com.amazonaws.services.kms.AWSKMSClient Maven / Gradle / Ivy
Show all versions of aws-java-sdk-kms Show documentation
/*
* Copyright 2010-2016 Amazon.com, Inc. or its affiliates. All Rights
* Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License").
* You may not use this file except in compliance with the License.
* A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed
* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
* express or implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
package com.amazonaws.services.kms;
import org.w3c.dom.*;
import java.net.*;
import java.util.*;
import java.util.Map.Entry;
import org.apache.commons.logging.*;
import com.amazonaws.*;
import com.amazonaws.auth.*;
import com.amazonaws.handlers.*;
import com.amazonaws.http.*;
import com.amazonaws.internal.*;
import com.amazonaws.metrics.*;
import com.amazonaws.regions.*;
import com.amazonaws.transform.*;
import com.amazonaws.util.*;
import com.amazonaws.protocol.json.*;
import com.amazonaws.util.AWSRequestMetrics.Field;
import com.amazonaws.annotation.ThreadSafe;
import com.amazonaws.services.kms.model.*;
import com.amazonaws.services.kms.model.transform.*;
/**
* Client for accessing KMS. All service calls made using this client are
* blocking, and will not return until the service call completes.
*
* AWS Key Management Service
*
* AWS Key Management Service (AWS KMS) is an encryption and key management web
* service. This guide describes the AWS KMS operations that you can call
* programmatically. For general information about AWS KMS, see the AWS Key
* Management Service Developer Guide.
*
*
*
* AWS provides SDKs that consist of libraries and sample code for various
* programming languages and platforms (Java, Ruby, .Net, iOS, Android, etc.).
* The SDKs provide a convenient way to create programmatic access to AWS KMS
* and other AWS services. For example, the SDKs take care of tasks such as
* signing requests (see below), managing errors, and retrying requests
* automatically. For more information about the AWS SDKs, including how to
* download and install them, see Tools
* for Amazon Web Services.
*
*
*
* We recommend that you use the AWS SDKs to make programmatic API calls to AWS
* KMS.
*
*
* Clients must support TLS (Transport Layer Security) 1.0. We recommend TLS
* 1.2. Clients must also support cipher suites with Perfect Forward Secrecy
* (PFS) such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Ephemeral
* Diffie-Hellman (ECDHE). Most modern systems such as Java 7 and later support
* these modes.
*
*
* Signing Requests
*
*
* Requests must be signed by using an access key ID and a secret access key. We
* strongly recommend that you do not use your AWS account (root) access
* key ID and secret key for everyday work with AWS KMS. Instead, use the access
* key ID and secret access key for an IAM user, or you can use the AWS Security
* Token Service to generate temporary security credentials that you can use to
* sign requests.
*
*
* All AWS KMS operations require Signature Version 4.
*
*
* Logging API Requests
*
*
* AWS KMS supports AWS CloudTrail, a service that logs AWS API calls and
* related events for your AWS account and delivers them to an Amazon S3 bucket
* that you specify. By using the information collected by CloudTrail, you can
* determine what requests were made to AWS KMS, who made the request, when it
* was made, and so on. To learn more about CloudTrail, including how to turn it
* on and find your log files, see the AWS
* CloudTrail User Guide.
*
*
* Additional Resources
*
*
* For more information about credentials and request signing, see the
* following:
*
*
* -
*
* AWS Security Credentials - This topic provides general information about
* the types of credentials used for accessing AWS.
*
*
* -
*
* Temporary Security Credentials - This section of the IAM User
* Guide describes how to create and use temporary security credentials.
*
*
* -
*
* Signature Version 4 Signing Process - This set of topics walks you
* through the process of signing a request using an access key ID and a secret
* access key.
*
*
*
*
* Commonly Used APIs
*
*
* Of the APIs discussed in this guide, the following will prove the most useful
* for most applications. You will likely perform actions other than these, such
* as creating keys and assigning policies, by using the console.
*
*
* -
*
* Encrypt
*
*
* -
*
* Decrypt
*
*
* -
*
* GenerateDataKey
*
*
* -
*
*
*
*/
@ThreadSafe
public class AWSKMSClient extends AmazonWebServiceClient implements AWSKMS {
/** Provider for AWS credentials. */
private AWSCredentialsProvider awsCredentialsProvider;
private static final Log log = LogFactory.getLog(AWSKMS.class);
/** Default signing name for the service. */
private static final String DEFAULT_SIGNING_NAME = "kms";
/** The region metadata service name for computing region endpoints. */
private static final String DEFAULT_ENDPOINT_PREFIX = "kms";
/**
* Client configuration factory providing ClientConfigurations tailored to
* this client
*/
protected static final ClientConfigurationFactory configFactory = new ClientConfigurationFactory();
private final SdkJsonProtocolFactory protocolFactory = new SdkJsonProtocolFactory(
new JsonClientMetadata()
.withProtocolVersion("1.1")
.withSupportsCbor(false)
.addErrorMetadata(
new JsonErrorShapeMetadata()
.withErrorCode("DependencyTimeoutException")
.withModeledClass(
com.amazonaws.services.kms.model.DependencyTimeoutException.class))
.addErrorMetadata(
new JsonErrorShapeMetadata()
.withErrorCode("InvalidGrantIdException")
.withModeledClass(
com.amazonaws.services.kms.model.InvalidGrantIdException.class))
.addErrorMetadata(
new JsonErrorShapeMetadata()
.withErrorCode("LimitExceededException")
.withModeledClass(
com.amazonaws.services.kms.model.LimitExceededException.class))
.addErrorMetadata(
new JsonErrorShapeMetadata()
.withErrorCode("InvalidAliasNameException")
.withModeledClass(
com.amazonaws.services.kms.model.InvalidAliasNameException.class))
.addErrorMetadata(
new JsonErrorShapeMetadata()
.withErrorCode(
"MalformedPolicyDocumentException")
.withModeledClass(
com.amazonaws.services.kms.model.MalformedPolicyDocumentException.class))
.addErrorMetadata(
new JsonErrorShapeMetadata()
.withErrorCode(
"UnsupportedOperationException")
.withModeledClass(
com.amazonaws.services.kms.model.UnsupportedOperationException.class))
.addErrorMetadata(
new JsonErrorShapeMetadata()
.withErrorCode("InvalidGrantTokenException")
.withModeledClass(
com.amazonaws.services.kms.model.InvalidGrantTokenException.class))
.addErrorMetadata(
new JsonErrorShapeMetadata()
.withErrorCode("InvalidMarkerException")
.withModeledClass(
com.amazonaws.services.kms.model.InvalidMarkerException.class))
.addErrorMetadata(
new JsonErrorShapeMetadata()
.withErrorCode("InvalidArnException")
.withModeledClass(
com.amazonaws.services.kms.model.InvalidArnException.class))
.addErrorMetadata(
new JsonErrorShapeMetadata()
.withErrorCode("DisabledException")
.withModeledClass(
com.amazonaws.services.kms.model.DisabledException.class))
.addErrorMetadata(
new JsonErrorShapeMetadata()
.withErrorCode("InvalidCiphertextException")
.withModeledClass(
com.amazonaws.services.kms.model.InvalidCiphertextException.class))
.addErrorMetadata(
new JsonErrorShapeMetadata()
.withErrorCode("AlreadyExistsException")
.withModeledClass(
com.amazonaws.services.kms.model.AlreadyExistsException.class))
.addErrorMetadata(
new JsonErrorShapeMetadata()
.withErrorCode("KMSInternalException")
.withModeledClass(
com.amazonaws.services.kms.model.KMSInternalException.class))
.addErrorMetadata(
new JsonErrorShapeMetadata()
.withErrorCode("NotFoundException")
.withModeledClass(
com.amazonaws.services.kms.model.NotFoundException.class))
.addErrorMetadata(
new JsonErrorShapeMetadata()
.withErrorCode("InvalidKeyUsageException")
.withModeledClass(
com.amazonaws.services.kms.model.InvalidKeyUsageException.class))
.addErrorMetadata(
new JsonErrorShapeMetadata()
.withErrorCode("KeyUnavailableException")
.withModeledClass(
com.amazonaws.services.kms.model.KeyUnavailableException.class))
.addErrorMetadata(
new JsonErrorShapeMetadata()
.withErrorCode("KMSInvalidStateException")
.withModeledClass(
com.amazonaws.services.kms.model.KMSInvalidStateException.class)));
/**
* Constructs a new client to invoke service methods on KMS. A credentials
* provider chain will be used that searches for credentials in this order:
*
* - Environment Variables - AWS_ACCESS_KEY_ID and AWS_SECRET_KEY
* - Java System Properties - aws.accessKeyId and aws.secretKey
* - Instance profile credentials delivered through the Amazon EC2
* metadata service
*
*
*
* All service calls made using this new client object are blocking, and
* will not return until the service call completes.
*
* @see DefaultAWSCredentialsProviderChain
*/
public AWSKMSClient() {
this(new DefaultAWSCredentialsProviderChain(), configFactory
.getConfig());
}
/**
* Constructs a new client to invoke service methods on KMS. A credentials
* provider chain will be used that searches for credentials in this order:
*
* - Environment Variables - AWS_ACCESS_KEY_ID and AWS_SECRET_KEY
* - Java System Properties - aws.accessKeyId and aws.secretKey
* - Instance profile credentials delivered through the Amazon EC2
* metadata service
*
*
*
* All service calls made using this new client object are blocking, and
* will not return until the service call completes.
*
* @param clientConfiguration
* The client configuration options controlling how this client
* connects to KMS (ex: proxy settings, retry counts, etc.).
*
* @see DefaultAWSCredentialsProviderChain
*/
public AWSKMSClient(ClientConfiguration clientConfiguration) {
this(new DefaultAWSCredentialsProviderChain(), clientConfiguration);
}
/**
* Constructs a new client to invoke service methods on KMS using the
* specified AWS account credentials.
*
*
* All service calls made using this new client object are blocking, and
* will not return until the service call completes.
*
* @param awsCredentials
* The AWS credentials (access key ID and secret key) to use when
* authenticating with AWS services.
*/
public AWSKMSClient(AWSCredentials awsCredentials) {
this(awsCredentials, configFactory.getConfig());
}
/**
* Constructs a new client to invoke service methods on KMS using the
* specified AWS account credentials and client configuration options.
*
*
* All service calls made using this new client object are blocking, and
* will not return until the service call completes.
*
* @param awsCredentials
* The AWS credentials (access key ID and secret key) to use when
* authenticating with AWS services.
* @param clientConfiguration
* The client configuration options controlling how this client
* connects to KMS (ex: proxy settings, retry counts, etc.).
*/
public AWSKMSClient(AWSCredentials awsCredentials,
ClientConfiguration clientConfiguration) {
super(clientConfiguration);
this.awsCredentialsProvider = new StaticCredentialsProvider(
awsCredentials);
init();
}
/**
* Constructs a new client to invoke service methods on KMS using the
* specified AWS account credentials provider.
*
*
* All service calls made using this new client object are blocking, and
* will not return until the service call completes.
*
* @param awsCredentialsProvider
* The AWS credentials provider which will provide credentials to
* authenticate requests with AWS services.
*/
public AWSKMSClient(AWSCredentialsProvider awsCredentialsProvider) {
this(awsCredentialsProvider, configFactory.getConfig());
}
/**
* Constructs a new client to invoke service methods on KMS using the
* specified AWS account credentials provider and client configuration
* options.
*
*
* All service calls made using this new client object are blocking, and
* will not return until the service call completes.
*
* @param awsCredentialsProvider
* The AWS credentials provider which will provide credentials to
* authenticate requests with AWS services.
* @param clientConfiguration
* The client configuration options controlling how this client
* connects to KMS (ex: proxy settings, retry counts, etc.).
*/
public AWSKMSClient(AWSCredentialsProvider awsCredentialsProvider,
ClientConfiguration clientConfiguration) {
this(awsCredentialsProvider, clientConfiguration, null);
}
/**
* Constructs a new client to invoke service methods on KMS using the
* specified AWS account credentials provider, client configuration options,
* and request metric collector.
*
*
* All service calls made using this new client object are blocking, and
* will not return until the service call completes.
*
* @param awsCredentialsProvider
* The AWS credentials provider which will provide credentials to
* authenticate requests with AWS services.
* @param clientConfiguration
* The client configuration options controlling how this client
* connects to KMS (ex: proxy settings, retry counts, etc.).
* @param requestMetricCollector
* optional request metric collector
*/
public AWSKMSClient(AWSCredentialsProvider awsCredentialsProvider,
ClientConfiguration clientConfiguration,
RequestMetricCollector requestMetricCollector) {
super(clientConfiguration, requestMetricCollector);
this.awsCredentialsProvider = awsCredentialsProvider;
init();
}
private void init() {
setServiceNameIntern(DEFAULT_SIGNING_NAME);
setEndpointPrefix(DEFAULT_ENDPOINT_PREFIX);
// calling this.setEndPoint(...) will also modify the signer accordingly
setEndpoint("https://kms.us-east-1.amazonaws.com/");
HandlerChainFactory chainFactory = new HandlerChainFactory();
requestHandler2s
.addAll(chainFactory
.newRequestHandlerChain("/com/amazonaws/services/kms/request.handlers"));
requestHandler2s
.addAll(chainFactory
.newRequestHandler2Chain("/com/amazonaws/services/kms/request.handler2s"));
}
/**
*
* Cancels the deletion of a customer master key (CMK). When this operation
* is successful, the CMK is set to the Disabled state. To
* enable a CMK, use EnableKey.
*
*
* For more information about scheduling and canceling deletion of a CMK,
* see Deleting Customer Master Keys in the AWS Key Management Service
* Developer Guide.
*
*
* @param cancelKeyDeletionRequest
* @return Result of the CancelKeyDeletion operation returned by the
* service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource
* could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The
* request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred.
* The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified
* resource is not valid for this request.
*
* For more information about how key state affects the use of a
* customer master key (CMK), see How Key State Affects the Use of a Customer Master Key in
* the AWS Key Management Service Developer Guide.
* @sample AWSKMS.CancelKeyDeletion
*/
@Override
public CancelKeyDeletionResult cancelKeyDeletion(
CancelKeyDeletionRequest cancelKeyDeletionRequest) {
ExecutionContext executionContext = createExecutionContext(cancelKeyDeletionRequest);
AWSRequestMetrics awsRequestMetrics = executionContext
.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new CancelKeyDeletionRequestMarshaller(
protocolFactory).marshall(super
.beforeMarshalling(cancelKeyDeletionRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory
.createResponseHandler(new JsonOperationMetadata()
.withPayloadJson(true)
.withHasStreamingSuccessResponse(false),
new CancelKeyDeletionResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Creates a display name for a customer master key. An alias can be used to
* identify a key and should be unique. The console enforces a one-to-one
* mapping between the alias and a key. An alias name can contain only
* alphanumeric characters, forward slashes (/), underscores (_), and dashes
* (-). An alias must start with the word "alias" followed by a forward
* slash (alias/). An alias that begins with "aws" after the forward slash
* (alias/aws...) is reserved by Amazon Web Services (AWS).
*
*
* The alias and the key it is mapped to must be in the same AWS account and
* the same region.
*
*
* To map an alias to a different key, call UpdateAlias.
*
*
* @param createAliasRequest
* @return Result of the CreateAlias operation returned by the service.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The
* request can be retried.
* @throws AlreadyExistsException
* The request was rejected because it attempted to create a
* resource that already exists.
* @throws NotFoundException
* The request was rejected because the specified entity or resource
* could not be found.
* @throws InvalidAliasNameException
* The request was rejected because the specified alias name is not
* valid.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred.
* The request can be retried.
* @throws LimitExceededException
* The request was rejected because a limit was exceeded. For more
* information, see Limits in the AWS Key Management Service Developer
* Guide.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified
* resource is not valid for this request.
*
* For more information about how key state affects the use of a
* customer master key (CMK), see How Key State Affects the Use of a Customer Master Key in
* the AWS Key Management Service Developer Guide.
* @sample AWSKMS.CreateAlias
*/
@Override
public CreateAliasResult createAlias(CreateAliasRequest createAliasRequest) {
ExecutionContext executionContext = createExecutionContext(createAliasRequest);
AWSRequestMetrics awsRequestMetrics = executionContext
.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new CreateAliasRequestMarshaller(protocolFactory)
.marshall(super.beforeMarshalling(createAliasRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory
.createResponseHandler(new JsonOperationMetadata()
.withPayloadJson(true)
.withHasStreamingSuccessResponse(false),
new CreateAliasResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Adds a grant to a key to specify who can use the key and under what
* conditions. Grants are alternate permission mechanisms to key policies.
*
*
* For more information about grants, see Grants in the AWS Key Management Service Developer Guide.
*
*
* @param createGrantRequest
* @return Result of the CreateGrant operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource
* could not be found.
* @throws DisabledException
* The request was rejected because the specified key was marked as
* disabled.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The
* request can be retried.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred.
* The request can be retried.
* @throws InvalidGrantTokenException
* The request was rejected because a grant token provided as part
* of the request is invalid.
* @throws LimitExceededException
* The request was rejected because a limit was exceeded. For more
* information, see Limits in the AWS Key Management Service Developer
* Guide.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified
* resource is not valid for this request.
*
* For more information about how key state affects the use of a
* customer master key (CMK), see How Key State Affects the Use of a Customer Master Key in
* the AWS Key Management Service Developer Guide.
* @sample AWSKMS.CreateGrant
*/
@Override
public CreateGrantResult createGrant(CreateGrantRequest createGrantRequest) {
ExecutionContext executionContext = createExecutionContext(createGrantRequest);
AWSRequestMetrics awsRequestMetrics = executionContext
.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new CreateGrantRequestMarshaller(protocolFactory)
.marshall(super.beforeMarshalling(createGrantRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory
.createResponseHandler(new JsonOperationMetadata()
.withPayloadJson(true)
.withHasStreamingSuccessResponse(false),
new CreateGrantResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Creates a customer master key (CMK).
*
*
* You can use a CMK to encrypt small amounts of data (4 KiB or less)
* directly, but CMKs are more commonly used to encrypt data encryption keys
* (DEKs), which are used to encrypt raw data. For more information about
* DEKs and the difference between CMKs and DEKs, see the following:
*
*
* -
*
* The GenerateDataKey operation
*
*
* -
*
* AWS
* Key Management Service Concepts in the AWS Key Management Service
* Developer Guide
*
*
*
*
* @param createKeyRequest
* @return Result of the CreateKey operation returned by the service.
* @throws MalformedPolicyDocumentException
* The request was rejected because the specified policy is not
* syntactically or semantically correct.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The
* request can be retried.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws UnsupportedOperationException
* The request was rejected because a specified parameter is not
* supported.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred.
* The request can be retried.
* @throws LimitExceededException
* The request was rejected because a limit was exceeded. For more
* information, see Limits in the AWS Key Management Service Developer
* Guide.
* @sample AWSKMS.CreateKey
*/
@Override
public CreateKeyResult createKey(CreateKeyRequest createKeyRequest) {
ExecutionContext executionContext = createExecutionContext(createKeyRequest);
AWSRequestMetrics awsRequestMetrics = executionContext
.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new CreateKeyRequestMarshaller(protocolFactory)
.marshall(super.beforeMarshalling(createKeyRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory
.createResponseHandler(new JsonOperationMetadata()
.withPayloadJson(true)
.withHasStreamingSuccessResponse(false),
new CreateKeyResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
@Override
public CreateKeyResult createKey() {
return createKey(new CreateKeyRequest());
}
/**
*
* Decrypts ciphertext. Ciphertext is plaintext that has been previously
* encrypted by using any of the following functions:
*
*
* -
*
* GenerateDataKey
*
*
* -
*
*
* -
*
* Encrypt
*
*
*
*
* Note that if a caller has been granted access permissions to all keys
* (through, for example, IAM user policies that grant Decrypt
* permission on all resources), then ciphertext encrypted by using keys in
* other accounts where the key grants access to the caller can be
* decrypted. To remedy this, we recommend that you do not grant
* Decrypt access in an IAM user policy. Instead grant
* Decrypt access only in key policies. If you must grant
* Decrypt access in an IAM user policy, you should scope the
* resource to specific keys or to specific trusted accounts.
*
*
* @param decryptRequest
* @return Result of the Decrypt operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource
* could not be found.
* @throws DisabledException
* The request was rejected because the specified key was marked as
* disabled.
* @throws InvalidCiphertextException
* The request was rejected because the specified ciphertext has
* been corrupted or is otherwise invalid.
* @throws KeyUnavailableException
* The request was rejected because the key was not available. The
* request can be retried.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The
* request can be retried.
* @throws InvalidGrantTokenException
* The request was rejected because a grant token provided as part
* of the request is invalid.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred.
* The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified
* resource is not valid for this request.
*
* For more information about how key state affects the use of a
* customer master key (CMK), see How Key State Affects the Use of a Customer Master Key in
* the AWS Key Management Service Developer Guide.
* @sample AWSKMS.Decrypt
*/
@Override
public DecryptResult decrypt(DecryptRequest decryptRequest) {
ExecutionContext executionContext = createExecutionContext(decryptRequest);
AWSRequestMetrics awsRequestMetrics = executionContext
.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new DecryptRequestMarshaller(protocolFactory)
.marshall(super.beforeMarshalling(decryptRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory
.createResponseHandler(new JsonOperationMetadata()
.withPayloadJson(true)
.withHasStreamingSuccessResponse(false),
new DecryptResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Deletes the specified alias. To map an alias to a different key, call
* UpdateAlias.
*
*
* @param deleteAliasRequest
* @return Result of the DeleteAlias operation returned by the service.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The
* request can be retried.
* @throws NotFoundException
* The request was rejected because the specified entity or resource
* could not be found.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred.
* The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified
* resource is not valid for this request.
*
* For more information about how key state affects the use of a
* customer master key (CMK), see How Key State Affects the Use of a Customer Master Key in
* the AWS Key Management Service Developer Guide.
* @sample AWSKMS.DeleteAlias
*/
@Override
public DeleteAliasResult deleteAlias(DeleteAliasRequest deleteAliasRequest) {
ExecutionContext executionContext = createExecutionContext(deleteAliasRequest);
AWSRequestMetrics awsRequestMetrics = executionContext
.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new DeleteAliasRequestMarshaller(protocolFactory)
.marshall(super.beforeMarshalling(deleteAliasRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory
.createResponseHandler(new JsonOperationMetadata()
.withPayloadJson(true)
.withHasStreamingSuccessResponse(false),
new DeleteAliasResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Provides detailed information about the specified customer master key.
*
*
* @param describeKeyRequest
* @return Result of the DescribeKey operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource
* could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The
* request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred.
* The request can be retried.
* @sample AWSKMS.DescribeKey
*/
@Override
public DescribeKeyResult describeKey(DescribeKeyRequest describeKeyRequest) {
ExecutionContext executionContext = createExecutionContext(describeKeyRequest);
AWSRequestMetrics awsRequestMetrics = executionContext
.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new DescribeKeyRequestMarshaller(protocolFactory)
.marshall(super.beforeMarshalling(describeKeyRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory
.createResponseHandler(new JsonOperationMetadata()
.withPayloadJson(true)
.withHasStreamingSuccessResponse(false),
new DescribeKeyResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Sets the state of a customer master key (CMK) to disabled, thereby
* preventing its use for cryptographic operations. For more information
* about how key state affects the use of a CMK, see How
* Key State Affects the Use of a Customer Master Key in the AWS Key
* Management Service Developer Guide.
*
*
* @param disableKeyRequest
* @return Result of the DisableKey operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource
* could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The
* request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred.
* The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified
* resource is not valid for this request.
*
* For more information about how key state affects the use of a
* customer master key (CMK), see How Key State Affects the Use of a Customer Master Key in
* the AWS Key Management Service Developer Guide.
* @sample AWSKMS.DisableKey
*/
@Override
public DisableKeyResult disableKey(DisableKeyRequest disableKeyRequest) {
ExecutionContext executionContext = createExecutionContext(disableKeyRequest);
AWSRequestMetrics awsRequestMetrics = executionContext
.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new DisableKeyRequestMarshaller(protocolFactory)
.marshall(super.beforeMarshalling(disableKeyRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory
.createResponseHandler(new JsonOperationMetadata()
.withPayloadJson(true)
.withHasStreamingSuccessResponse(false),
new DisableKeyResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Disables rotation of the specified key.
*
*
* @param disableKeyRotationRequest
* @return Result of the DisableKeyRotation operation returned by the
* service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource
* could not be found.
* @throws DisabledException
* The request was rejected because the specified key was marked as
* disabled.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The
* request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred.
* The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified
* resource is not valid for this request.
*
* For more information about how key state affects the use of a
* customer master key (CMK), see How Key State Affects the Use of a Customer Master Key in
* the AWS Key Management Service Developer Guide.
* @sample AWSKMS.DisableKeyRotation
*/
@Override
public DisableKeyRotationResult disableKeyRotation(
DisableKeyRotationRequest disableKeyRotationRequest) {
ExecutionContext executionContext = createExecutionContext(disableKeyRotationRequest);
AWSRequestMetrics awsRequestMetrics = executionContext
.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new DisableKeyRotationRequestMarshaller(
protocolFactory).marshall(super
.beforeMarshalling(disableKeyRotationRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory
.createResponseHandler(new JsonOperationMetadata()
.withPayloadJson(true)
.withHasStreamingSuccessResponse(false),
new DisableKeyRotationResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Marks a key as enabled, thereby permitting its use.
*
*
* @param enableKeyRequest
* @return Result of the EnableKey operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource
* could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The
* request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred.
* The request can be retried.
* @throws LimitExceededException
* The request was rejected because a limit was exceeded. For more
* information, see Limits in the AWS Key Management Service Developer
* Guide.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified
* resource is not valid for this request.
*
* For more information about how key state affects the use of a
* customer master key (CMK), see How Key State Affects the Use of a Customer Master Key in
* the AWS Key Management Service Developer Guide.
* @sample AWSKMS.EnableKey
*/
@Override
public EnableKeyResult enableKey(EnableKeyRequest enableKeyRequest) {
ExecutionContext executionContext = createExecutionContext(enableKeyRequest);
AWSRequestMetrics awsRequestMetrics = executionContext
.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new EnableKeyRequestMarshaller(protocolFactory)
.marshall(super.beforeMarshalling(enableKeyRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory
.createResponseHandler(new JsonOperationMetadata()
.withPayloadJson(true)
.withHasStreamingSuccessResponse(false),
new EnableKeyResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Enables rotation of the specified customer master key.
*
*
* @param enableKeyRotationRequest
* @return Result of the EnableKeyRotation operation returned by the
* service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource
* could not be found.
* @throws DisabledException
* The request was rejected because the specified key was marked as
* disabled.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The
* request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred.
* The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified
* resource is not valid for this request.
*
* For more information about how key state affects the use of a
* customer master key (CMK), see How Key State Affects the Use of a Customer Master Key in
* the AWS Key Management Service Developer Guide.
* @sample AWSKMS.EnableKeyRotation
*/
@Override
public EnableKeyRotationResult enableKeyRotation(
EnableKeyRotationRequest enableKeyRotationRequest) {
ExecutionContext executionContext = createExecutionContext(enableKeyRotationRequest);
AWSRequestMetrics awsRequestMetrics = executionContext
.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new EnableKeyRotationRequestMarshaller(
protocolFactory).marshall(super
.beforeMarshalling(enableKeyRotationRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory
.createResponseHandler(new JsonOperationMetadata()
.withPayloadJson(true)
.withHasStreamingSuccessResponse(false),
new EnableKeyRotationResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Encrypts plaintext into ciphertext by using a customer master key. The
* Encrypt function has two primary use cases:
*
*
* -
*
* You can encrypt up to 4 KB of arbitrary data such as an RSA key, a
* database password, or other sensitive customer information.
*
*
* -
*
* If you are moving encrypted data from one region to another, you can use
* this API to encrypt in the new region the plaintext data key that was
* used to encrypt the data in the original region. This provides you with
* an encrypted copy of the data key that can be decrypted in the new region
* and used there to decrypt the encrypted data.
*
*
*
*
* Unless you are moving encrypted data from one region to another, you
* don't use this function to encrypt a generated data key within a region.
* You retrieve data keys already encrypted by calling the
* GenerateDataKey or GenerateDataKeyWithoutPlaintext
* function. Data keys don't need to be encrypted again by calling
* Encrypt.
*
*
* If you want to encrypt data locally in your application, you can use the
* GenerateDataKey function to return a plaintext data
* encryption key and a copy of the key encrypted under the customer master
* key (CMK) of your choosing.
*
*
* @param encryptRequest
* @return Result of the Encrypt operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource
* could not be found.
* @throws DisabledException
* The request was rejected because the specified key was marked as
* disabled.
* @throws KeyUnavailableException
* The request was rejected because the key was not available. The
* request can be retried.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The
* request can be retried.
* @throws InvalidKeyUsageException
* The request was rejected because the specified KeySpec parameter
* is not valid. The currently supported value is ENCRYPT/DECRYPT.
* @throws InvalidGrantTokenException
* The request was rejected because a grant token provided as part
* of the request is invalid.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred.
* The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified
* resource is not valid for this request.
*
* For more information about how key state affects the use of a
* customer master key (CMK), see How Key State Affects the Use of a Customer Master Key in
* the AWS Key Management Service Developer Guide.
* @sample AWSKMS.Encrypt
*/
@Override
public EncryptResult encrypt(EncryptRequest encryptRequest) {
ExecutionContext executionContext = createExecutionContext(encryptRequest);
AWSRequestMetrics awsRequestMetrics = executionContext
.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new EncryptRequestMarshaller(protocolFactory)
.marshall(super.beforeMarshalling(encryptRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory
.createResponseHandler(new JsonOperationMetadata()
.withPayloadJson(true)
.withHasStreamingSuccessResponse(false),
new EncryptResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Generates a data key that you can use in your application to locally
* encrypt data. This call returns a plaintext version of the key in the
* Plaintext field of the response object and an encrypted copy
* of the key in the CiphertextBlob field. The key is encrypted
* by using the master key specified by the KeyId field. To
* decrypt the encrypted key, pass it to the Decrypt API.
*
*
* We recommend that you use the following pattern to locally encrypt data:
* call the GenerateDataKey API, use the key returned in the
* Plaintext response field to locally encrypt data, and then
* erase the plaintext data key from memory. Store the encrypted data key
* (contained in the CiphertextBlob field) alongside of the
* locally encrypted data.
*
*
*
* You should not call the Encrypt function to re-encrypt your
* data keys within a region. GenerateDataKey always returns
* the data key encrypted and tied to the customer master key that will be
* used to decrypt it. There is no need to decrypt it twice.
*
*
*
* If you decide to use the optional EncryptionContext
* parameter, you must also store the context in full or at least store
* enough information along with the encrypted data to be able to
* reconstruct the context when submitting the ciphertext to the
* Decrypt API. It is a good practice to choose a context that
* you can reconstruct on the fly to better secure the ciphertext. For more
* information about how this parameter is used, see Encryption Context.
*
*
* To decrypt data, pass the encrypted data key to the Decrypt
* API. Decrypt uses the associated master key to decrypt the
* encrypted data key and returns it as plaintext. Use the plaintext data
* key to locally decrypt your data and then erase the key from memory. You
* must specify the encryption context, if any, that you specified when you
* generated the key. The encryption context is logged by CloudTrail, and
* you can use this log to help track the use of particular data.
*
*
* @param generateDataKeyRequest
* @return Result of the GenerateDataKey operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource
* could not be found.
* @throws DisabledException
* The request was rejected because the specified key was marked as
* disabled.
* @throws KeyUnavailableException
* The request was rejected because the key was not available. The
* request can be retried.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The
* request can be retried.
* @throws InvalidKeyUsageException
* The request was rejected because the specified KeySpec parameter
* is not valid. The currently supported value is ENCRYPT/DECRYPT.
* @throws InvalidGrantTokenException
* The request was rejected because a grant token provided as part
* of the request is invalid.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred.
* The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified
* resource is not valid for this request.
*
* For more information about how key state affects the use of a
* customer master key (CMK), see How Key State Affects the Use of a Customer Master Key in
* the AWS Key Management Service Developer Guide.
* @sample AWSKMS.GenerateDataKey
*/
@Override
public GenerateDataKeyResult generateDataKey(
GenerateDataKeyRequest generateDataKeyRequest) {
ExecutionContext executionContext = createExecutionContext(generateDataKeyRequest);
AWSRequestMetrics awsRequestMetrics = executionContext
.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new GenerateDataKeyRequestMarshaller(protocolFactory)
.marshall(super
.beforeMarshalling(generateDataKeyRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory
.createResponseHandler(new JsonOperationMetadata()
.withPayloadJson(true)
.withHasStreamingSuccessResponse(false),
new GenerateDataKeyResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Returns a data key encrypted by a customer master key without the
* plaintext copy of that key. Otherwise, this API functions exactly like
* GenerateDataKey. You can use this API to, for example, satisfy an
* audit requirement that an encrypted key be made available without
* exposing the plaintext copy of that key.
*
*
* @param generateDataKeyWithoutPlaintextRequest
* @return Result of the GenerateDataKeyWithoutPlaintext operation returned
* by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource
* could not be found.
* @throws DisabledException
* The request was rejected because the specified key was marked as
* disabled.
* @throws KeyUnavailableException
* The request was rejected because the key was not available. The
* request can be retried.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The
* request can be retried.
* @throws InvalidKeyUsageException
* The request was rejected because the specified KeySpec parameter
* is not valid. The currently supported value is ENCRYPT/DECRYPT.
* @throws InvalidGrantTokenException
* The request was rejected because a grant token provided as part
* of the request is invalid.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred.
* The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified
* resource is not valid for this request.
*
* For more information about how key state affects the use of a
* customer master key (CMK), see How Key State Affects the Use of a Customer Master Key in
* the AWS Key Management Service Developer Guide.
* @sample AWSKMS.GenerateDataKeyWithoutPlaintext
*/
@Override
public GenerateDataKeyWithoutPlaintextResult generateDataKeyWithoutPlaintext(
GenerateDataKeyWithoutPlaintextRequest generateDataKeyWithoutPlaintextRequest) {
ExecutionContext executionContext = createExecutionContext(generateDataKeyWithoutPlaintextRequest);
AWSRequestMetrics awsRequestMetrics = executionContext
.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new GenerateDataKeyWithoutPlaintextRequestMarshaller(
protocolFactory)
.marshall(super
.beforeMarshalling(generateDataKeyWithoutPlaintextRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory
.createResponseHandler(
new JsonOperationMetadata().withPayloadJson(true)
.withHasStreamingSuccessResponse(false),
new GenerateDataKeyWithoutPlaintextResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Generates an unpredictable byte string.
*
*
* @param generateRandomRequest
* @return Result of the GenerateRandom operation returned by the service.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The
* request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred.
* The request can be retried.
* @sample AWSKMS.GenerateRandom
*/
@Override
public GenerateRandomResult generateRandom(
GenerateRandomRequest generateRandomRequest) {
ExecutionContext executionContext = createExecutionContext(generateRandomRequest);
AWSRequestMetrics awsRequestMetrics = executionContext
.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new GenerateRandomRequestMarshaller(protocolFactory)
.marshall(super
.beforeMarshalling(generateRandomRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory
.createResponseHandler(new JsonOperationMetadata()
.withPayloadJson(true)
.withHasStreamingSuccessResponse(false),
new GenerateRandomResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
@Override
public GenerateRandomResult generateRandom() {
return generateRandom(new GenerateRandomRequest());
}
/**
*
* Retrieves a policy attached to the specified key.
*
*
* @param getKeyPolicyRequest
* @return Result of the GetKeyPolicy operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource
* could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The
* request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred.
* The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified
* resource is not valid for this request.
*
* For more information about how key state affects the use of a
* customer master key (CMK), see How Key State Affects the Use of a Customer Master Key in
* the AWS Key Management Service Developer Guide.
* @sample AWSKMS.GetKeyPolicy
*/
@Override
public GetKeyPolicyResult getKeyPolicy(
GetKeyPolicyRequest getKeyPolicyRequest) {
ExecutionContext executionContext = createExecutionContext(getKeyPolicyRequest);
AWSRequestMetrics awsRequestMetrics = executionContext
.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new GetKeyPolicyRequestMarshaller(protocolFactory)
.marshall(super.beforeMarshalling(getKeyPolicyRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory
.createResponseHandler(new JsonOperationMetadata()
.withPayloadJson(true)
.withHasStreamingSuccessResponse(false),
new GetKeyPolicyResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Retrieves a Boolean value that indicates whether key rotation is enabled
* for the specified key.
*
*
* @param getKeyRotationStatusRequest
* @return Result of the GetKeyRotationStatus operation returned by the
* service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource
* could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The
* request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred.
* The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified
* resource is not valid for this request.
*
* For more information about how key state affects the use of a
* customer master key (CMK), see How Key State Affects the Use of a Customer Master Key in
* the AWS Key Management Service Developer Guide.
* @sample AWSKMS.GetKeyRotationStatus
*/
@Override
public GetKeyRotationStatusResult getKeyRotationStatus(
GetKeyRotationStatusRequest getKeyRotationStatusRequest) {
ExecutionContext executionContext = createExecutionContext(getKeyRotationStatusRequest);
AWSRequestMetrics awsRequestMetrics = executionContext
.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new GetKeyRotationStatusRequestMarshaller(
protocolFactory).marshall(super
.beforeMarshalling(getKeyRotationStatusRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory
.createResponseHandler(new JsonOperationMetadata()
.withPayloadJson(true)
.withHasStreamingSuccessResponse(false),
new GetKeyRotationStatusResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Lists all of the key aliases in the account.
*
*
* @param listAliasesRequest
* @return Result of the ListAliases operation returned by the service.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The
* request can be retried.
* @throws InvalidMarkerException
* The request was rejected because the marker that specifies where
* pagination should next begin is not valid.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred.
* The request can be retried.
* @sample AWSKMS.ListAliases
*/
@Override
public ListAliasesResult listAliases(ListAliasesRequest listAliasesRequest) {
ExecutionContext executionContext = createExecutionContext(listAliasesRequest);
AWSRequestMetrics awsRequestMetrics = executionContext
.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new ListAliasesRequestMarshaller(protocolFactory)
.marshall(super.beforeMarshalling(listAliasesRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory
.createResponseHandler(new JsonOperationMetadata()
.withPayloadJson(true)
.withHasStreamingSuccessResponse(false),
new ListAliasesResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
@Override
public ListAliasesResult listAliases() {
return listAliases(new ListAliasesRequest());
}
/**
*
* List the grants for a specified key.
*
*
* @param listGrantsRequest
* @return Result of the ListGrants operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource
* could not be found.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The
* request can be retried.
* @throws InvalidMarkerException
* The request was rejected because the marker that specifies where
* pagination should next begin is not valid.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred.
* The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified
* resource is not valid for this request.
*
* For more information about how key state affects the use of a
* customer master key (CMK), see How Key State Affects the Use of a Customer Master Key in
* the AWS Key Management Service Developer Guide.
* @sample AWSKMS.ListGrants
*/
@Override
public ListGrantsResult listGrants(ListGrantsRequest listGrantsRequest) {
ExecutionContext executionContext = createExecutionContext(listGrantsRequest);
AWSRequestMetrics awsRequestMetrics = executionContext
.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new ListGrantsRequestMarshaller(protocolFactory)
.marshall(super.beforeMarshalling(listGrantsRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory
.createResponseHandler(new JsonOperationMetadata()
.withPayloadJson(true)
.withHasStreamingSuccessResponse(false),
new ListGrantsResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Retrieves a list of policies attached to a key.
*
*
* @param listKeyPoliciesRequest
* @return Result of the ListKeyPolicies operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource
* could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The
* request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred.
* The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified
* resource is not valid for this request.
*
* For more information about how key state affects the use of a
* customer master key (CMK), see How Key State Affects the Use of a Customer Master Key in
* the AWS Key Management Service Developer Guide.
* @sample AWSKMS.ListKeyPolicies
*/
@Override
public ListKeyPoliciesResult listKeyPolicies(
ListKeyPoliciesRequest listKeyPoliciesRequest) {
ExecutionContext executionContext = createExecutionContext(listKeyPoliciesRequest);
AWSRequestMetrics awsRequestMetrics = executionContext
.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new ListKeyPoliciesRequestMarshaller(protocolFactory)
.marshall(super
.beforeMarshalling(listKeyPoliciesRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory
.createResponseHandler(new JsonOperationMetadata()
.withPayloadJson(true)
.withHasStreamingSuccessResponse(false),
new ListKeyPoliciesResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Lists the customer master keys.
*
*
* @param listKeysRequest
* @return Result of the ListKeys operation returned by the service.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The
* request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred.
* The request can be retried.
* @sample AWSKMS.ListKeys
*/
@Override
public ListKeysResult listKeys(ListKeysRequest listKeysRequest) {
ExecutionContext executionContext = createExecutionContext(listKeysRequest);
AWSRequestMetrics awsRequestMetrics = executionContext
.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new ListKeysRequestMarshaller(protocolFactory)
.marshall(super.beforeMarshalling(listKeysRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory
.createResponseHandler(new JsonOperationMetadata()
.withPayloadJson(true)
.withHasStreamingSuccessResponse(false),
new ListKeysResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
@Override
public ListKeysResult listKeys() {
return listKeys(new ListKeysRequest());
}
/**
*
* Returns a list of all grants for which the grant's
* RetiringPrincipal matches the one specified.
*
*
* A typical use is to list all grants that you are able to retire. To
* retire a grant, use RetireGrant.
*
*
* @param listRetirableGrantsRequest
* @return Result of the ListRetirableGrants operation returned by the
* service.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The
* request can be retried.
* @throws InvalidMarkerException
* The request was rejected because the marker that specifies where
* pagination should next begin is not valid.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws NotFoundException
* The request was rejected because the specified entity or resource
* could not be found.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred.
* The request can be retried.
* @sample AWSKMS.ListRetirableGrants
*/
@Override
public ListRetirableGrantsResult listRetirableGrants(
ListRetirableGrantsRequest listRetirableGrantsRequest) {
ExecutionContext executionContext = createExecutionContext(listRetirableGrantsRequest);
AWSRequestMetrics awsRequestMetrics = executionContext
.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new ListRetirableGrantsRequestMarshaller(
protocolFactory).marshall(super
.beforeMarshalling(listRetirableGrantsRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory
.createResponseHandler(new JsonOperationMetadata()
.withPayloadJson(true)
.withHasStreamingSuccessResponse(false),
new ListRetirableGrantsResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Attaches a key policy to the specified customer master key (CMK).
*
*
* For more information about key policies, see Key Policies in the AWS Key Management Service Developer
* Guide.
*
*
* @param putKeyPolicyRequest
* @return Result of the PutKeyPolicy operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource
* could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws MalformedPolicyDocumentException
* The request was rejected because the specified policy is not
* syntactically or semantically correct.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The
* request can be retried.
* @throws UnsupportedOperationException
* The request was rejected because a specified parameter is not
* supported.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred.
* The request can be retried.
* @throws LimitExceededException
* The request was rejected because a limit was exceeded. For more
* information, see Limits in the AWS Key Management Service Developer
* Guide.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified
* resource is not valid for this request.
*
* For more information about how key state affects the use of a
* customer master key (CMK), see How Key State Affects the Use of a Customer Master Key in
* the AWS Key Management Service Developer Guide.
* @sample AWSKMS.PutKeyPolicy
*/
@Override
public PutKeyPolicyResult putKeyPolicy(
PutKeyPolicyRequest putKeyPolicyRequest) {
ExecutionContext executionContext = createExecutionContext(putKeyPolicyRequest);
AWSRequestMetrics awsRequestMetrics = executionContext
.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new PutKeyPolicyRequestMarshaller(protocolFactory)
.marshall(super.beforeMarshalling(putKeyPolicyRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory
.createResponseHandler(new JsonOperationMetadata()
.withPayloadJson(true)
.withHasStreamingSuccessResponse(false),
new PutKeyPolicyResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Encrypts data on the server side with a new customer master key without
* exposing the plaintext of the data on the client side. The data is first
* decrypted and then encrypted. This operation can also be used to change
* the encryption context of a ciphertext.
*
*
* Unlike other actions, ReEncrypt is authorized twice - once
* as ReEncryptFrom on the source key and once as
* ReEncryptTo on the destination key. We therefore recommend
* that you include the "action":"kms:ReEncrypt*" statement in
* your key policies to permit re-encryption from or to the key. The
* statement is included automatically when you authorize use of the key
* through the console but must be included manually when you set a policy
* by using the PutKeyPolicy function.
*
*
* @param reEncryptRequest
* @return Result of the ReEncrypt operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource
* could not be found.
* @throws DisabledException
* The request was rejected because the specified key was marked as
* disabled.
* @throws InvalidCiphertextException
* The request was rejected because the specified ciphertext has
* been corrupted or is otherwise invalid.
* @throws KeyUnavailableException
* The request was rejected because the key was not available. The
* request can be retried.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The
* request can be retried.
* @throws InvalidKeyUsageException
* The request was rejected because the specified KeySpec parameter
* is not valid. The currently supported value is ENCRYPT/DECRYPT.
* @throws InvalidGrantTokenException
* The request was rejected because a grant token provided as part
* of the request is invalid.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred.
* The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified
* resource is not valid for this request.
*
* For more information about how key state affects the use of a
* customer master key (CMK), see How Key State Affects the Use of a Customer Master Key in
* the AWS Key Management Service Developer Guide.
* @sample AWSKMS.ReEncrypt
*/
@Override
public ReEncryptResult reEncrypt(ReEncryptRequest reEncryptRequest) {
ExecutionContext executionContext = createExecutionContext(reEncryptRequest);
AWSRequestMetrics awsRequestMetrics = executionContext
.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new ReEncryptRequestMarshaller(protocolFactory)
.marshall(super.beforeMarshalling(reEncryptRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory
.createResponseHandler(new JsonOperationMetadata()
.withPayloadJson(true)
.withHasStreamingSuccessResponse(false),
new ReEncryptResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Retires a grant. You can retire a grant when you're done using it to
* clean up. You should revoke a grant when you intend to actively deny
* operations that depend on it. The following are permitted to call this
* API:
*
*
* -
*
* The account that created the grant
*
*
* -
*
* The RetiringPrincipal, if present
*
*
* -
*
* The GranteePrincipal, if RetireGrant is a
* grantee operation
*
*
*
*
* The grant to retire must be identified by its grant token or by a
* combination of the key ARN and the grant ID. A grant token is a unique
* variable-length base64-encoded string. A grant ID is a 64 character
* unique identifier of a grant. Both are returned by the
* CreateGrant function.
*
*
* @param retireGrantRequest
* @return Result of the RetireGrant operation returned by the service.
* @throws InvalidGrantTokenException
* The request was rejected because a grant token provided as part
* of the request is invalid.
* @throws InvalidGrantIdException
* The request was rejected because the specified
* GrantId is not valid.
* @throws NotFoundException
* The request was rejected because the specified entity or resource
* could not be found.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The
* request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred.
* The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified
* resource is not valid for this request.
*
* For more information about how key state affects the use of a
* customer master key (CMK), see How Key State Affects the Use of a Customer Master Key in
* the AWS Key Management Service Developer Guide.
* @sample AWSKMS.RetireGrant
*/
@Override
public RetireGrantResult retireGrant(RetireGrantRequest retireGrantRequest) {
ExecutionContext executionContext = createExecutionContext(retireGrantRequest);
AWSRequestMetrics awsRequestMetrics = executionContext
.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new RetireGrantRequestMarshaller(protocolFactory)
.marshall(super.beforeMarshalling(retireGrantRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory
.createResponseHandler(new JsonOperationMetadata()
.withPayloadJson(true)
.withHasStreamingSuccessResponse(false),
new RetireGrantResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
@Override
public RetireGrantResult retireGrant() {
return retireGrant(new RetireGrantRequest());
}
/**
*
* Revokes a grant. You can revoke a grant to actively deny operations that
* depend on it.
*
*
* @param revokeGrantRequest
* @return Result of the RevokeGrant operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource
* could not be found.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The
* request can be retried.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws InvalidGrantIdException
* The request was rejected because the specified
* GrantId is not valid.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred.
* The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified
* resource is not valid for this request.
*
* For more information about how key state affects the use of a
* customer master key (CMK), see How Key State Affects the Use of a Customer Master Key in
* the AWS Key Management Service Developer Guide.
* @sample AWSKMS.RevokeGrant
*/
@Override
public RevokeGrantResult revokeGrant(RevokeGrantRequest revokeGrantRequest) {
ExecutionContext executionContext = createExecutionContext(revokeGrantRequest);
AWSRequestMetrics awsRequestMetrics = executionContext
.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new RevokeGrantRequestMarshaller(protocolFactory)
.marshall(super.beforeMarshalling(revokeGrantRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory
.createResponseHandler(new JsonOperationMetadata()
.withPayloadJson(true)
.withHasStreamingSuccessResponse(false),
new RevokeGrantResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Schedules the deletion of a customer master key (CMK). You may provide a
* waiting period, specified in days, before deletion occurs. If you do not
* provide a waiting period, the default period of 30 days is used. When
* this operation is successful, the state of the CMK changes to
* PendingDeletion. Before the waiting period ends, you can use
* CancelKeyDeletion to cancel the deletion of the CMK. After the
* waiting period ends, AWS KMS deletes the CMK and all AWS KMS data
* associated with it, including all aliases that point to it.
*
*
*
* Deleting a CMK is a destructive and potentially dangerous operation. When
* a CMK is deleted, all data that was encrypted under the CMK is rendered
* unrecoverable. To restrict the use of a CMK without deleting it, use
* DisableKey.
*
*
*
* For more information about scheduling a CMK for deletion, see Deleting Customer Master Keys in the AWS Key Management Service
* Developer Guide.
*
*
* @param scheduleKeyDeletionRequest
* @return Result of the ScheduleKeyDeletion operation returned by the
* service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource
* could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The
* request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred.
* The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified
* resource is not valid for this request.
*
* For more information about how key state affects the use of a
* customer master key (CMK), see How Key State Affects the Use of a Customer Master Key in
* the AWS Key Management Service Developer Guide.
* @sample AWSKMS.ScheduleKeyDeletion
*/
@Override
public ScheduleKeyDeletionResult scheduleKeyDeletion(
ScheduleKeyDeletionRequest scheduleKeyDeletionRequest) {
ExecutionContext executionContext = createExecutionContext(scheduleKeyDeletionRequest);
AWSRequestMetrics awsRequestMetrics = executionContext
.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new ScheduleKeyDeletionRequestMarshaller(
protocolFactory).marshall(super
.beforeMarshalling(scheduleKeyDeletionRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory
.createResponseHandler(new JsonOperationMetadata()
.withPayloadJson(true)
.withHasStreamingSuccessResponse(false),
new ScheduleKeyDeletionResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Updates an alias to map it to a different key.
*
*
* An alias is not a property of a key. Therefore, an alias can be mapped to
* and unmapped from an existing key without changing the properties of the
* key.
*
*
* An alias name can contain only alphanumeric characters, forward slashes
* (/), underscores (_), and dashes (-). An alias must start with the word
* "alias" followed by a forward slash (alias/). An alias that begins with
* "aws" after the forward slash (alias/aws...) is reserved by Amazon Web
* Services (AWS).
*
*
* The alias and the key it is mapped to must be in the same AWS account and
* the same region.
*
*
* @param updateAliasRequest
* @return Result of the UpdateAlias operation returned by the service.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The
* request can be retried.
* @throws NotFoundException
* The request was rejected because the specified entity or resource
* could not be found.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred.
* The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified
* resource is not valid for this request.
*
* For more information about how key state affects the use of a
* customer master key (CMK), see How Key State Affects the Use of a Customer Master Key in
* the AWS Key Management Service Developer Guide.
* @sample AWSKMS.UpdateAlias
*/
@Override
public UpdateAliasResult updateAlias(UpdateAliasRequest updateAliasRequest) {
ExecutionContext executionContext = createExecutionContext(updateAliasRequest);
AWSRequestMetrics awsRequestMetrics = executionContext
.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new UpdateAliasRequestMarshaller(protocolFactory)
.marshall(super.beforeMarshalling(updateAliasRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory
.createResponseHandler(new JsonOperationMetadata()
.withPayloadJson(true)
.withHasStreamingSuccessResponse(false),
new UpdateAliasResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
*
* Updates the description of a key.
*
*
* @param updateKeyDescriptionRequest
* @return Result of the UpdateKeyDescription operation returned by the
* service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource
* could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN was not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The
* request can be retried.
* @throws KMSInternalException
* The request was rejected because an internal exception occurred.
* The request can be retried.
* @throws KMSInvalidStateException
* The request was rejected because the state of the specified
* resource is not valid for this request.
*
* For more information about how key state affects the use of a
* customer master key (CMK), see How Key State Affects the Use of a Customer Master Key in
* the AWS Key Management Service Developer Guide.
* @sample AWSKMS.UpdateKeyDescription
*/
@Override
public UpdateKeyDescriptionResult updateKeyDescription(
UpdateKeyDescriptionRequest updateKeyDescriptionRequest) {
ExecutionContext executionContext = createExecutionContext(updateKeyDescriptionRequest);
AWSRequestMetrics awsRequestMetrics = executionContext
.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request request = null;
Response response = null;
try {
awsRequestMetrics.startEvent(Field.RequestMarshallTime);
try {
request = new UpdateKeyDescriptionRequestMarshaller(
protocolFactory).marshall(super
.beforeMarshalling(updateKeyDescriptionRequest));
// Binds the request metrics to the current request.
request.setAWSRequestMetrics(awsRequestMetrics);
} finally {
awsRequestMetrics.endEvent(Field.RequestMarshallTime);
}
HttpResponseHandler> responseHandler = protocolFactory
.createResponseHandler(new JsonOperationMetadata()
.withPayloadJson(true)
.withHasStreamingSuccessResponse(false),
new UpdateKeyDescriptionResultJsonUnmarshaller());
response = invoke(request, responseHandler, executionContext);
return response.getAwsResponse();
} finally {
endClientExecution(awsRequestMetrics, request, response);
}
}
/**
* Returns additional metadata for a previously executed successful,
* request, typically used for debugging issues where a service isn't acting
* as expected. This data isn't considered part of the result data returned
* by an operation, so it's available through this separate, diagnostic
* interface.
*
* Response metadata is only cached for a limited period of time, so if you
* need to access this extra diagnostic information for an executed request,
* you should use this method to retrieve it as soon as possible after
* executing the request.
*
* @param request
* The originally executed request
*
* @return The response metadata for the specified request, or null if none
* is available.
*/
public ResponseMetadata getCachedResponseMetadata(
AmazonWebServiceRequest request) {
return client.getResponseMetadataForRequest(request);
}
/**
* Normal invoke with authentication. Credentials are required and may be
* overriden at the request level.
**/
private Response invoke(
Request request,
HttpResponseHandler> responseHandler,
ExecutionContext executionContext) {
executionContext.setCredentialsProvider(CredentialUtils
.getCredentialsProvider(request.getOriginalRequest(),
awsCredentialsProvider));
return doInvoke(request, responseHandler, executionContext);
}
/**
* Invoke with no authentication. Credentials are not required and any
* credentials set on the client or request will be ignored for this
* operation.
**/
private Response anonymousInvoke(
Request request,
HttpResponseHandler> responseHandler,
ExecutionContext executionContext) {
return doInvoke(request, responseHandler, executionContext);
}
/**
* Invoke the request using the http client. Assumes credentials (or lack
* thereof) have been configured in the ExecutionContext beforehand.
**/
private Response doInvoke(
Request request,
HttpResponseHandler> responseHandler,
ExecutionContext executionContext) {
request.setEndpoint(endpoint);
request.setTimeOffset(timeOffset);
HttpResponseHandler errorResponseHandler = protocolFactory
.createErrorResponseHandler(new JsonErrorResponseMetadata());
return client.execute(request, responseHandler, errorResponseHandler,
executionContext);
}
}