarkerException
* The request was rejected because the marker that specifies where pagination should next begin is not
* valid.
* @sample AWSKMS.ListKeys
* @see AWS API
* Documentation
*/
@Override
public ListKeysResult listKeys(ListKeysRequest request) {
request = beforeClientExecution(request);
return executeListKeys(request);
}
@SdkInternalApi
final ListKeysResult executeListKeys(ListKeysRequest listKeysRequest) {
ExecutionContext executionContext = createExecutionContext(listKeysRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new ListKeysRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(listKeysRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "ListKeys");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(new JsonOperationMetadata()
.withPayloadJson(true).withHasStreamingSuccessResponse(false), new ListKeysResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
@Override
public ListKeysResult listKeys() {
return listKeys(new ListKeysRequest());
}
/**
*
* Returns a list of all tags for the specified customer master key (CMK).
*
*
* You cannot perform this operation on a CMK in a different AWS account.
*
*
* @param listResourceTagsRequest
* @return Result of the ListResourceTags operation returned by the service.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws InvalidMarkerException
* The request was rejected because the marker that specifies where pagination should next begin is not
* valid.
* @sample AWSKMS.ListResourceTags
* @see AWS API
* Documentation
*/
@Override
public ListResourceTagsResult listResourceTags(ListResourceTagsRequest request) {
request = beforeClientExecution(request);
return executeListResourceTags(request);
}
@SdkInternalApi
final ListResourceTagsResult executeListResourceTags(ListResourceTagsRequest listResourceTagsRequest) {
ExecutionContext executionContext = createExecutionContext(listResourceTagsRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new ListResourceTagsRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(listResourceTagsRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "ListResourceTags");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(
new JsonOperationMetadata().withPayloadJson(true).withHasStreamingSuccessResponse(false), new ListResourceTagsResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Returns a list of all grants for which the grant's RetiringPrincipal matches the one specified.
*
*
* A typical use is to list all grants that you are able to retire. To retire a grant, use RetireGrant.
*
*
* @param listRetirableGrantsRequest
* @return Result of the ListRetirableGrants operation returned by the service.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidMarkerException
* The request was rejected because the marker that specifies where pagination should next begin is not
* valid.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @sample AWSKMS.ListRetirableGrants
* @see AWS API
* Documentation
*/
@Override
public ListRetirableGrantsResult listRetirableGrants(ListRetirableGrantsRequest request) {
request = beforeClientExecution(request);
return executeListRetirableGrants(request);
}
@SdkInternalApi
final ListRetirableGrantsResult executeListRetirableGrants(ListRetirableGrantsRequest listRetirableGrantsRequest) {
ExecutionContext executionContext = createExecutionContext(listRetirableGrantsRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new ListRetirableGrantsRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(listRetirableGrantsRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "ListRetirableGrants");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(
new JsonOperationMetadata().withPayloadJson(true).withHasStreamingSuccessResponse(false), new ListRetirableGrantsResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Attaches a key policy to the specified customer master key (CMK). You cannot perform this operation on a CMK in a
* different AWS account.
*
*
* For more information about key policies, see Key Policies in the AWS Key
* Management Service Developer Guide.
*
*
* @param putKeyPolicyRequest
* @return Result of the PutKeyPolicy operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws MalformedPolicyDocumentException
* The request was rejected because the specified policy is not syntactically or semantically correct.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws UnsupportedOperationException
* The request was rejected because a specified parameter is not supported or a specified resource is not
* valid for this operation.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws LimitExceededException
* The request was rejected because a limit was exceeded. For more information, see Limits in the AWS Key
* Management Service Developer Guide.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a CMK, see How Key State Affects Use of
* a Customer Master Key in the AWS Key Management Service Developer Guide .
* @sample AWSKMS.PutKeyPolicy
* @see AWS API
* Documentation
*/
@Override
public PutKeyPolicyResult putKeyPolicy(PutKeyPolicyRequest request) {
request = beforeClientExecution(request);
return executePutKeyPolicy(request);
}
@SdkInternalApi
final PutKeyPolicyResult executePutKeyPolicy(PutKeyPolicyRequest putKeyPolicyRequest) {
ExecutionContext executionContext = createExecutionContext(putKeyPolicyRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new PutKeyPolicyRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(putKeyPolicyRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "PutKeyPolicy");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(
new JsonOperationMetadata().withPayloadJson(true).withHasStreamingSuccessResponse(false), new PutKeyPolicyResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Decrypts ciphertext and then reencrypts it entirely within AWS KMS. You can use this operation to change the
* customer master key (CMK) under which data is encrypted, such as when you manually
* rotate a CMK or change the CMK that protects a ciphertext. You can also use it to reencrypt ciphertext under
* the same CMK, such as to change the encryption context of a ciphertext.
*
*
* The ReEncrypt operation can decrypt ciphertext that was encrypted by using an AWS KMS CMK in an AWS
* KMS operation, such as Encrypt or GenerateDataKey. It can also decrypt ciphertext that was
* encrypted by using the public key of an asymmetric CMK outside of AWS KMS. However, it cannot decrypt ciphertext
* produced by other libraries, such as the AWS Encryption SDK or Amazon S3 client-side
* encryption. These libraries return a ciphertext format that is incompatible with AWS KMS.
*
*
* When you use the ReEncrypt operation, you need to provide information for the decrypt operation and
* the subsequent encrypt operation.
*
*
* -
*
* If your ciphertext was encrypted under an asymmetric CMK, you must identify the source CMK, that is, the
* CMK that encrypted the ciphertext. You must also supply the encryption algorithm that was used. This information
* is required to decrypt the data.
*
*
* -
*
* It is optional, but you can specify a source CMK even when the ciphertext was encrypted under a symmetric CMK.
* This ensures that the ciphertext is decrypted only by using a particular CMK. If the CMK that you specify cannot
* decrypt the ciphertext, the ReEncrypt operation fails.
*
*
* -
*
* To reencrypt the data, you must specify the destination CMK, that is, the CMK that re-encrypts the data
* after it is decrypted. You can select a symmetric or asymmetric CMK. If the destination CMK is an asymmetric CMK,
* you must also provide the encryption algorithm. The algorithm that you choose must be compatible with the CMK.
*
*
*
* When you use an asymmetric CMK to encrypt or reencrypt data, be sure to record the CMK and encryption algorithm
* that you choose. You will be required to provide the same CMK and encryption algorithm when you decrypt the data.
* If the CMK and algorithm do not match the values used to encrypt the data, the decrypt operation fails.
*
*
* You are not required to supply the CMK ID and encryption algorithm when you decrypt with symmetric CMKs because
* AWS KMS stores this information in the ciphertext blob. AWS KMS cannot store metadata in ciphertext generated
* with asymmetric keys. The standard format for asymmetric key ciphertext does not include configurable fields.
*
*
*
*
* Unlike other AWS KMS API operations, ReEncrypt callers must have two permissions:
*
*
* -
*
* kms:EncryptFrom permission on the source CMK
*
*
* -
*
* kms:EncryptTo permission on the destination CMK
*
*
*
*
* To permit reencryption from
*
*
* or to a CMK, include the "kms:ReEncrypt*" permission in your key policy. This permission is
* automatically included in the key policy when you use the console to create a CMK. But you must include it
* manually when you create a CMK programmatically or when you use the PutKeyPolicy operation set a key
* policy.
*
*
* The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a
* Customer Master Key in the AWS Key Management Service Developer Guide.
*
*
* @param reEncryptRequest
* @return Result of the ReEncrypt operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DisabledException
* The request was rejected because the specified CMK is not enabled.
* @throws InvalidCiphertextException
* From the Decrypt or ReEncrypt operation, the request was rejected because the specified
* ciphertext, or additional authenticated data incorporated into the ciphertext, such as the encryption
* context, is corrupted, missing, or otherwise invalid.
*
* From the ImportKeyMaterial operation, the request was rejected because AWS KMS could not decrypt
* the encrypted (wrapped) key material.
* @throws KeyUnavailableException
* The request was rejected because the specified CMK was not available. You can retry the request.
* @throws IncorrectKeyException
* The request was rejected because the specified CMK cannot decrypt the data. The KeyId in a
* Decrypt request and the SourceKeyId in a ReEncrypt request must identify the
* same CMK that was used to encrypt the ciphertext.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidKeyUsageException
* The request was rejected for one of the following reasons:
*
*
* -
*
* The KeyUsage value of the CMK is incompatible with the API operation.
*
*
* -
*
* The encryption algorithm or signing algorithm specified for the operation is incompatible with the type
* of key material in the CMK (CustomerMasterKeySpec).
*
*
*
*
* For encrypting, decrypting, re-encrypting, and generating data keys, the KeyUsage must be
* ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage must be
* SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey
* operation.
*
*
* To find the encryption or signing algorithms supported for a particular CMK, use the DescribeKey
* operation.
* @throws InvalidGrantTokenException
* The request was rejected because the specified grant token is not valid.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
*
* For more information about how key state affects the use of a CMK, see How Key State Affects Use of
* a Customer Master Key in the AWS Key Management Service Developer Guide .
* @sample AWSKMS.ReEncrypt
* @see AWS API
* Documentation
*/
@Override
public ReEncryptResult reEncrypt(ReEncryptRequest request) {
request = beforeClientExecution(request);
return executeReEncrypt(request);
}
@SdkInternalApi
final ReEncryptResult executeReEncrypt(ReEncryptRequest reEncryptRequest) {
ExecutionContext executionContext = createExecutionContext(reEncryptRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new ReEncryptRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(reEncryptRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "ReEncrypt");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(new JsonOperationMetadata()
.withPayloadJson(true).withHasStreamingSuccessResponse(false), new ReEncryptResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Retires a grant. To clean up, you can retire a grant when you're done using it. You should revoke a grant when
* you intend to actively deny operations that depend on it. The following are permitted to call this API:
*
*
* -
*
* The AWS account (root user) under which the grant was created
*
*
* -
*
* The RetiringPrincipal, if present in the grant
*
*
* -
*
* The GranteePrincipal, if RetireGrant is an operation specified in the grant
*
*
*
*
* You must identify the grant to retire by its grant token or by a combination of the grant ID and the Amazon
* Resource Name (ARN) of the customer master key (CMK). A grant token is a unique variable-length base64-encoded
* string. A grant ID is a 64 character unique identifier of a grant. The CreateGrant operation returns both.
*
*
* @param retireGrantRequest
* @return Result of the RetireGrant operation returned by the service.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws InvalidGrantTokenException
* The request was rejected because the specified grant token is not valid.
* @throws InvalidGrantIdException
* The request was rejected because the specified GrantId is not valid.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a CMK, see How Key State Affects Use of
* a Customer Master Key in the AWS Key Management Service Developer Guide .
* @sample AWSKMS.RetireGrant
* @see AWS API
* Documentation
*/
@Override
public RetireGrantResult retireGrant(RetireGrantRequest request) {
request = beforeClientExecution(request);
return executeRetireGrant(request);
}
@SdkInternalApi
final RetireGrantResult executeRetireGrant(RetireGrantRequest retireGrantRequest) {
ExecutionContext executionContext = createExecutionContext(retireGrantRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new RetireGrantRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(retireGrantRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "RetireGrant");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(
new JsonOperationMetadata().withPayloadJson(true).withHasStreamingSuccessResponse(false), new RetireGrantResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
@Override
public RetireGrantResult retireGrant() {
return retireGrant(new RetireGrantRequest());
}
/**
*
* Revokes the specified grant for the specified customer master key (CMK). You can revoke a grant to actively deny
* operations that depend on it.
*
*
* To perform this operation on a CMK in a different AWS account, specify the key ARN in the value of the
* KeyId parameter.
*
*
* @param revokeGrantRequest
* @return Result of the RevokeGrant operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws InvalidGrantIdException
* The request was rejected because the specified GrantId is not valid.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a CMK, see How Key State Affects Use of
* a Customer Master Key in the AWS Key Management Service Developer Guide .
* @sample AWSKMS.RevokeGrant
* @see AWS API
* Documentation
*/
@Override
public RevokeGrantResult revokeGrant(RevokeGrantRequest request) {
request = beforeClientExecution(request);
return executeRevokeGrant(request);
}
@SdkInternalApi
final RevokeGrantResult executeRevokeGrant(RevokeGrantRequest revokeGrantRequest) {
ExecutionContext executionContext = createExecutionContext(revokeGrantRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new RevokeGrantRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(revokeGrantRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "RevokeGrant");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(
new JsonOperationMetadata().withPayloadJson(true).withHasStreamingSuccessResponse(false), new RevokeGrantResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Schedules the deletion of a customer master key (CMK). You may provide a waiting period, specified in days,
* before deletion occurs. If you do not provide a waiting period, the default period of 30 days is used. When this
* operation is successful, the key state of the CMK changes to PendingDeletion. Before the waiting
* period ends, you can use CancelKeyDeletion to cancel the deletion of the CMK. After the waiting period
* ends, AWS KMS deletes the CMK and all AWS KMS data associated with it, including all aliases that refer to it.
*
*
*
* Deleting a CMK is a destructive and potentially dangerous operation. When a CMK is deleted, all data that was
* encrypted under the CMK is unrecoverable. To prevent the use of a CMK without deleting it, use DisableKey.
*
*
*
* If you schedule deletion of a CMK from a custom key store,
* when the waiting period expires, ScheduleKeyDeletion deletes the CMK from AWS KMS. Then AWS KMS
* makes a best effort to delete the key material from the associated AWS CloudHSM cluster. However, you might need
* to manually delete
* the orphaned key material from the cluster and its backups.
*
*
* You cannot perform this operation on a CMK in a different AWS account.
*
*
* For more information about scheduling a CMK for deletion, see Deleting Customer Master Keys
* in the AWS Key Management Service Developer Guide.
*
*
* The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a
* Customer Master Key in the AWS Key Management Service Developer Guide.
*
*
* @param scheduleKeyDeletionRequest
* @return Result of the ScheduleKeyDeletion operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a CMK, see How Key State Affects Use of
* a Customer Master Key in the AWS Key Management Service Developer Guide .
* @sample AWSKMS.ScheduleKeyDeletion
* @see AWS API
* Documentation
*/
@Override
public ScheduleKeyDeletionResult scheduleKeyDeletion(ScheduleKeyDeletionRequest request) {
request = beforeClientExecution(request);
return executeScheduleKeyDeletion(request);
}
@SdkInternalApi
final ScheduleKeyDeletionResult executeScheduleKeyDeletion(ScheduleKeyDeletionRequest scheduleKeyDeletionRequest) {
ExecutionContext executionContext = createExecutionContext(scheduleKeyDeletionRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new ScheduleKeyDeletionRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(scheduleKeyDeletionRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "ScheduleKeyDeletion");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(
new JsonOperationMetadata().withPayloadJson(true).withHasStreamingSuccessResponse(false), new ScheduleKeyDeletionResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Creates a digital signature for a message or
* message digest by using the private key in an asymmetric CMK. To verify the signature, use the Verify
* operation, or use the public key in the same asymmetric CMK outside of AWS KMS. For information about symmetric
* and asymmetric CMKs, see Using Symmetric and
* Asymmetric CMKs in the AWS Key Management Service Developer Guide.
*
*
* Digital signatures are generated and verified by using asymmetric key pair, such as an RSA or ECC pair that is
* represented by an asymmetric customer master key (CMK). The key owner (or an authorized user) uses their private
* key to sign a message. Anyone with the public key can verify that the message was signed with that particular
* private key and that the message hasn't changed since it was signed.
*
*
* To use the Sign operation, provide the following information:
*
*
* -
*
* Use the KeyId parameter to identify an asymmetric CMK with a KeyUsage value of
* SIGN_VERIFY. To get the KeyUsage value of a CMK, use the DescribeKey operation.
* The caller must have kms:Sign permission on the CMK.
*
*
* -
*
* Use the Message parameter to specify the message or message digest to sign. You can submit messages
* of up to 4096 bytes. To sign a larger message, generate a hash digest of the message, and then provide the hash
* digest in the Message parameter. To indicate whether the message is a full message or a digest, use
* the MessageType parameter.
*
*
* -
*
* Choose a signing algorithm that is compatible with the CMK.
*
*
*
*
*
* When signing a message, be sure to record the CMK and the signing algorithm. This information is required to
* verify the signature.
*
*
*
* To verify the signature that this operation generates, use the Verify operation. Or use the
* GetPublicKey operation to download the public key and then use the public key to verify the signature
* outside of AWS KMS.
*
*
* The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a
* Customer Master Key in the AWS Key Management Service Developer Guide.
*
*
* @param signRequest
* @return Result of the Sign operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DisabledException
* The request was rejected because the specified CMK is not enabled.
* @throws KeyUnavailableException
* The request was rejected because the specified CMK was not available. You can retry the request.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidKeyUsageException
* The request was rejected for one of the following reasons:
*
* -
*
* The KeyUsage value of the CMK is incompatible with the API operation.
*
*
* -
*
* The encryption algorithm or signing algorithm specified for the operation is incompatible with the type
* of key material in the CMK (CustomerMasterKeySpec).
*
*
*
*
* For encrypting, decrypting, re-encrypting, and generating data keys, the KeyUsage must be
* ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage must be
* SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey
* operation.
*
*
* To find the encryption or signing algorithms supported for a particular CMK, use the DescribeKey
* operation.
* @throws InvalidGrantTokenException
* The request was rejected because the specified grant token is not valid.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
*
* For more information about how key state affects the use of a CMK, see How Key State Affects Use of
* a Customer Master Key in the AWS Key Management Service Developer Guide .
* @sample AWSKMS.Sign
* @see AWS API Documentation
*/
@Override
public SignResult sign(SignRequest request) {
request = beforeClientExecution(request);
return executeSign(request);
}
@SdkInternalApi
final SignResult executeSign(SignRequest signRequest) {
ExecutionContext executionContext = createExecutionContext(signRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new SignRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(signRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "Sign");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(new JsonOperationMetadata()
.withPayloadJson(true).withHasStreamingSuccessResponse(false), new SignResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Adds or edits tags for a customer master key (CMK). You cannot perform this operation on a CMK in a different AWS
* account.
*
*
* Each tag consists of a tag key and a tag value. Tag keys and tag values are both required, but tag values can be
* empty (null) strings.
*
*
* You can only use a tag key once for each CMK. If you use the tag key again, AWS KMS replaces the current tag
* value with the specified value.
*
*
* For information about the rules that apply to tag keys and tag values, see User-Defined
* Tag Restrictions in the AWS Billing and Cost Management User Guide.
*
*
* The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a
* Customer Master Key in the AWS Key Management Service Developer Guide.
*
*
* @param tagResourceRequest
* @return Result of the TagResource operation returned by the service.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a CMK, see How Key State Affects Use of
* a Customer Master Key in the AWS Key Management Service Developer Guide .
* @throws LimitExceededException
* The request was rejected because a limit was exceeded. For more information, see Limits in the AWS Key
* Management Service Developer Guide.
* @throws TagException
* The request was rejected because one or more tags are not valid.
* @sample AWSKMS.TagResource
* @see AWS API
* Documentation
*/
@Override
public TagResourceResult tagResource(TagResourceRequest request) {
request = beforeClientExecution(request);
return executeTagResource(request);
}
@SdkInternalApi
final TagResourceResult executeTagResource(TagResourceRequest tagResourceRequest) {
ExecutionContext executionContext = createExecutionContext(tagResourceRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new TagResourceRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(tagResourceRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "TagResource");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(
new JsonOperationMetadata().withPayloadJson(true).withHasStreamingSuccessResponse(false), new TagResourceResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Removes the specified tags from the specified customer master key (CMK). You cannot perform this operation on a
* CMK in a different AWS account.
*
*
* To remove a tag, specify the tag key. To change the tag value of an existing tag key, use TagResource.
*
*
* The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a
* Customer Master Key in the AWS Key Management Service Developer Guide.
*
*
* @param untagResourceRequest
* @return Result of the UntagResource operation returned by the service.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a CMK, see How Key State Affects Use of
* a Customer Master Key in the AWS Key Management Service Developer Guide .
* @throws TagException
* The request was rejected because one or more tags are not valid.
* @sample AWSKMS.UntagResource
* @see AWS API
* Documentation
*/
@Override
public UntagResourceResult untagResource(UntagResourceRequest request) {
request = beforeClientExecution(request);
return executeUntagResource(request);
}
@SdkInternalApi
final UntagResourceResult executeUntagResource(UntagResourceRequest untagResourceRequest) {
ExecutionContext executionContext = createExecutionContext(untagResourceRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new UntagResourceRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(untagResourceRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "UntagResource");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(
new JsonOperationMetadata().withPayloadJson(true).withHasStreamingSuccessResponse(false), new UntagResourceResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Associates an existing AWS KMS alias with a different customer master key (CMK). Each alias is associated with
* only one CMK at a time, although a CMK can have multiple aliases. The alias and the CMK must be in the same AWS
* account and region. You cannot perform this operation on an alias in a different AWS account.
*
*
* The current and new CMK must be the same type (both symmetric or both asymmetric), and they must have the same
* key usage (ENCRYPT_DECRYPT or SIGN_VERIFY). This restriction prevents errors in code
* that uses aliases. If you must assign an alias to a different type of CMK, use DeleteAlias to delete the
* old alias and CreateAlias to create a new alias.
*
*
* You cannot use UpdateAlias to change an alias name. To change an alias name, use DeleteAlias
* to delete the old alias and CreateAlias to create a new alias.
*
*
* Because an alias is not a property of a CMK, you can create, update, and delete the aliases of a CMK without
* affecting the CMK. Also, aliases do not appear in the response from the DescribeKey operation. To get the
* aliases of all CMKs in the account, use the ListAliases operation.
*
*
* The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a
* Customer Master Key in the AWS Key Management Service Developer Guide.
*
*
* @param updateAliasRequest
* @return Result of the UpdateAlias operation returned by the service.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a CMK, see How Key State Affects Use of
* a Customer Master Key in the AWS Key Management Service Developer Guide .
* @sample AWSKMS.UpdateAlias
* @see AWS API
* Documentation
*/
@Override
public UpdateAliasResult updateAlias(UpdateAliasRequest request) {
request = beforeClientExecution(request);
return executeUpdateAlias(request);
}
@SdkInternalApi
final UpdateAliasResult executeUpdateAlias(UpdateAliasRequest updateAliasRequest) {
ExecutionContext executionContext = createExecutionContext(updateAliasRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new UpdateAliasRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(updateAliasRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "UpdateAlias");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(
new JsonOperationMetadata().withPayloadJson(true).withHasStreamingSuccessResponse(false), new UpdateAliasResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Changes the properties of a custom key store. Use the CustomKeyStoreId parameter to identify the
* custom key store you want to edit. Use the remaining parameters to change the properties of the custom key store.
*
*
* You can only update a custom key store that is disconnected. To disconnect the custom key store, use
* DisconnectCustomKeyStore. To reconnect the custom key store after the update completes, use
* ConnectCustomKeyStore. To find the connection state of a custom key store, use the
* DescribeCustomKeyStores operation.
*
*
* Use the parameters of UpdateCustomKeyStore to edit your keystore settings.
*
*
* -
*
* Use the NewCustomKeyStoreName parameter to change the friendly name of the custom key store to the value
* that you specify.
*
*
*
* -
*
* Use the KeyStorePassword parameter tell AWS KMS the current password of the
* kmsuser crypto user (CU) in the associated AWS CloudHSM cluster. You can use this parameter to
* fix
* connection failures that occur when AWS KMS cannot log into the associated cluster because the
* kmsuser password has changed. This value does not change the password in the AWS CloudHSM cluster.
*
*
*
* -
*
* Use the CloudHsmClusterId parameter to associate the custom key store with a different, but related, AWS
* CloudHSM cluster. You can use this parameter to repair a custom key store if its AWS CloudHSM cluster becomes
* corrupted or is deleted, or when you need to create or restore a cluster from a backup.
*
*
*
*
* If the operation succeeds, it returns a JSON object with no properties.
*
*
* This operation is part of the Custom Key Store
* feature feature in AWS KMS, which combines the convenience and extensive integration of AWS KMS with the
* isolation and control of a single-tenant key store.
*
*
* @param updateCustomKeyStoreRequest
* @return Result of the UpdateCustomKeyStore operation returned by the service.
* @throws CustomKeyStoreNotFoundException
* The request was rejected because AWS KMS cannot find a custom key store with the specified key store name
* or ID.
* @throws CustomKeyStoreNameInUseException
* The request was rejected because the specified custom key store name is already assigned to another
* custom key store in the account. Try again with a custom key store name that is unique in the account.
* @throws CloudHsmClusterNotFoundException
* The request was rejected because AWS KMS cannot find the AWS CloudHSM cluster with the specified cluster
* ID. Retry the request with a different cluster ID.
* @throws CloudHsmClusterNotRelatedException
* The request was rejected because the specified AWS CloudHSM cluster has a different cluster certificate
* than the original cluster. You cannot use the operation to specify an unrelated cluster.
*
* Specify a cluster that shares a backup history with the original cluster. This includes clusters that
* were created from a backup of the current cluster, and clusters that were created from the same backup
* that produced the current cluster.
*
*
* Clusters that share a backup history have the same cluster certificate. To view the cluster certificate
* of a cluster, use the DescribeClusters operation.
* @throws CustomKeyStoreInvalidStateException
* The request was rejected because of the ConnectionState of the custom key store. To get the
* ConnectionState of a custom key store, use the DescribeCustomKeyStores operation.
*
*
* This exception is thrown under the following conditions:
*
*
* -
*
* You requested the CreateKey or GenerateRandom operation in a custom key store that is not
* connected. These operations are valid only when the custom key store ConnectionState is
* CONNECTED.
*
*
* -
*
* You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation on a custom key
* store that is not disconnected. This operation is valid only when the custom key store
* ConnectionState is DISCONNECTED.
*
*
* -
*
* You requested the ConnectCustomKeyStore operation on a custom key store with a
* ConnectionState of DISCONNECTING or FAILED. This operation is
* valid for all other ConnectionState values.
*
*
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws CloudHsmClusterNotActiveException
* The request was rejected because the AWS CloudHSM cluster that is associated with the custom key store is
* not active. Initialize and activate the cluster and try the command again. For detailed instructions, see
* Getting Started
* in the AWS CloudHSM User Guide.
* @throws CloudHsmClusterInvalidConfigurationException
* The request was rejected because the associated AWS CloudHSM cluster did not meet the configuration
* requirements for a custom key store.
*
* -
*
* The cluster must be configured with private subnets in at least two different Availability Zones in the
* Region.
*
*
* -
*
* The security group for
* the cluster (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound
* rules that allow TCP traffic on ports 2223-2225. The Source in the inbound rules and the
* Destination in the outbound rules must match the security group ID. These rules are set by default
* when you create the cluster. Do not delete or change them. To get information about a particular security
* group, use the DescribeSecurityGroups operation.
*
*
* -
*
* The cluster must contain at least as many HSMs as the operation requires. To add HSMs, use the AWS
* CloudHSM CreateHsm
* operation.
*
*
* For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey operations, the
* AWS CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone. For the
* ConnectCustomKeyStore operation, the AWS CloudHSM must contain at least one active HSM.
*
*
*
*
* For information about the requirements for an AWS CloudHSM cluster that is associated with a custom key
* store, see Assemble the Prerequisites in the AWS Key Management Service Developer Guide. For information
* about creating a private subnet for an AWS CloudHSM cluster, see Create a Private
* Subnet in the AWS CloudHSM User Guide. For information about cluster security groups, see Configure a Default
* Security Group in the AWS CloudHSM User Guide .
* @sample AWSKMS.UpdateCustomKeyStore
* @see AWS API
* Documentation
*/
@Override
public UpdateCustomKeyStoreResult updateCustomKeyStore(UpdateCustomKeyStoreRequest request) {
request = beforeClientExecution(request);
return executeUpdateCustomKeyStore(request);
}
@SdkInternalApi
final UpdateCustomKeyStoreResult executeUpdateCustomKeyStore(UpdateCustomKeyStoreRequest updateCustomKeyStoreRequest) {
ExecutionContext executionContext = createExecutionContext(updateCustomKeyStoreRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new UpdateCustomKeyStoreRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(updateCustomKeyStoreRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "UpdateCustomKeyStore");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(
new JsonOperationMetadata().withPayloadJson(true).withHasStreamingSuccessResponse(false), new UpdateCustomKeyStoreResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Updates the description of a customer master key (CMK). To see the description of a CMK, use DescribeKey.
*
*
* You cannot perform this operation on a CMK in a different AWS account.
*
*
* The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a
* Customer Master Key in the AWS Key Management Service Developer Guide.
*
*
* @param updateKeyDescriptionRequest
* @return Result of the UpdateKeyDescription operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a CMK, see How Key State Affects Use of
* a Customer Master Key in the AWS Key Management Service Developer Guide .
* @sample AWSKMS.UpdateKeyDescription
* @see AWS API
* Documentation
*/
@Override
public UpdateKeyDescriptionResult updateKeyDescription(UpdateKeyDescriptionRequest request) {
request = beforeClientExecution(request);
return executeUpdateKeyDescription(request);
}
@SdkInternalApi
final UpdateKeyDescriptionResult executeUpdateKeyDescription(UpdateKeyDescriptionRequest updateKeyDescriptionRequest) {
ExecutionContext executionContext = createExecutionContext(updateKeyDescriptionRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new UpdateKeyDescriptionRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(updateKeyDescriptionRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "UpdateKeyDescription");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(
new JsonOperationMetadata().withPayloadJson(true).withHasStreamingSuccessResponse(false), new UpdateKeyDescriptionResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Verifies a digital signature that was generated by the Sign operation.
*
*
*
* Verification confirms that an authorized user signed the message with the specified CMK and signing algorithm,
* and the message hasn't changed since it was signed. If the signature is verified, the value of the
* SignatureValid field in the response is True. If the signature verification fails, the
* Verify operation fails with an KMSInvalidSignatureException exception.
*
*
* A digital signature is generated by using the private key in an asymmetric CMK. The signature is verified by
* using the public key in the same asymmetric CMK. For information about symmetric and asymmetric CMKs, see Using Symmetric and
* Asymmetric CMKs in the AWS Key Management Service Developer Guide.
*
*
* To verify a digital signature, you can use the Verify operation. Specify the same asymmetric CMK,
* message, and signing algorithm that were used to produce the signature.
*
*
* You can also verify the digital signature by using the public key of the CMK outside of AWS KMS. Use the
* GetPublicKey operation to download the public key in the asymmetric CMK and then use the public key to
* verify the signature outside of AWS KMS. The advantage of using the Verify operation is that it is
* performed within AWS KMS. As a result, it's easy to call, the operation is performed within the FIPS boundary, it
* is logged in AWS CloudTrail, and you can use key policy and IAM policy to determine who is authorized to use the
* CMK to verify signatures.
*
*
* The CMK that you use for this operation must be in a compatible key state. For details, see How Key State Affects Use of a
* Customer Master Key in the AWS Key Management Service Developer Guide.
*
*
* @param verifyRequest
* @return Result of the Verify operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DisabledException
* The request was rejected because the specified CMK is not enabled.
* @throws KeyUnavailableException
* The request was rejected because the specified CMK was not available. You can retry the request.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidKeyUsageException
* The request was rejected for one of the following reasons:
*
* -
*
* The KeyUsage value of the CMK is incompatible with the API operation.
*
*
* -
*
* The encryption algorithm or signing algorithm specified for the operation is incompatible with the type
* of key material in the CMK (CustomerMasterKeySpec).
*
*
*
*
* For encrypting, decrypting, re-encrypting, and generating data keys, the KeyUsage must be
* ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage must be
* SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey
* operation.
*
*
* To find the encryption or signing algorithms supported for a particular CMK, use the DescribeKey
* operation.
* @throws InvalidGrantTokenException
* The request was rejected because the specified grant token is not valid.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
*
* For more information about how key state affects the use of a CMK, see How Key State Affects Use of
* a Customer Master Key in the AWS Key Management Service Developer Guide .
* @throws KMSInvalidSignatureException
* The request was rejected because the signature verification failed. Signature verification fails when it
* cannot confirm that signature was produced by signing the specified message with the specified CMK and
* signing algorithm.
* @sample AWSKMS.Verify
* @see AWS API
* Documentation
*/
@Override
public VerifyResult verify(VerifyRequest request) {
request = beforeClientExecution(request);
return executeVerify(request);
}
@SdkInternalApi
final VerifyResult executeVerify(VerifyRequest verifyRequest) {
ExecutionContext executionContext = createExecutionContext(verifyRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new VerifyRequestProtocolMarshaller(protocolFactory).marshall(super.beforeMarshalling(verifyRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
request.addHandlerContext(HandlerContextKey.SIGNING_REGION, getSigningRegion());
request.addHandlerContext(HandlerContextKey.SERVICE_ID, "KMS");
request.addHandlerContext(HandlerContextKey.OPERATION_NAME, "Verify");
request.addHandlerContext(HandlerContextKey.ADVANCED_CONFIG, advancedConfig);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory.createResponseHandler(new JsonOperationMetadata()
.withPayloadJson(true).withHasStreamingSuccessResponse(false), new VerifyResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
* Returns additional metadata for a previously executed successful, request, typically used for debugging issues
* where a service isn't acting as expected. This data isn't considered part of the result data returned by an
* operation, so it's available through this separate, diagnostic interface.
*
* Response metadata is only cached for a limited period of time, so if you need to access this extra diagnostic
* information for an executed request, you should use this method to retrieve it as soon as possible after
* executing the request.
*
* @param request
* The originally executed request
*
* @return The response metadata for the specified request, or null if none is available.
*/
public ResponseMetadata getCachedResponseMetadata(AmazonWebServiceRequest request) {
return client.getResponseMetadataForRequest(request);
}
/**
* Normal invoke with authentication. Credentials are required and may be overriden at the request level.
**/
private Response invoke(Request request, HttpResponseHandler> responseHandler,
ExecutionContext executionContext) {
return invoke(request, responseHandler, executionContext, null, null);
}
/**
* Normal invoke with authentication. Credentials are required and may be overriden at the request level.
**/
private Response invoke(Request request, HttpResponseHandler> responseHandler,
ExecutionContext executionContext, URI cachedEndpoint, URI uriFromEndpointTrait) {
executionContext.setCredentialsProvider(CredentialUtils.getCredentialsProvider(request.getOriginalRequest(), awsCredentialsProvider));
return doInvoke(request, responseHandler, executionContext, cachedEndpoint, uriFromEndpointTrait);
}
/**
* Invoke with no authentication. Credentials are not required and any credentials set on the client or request will
* be ignored for this operation.
**/
private Response anonymousInvoke(Request request,
HttpResponseHandler> responseHandler, ExecutionContext executionContext) {
return doInvoke(request, responseHandler, executionContext, null, null);
}
/**
* Invoke the request using the http client. Assumes credentials (or lack thereof) have been configured in the
* ExecutionContext beforehand.
**/
private Response doInvoke(Request request, HttpResponseHandler> responseHandler,
ExecutionContext executionContext, URI discoveredEndpoint, URI uriFromEndpointTrait) {
if (discoveredEndpoint != null) {
request.setEndpoint(discoveredEndpoint);
request.getOriginalRequest().getRequestClientOptions().appendUserAgent("endpoint-discovery");
} else if (uriFromEndpointTrait != null) {
request.setEndpoint(uriFromEndpointTrait);
} else {
request.setEndpoint(endpoint);
}
request.setTimeOffset(timeOffset);
HttpResponseHandler errorResponseHandler = protocolFactory.createErrorResponseHandler(new JsonErrorResponseMetadata());
return client.execute(request, responseHandler, errorResponseHandler, executionContext);
}
@com.amazonaws.annotation.SdkInternalApi
static com.amazonaws.protocol.json.SdkJsonProtocolFactory getProtocolFactory() {
return protocolFactory;
}
}