software.amazon.awssdk.services.kms.model.CreateKeyRequest Maven / Gradle / Ivy
/*
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with
* the License. A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
* CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
* and limitations under the License.
*/
package software.amazon.awssdk.services.kms.model;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.function.BiConsumer;
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import software.amazon.awssdk.annotations.Generated;
import software.amazon.awssdk.awscore.AwsRequestOverrideConfiguration;
import software.amazon.awssdk.core.SdkField;
import software.amazon.awssdk.core.SdkPojo;
import software.amazon.awssdk.core.protocol.MarshallLocation;
import software.amazon.awssdk.core.protocol.MarshallingType;
import software.amazon.awssdk.core.traits.ListTrait;
import software.amazon.awssdk.core.traits.LocationTrait;
import software.amazon.awssdk.core.util.DefaultSdkAutoConstructList;
import software.amazon.awssdk.core.util.SdkAutoConstructList;
import software.amazon.awssdk.utils.ToString;
import software.amazon.awssdk.utils.builder.CopyableBuilder;
import software.amazon.awssdk.utils.builder.ToCopyableBuilder;
/**
*/
@Generated("software.amazon.awssdk:codegen")
public final class CreateKeyRequest extends KmsRequest implements ToCopyableBuilder {
private static final SdkField POLICY_FIELD = SdkField. builder(MarshallingType.STRING)
.getter(getter(CreateKeyRequest::policy)).setter(setter(Builder::policy))
.traits(LocationTrait.builder().location(MarshallLocation.PAYLOAD).locationName("Policy").build()).build();
private static final SdkField DESCRIPTION_FIELD = SdkField. builder(MarshallingType.STRING)
.getter(getter(CreateKeyRequest::description)).setter(setter(Builder::description))
.traits(LocationTrait.builder().location(MarshallLocation.PAYLOAD).locationName("Description").build()).build();
private static final SdkField KEY_USAGE_FIELD = SdkField. builder(MarshallingType.STRING)
.getter(getter(CreateKeyRequest::keyUsageAsString)).setter(setter(Builder::keyUsage))
.traits(LocationTrait.builder().location(MarshallLocation.PAYLOAD).locationName("KeyUsage").build()).build();
private static final SdkField CUSTOMER_MASTER_KEY_SPEC_FIELD = SdkField. builder(MarshallingType.STRING)
.getter(getter(CreateKeyRequest::customerMasterKeySpecAsString)).setter(setter(Builder::customerMasterKeySpec))
.traits(LocationTrait.builder().location(MarshallLocation.PAYLOAD).locationName("CustomerMasterKeySpec").build())
.build();
private static final SdkField ORIGIN_FIELD = SdkField. builder(MarshallingType.STRING)
.getter(getter(CreateKeyRequest::originAsString)).setter(setter(Builder::origin))
.traits(LocationTrait.builder().location(MarshallLocation.PAYLOAD).locationName("Origin").build()).build();
private static final SdkField CUSTOM_KEY_STORE_ID_FIELD = SdkField. builder(MarshallingType.STRING)
.getter(getter(CreateKeyRequest::customKeyStoreId)).setter(setter(Builder::customKeyStoreId))
.traits(LocationTrait.builder().location(MarshallLocation.PAYLOAD).locationName("CustomKeyStoreId").build()).build();
private static final SdkField BYPASS_POLICY_LOCKOUT_SAFETY_CHECK_FIELD = SdkField
. builder(MarshallingType.BOOLEAN)
.getter(getter(CreateKeyRequest::bypassPolicyLockoutSafetyCheck))
.setter(setter(Builder::bypassPolicyLockoutSafetyCheck))
.traits(LocationTrait.builder().location(MarshallLocation.PAYLOAD).locationName("BypassPolicyLockoutSafetyCheck")
.build()).build();
private static final SdkField> TAGS_FIELD = SdkField
.> builder(MarshallingType.LIST)
.getter(getter(CreateKeyRequest::tags))
.setter(setter(Builder::tags))
.traits(LocationTrait.builder().location(MarshallLocation.PAYLOAD).locationName("Tags").build(),
ListTrait
.builder()
.memberLocationName(null)
.memberFieldInfo(
SdkField. builder(MarshallingType.SDK_POJO)
.constructor(Tag::builder)
.traits(LocationTrait.builder().location(MarshallLocation.PAYLOAD)
.locationName("member").build()).build()).build()).build();
private static final List> SDK_FIELDS = Collections.unmodifiableList(Arrays.asList(POLICY_FIELD,
DESCRIPTION_FIELD, KEY_USAGE_FIELD, CUSTOMER_MASTER_KEY_SPEC_FIELD, ORIGIN_FIELD, CUSTOM_KEY_STORE_ID_FIELD,
BYPASS_POLICY_LOCKOUT_SAFETY_CHECK_FIELD, TAGS_FIELD));
private final String policy;
private final String description;
private final String keyUsage;
private final String customerMasterKeySpec;
private final String origin;
private final String customKeyStoreId;
private final Boolean bypassPolicyLockoutSafetyCheck;
private final List tags;
private CreateKeyRequest(BuilderImpl builder) {
super(builder);
this.policy = builder.policy;
this.description = builder.description;
this.keyUsage = builder.keyUsage;
this.customerMasterKeySpec = builder.customerMasterKeySpec;
this.origin = builder.origin;
this.customKeyStoreId = builder.customKeyStoreId;
this.bypassPolicyLockoutSafetyCheck = builder.bypassPolicyLockoutSafetyCheck;
this.tags = builder.tags;
}
/**
*
* The key policy to attach to the CMK.
*
*
* If you provide a key policy, it must meet the following criteria:
*
*
* -
*
* If you don't set BypassPolicyLockoutSafetyCheck to true, the key policy must allow the principal
* that is making the CreateKey request to make a subsequent PutKeyPolicy request on the CMK.
* This reduces the risk that the CMK becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section of the AWS Key Management Service Developer Guide .
*
*
* -
*
* Each statement in the key policy must contain one or more principals. The principals in the key policy must exist
* and be visible to AWS KMS. When you create a new AWS principal (for example, an IAM user or role), you might need
* to enforce a delay before including the new principal in a key policy because the new principal might not be
* immediately visible to AWS KMS. For more information, see Changes that I make are not always immediately visible in the AWS Identity and Access Management User
* Guide.
*
*
*
*
* If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK. For more information, see
* Default Key
* Policy in the AWS Key Management Service Developer Guide.
*
*
* The key policy size quota is 32 kilobytes (32768 bytes).
*
*
* @return The key policy to attach to the CMK.
*
* If you provide a key policy, it must meet the following criteria:
*
*
* -
*
* If you don't set BypassPolicyLockoutSafetyCheck to true, the key policy must allow the
* principal that is making the CreateKey request to make a subsequent PutKeyPolicy
* request on the CMK. This reduces the risk that the CMK becomes unmanageable. For more information, refer
* to the scenario in the Default Key Policy section of the AWS Key Management Service Developer Guide .
*
*
* -
*
* Each statement in the key policy must contain one or more principals. The principals in the key policy
* must exist and be visible to AWS KMS. When you create a new AWS principal (for example, an IAM user or
* role), you might need to enforce a delay before including the new principal in a key policy because the
* new principal might not be immediately visible to AWS KMS. For more information, see Changes that I make are not always immediately visible in the AWS Identity and Access Management
* User Guide.
*
*
*
*
* If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK. For more
* information, see Default
* Key Policy in the AWS Key Management Service Developer Guide.
*
*
* The key policy size quota is 32 kilobytes (32768 bytes).
*/
public String policy() {
return policy;
}
/**
*
* A description of the CMK.
*
*
* Use a description that helps you decide whether the CMK is appropriate for a task.
*
*
* @return A description of the CMK.
*
* Use a description that helps you decide whether the CMK is appropriate for a task.
*/
public String description() {
return description;
}
/**
*
* Determines the cryptographic
* operations for which you can use the CMK. The default value is ENCRYPT_DECRYPT. This parameter
* is required only for asymmetric CMKs. You can't change the KeyUsage value after the CMK is created.
*
*
* Select only one valid value.
*
*
* -
*
* For symmetric CMKs, omit the parameter or specify ENCRYPT_DECRYPT.
*
*
* -
*
* For asymmetric CMKs with RSA key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY.
*
*
* -
*
* For asymmetric CMKs with ECC key material, specify SIGN_VERIFY.
*
*
*
*
* If the service returns an enum value that is not available in the current SDK version, {@link #keyUsage} will
* return {@link KeyUsageType#UNKNOWN_TO_SDK_VERSION}. The raw value returned by the service is available from
* {@link #keyUsageAsString}.
*
*
* @return Determines the cryptographic operations for which you can use the CMK. The default value is
* ENCRYPT_DECRYPT. This parameter is required only for asymmetric CMKs. You can't change the
* KeyUsage value after the CMK is created.
*
* Select only one valid value.
*
*
* -
*
* For symmetric CMKs, omit the parameter or specify ENCRYPT_DECRYPT.
*
*
* -
*
* For asymmetric CMKs with RSA key material, specify ENCRYPT_DECRYPT or
* SIGN_VERIFY.
*
*
* -
*
* For asymmetric CMKs with ECC key material, specify SIGN_VERIFY.
*
*
* @see KeyUsageType
*/
public KeyUsageType keyUsage() {
return KeyUsageType.fromValue(keyUsage);
}
/**
*
* Determines the cryptographic
* operations for which you can use the CMK. The default value is ENCRYPT_DECRYPT. This parameter
* is required only for asymmetric CMKs. You can't change the KeyUsage value after the CMK is created.
*
*
* Select only one valid value.
*
*
* -
*
* For symmetric CMKs, omit the parameter or specify ENCRYPT_DECRYPT.
*
*
* -
*
* For asymmetric CMKs with RSA key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY.
*
*
* -
*
* For asymmetric CMKs with ECC key material, specify SIGN_VERIFY.
*
*
*
*
* If the service returns an enum value that is not available in the current SDK version, {@link #keyUsage} will
* return {@link KeyUsageType#UNKNOWN_TO_SDK_VERSION}. The raw value returned by the service is available from
* {@link #keyUsageAsString}.
*
*
* @return Determines the cryptographic operations for which you can use the CMK. The default value is
* ENCRYPT_DECRYPT. This parameter is required only for asymmetric CMKs. You can't change the
* KeyUsage value after the CMK is created.
*
* Select only one valid value.
*
*
* -
*
* For symmetric CMKs, omit the parameter or specify ENCRYPT_DECRYPT.
*
*
* -
*
* For asymmetric CMKs with RSA key material, specify ENCRYPT_DECRYPT or
* SIGN_VERIFY.
*
*
* -
*
* For asymmetric CMKs with ECC key material, specify SIGN_VERIFY.
*
*
* @see KeyUsageType
*/
public String keyUsageAsString() {
return keyUsage;
}
/**
*
* Specifies the type of CMK to create. The default value, SYMMETRIC_DEFAULT, creates a CMK with a
* 256-bit symmetric key for encryption and decryption. For help choosing a key spec for your CMK, see How to Choose Your CMK
* Configuration in the AWS Key Management Service Developer Guide.
*
*
* The CustomerMasterKeySpec determines whether the CMK contains a symmetric key or an asymmetric key
* pair. It also determines the encryption algorithms or signing algorithms that the CMK supports. You can't change
* the CustomerMasterKeySpec after the CMK is created. To further restrict the algorithms that can be
* used with the CMK, use a condition key in its key policy or IAM policy. For more information, see kms:EncryptionAlgorithm or kms:Signing Algorithm in the AWS Key Management Service Developer Guide.
*
*
*
* AWS services that are integrated with AWS
* KMS use symmetric CMKs to protect your data. These services do not support asymmetric CMKs. For help
* determining whether a CMK is symmetric or asymmetric, see Identifying Symmetric and
* Asymmetric CMKs in the AWS Key Management Service Developer Guide.
*
*
*
* AWS KMS supports the following key specs for CMKs:
*
*
* -
*
* Symmetric key (default)
*
*
* -
*
* SYMMETRIC_DEFAULT (AES-256-GCM)
*
*
*
*
* -
*
* Asymmetric RSA key pairs
*
*
* -
*
* RSA_2048
*
*
* -
*
* RSA_3072
*
*
* -
*
* RSA_4096
*
*
*
*
* -
*
* Asymmetric NIST-recommended elliptic curve key pairs
*
*
* -
*
* ECC_NIST_P256 (secp256r1)
*
*
* -
*
* ECC_NIST_P384 (secp384r1)
*
*
* -
*
* ECC_NIST_P521 (secp521r1)
*
*
*
*
* -
*
* Other asymmetric elliptic curve key pairs
*
*
* -
*
* ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies.
*
*
*
*
*
*
* If the service returns an enum value that is not available in the current SDK version,
* {@link #customerMasterKeySpec} will return {@link CustomerMasterKeySpec#UNKNOWN_TO_SDK_VERSION}. The raw value
* returned by the service is available from {@link #customerMasterKeySpecAsString}.
*
*
* @return Specifies the type of CMK to create. The default value, SYMMETRIC_DEFAULT, creates a CMK
* with a 256-bit symmetric key for encryption and decryption. For help choosing a key spec for your CMK,
* see How to Choose
* Your CMK Configuration in the AWS Key Management Service Developer Guide.
*
* The CustomerMasterKeySpec determines whether the CMK contains a symmetric key or an
* asymmetric key pair. It also determines the encryption algorithms or signing algorithms that the CMK
* supports. You can't change the CustomerMasterKeySpec after the CMK is created. To further
* restrict the algorithms that can be used with the CMK, use a condition key in its key policy or IAM
* policy. For more information, see kms:EncryptionAlgorithm or kms:Signing Algorithm in the AWS Key Management Service Developer Guide.
*
*
*
* AWS services that are integrated
* with AWS KMS use symmetric CMKs to protect your data. These services do not support asymmetric CMKs.
* For help determining whether a CMK is symmetric or asymmetric, see Identifying Symmetric
* and Asymmetric CMKs in the AWS Key Management Service Developer Guide.
*
*
*
* AWS KMS supports the following key specs for CMKs:
*
*
* -
*
* Symmetric key (default)
*
*
* -
*
* SYMMETRIC_DEFAULT (AES-256-GCM)
*
*
*
*
* -
*
* Asymmetric RSA key pairs
*
*
* -
*
* RSA_2048
*
*
* -
*
* RSA_3072
*
*
* -
*
* RSA_4096
*
*
*
*
* -
*
* Asymmetric NIST-recommended elliptic curve key pairs
*
*
* -
*
* ECC_NIST_P256 (secp256r1)
*
*
* -
*
* ECC_NIST_P384 (secp384r1)
*
*
* -
*
* ECC_NIST_P521 (secp521r1)
*
*
*
*
* -
*
* Other asymmetric elliptic curve key pairs
*
*
* -
*
* ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies.
*
*
*
*
* @see CustomerMasterKeySpec
*/
public CustomerMasterKeySpec customerMasterKeySpec() {
return CustomerMasterKeySpec.fromValue(customerMasterKeySpec);
}
/**
*
* Specifies the type of CMK to create. The default value, SYMMETRIC_DEFAULT, creates a CMK with a
* 256-bit symmetric key for encryption and decryption. For help choosing a key spec for your CMK, see How to Choose Your CMK
* Configuration in the AWS Key Management Service Developer Guide.
*
*
* The CustomerMasterKeySpec determines whether the CMK contains a symmetric key or an asymmetric key
* pair. It also determines the encryption algorithms or signing algorithms that the CMK supports. You can't change
* the CustomerMasterKeySpec after the CMK is created. To further restrict the algorithms that can be
* used with the CMK, use a condition key in its key policy or IAM policy. For more information, see kms:EncryptionAlgorithm or kms:Signing Algorithm in the AWS Key Management Service Developer Guide.
*
*
*
* AWS services that are integrated with AWS
* KMS use symmetric CMKs to protect your data. These services do not support asymmetric CMKs. For help
* determining whether a CMK is symmetric or asymmetric, see Identifying Symmetric and
* Asymmetric CMKs in the AWS Key Management Service Developer Guide.
*
*
*
* AWS KMS supports the following key specs for CMKs:
*
*
* -
*
* Symmetric key (default)
*
*
* -
*
* SYMMETRIC_DEFAULT (AES-256-GCM)
*
*
*
*
* -
*
* Asymmetric RSA key pairs
*
*
* -
*
* RSA_2048
*
*
* -
*
* RSA_3072
*
*
* -
*
* RSA_4096
*
*
*
*
* -
*
* Asymmetric NIST-recommended elliptic curve key pairs
*
*
* -
*
* ECC_NIST_P256 (secp256r1)
*
*
* -
*
* ECC_NIST_P384 (secp384r1)
*
*
* -
*
* ECC_NIST_P521 (secp521r1)
*
*
*
*
* -
*
* Other asymmetric elliptic curve key pairs
*
*
* -
*
* ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies.
*
*
*
*
*
*
* If the service returns an enum value that is not available in the current SDK version,
* {@link #customerMasterKeySpec} will return {@link CustomerMasterKeySpec#UNKNOWN_TO_SDK_VERSION}. The raw value
* returned by the service is available from {@link #customerMasterKeySpecAsString}.
*
*
* @return Specifies the type of CMK to create. The default value, SYMMETRIC_DEFAULT, creates a CMK
* with a 256-bit symmetric key for encryption and decryption. For help choosing a key spec for your CMK,
* see How to Choose
* Your CMK Configuration in the AWS Key Management Service Developer Guide.
*
* The CustomerMasterKeySpec determines whether the CMK contains a symmetric key or an
* asymmetric key pair. It also determines the encryption algorithms or signing algorithms that the CMK
* supports. You can't change the CustomerMasterKeySpec after the CMK is created. To further
* restrict the algorithms that can be used with the CMK, use a condition key in its key policy or IAM
* policy. For more information, see kms:EncryptionAlgorithm or kms:Signing Algorithm in the AWS Key Management Service Developer Guide.
*
*
*
* AWS services that are integrated
* with AWS KMS use symmetric CMKs to protect your data. These services do not support asymmetric CMKs.
* For help determining whether a CMK is symmetric or asymmetric, see Identifying Symmetric
* and Asymmetric CMKs in the AWS Key Management Service Developer Guide.
*
*
*
* AWS KMS supports the following key specs for CMKs:
*
*
* -
*
* Symmetric key (default)
*
*
* -
*
* SYMMETRIC_DEFAULT (AES-256-GCM)
*
*
*
*
* -
*
* Asymmetric RSA key pairs
*
*
* -
*
* RSA_2048
*
*
* -
*
* RSA_3072
*
*
* -
*
* RSA_4096
*
*
*
*
* -
*
* Asymmetric NIST-recommended elliptic curve key pairs
*
*
* -
*
* ECC_NIST_P256 (secp256r1)
*
*
* -
*
* ECC_NIST_P384 (secp384r1)
*
*
* -
*
* ECC_NIST_P521 (secp521r1)
*
*
*
*
* -
*
* Other asymmetric elliptic curve key pairs
*
*
* -
*
* ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies.
*
*
*
*
* @see CustomerMasterKeySpec
*/
public String customerMasterKeySpecAsString() {
return customerMasterKeySpec;
}
/**
*
* The source of the key material for the CMK. You cannot change the origin after you create the CMK. The default is
* AWS_KMS, which means AWS KMS creates the key material.
*
*
* When the parameter value is EXTERNAL, AWS KMS creates a CMK without key material so that you can
* import key material from your existing key management infrastructure. For more information about importing key
* material into AWS KMS, see Importing Key Material in
* the AWS Key Management Service Developer Guide. This value is valid only for symmetric CMKs.
*
*
* When the parameter value is AWS_CLOUDHSM, AWS KMS creates the CMK in an AWS KMS custom key store
* and creates its key material in the associated AWS CloudHSM cluster. You must also use the
* CustomKeyStoreId parameter to identify the custom key store. This value is valid only for symmetric
* CMKs.
*
*
* If the service returns an enum value that is not available in the current SDK version, {@link #origin} will
* return {@link OriginType#UNKNOWN_TO_SDK_VERSION}. The raw value returned by the service is available from
* {@link #originAsString}.
*
*
* @return The source of the key material for the CMK. You cannot change the origin after you create the CMK. The
* default is AWS_KMS, which means AWS KMS creates the key material.
*
* When the parameter value is EXTERNAL, AWS KMS creates a CMK without key material so that you
* can import key material from your existing key management infrastructure. For more information about
* importing key material into AWS KMS, see Importing Key
* Material in the AWS Key Management Service Developer Guide. This value is valid only for
* symmetric CMKs.
*
*
* When the parameter value is AWS_CLOUDHSM, AWS KMS creates the CMK in an AWS KMS custom key
* store and creates its key material in the associated AWS CloudHSM cluster. You must also use the
* CustomKeyStoreId parameter to identify the custom key store. This value is valid only for
* symmetric CMKs.
* @see OriginType
*/
public OriginType origin() {
return OriginType.fromValue(origin);
}
/**
*
* The source of the key material for the CMK. You cannot change the origin after you create the CMK. The default is
* AWS_KMS, which means AWS KMS creates the key material.
*
*
* When the parameter value is EXTERNAL, AWS KMS creates a CMK without key material so that you can
* import key material from your existing key management infrastructure. For more information about importing key
* material into AWS KMS, see Importing Key Material in
* the AWS Key Management Service Developer Guide. This value is valid only for symmetric CMKs.
*
*
* When the parameter value is AWS_CLOUDHSM, AWS KMS creates the CMK in an AWS KMS custom key store
* and creates its key material in the associated AWS CloudHSM cluster. You must also use the
* CustomKeyStoreId parameter to identify the custom key store. This value is valid only for symmetric
* CMKs.
*
*
* If the service returns an enum value that is not available in the current SDK version, {@link #origin} will
* return {@link OriginType#UNKNOWN_TO_SDK_VERSION}. The raw value returned by the service is available from
* {@link #originAsString}.
*
*
* @return The source of the key material for the CMK. You cannot change the origin after you create the CMK. The
* default is AWS_KMS, which means AWS KMS creates the key material.
*
* When the parameter value is EXTERNAL, AWS KMS creates a CMK without key material so that you
* can import key material from your existing key management infrastructure. For more information about
* importing key material into AWS KMS, see Importing Key
* Material in the AWS Key Management Service Developer Guide. This value is valid only for
* symmetric CMKs.
*
*
* When the parameter value is AWS_CLOUDHSM, AWS KMS creates the CMK in an AWS KMS custom key
* store and creates its key material in the associated AWS CloudHSM cluster. You must also use the
* CustomKeyStoreId parameter to identify the custom key store. This value is valid only for
* symmetric CMKs.
* @see OriginType
*/
public String originAsString() {
return origin;
}
/**
*
* Creates the CMK in the specified custom key store
* and the key material in its associated AWS CloudHSM cluster. To create a CMK in a custom key store, you must also
* specify the Origin parameter with a value of AWS_CLOUDHSM. The AWS CloudHSM cluster
* that is associated with the custom key store must have at least two active HSMs, each in a different Availability
* Zone in the Region.
*
*
* This parameter is valid only for symmetric CMKs. You cannot create an asymmetric CMK in a custom key store.
*
*
* To find the ID of a custom key store, use the DescribeCustomKeyStores operation.
*
*
* The response includes the custom key store ID and the ID of the AWS CloudHSM cluster.
*
*
* This operation is part of the Custom Key Store
* feature feature in AWS KMS, which combines the convenience and extensive integration of AWS KMS with the
* isolation and control of a single-tenant key store.
*
*
* @return Creates the CMK in the specified custom key
* store and the key material in its associated AWS CloudHSM cluster. To create a CMK in a custom key
* store, you must also specify the Origin parameter with a value of AWS_CLOUDHSM.
* The AWS CloudHSM cluster that is associated with the custom key store must have at least two active HSMs,
* each in a different Availability Zone in the Region.
*
* This parameter is valid only for symmetric CMKs. You cannot create an asymmetric CMK in a custom key
* store.
*
*
* To find the ID of a custom key store, use the DescribeCustomKeyStores operation.
*
*
* The response includes the custom key store ID and the ID of the AWS CloudHSM cluster.
*
*
* This operation is part of the Custom Key
* Store feature feature in AWS KMS, which combines the convenience and extensive integration of AWS KMS
* with the isolation and control of a single-tenant key store.
*/
public String customKeyStoreId() {
return customKeyStoreId;
}
/**
*
* A flag to indicate whether to bypass the key policy lockout safety check.
*
*
*
* Setting this value to true increases the risk that the CMK becomes unmanageable. Do not set this value to true
* indiscriminately.
*
*
* For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide .
*
*
*
* Use this parameter only when you include a policy in the request and you intend to prevent the principal that is
* making the request from making a subsequent PutKeyPolicy request on the CMK.
*
*
* The default value is false.
*
*
* @return A flag to indicate whether to bypass the key policy lockout safety check.
*
* Setting this value to true increases the risk that the CMK becomes unmanageable. Do not set this value to
* true indiscriminately.
*
*
* For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide .
*
*
*
* Use this parameter only when you include a policy in the request and you intend to prevent the principal
* that is making the request from making a subsequent PutKeyPolicy request on the CMK.
*
*
* The default value is false.
*/
public Boolean bypassPolicyLockoutSafetyCheck() {
return bypassPolicyLockoutSafetyCheck;
}
/**
* Returns true if the Tags property was specified by the sender (it may be empty), or false if the sender did not
* specify the value (it will be empty). For responses returned by the SDK, the sender is the AWS service.
*/
public boolean hasTags() {
return tags != null && !(tags instanceof SdkAutoConstructList);
}
/**
*
* One or more tags. Each tag consists of a tag key and a tag value. Both the tag key and the tag value are
* required, but the tag value can be an empty (null) string.
*
*
* When you add tags to an AWS resource, AWS generates a cost allocation report with usage and costs aggregated by
* tags. For information about adding, changing, deleting and listing tags for CMKs, see Tagging Keys.
*
*
* Use this parameter to tag the CMK when it is created. To add tags to an existing CMK, use the TagResource
* operation.
*
*
* Attempts to modify the collection returned by this method will result in an UnsupportedOperationException.
*
*
* You can use {@link #hasTags()} to see if a value was sent in this field.
*
*
* @return One or more tags. Each tag consists of a tag key and a tag value. Both the tag key and the tag value are
* required, but the tag value can be an empty (null) string.
*
* When you add tags to an AWS resource, AWS generates a cost allocation report with usage and costs
* aggregated by tags. For information about adding, changing, deleting and listing tags for CMKs, see Tagging Keys.
*
*
* Use this parameter to tag the CMK when it is created. To add tags to an existing CMK, use the
* TagResource operation.
*/
public List tags() {
return tags;
}
@Override
public Builder toBuilder() {
return new BuilderImpl(this);
}
public static Builder builder() {
return new BuilderImpl();
}
public static Class serializableBuilderClass() {
return BuilderImpl.class;
}
@Override
public int hashCode() {
int hashCode = 1;
hashCode = 31 * hashCode + super.hashCode();
hashCode = 31 * hashCode + Objects.hashCode(policy());
hashCode = 31 * hashCode + Objects.hashCode(description());
hashCode = 31 * hashCode + Objects.hashCode(keyUsageAsString());
hashCode = 31 * hashCode + Objects.hashCode(customerMasterKeySpecAsString());
hashCode = 31 * hashCode + Objects.hashCode(originAsString());
hashCode = 31 * hashCode + Objects.hashCode(customKeyStoreId());
hashCode = 31 * hashCode + Objects.hashCode(bypassPolicyLockoutSafetyCheck());
hashCode = 31 * hashCode + Objects.hashCode(tags());
return hashCode;
}
@Override
public boolean equals(Object obj) {
return super.equals(obj) && equalsBySdkFields(obj);
}
@Override
public boolean equalsBySdkFields(Object obj) {
if (this == obj) {
return true;
}
if (obj == null) {
return false;
}
if (!(obj instanceof CreateKeyRequest)) {
return false;
}
CreateKeyRequest other = (CreateKeyRequest) obj;
return Objects.equals(policy(), other.policy()) && Objects.equals(description(), other.description())
&& Objects.equals(keyUsageAsString(), other.keyUsageAsString())
&& Objects.equals(customerMasterKeySpecAsString(), other.customerMasterKeySpecAsString())
&& Objects.equals(originAsString(), other.originAsString())
&& Objects.equals(customKeyStoreId(), other.customKeyStoreId())
&& Objects.equals(bypassPolicyLockoutSafetyCheck(), other.bypassPolicyLockoutSafetyCheck())
&& Objects.equals(tags(), other.tags());
}
/**
* Returns a string representation of this object. This is useful for testing and debugging. Sensitive data will be
* redacted from this string using a placeholder value.
*/
@Override
public String toString() {
return ToString.builder("CreateKeyRequest").add("Policy", policy()).add("Description", description())
.add("KeyUsage", keyUsageAsString()).add("CustomerMasterKeySpec", customerMasterKeySpecAsString())
.add("Origin", originAsString()).add("CustomKeyStoreId", customKeyStoreId())
.add("BypassPolicyLockoutSafetyCheck", bypassPolicyLockoutSafetyCheck()).add("Tags", tags()).build();
}
public Optional getValueForField(String fieldName, Class clazz) {
switch (fieldName) {
case "Policy":
return Optional.ofNullable(clazz.cast(policy()));
case "Description":
return Optional.ofNullable(clazz.cast(description()));
case "KeyUsage":
return Optional.ofNullable(clazz.cast(keyUsageAsString()));
case "CustomerMasterKeySpec":
return Optional.ofNullable(clazz.cast(customerMasterKeySpecAsString()));
case "Origin":
return Optional.ofNullable(clazz.cast(originAsString()));
case "CustomKeyStoreId":
return Optional.ofNullable(clazz.cast(customKeyStoreId()));
case "BypassPolicyLockoutSafetyCheck":
return Optional.ofNullable(clazz.cast(bypassPolicyLockoutSafetyCheck()));
case "Tags":
return Optional.ofNullable(clazz.cast(tags()));
default:
return Optional.empty();
}
}
@Override
public List> sdkFields() {
return SDK_FIELDS;
}
private static Function getter(Function g) {
return obj -> g.apply((CreateKeyRequest) obj);
}
private static BiConsumer setter(BiConsumer s) {
return (obj, val) -> s.accept((Builder) obj, val);
}
public interface Builder extends KmsRequest.Builder, SdkPojo, CopyableBuilder {
/**
*
* The key policy to attach to the CMK.
*
*
* If you provide a key policy, it must meet the following criteria:
*
*
* -
*
* If you don't set BypassPolicyLockoutSafetyCheck to true, the key policy must allow the principal
* that is making the CreateKey request to make a subsequent PutKeyPolicy request on the
* CMK. This reduces the risk that the CMK becomes unmanageable. For more information, refer to the scenario in
* the Default Key Policy section of the AWS Key Management Service Developer Guide .
*
*
* -
*
* Each statement in the key policy must contain one or more principals. The principals in the key policy must
* exist and be visible to AWS KMS. When you create a new AWS principal (for example, an IAM user or role), you
* might need to enforce a delay before including the new principal in a key policy because the new principal
* might not be immediately visible to AWS KMS. For more information, see Changes that I make are not always immediately visible in the AWS Identity and Access Management User
* Guide.
*
*
*
*
* If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK. For more information,
* see Default Key
* Policy in the AWS Key Management Service Developer Guide.
*
*
* The key policy size quota is 32 kilobytes (32768 bytes).
*
*
* @param policy
* The key policy to attach to the CMK.
*
* If you provide a key policy, it must meet the following criteria:
*
*
* -
*
* If you don't set BypassPolicyLockoutSafetyCheck to true, the key policy must allow the
* principal that is making the CreateKey request to make a subsequent PutKeyPolicy
* request on the CMK. This reduces the risk that the CMK becomes unmanageable. For more information,
* refer to the scenario in the Default Key Policy section of the AWS Key Management Service Developer Guide .
*
*
* -
*
* Each statement in the key policy must contain one or more principals. The principals in the key policy
* must exist and be visible to AWS KMS. When you create a new AWS principal (for example, an IAM user or
* role), you might need to enforce a delay before including the new principal in a key policy because
* the new principal might not be immediately visible to AWS KMS. For more information, see Changes that I make are not always immediately visible in the AWS Identity and Access
* Management User Guide.
*
*
*
*
* If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK. For more
* information, see Default Key Policy in the AWS Key Management Service Developer Guide.
*
*
* The key policy size quota is 32 kilobytes (32768 bytes).
* @return Returns a reference to this object so that method calls can be chained together.
*/
Builder policy(String policy);
/**
*
* A description of the CMK.
*
*
* Use a description that helps you decide whether the CMK is appropriate for a task.
*
*
* @param description
* A description of the CMK.
*
* Use a description that helps you decide whether the CMK is appropriate for a task.
* @return Returns a reference to this object so that method calls can be chained together.
*/
Builder description(String description);
/**
*
* Determines the cryptographic operations for which you can use the CMK. The default value is
* ENCRYPT_DECRYPT. This parameter is required only for asymmetric CMKs. You can't change the
* KeyUsage value after the CMK is created.
*
*
* Select only one valid value.
*
*
* -
*
* For symmetric CMKs, omit the parameter or specify ENCRYPT_DECRYPT.
*
*
* -
*
* For asymmetric CMKs with RSA key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY.
*
*
* -
*
* For asymmetric CMKs with ECC key material, specify SIGN_VERIFY.
*
*
*
*
* @param keyUsage
* Determines the cryptographic operations for which you can use the CMK. The default value is
* ENCRYPT_DECRYPT. This parameter is required only for asymmetric CMKs. You can't change
* the KeyUsage value after the CMK is created.
*
* Select only one valid value.
*
*
* -
*
* For symmetric CMKs, omit the parameter or specify ENCRYPT_DECRYPT.
*
*
* -
*
* For asymmetric CMKs with RSA key material, specify ENCRYPT_DECRYPT or
* SIGN_VERIFY.
*
*
* -
*
* For asymmetric CMKs with ECC key material, specify SIGN_VERIFY.
*
*
* @see KeyUsageType
* @return Returns a reference to this object so that method calls can be chained together.
* @see KeyUsageType
*/
Builder keyUsage(String keyUsage);
/**
*
* Determines the cryptographic operations for which you can use the CMK. The default value is
* ENCRYPT_DECRYPT. This parameter is required only for asymmetric CMKs. You can't change the
* KeyUsage value after the CMK is created.
*
*
* Select only one valid value.
*
*
* -
*
* For symmetric CMKs, omit the parameter or specify ENCRYPT_DECRYPT.
*
*
* -
*
* For asymmetric CMKs with RSA key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY.
*
*
* -
*
* For asymmetric CMKs with ECC key material, specify SIGN_VERIFY.
*
*
*
*
* @param keyUsage
* Determines the cryptographic operations for which you can use the CMK. The default value is
* ENCRYPT_DECRYPT. This parameter is required only for asymmetric CMKs. You can't change
* the KeyUsage value after the CMK is created.
*
* Select only one valid value.
*
*
* -
*
* For symmetric CMKs, omit the parameter or specify ENCRYPT_DECRYPT.
*
*
* -
*
* For asymmetric CMKs with RSA key material, specify ENCRYPT_DECRYPT or
* SIGN_VERIFY.
*
*
* -
*
* For asymmetric CMKs with ECC key material, specify SIGN_VERIFY.
*
*
* @see KeyUsageType
* @return Returns a reference to this object so that method calls can be chained together.
* @see KeyUsageType
*/
Builder keyUsage(KeyUsageType keyUsage);
/**
*
* Specifies the type of CMK to create. The default value, SYMMETRIC_DEFAULT, creates a CMK with a
* 256-bit symmetric key for encryption and decryption. For help choosing a key spec for your CMK, see How to Choose Your CMK
* Configuration in the AWS Key Management Service Developer Guide.
*
*
* The CustomerMasterKeySpec determines whether the CMK contains a symmetric key or an asymmetric
* key pair. It also determines the encryption algorithms or signing algorithms that the CMK supports. You can't
* change the CustomerMasterKeySpec after the CMK is created. To further restrict the algorithms
* that can be used with the CMK, use a condition key in its key policy or IAM policy. For more information, see
* kms:EncryptionAlgorithm or kms:Signing Algorithm in the AWS Key Management Service Developer Guide.
*
*
*
* AWS services that are integrated with
* AWS KMS use symmetric CMKs to protect your data. These services do not support asymmetric CMKs. For help
* determining whether a CMK is symmetric or asymmetric, see Identifying Symmetric and
* Asymmetric CMKs in the AWS Key Management Service Developer Guide.
*
*
*
* AWS KMS supports the following key specs for CMKs:
*
*
* -
*
* Symmetric key (default)
*
*
* -
*
* SYMMETRIC_DEFAULT (AES-256-GCM)
*
*
*
*
* -
*
* Asymmetric RSA key pairs
*
*
* -
*
* RSA_2048
*
*
* -
*
* RSA_3072
*
*
* -
*
* RSA_4096
*
*
*
*
* -
*
* Asymmetric NIST-recommended elliptic curve key pairs
*
*
* -
*
* ECC_NIST_P256 (secp256r1)
*
*
* -
*
* ECC_NIST_P384 (secp384r1)
*
*
* -
*
* ECC_NIST_P521 (secp521r1)
*
*
*
*
* -
*
* Other asymmetric elliptic curve key pairs
*
*
* -
*
* ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies.
*
*
*
*
*
*
* @param customerMasterKeySpec
* Specifies the type of CMK to create. The default value, SYMMETRIC_DEFAULT, creates a CMK
* with a 256-bit symmetric key for encryption and decryption. For help choosing a key spec for your CMK,
* see How to
* Choose Your CMK Configuration in the AWS Key Management Service Developer Guide.
*
* The CustomerMasterKeySpec determines whether the CMK contains a symmetric key or an
* asymmetric key pair. It also determines the encryption algorithms or signing algorithms that the CMK
* supports. You can't change the CustomerMasterKeySpec after the CMK is created. To further
* restrict the algorithms that can be used with the CMK, use a condition key in its key policy or IAM
* policy. For more information, see kms:EncryptionAlgorithm or kms:Signing Algorithm in the AWS Key Management Service Developer Guide.
*
*
*
* AWS services that are integrated
* with AWS KMS use symmetric CMKs to protect your data. These services do not support asymmetric
* CMKs. For help determining whether a CMK is symmetric or asymmetric, see Identifying
* Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer Guide.
*
*
*
* AWS KMS supports the following key specs for CMKs:
*
*
* -
*
* Symmetric key (default)
*
*
* -
*
* SYMMETRIC_DEFAULT (AES-256-GCM)
*
*
*
*
* -
*
* Asymmetric RSA key pairs
*
*
* -
*
* RSA_2048
*
*
* -
*
* RSA_3072
*
*
* -
*
* RSA_4096
*
*
*
*
* -
*
* Asymmetric NIST-recommended elliptic curve key pairs
*
*
* -
*
* ECC_NIST_P256 (secp256r1)
*
*
* -
*
* ECC_NIST_P384 (secp384r1)
*
*
* -
*
* ECC_NIST_P521 (secp521r1)
*
*
*
*
* -
*
* Other asymmetric elliptic curve key pairs
*
*
* -
*
* ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies.
*
*
*
*
* @see CustomerMasterKeySpec
* @return Returns a reference to this object so that method calls can be chained together.
* @see CustomerMasterKeySpec
*/
Builder customerMasterKeySpec(String customerMasterKeySpec);
/**
*
* Specifies the type of CMK to create. The default value, SYMMETRIC_DEFAULT, creates a CMK with a
* 256-bit symmetric key for encryption and decryption. For help choosing a key spec for your CMK, see How to Choose Your CMK
* Configuration in the AWS Key Management Service Developer Guide.
*
*
* The CustomerMasterKeySpec determines whether the CMK contains a symmetric key or an asymmetric
* key pair. It also determines the encryption algorithms or signing algorithms that the CMK supports. You can't
* change the CustomerMasterKeySpec after the CMK is created. To further restrict the algorithms
* that can be used with the CMK, use a condition key in its key policy or IAM policy. For more information, see
* kms:EncryptionAlgorithm or kms:Signing Algorithm in the AWS Key Management Service Developer Guide.
*
*
*
* AWS services that are integrated with
* AWS KMS use symmetric CMKs to protect your data. These services do not support asymmetric CMKs. For help
* determining whether a CMK is symmetric or asymmetric, see Identifying Symmetric and
* Asymmetric CMKs in the AWS Key Management Service Developer Guide.
*
*
*
* AWS KMS supports the following key specs for CMKs:
*
*
* -
*
* Symmetric key (default)
*
*
* -
*
* SYMMETRIC_DEFAULT (AES-256-GCM)
*
*
*
*
* -
*
* Asymmetric RSA key pairs
*
*
* -
*
* RSA_2048
*
*
* -
*
* RSA_3072
*
*
* -
*
* RSA_4096
*
*
*
*
* -
*
* Asymmetric NIST-recommended elliptic curve key pairs
*
*
* -
*
* ECC_NIST_P256 (secp256r1)
*
*
* -
*
* ECC_NIST_P384 (secp384r1)
*
*
* -
*
* ECC_NIST_P521 (secp521r1)
*
*
*
*
* -
*
* Other asymmetric elliptic curve key pairs
*
*
* -
*
* ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies.
*
*
*
*
*
*
* @param customerMasterKeySpec
* Specifies the type of CMK to create. The default value, SYMMETRIC_DEFAULT, creates a CMK
* with a 256-bit symmetric key for encryption and decryption. For help choosing a key spec for your CMK,
* see How to
* Choose Your CMK Configuration in the AWS Key Management Service Developer Guide.
*
* The CustomerMasterKeySpec determines whether the CMK contains a symmetric key or an
* asymmetric key pair. It also determines the encryption algorithms or signing algorithms that the CMK
* supports. You can't change the CustomerMasterKeySpec after the CMK is created. To further
* restrict the algorithms that can be used with the CMK, use a condition key in its key policy or IAM
* policy. For more information, see kms:EncryptionAlgorithm or kms:Signing Algorithm in the AWS Key Management Service Developer Guide.
*
*
*
* AWS services that are integrated
* with AWS KMS use symmetric CMKs to protect your data. These services do not support asymmetric
* CMKs. For help determining whether a CMK is symmetric or asymmetric, see Identifying
* Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer Guide.
*
*
*
* AWS KMS supports the following key specs for CMKs:
*
*
* -
*
* Symmetric key (default)
*
*
* -
*
* SYMMETRIC_DEFAULT (AES-256-GCM)
*
*
*
*
* -
*
* Asymmetric RSA key pairs
*
*
* -
*
* RSA_2048
*
*
* -
*
* RSA_3072
*
*
* -
*
* RSA_4096
*
*
*
*
* -
*
* Asymmetric NIST-recommended elliptic curve key pairs
*
*
* -
*
* ECC_NIST_P256 (secp256r1)
*
*
* -
*
* ECC_NIST_P384 (secp384r1)
*
*
* -
*
* ECC_NIST_P521 (secp521r1)
*
*
*
*
* -
*
* Other asymmetric elliptic curve key pairs
*
*
* -
*
* ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies.
*
*
*
*
* @see CustomerMasterKeySpec
* @return Returns a reference to this object so that method calls can be chained together.
* @see CustomerMasterKeySpec
*/
Builder customerMasterKeySpec(CustomerMasterKeySpec customerMasterKeySpec);
/**
*
* The source of the key material for the CMK. You cannot change the origin after you create the CMK. The
* default is AWS_KMS, which means AWS KMS creates the key material.
*
*
* When the parameter value is EXTERNAL, AWS KMS creates a CMK without key material so that you can
* import key material from your existing key management infrastructure. For more information about importing
* key material into AWS KMS, see Importing Key Material
* in the AWS Key Management Service Developer Guide. This value is valid only for symmetric CMKs.
*
*
* When the parameter value is AWS_CLOUDHSM, AWS KMS creates the CMK in an AWS KMS custom key
* store and creates its key material in the associated AWS CloudHSM cluster. You must also use the
* CustomKeyStoreId parameter to identify the custom key store. This value is valid only for
* symmetric CMKs.
*
*
* @param origin
* The source of the key material for the CMK. You cannot change the origin after you create the CMK. The
* default is AWS_KMS, which means AWS KMS creates the key material.
*
* When the parameter value is EXTERNAL, AWS KMS creates a CMK without key material so that
* you can import key material from your existing key management infrastructure. For more information
* about importing key material into AWS KMS, see Importing Key
* Material in the AWS Key Management Service Developer Guide. This value is valid only for
* symmetric CMKs.
*
*
* When the parameter value is AWS_CLOUDHSM, AWS KMS creates the CMK in an AWS KMS custom key
* store and creates its key material in the associated AWS CloudHSM cluster. You must also use the
* CustomKeyStoreId parameter to identify the custom key store. This value is valid only for
* symmetric CMKs.
* @see OriginType
* @return Returns a reference to this object so that method calls can be chained together.
* @see OriginType
*/
Builder origin(String origin);
/**
*
* The source of the key material for the CMK. You cannot change the origin after you create the CMK. The
* default is AWS_KMS, which means AWS KMS creates the key material.
*
*
* When the parameter value is EXTERNAL, AWS KMS creates a CMK without key material so that you can
* import key material from your existing key management infrastructure. For more information about importing
* key material into AWS KMS, see Importing Key Material
* in the AWS Key Management Service Developer Guide. This value is valid only for symmetric CMKs.
*
*
* When the parameter value is AWS_CLOUDHSM, AWS KMS creates the CMK in an AWS KMS custom key
* store and creates its key material in the associated AWS CloudHSM cluster. You must also use the
* CustomKeyStoreId parameter to identify the custom key store. This value is valid only for
* symmetric CMKs.
*
*
* @param origin
* The source of the key material for the CMK. You cannot change the origin after you create the CMK. The
* default is AWS_KMS, which means AWS KMS creates the key material.
*
* When the parameter value is EXTERNAL, AWS KMS creates a CMK without key material so that
* you can import key material from your existing key management infrastructure. For more information
* about importing key material into AWS KMS, see Importing Key
* Material in the AWS Key Management Service Developer Guide. This value is valid only for
* symmetric CMKs.
*
*
* When the parameter value is AWS_CLOUDHSM, AWS KMS creates the CMK in an AWS KMS custom key
* store and creates its key material in the associated AWS CloudHSM cluster. You must also use the
* CustomKeyStoreId parameter to identify the custom key store. This value is valid only for
* symmetric CMKs.
* @see OriginType
* @return Returns a reference to this object so that method calls can be chained together.
* @see OriginType
*/
Builder origin(OriginType origin);
/**
*
* Creates the CMK in the specified custom key
* store and the key material in its associated AWS CloudHSM cluster. To create a CMK in a custom key store,
* you must also specify the Origin parameter with a value of AWS_CLOUDHSM. The AWS
* CloudHSM cluster that is associated with the custom key store must have at least two active HSMs, each in a
* different Availability Zone in the Region.
*
*
* This parameter is valid only for symmetric CMKs. You cannot create an asymmetric CMK in a custom key store.
*
*
* To find the ID of a custom key store, use the DescribeCustomKeyStores operation.
*
*
* The response includes the custom key store ID and the ID of the AWS CloudHSM cluster.
*
*
* This operation is part of the Custom Key Store
* feature feature in AWS KMS, which combines the convenience and extensive integration of AWS KMS with the
* isolation and control of a single-tenant key store.
*
*
* @param customKeyStoreId
* Creates the CMK in the specified custom key
* store and the key material in its associated AWS CloudHSM cluster. To create a CMK in a custom key
* store, you must also specify the Origin parameter with a value of
* AWS_CLOUDHSM. The AWS CloudHSM cluster that is associated with the custom key store must
* have at least two active HSMs, each in a different Availability Zone in the Region.
*
* This parameter is valid only for symmetric CMKs. You cannot create an asymmetric CMK in a custom key
* store.
*
*
* To find the ID of a custom key store, use the DescribeCustomKeyStores operation.
*
*
* The response includes the custom key store ID and the ID of the AWS CloudHSM cluster.
*
*
* This operation is part of the Custom Key
* Store feature feature in AWS KMS, which combines the convenience and extensive integration of AWS
* KMS with the isolation and control of a single-tenant key store.
* @return Returns a reference to this object so that method calls can be chained together.
*/
Builder customKeyStoreId(String customKeyStoreId);
/**
*
* A flag to indicate whether to bypass the key policy lockout safety check.
*
*
*
* Setting this value to true increases the risk that the CMK becomes unmanageable. Do not set this value to
* true indiscriminately.
*
*
* For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide .
*
*
*
* Use this parameter only when you include a policy in the request and you intend to prevent the principal that
* is making the request from making a subsequent PutKeyPolicy request on the CMK.
*
*
* The default value is false.
*
*
* @param bypassPolicyLockoutSafetyCheck
* A flag to indicate whether to bypass the key policy lockout safety check.
*
* Setting this value to true increases the risk that the CMK becomes unmanageable. Do not set this value
* to true indiscriminately.
*
*
* For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide .
*
*
*
* Use this parameter only when you include a policy in the request and you intend to prevent the
* principal that is making the request from making a subsequent PutKeyPolicy request on the CMK.
*
*
* The default value is false.
* @return Returns a reference to this object so that method calls can be chained together.
*/
Builder bypassPolicyLockoutSafetyCheck(Boolean bypassPolicyLockoutSafetyCheck);
/**
*
* One or more tags. Each tag consists of a tag key and a tag value. Both the tag key and the tag value are
* required, but the tag value can be an empty (null) string.
*
*
* When you add tags to an AWS resource, AWS generates a cost allocation report with usage and costs aggregated
* by tags. For information about adding, changing, deleting and listing tags for CMKs, see Tagging Keys.
*
*
* Use this parameter to tag the CMK when it is created. To add tags to an existing CMK, use the
* TagResource operation.
*
*
* @param tags
* One or more tags. Each tag consists of a tag key and a tag value. Both the tag key and the tag value
* are required, but the tag value can be an empty (null) string.
*
* When you add tags to an AWS resource, AWS generates a cost allocation report with usage and costs
* aggregated by tags. For information about adding, changing, deleting and listing tags for CMKs, see Tagging Keys.
*
*
* Use this parameter to tag the CMK when it is created. To add tags to an existing CMK, use the
* TagResource operation.
* @return Returns a reference to this object so that method calls can be chained together.
*/
Builder tags(Collection tags);
/**
*
* One or more tags. Each tag consists of a tag key and a tag value. Both the tag key and the tag value are
* required, but the tag value can be an empty (null) string.
*
*
* When you add tags to an AWS resource, AWS generates a cost allocation report with usage and costs aggregated
* by tags. For information about adding, changing, deleting and listing tags for CMKs, see Tagging Keys.
*
*
* Use this parameter to tag the CMK when it is created. To add tags to an existing CMK, use the
* TagResource operation.
*
*
* @param tags
* One or more tags. Each tag consists of a tag key and a tag value. Both the tag key and the tag value
* are required, but the tag value can be an empty (null) string.
*
* When you add tags to an AWS resource, AWS generates a cost allocation report with usage and costs
* aggregated by tags. For information about adding, changing, deleting and listing tags for CMKs, see Tagging Keys.
*
*
* Use this parameter to tag the CMK when it is created. To add tags to an existing CMK, use the
* TagResource operation.
* @return Returns a reference to this object so that method calls can be chained together.
*/
Builder tags(Tag... tags);
/**
*
* One or more tags. Each tag consists of a tag key and a tag value. Both the tag key and the tag value are
* required, but the tag value can be an empty (null) string.
*
*
* When you add tags to an AWS resource, AWS generates a cost allocation report with usage and costs aggregated
* by tags. For information about adding, changing, deleting and listing tags for CMKs, see Tagging Keys.
*
*
* Use this parameter to tag the CMK when it is created. To add tags to an existing CMK, use the
* TagResource operation.
*
* This is a convenience that creates an instance of the {@link List.Builder} avoiding the need to create
* one manually via {@link List#builder()}.
*
* When the {@link Consumer} completes, {@link List.Builder#build()} is called immediately and its result
* is passed to {@link #tags(List)}.
*
* @param tags
* a consumer that will call methods on {@link List.Builder}
* @return Returns a reference to this object so that method calls can be chained together.
* @see #tags(List)
*/
Builder tags(Consumer... tags);
@Override
Builder overrideConfiguration(AwsRequestOverrideConfiguration overrideConfiguration);
@Override
Builder overrideConfiguration(Consumer builderConsumer);
}
static final class BuilderImpl extends KmsRequest.BuilderImpl implements Builder {
private String policy;
private String description;
private String keyUsage;
private String customerMasterKeySpec;
private String origin;
private String customKeyStoreId;
private Boolean bypassPolicyLockoutSafetyCheck;
private List tags = DefaultSdkAutoConstructList.getInstance();
private BuilderImpl() {
}
private BuilderImpl(CreateKeyRequest model) {
super(model);
policy(model.policy);
description(model.description);
keyUsage(model.keyUsage);
customerMasterKeySpec(model.customerMasterKeySpec);
origin(model.origin);
customKeyStoreId(model.customKeyStoreId);
bypassPolicyLockoutSafetyCheck(model.bypassPolicyLockoutSafetyCheck);
tags(model.tags);
}
public final String getPolicy() {
return policy;
}
@Override
public final Builder policy(String policy) {
this.policy = policy;
return this;
}
public final void setPolicy(String policy) {
this.policy = policy;
}
public final String getDescription() {
return description;
}
@Override
public final Builder description(String description) {
this.description = description;
return this;
}
public final void setDescription(String description) {
this.description = description;
}
public final String getKeyUsage() {
return keyUsage;
}
@Override
public final Builder keyUsage(String keyUsage) {
this.keyUsage = keyUsage;
return this;
}
@Override
public final Builder keyUsage(KeyUsageType keyUsage) {
this.keyUsage(keyUsage == null ? null : keyUsage.toString());
return this;
}
public final void setKeyUsage(String keyUsage) {
this.keyUsage = keyUsage;
}
public final String getCustomerMasterKeySpec() {
return customerMasterKeySpec;
}
@Override
public final Builder customerMasterKeySpec(String customerMasterKeySpec) {
this.customerMasterKeySpec = customerMasterKeySpec;
return this;
}
@Override
public final Builder customerMasterKeySpec(CustomerMasterKeySpec customerMasterKeySpec) {
this.customerMasterKeySpec(customerMasterKeySpec == null ? null : customerMasterKeySpec.toString());
return this;
}
public final void setCustomerMasterKeySpec(String customerMasterKeySpec) {
this.customerMasterKeySpec = customerMasterKeySpec;
}
public final String getOrigin() {
return origin;
}
@Override
public final Builder origin(String origin) {
this.origin = origin;
return this;
}
@Override
public final Builder origin(OriginType origin) {
this.origin(origin == null ? null : origin.toString());
return this;
}
public final void setOrigin(String origin) {
this.origin = origin;
}
public final String getCustomKeyStoreId() {
return customKeyStoreId;
}
@Override
public final Builder customKeyStoreId(String customKeyStoreId) {
this.customKeyStoreId = customKeyStoreId;
return this;
}
public final void setCustomKeyStoreId(String customKeyStoreId) {
this.customKeyStoreId = customKeyStoreId;
}
public final Boolean getBypassPolicyLockoutSafetyCheck() {
return bypassPolicyLockoutSafetyCheck;
}
@Override
public final Builder bypassPolicyLockoutSafetyCheck(Boolean bypassPolicyLockoutSafetyCheck) {
this.bypassPolicyLockoutSafetyCheck = bypassPolicyLockoutSafetyCheck;
return this;
}
public final void setBypassPolicyLockoutSafetyCheck(Boolean bypassPolicyLockoutSafetyCheck) {
this.bypassPolicyLockoutSafetyCheck = bypassPolicyLockoutSafetyCheck;
}
public final Collection getTags() {
return tags != null ? tags.stream().map(Tag::toBuilder).collect(Collectors.toList()) : null;
}
@Override
public final Builder tags(Collection tags) {
this.tags = TagListCopier.copy(tags);
return this;
}
@Override
@SafeVarargs
public final Builder tags(Tag... tags) {
tags(Arrays.asList(tags));
return this;
}
@Override
@SafeVarargs
public final Builder tags(Consumer... tags) {
tags(Stream.of(tags).map(c -> Tag.builder().applyMutation(c).build()).collect(Collectors.toList()));
return this;
}
public final void setTags(Collection tags) {
this.tags = TagListCopier.copyFromBuilder(tags);
}
@Override
public Builder overrideConfiguration(AwsRequestOverrideConfiguration overrideConfiguration) {
super.overrideConfiguration(overrideConfiguration);
return this;
}
@Override
public Builder overrideConfiguration(Consumer builderConsumer) {
super.overrideConfiguration(builderConsumer);
return this;
}
@Override
public CreateKeyRequest build() {
return new CreateKeyRequest(this);
}
@Override
public List> sdkFields() {
return SDK_FIELDS;
}
}
}