software.amazon.awssdk.services.kms.DefaultKmsClient Maven / Gradle / Ivy
/*
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with
* the License. A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
* CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
* and limitations under the License.
*/
package software.amazon.awssdk.services.kms;
import java.util.Collections;
import java.util.List;
import java.util.function.Consumer;
import software.amazon.awssdk.annotations.Generated;
import software.amazon.awssdk.annotations.SdkInternalApi;
import software.amazon.awssdk.awscore.AwsRequestOverrideConfiguration;
import software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler;
import software.amazon.awssdk.awscore.exception.AwsServiceException;
import software.amazon.awssdk.core.ApiName;
import software.amazon.awssdk.core.RequestOverrideConfiguration;
import software.amazon.awssdk.core.client.config.SdkClientConfiguration;
import software.amazon.awssdk.core.client.config.SdkClientOption;
import software.amazon.awssdk.core.client.handler.ClientExecutionParams;
import software.amazon.awssdk.core.client.handler.SyncClientHandler;
import software.amazon.awssdk.core.exception.SdkClientException;
import software.amazon.awssdk.core.http.HttpResponseHandler;
import software.amazon.awssdk.core.metrics.CoreMetric;
import software.amazon.awssdk.core.util.VersionInfo;
import software.amazon.awssdk.metrics.MetricCollector;
import software.amazon.awssdk.metrics.MetricPublisher;
import software.amazon.awssdk.metrics.NoOpMetricCollector;
import software.amazon.awssdk.protocols.core.ExceptionMetadata;
import software.amazon.awssdk.protocols.json.AwsJsonProtocol;
import software.amazon.awssdk.protocols.json.AwsJsonProtocolFactory;
import software.amazon.awssdk.protocols.json.BaseAwsJsonProtocolFactory;
import software.amazon.awssdk.protocols.json.JsonOperationMetadata;
import software.amazon.awssdk.services.kms.model.AlreadyExistsException;
import software.amazon.awssdk.services.kms.model.CancelKeyDeletionRequest;
import software.amazon.awssdk.services.kms.model.CancelKeyDeletionResponse;
import software.amazon.awssdk.services.kms.model.CloudHsmClusterInUseException;
import software.amazon.awssdk.services.kms.model.CloudHsmClusterInvalidConfigurationException;
import software.amazon.awssdk.services.kms.model.CloudHsmClusterNotActiveException;
import software.amazon.awssdk.services.kms.model.CloudHsmClusterNotFoundException;
import software.amazon.awssdk.services.kms.model.CloudHsmClusterNotRelatedException;
import software.amazon.awssdk.services.kms.model.ConnectCustomKeyStoreRequest;
import software.amazon.awssdk.services.kms.model.ConnectCustomKeyStoreResponse;
import software.amazon.awssdk.services.kms.model.CreateAliasRequest;
import software.amazon.awssdk.services.kms.model.CreateAliasResponse;
import software.amazon.awssdk.services.kms.model.CreateCustomKeyStoreRequest;
import software.amazon.awssdk.services.kms.model.CreateCustomKeyStoreResponse;
import software.amazon.awssdk.services.kms.model.CreateGrantRequest;
import software.amazon.awssdk.services.kms.model.CreateGrantResponse;
import software.amazon.awssdk.services.kms.model.CreateKeyRequest;
import software.amazon.awssdk.services.kms.model.CreateKeyResponse;
import software.amazon.awssdk.services.kms.model.CustomKeyStoreHasCmKsException;
import software.amazon.awssdk.services.kms.model.CustomKeyStoreInvalidStateException;
import software.amazon.awssdk.services.kms.model.CustomKeyStoreNameInUseException;
import software.amazon.awssdk.services.kms.model.CustomKeyStoreNotFoundException;
import software.amazon.awssdk.services.kms.model.DecryptRequest;
import software.amazon.awssdk.services.kms.model.DecryptResponse;
import software.amazon.awssdk.services.kms.model.DeleteAliasRequest;
import software.amazon.awssdk.services.kms.model.DeleteAliasResponse;
import software.amazon.awssdk.services.kms.model.DeleteCustomKeyStoreRequest;
import software.amazon.awssdk.services.kms.model.DeleteCustomKeyStoreResponse;
import software.amazon.awssdk.services.kms.model.DeleteImportedKeyMaterialRequest;
import software.amazon.awssdk.services.kms.model.DeleteImportedKeyMaterialResponse;
import software.amazon.awssdk.services.kms.model.DependencyTimeoutException;
import software.amazon.awssdk.services.kms.model.DescribeCustomKeyStoresRequest;
import software.amazon.awssdk.services.kms.model.DescribeCustomKeyStoresResponse;
import software.amazon.awssdk.services.kms.model.DescribeKeyRequest;
import software.amazon.awssdk.services.kms.model.DescribeKeyResponse;
import software.amazon.awssdk.services.kms.model.DisableKeyRequest;
import software.amazon.awssdk.services.kms.model.DisableKeyResponse;
import software.amazon.awssdk.services.kms.model.DisableKeyRotationRequest;
import software.amazon.awssdk.services.kms.model.DisableKeyRotationResponse;
import software.amazon.awssdk.services.kms.model.DisabledException;
import software.amazon.awssdk.services.kms.model.DisconnectCustomKeyStoreRequest;
import software.amazon.awssdk.services.kms.model.DisconnectCustomKeyStoreResponse;
import software.amazon.awssdk.services.kms.model.EnableKeyRequest;
import software.amazon.awssdk.services.kms.model.EnableKeyResponse;
import software.amazon.awssdk.services.kms.model.EnableKeyRotationRequest;
import software.amazon.awssdk.services.kms.model.EnableKeyRotationResponse;
import software.amazon.awssdk.services.kms.model.EncryptRequest;
import software.amazon.awssdk.services.kms.model.EncryptResponse;
import software.amazon.awssdk.services.kms.model.ExpiredImportTokenException;
import software.amazon.awssdk.services.kms.model.GenerateDataKeyPairRequest;
import software.amazon.awssdk.services.kms.model.GenerateDataKeyPairResponse;
import software.amazon.awssdk.services.kms.model.GenerateDataKeyPairWithoutPlaintextRequest;
import software.amazon.awssdk.services.kms.model.GenerateDataKeyPairWithoutPlaintextResponse;
import software.amazon.awssdk.services.kms.model.GenerateDataKeyRequest;
import software.amazon.awssdk.services.kms.model.GenerateDataKeyResponse;
import software.amazon.awssdk.services.kms.model.GenerateDataKeyWithoutPlaintextRequest;
import software.amazon.awssdk.services.kms.model.GenerateDataKeyWithoutPlaintextResponse;
import software.amazon.awssdk.services.kms.model.GenerateRandomRequest;
import software.amazon.awssdk.services.kms.model.GenerateRandomResponse;
import software.amazon.awssdk.services.kms.model.GetKeyPolicyRequest;
import software.amazon.awssdk.services.kms.model.GetKeyPolicyResponse;
import software.amazon.awssdk.services.kms.model.GetKeyRotationStatusRequest;
import software.amazon.awssdk.services.kms.model.GetKeyRotationStatusResponse;
import software.amazon.awssdk.services.kms.model.GetParametersForImportRequest;
import software.amazon.awssdk.services.kms.model.GetParametersForImportResponse;
import software.amazon.awssdk.services.kms.model.GetPublicKeyRequest;
import software.amazon.awssdk.services.kms.model.GetPublicKeyResponse;
import software.amazon.awssdk.services.kms.model.ImportKeyMaterialRequest;
import software.amazon.awssdk.services.kms.model.ImportKeyMaterialResponse;
import software.amazon.awssdk.services.kms.model.IncorrectKeyException;
import software.amazon.awssdk.services.kms.model.IncorrectKeyMaterialException;
import software.amazon.awssdk.services.kms.model.IncorrectTrustAnchorException;
import software.amazon.awssdk.services.kms.model.InvalidAliasNameException;
import software.amazon.awssdk.services.kms.model.InvalidArnException;
import software.amazon.awssdk.services.kms.model.InvalidCiphertextException;
import software.amazon.awssdk.services.kms.model.InvalidGrantIdException;
import software.amazon.awssdk.services.kms.model.InvalidGrantTokenException;
import software.amazon.awssdk.services.kms.model.InvalidImportTokenException;
import software.amazon.awssdk.services.kms.model.InvalidKeyUsageException;
import software.amazon.awssdk.services.kms.model.InvalidMarkerException;
import software.amazon.awssdk.services.kms.model.KeyUnavailableException;
import software.amazon.awssdk.services.kms.model.KmsException;
import software.amazon.awssdk.services.kms.model.KmsInternalException;
import software.amazon.awssdk.services.kms.model.KmsInvalidSignatureException;
import software.amazon.awssdk.services.kms.model.KmsInvalidStateException;
import software.amazon.awssdk.services.kms.model.KmsRequest;
import software.amazon.awssdk.services.kms.model.LimitExceededException;
import software.amazon.awssdk.services.kms.model.ListAliasesRequest;
import software.amazon.awssdk.services.kms.model.ListAliasesResponse;
import software.amazon.awssdk.services.kms.model.ListGrantsRequest;
import software.amazon.awssdk.services.kms.model.ListGrantsResponse;
import software.amazon.awssdk.services.kms.model.ListKeyPoliciesRequest;
import software.amazon.awssdk.services.kms.model.ListKeyPoliciesResponse;
import software.amazon.awssdk.services.kms.model.ListKeysRequest;
import software.amazon.awssdk.services.kms.model.ListKeysResponse;
import software.amazon.awssdk.services.kms.model.ListResourceTagsRequest;
import software.amazon.awssdk.services.kms.model.ListResourceTagsResponse;
import software.amazon.awssdk.services.kms.model.ListRetirableGrantsRequest;
import software.amazon.awssdk.services.kms.model.ListRetirableGrantsResponse;
import software.amazon.awssdk.services.kms.model.MalformedPolicyDocumentException;
import software.amazon.awssdk.services.kms.model.NotFoundException;
import software.amazon.awssdk.services.kms.model.PutKeyPolicyRequest;
import software.amazon.awssdk.services.kms.model.PutKeyPolicyResponse;
import software.amazon.awssdk.services.kms.model.ReEncryptRequest;
import software.amazon.awssdk.services.kms.model.ReEncryptResponse;
import software.amazon.awssdk.services.kms.model.ReplicateKeyRequest;
import software.amazon.awssdk.services.kms.model.ReplicateKeyResponse;
import software.amazon.awssdk.services.kms.model.RetireGrantRequest;
import software.amazon.awssdk.services.kms.model.RetireGrantResponse;
import software.amazon.awssdk.services.kms.model.RevokeGrantRequest;
import software.amazon.awssdk.services.kms.model.RevokeGrantResponse;
import software.amazon.awssdk.services.kms.model.ScheduleKeyDeletionRequest;
import software.amazon.awssdk.services.kms.model.ScheduleKeyDeletionResponse;
import software.amazon.awssdk.services.kms.model.SignRequest;
import software.amazon.awssdk.services.kms.model.SignResponse;
import software.amazon.awssdk.services.kms.model.TagException;
import software.amazon.awssdk.services.kms.model.TagResourceRequest;
import software.amazon.awssdk.services.kms.model.TagResourceResponse;
import software.amazon.awssdk.services.kms.model.UnsupportedOperationException;
import software.amazon.awssdk.services.kms.model.UntagResourceRequest;
import software.amazon.awssdk.services.kms.model.UntagResourceResponse;
import software.amazon.awssdk.services.kms.model.UpdateAliasRequest;
import software.amazon.awssdk.services.kms.model.UpdateAliasResponse;
import software.amazon.awssdk.services.kms.model.UpdateCustomKeyStoreRequest;
import software.amazon.awssdk.services.kms.model.UpdateCustomKeyStoreResponse;
import software.amazon.awssdk.services.kms.model.UpdateKeyDescriptionRequest;
import software.amazon.awssdk.services.kms.model.UpdateKeyDescriptionResponse;
import software.amazon.awssdk.services.kms.model.UpdatePrimaryRegionRequest;
import software.amazon.awssdk.services.kms.model.UpdatePrimaryRegionResponse;
import software.amazon.awssdk.services.kms.model.VerifyRequest;
import software.amazon.awssdk.services.kms.model.VerifyResponse;
import software.amazon.awssdk.services.kms.paginators.ListAliasesIterable;
import software.amazon.awssdk.services.kms.paginators.ListGrantsIterable;
import software.amazon.awssdk.services.kms.paginators.ListKeyPoliciesIterable;
import software.amazon.awssdk.services.kms.paginators.ListKeysIterable;
import software.amazon.awssdk.services.kms.transform.CancelKeyDeletionRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.ConnectCustomKeyStoreRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.CreateAliasRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.CreateCustomKeyStoreRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.CreateGrantRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.CreateKeyRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.DecryptRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.DeleteAliasRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.DeleteCustomKeyStoreRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.DeleteImportedKeyMaterialRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.DescribeCustomKeyStoresRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.DescribeKeyRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.DisableKeyRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.DisableKeyRotationRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.DisconnectCustomKeyStoreRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.EnableKeyRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.EnableKeyRotationRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.EncryptRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.GenerateDataKeyPairRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.GenerateDataKeyPairWithoutPlaintextRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.GenerateDataKeyRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.GenerateDataKeyWithoutPlaintextRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.GenerateRandomRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.GetKeyPolicyRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.GetKeyRotationStatusRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.GetParametersForImportRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.GetPublicKeyRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.ImportKeyMaterialRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.ListAliasesRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.ListGrantsRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.ListKeyPoliciesRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.ListKeysRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.ListResourceTagsRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.ListRetirableGrantsRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.PutKeyPolicyRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.ReEncryptRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.ReplicateKeyRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.RetireGrantRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.RevokeGrantRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.ScheduleKeyDeletionRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.SignRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.TagResourceRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.UntagResourceRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.UpdateAliasRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.UpdateCustomKeyStoreRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.UpdateKeyDescriptionRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.UpdatePrimaryRegionRequestMarshaller;
import software.amazon.awssdk.services.kms.transform.VerifyRequestMarshaller;
import software.amazon.awssdk.utils.Logger;
/**
* Internal implementation of {@link KmsClient}.
*
* @see KmsClient#builder()
*/
@Generated("software.amazon.awssdk:codegen")
@SdkInternalApi
final class DefaultKmsClient implements KmsClient {
private static final Logger log = Logger.loggerFor(DefaultKmsClient.class);
private final SyncClientHandler clientHandler;
private final AwsJsonProtocolFactory protocolFactory;
private final SdkClientConfiguration clientConfiguration;
protected DefaultKmsClient(SdkClientConfiguration clientConfiguration) {
this.clientHandler = new AwsSyncClientHandler(clientConfiguration);
this.clientConfiguration = clientConfiguration;
this.protocolFactory = init(AwsJsonProtocolFactory.builder()).build();
}
@Override
public final String serviceName() {
return SERVICE_NAME;
}
/**
*
* Cancels the deletion of a KMS key. When this operation succeeds, the key state of the KMS key is
* Disabled
. To enable the KMS key, use EnableKey.
*
*
* For more information about scheduling and canceling deletion of a KMS key, see Deleting KMS keys in the
* Key Management Service Developer Guide.
*
*
* The KMS key that you use for this operation must be in a compatible key state. For details, see Key state: Effect on your KMS key
* in the Key Management Service Developer Guide.
*
*
* Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
* account.
*
*
* Required permissions: kms:CancelKeyDeletion (key policy)
*
*
* Related operations: ScheduleKeyDeletion
*
*
* @param cancelKeyDeletionRequest
* @return Result of the CancelKeyDeletion operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KmsInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS
* key in the Key Management Service Developer Guide .
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.CancelKeyDeletion
* @see AWS API
* Documentation
*/
@Override
public CancelKeyDeletionResponse cancelKeyDeletion(CancelKeyDeletionRequest cancelKeyDeletionRequest)
throws NotFoundException, InvalidArnException, DependencyTimeoutException, KmsInternalException,
KmsInvalidStateException, AwsServiceException, SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(operationMetadata,
CancelKeyDeletionResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, cancelKeyDeletionRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "CancelKeyDeletion");
return clientHandler.execute(new ClientExecutionParams()
.withOperationName("CancelKeyDeletion").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(cancelKeyDeletionRequest)
.withMetricCollector(apiCallMetricCollector)
.withMarshaller(new CancelKeyDeletionRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Connects or reconnects a custom key store
* to its associated CloudHSM cluster.
*
*
* The custom key store must be connected before you can create KMS keys in the key store or use the KMS keys it
* contains. You can disconnect and reconnect a custom key store at any time.
*
*
* To connect a custom key store, its associated CloudHSM cluster must have at least one active HSM. To get the
* number of active HSMs in a cluster, use the DescribeClusters
* operation. To add HSMs to the cluster, use the CreateHsm operation. Also,
* the
* kmsuser
crypto user (CU) must not be logged into the cluster. This prevents KMS from using this
* account to log in.
*
*
* The connection process can take an extended amount of time to complete; up to 20 minutes. This operation starts
* the connection process, but it does not wait for it to complete. When it succeeds, this operation quickly returns
* an HTTP 200 response and a JSON object with no properties. However, this response does not indicate that the
* custom key store is connected. To get the connection state of the custom key store, use the
* DescribeCustomKeyStores operation.
*
*
* During the connection process, KMS finds the CloudHSM cluster that is associated with the custom key store,
* creates the connection infrastructure, connects to the cluster, logs into the CloudHSM client as the
* kmsuser
CU, and rotates its password.
*
*
* The ConnectCustomKeyStore
operation might fail for various reasons. To find the reason, use the
* DescribeCustomKeyStores operation and see the ConnectionErrorCode
in the response. For help
* interpreting the ConnectionErrorCode
, see CustomKeyStoresListEntry.
*
*
* To fix the failure, use the DisconnectCustomKeyStore operation to disconnect the custom key store, correct
* the error, use the UpdateCustomKeyStore operation if necessary, and then use
* ConnectCustomKeyStore
again.
*
*
* If you are having trouble connecting or disconnecting a custom key store, see Troubleshooting a Custom Key
* Store in the Key Management Service Developer Guide.
*
*
* Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web
* Services account.
*
*
* Required permissions: kms:ConnectCustomKeyStore (IAM policy)
*
*
* Related operations
*
*
* -
*
*
* -
*
*
* -
*
*
* -
*
*
* -
*
*
*
*
* @param connectCustomKeyStoreRequest
* @return Result of the ConnectCustomKeyStore operation returned by the service.
* @throws CloudHsmClusterNotActiveException
* The request was rejected because the CloudHSM cluster that is associated with the custom key store is not
* active. Initialize and activate the cluster and try the command again. For detailed instructions, see Getting Started in
* the CloudHSM User Guide.
* @throws CustomKeyStoreInvalidStateException
* The request was rejected because of the ConnectionState
of the custom key store. To get the
* ConnectionState
of a custom key store, use the DescribeCustomKeyStores operation.
*
* This exception is thrown under the following conditions:
*
*
* -
*
* You requested the CreateKey or GenerateRandom operation in a custom key store that is not
* connected. These operations are valid only when the custom key store ConnectionState
is
* CONNECTED
.
*
*
* -
*
* You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation on a custom key
* store that is not disconnected. This operation is valid only when the custom key store
* ConnectionState
is DISCONNECTED
.
*
*
* -
*
* You requested the ConnectCustomKeyStore operation on a custom key store with a
* ConnectionState
of DISCONNECTING
or FAILED
. This operation is
* valid for all other ConnectionState
values.
*
*
* @throws CustomKeyStoreNotFoundException
* The request was rejected because KMS cannot find a custom key store with the specified key store name or
* ID.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws CloudHsmClusterInvalidConfigurationException
* The request was rejected because the associated CloudHSM cluster did not meet the configuration
* requirements for a custom key store.
*
* -
*
* The cluster must be configured with private subnets in at least two different Availability Zones in the
* Region.
*
*
* -
*
* The security group for
* the cluster (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound
* rules that allow TCP traffic on ports 2223-2225. The Source in the inbound rules and the
* Destination in the outbound rules must match the security group ID. These rules are set by default
* when you create the cluster. Do not delete or change them. To get information about a particular security
* group, use the DescribeSecurityGroups operation.
*
*
* -
*
* The cluster must contain at least as many HSMs as the operation requires. To add HSMs, use the CloudHSM
* CreateHsm
* operation.
*
*
* For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey operations, the
* CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone. For the
* ConnectCustomKeyStore operation, the CloudHSM must contain at least one active HSM.
*
*
*
*
* For information about the requirements for an CloudHSM cluster that is associated with a custom key
* store, see Assemble the Prerequisites in the Key Management Service Developer Guide. For information
* about creating a private subnet for an CloudHSM cluster, see Create a Private
* Subnet in the CloudHSM User Guide. For information about cluster security groups, see Configure a Default
* Security Group in the CloudHSM User Guide .
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.ConnectCustomKeyStore
* @see AWS API
* Documentation
*/
@Override
public ConnectCustomKeyStoreResponse connectCustomKeyStore(ConnectCustomKeyStoreRequest connectCustomKeyStoreRequest)
throws CloudHsmClusterNotActiveException, CustomKeyStoreInvalidStateException, CustomKeyStoreNotFoundException,
KmsInternalException, CloudHsmClusterInvalidConfigurationException, AwsServiceException, SdkClientException,
KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(
operationMetadata, ConnectCustomKeyStoreResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, connectCustomKeyStoreRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "ConnectCustomKeyStore");
return clientHandler.execute(new ClientExecutionParams()
.withOperationName("ConnectCustomKeyStore").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(connectCustomKeyStoreRequest)
.withMetricCollector(apiCallMetricCollector)
.withMarshaller(new ConnectCustomKeyStoreRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Creates a friendly name for a KMS key.
*
*
*
* Adding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see Using ABAC in KMS in the Key
* Management Service Developer Guide.
*
*
*
* You can use an alias to identify a KMS key in the KMS console, in the DescribeKey operation and in cryptographic
* operations, such as Encrypt and GenerateDataKey. You can also change the KMS key that's
* associated with the alias (UpdateAlias) or delete the alias (DeleteAlias) at any time. These
* operations don't affect the underlying KMS key.
*
*
* You can associate the alias with any customer managed key in the same Amazon Web Services Region. Each alias is
* associated with only one KMS key at a time, but a KMS key can have multiple aliases. A valid KMS key is required.
* You can't create an alias without a KMS key.
*
*
* The alias must be unique in the account and Region, but you can have aliases with the same name in different
* Regions. For detailed information about aliases, see Using aliases in the Key
* Management Service Developer Guide.
*
*
* This operation does not return a response. To get the alias that you created, use the ListAliases
* operation.
*
*
* The KMS key that you use for this operation must be in a compatible key state. For details, see Key state: Effect on your KMS key
* in the Key Management Service Developer Guide.
*
*
* Cross-account use: No. You cannot perform this operation on an alias in a different Amazon Web Services
* account.
*
*
* Required permissions
*
*
* -
*
* kms:CreateAlias
* on the alias (IAM policy).
*
*
* -
*
* kms:CreateAlias
* on the KMS key (key policy).
*
*
*
*
* For details, see Controlling access to
* aliases in the Key Management Service Developer Guide.
*
*
* Related operations:
*
*
* -
*
* DeleteAlias
*
*
* -
*
* ListAliases
*
*
* -
*
* UpdateAlias
*
*
*
*
* @param createAliasRequest
* @return Result of the CreateAlias operation returned by the service.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws AlreadyExistsException
* The request was rejected because it attempted to create a resource that already exists.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidAliasNameException
* The request was rejected because the specified alias name is not valid.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws LimitExceededException
* The request was rejected because a quota was exceeded. For more information, see Quotas in the Key
* Management Service Developer Guide.
* @throws KmsInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS
* key in the Key Management Service Developer Guide .
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.CreateAlias
* @see AWS API
* Documentation
*/
@Override
public CreateAliasResponse createAlias(CreateAliasRequest createAliasRequest) throws DependencyTimeoutException,
AlreadyExistsException, NotFoundException, InvalidAliasNameException, KmsInternalException, LimitExceededException,
KmsInvalidStateException, AwsServiceException, SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(operationMetadata,
CreateAliasResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, createAliasRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "CreateAlias");
return clientHandler.execute(new ClientExecutionParams()
.withOperationName("CreateAlias").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(createAliasRequest)
.withMetricCollector(apiCallMetricCollector)
.withMarshaller(new CreateAliasRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Creates a custom
* key store that is associated with an CloudHSM cluster that you own and
* manage.
*
*
* This operation is part of the Custom Key Store
* feature feature in KMS, which combines the convenience and extensive integration of KMS with the isolation
* and control of a single-tenant key store.
*
*
* Before you create the custom key store, you must assemble the required elements, including an CloudHSM cluster
* that fulfills the requirements for a custom key store. For details about the required elements, see Assemble the
* Prerequisites in the Key Management Service Developer Guide.
*
*
* When the operation completes successfully, it returns the ID of the new custom key store. Before you can use your
* new custom key store, you need to use the ConnectCustomKeyStore operation to connect the new key store to
* its CloudHSM cluster. Even if you are not going to use your custom key store immediately, you might want to
* connect it to verify that all settings are correct and then disconnect it until you are ready to use it.
*
*
* For help with failures, see Troubleshooting a Custom Key
* Store in the Key Management Service Developer Guide.
*
*
* Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web
* Services account.
*
*
* Required permissions: kms:CreateCustomKeyStore (IAM policy).
*
*
* Related operations:
*
*
* -
*
*
* -
*
*
* -
*
*
* -
*
*
* -
*
*
*
*
* @param createCustomKeyStoreRequest
* @return Result of the CreateCustomKeyStore operation returned by the service.
* @throws CloudHsmClusterInUseException
* The request was rejected because the specified CloudHSM cluster is already associated with a custom key
* store or it shares a backup history with a cluster that is associated with a custom key store. Each
* custom key store must be associated with a different CloudHSM cluster.
*
* Clusters that share a backup history have the same cluster certificate. To view the cluster certificate
* of a cluster, use the DescribeClusters operation.
* @throws CustomKeyStoreNameInUseException
* The request was rejected because the specified custom key store name is already assigned to another
* custom key store in the account. Try again with a custom key store name that is unique in the account.
* @throws CloudHsmClusterNotFoundException
* The request was rejected because KMS cannot find the CloudHSM cluster with the specified cluster ID.
* Retry the request with a different cluster ID.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws CloudHsmClusterNotActiveException
* The request was rejected because the CloudHSM cluster that is associated with the custom key store is not
* active. Initialize and activate the cluster and try the command again. For detailed instructions, see Getting Started in
* the CloudHSM User Guide.
* @throws IncorrectTrustAnchorException
* The request was rejected because the trust anchor certificate in the request is not the trust anchor
* certificate for the specified CloudHSM cluster.
*
*
* When you initialize
* the cluster, you create the trust anchor certificate and save it in the customerCA.crt
* file.
* @throws CloudHsmClusterInvalidConfigurationException
* The request was rejected because the associated CloudHSM cluster did not meet the configuration
* requirements for a custom key store.
*
*
* -
*
* The cluster must be configured with private subnets in at least two different Availability Zones in the
* Region.
*
*
* -
*
* The security group for
* the cluster (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound
* rules that allow TCP traffic on ports 2223-2225. The Source in the inbound rules and the
* Destination in the outbound rules must match the security group ID. These rules are set by default
* when you create the cluster. Do not delete or change them. To get information about a particular security
* group, use the DescribeSecurityGroups operation.
*
*
* -
*
* The cluster must contain at least as many HSMs as the operation requires. To add HSMs, use the CloudHSM
* CreateHsm
* operation.
*
*
* For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey operations, the
* CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone. For the
* ConnectCustomKeyStore operation, the CloudHSM must contain at least one active HSM.
*
*
*
*
* For information about the requirements for an CloudHSM cluster that is associated with a custom key
* store, see Assemble the Prerequisites in the Key Management Service Developer Guide. For information
* about creating a private subnet for an CloudHSM cluster, see Create a Private
* Subnet in the CloudHSM User Guide. For information about cluster security groups, see Configure a Default
* Security Group in the CloudHSM User Guide .
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.CreateCustomKeyStore
* @see AWS API
* Documentation
*/
@Override
public CreateCustomKeyStoreResponse createCustomKeyStore(CreateCustomKeyStoreRequest createCustomKeyStoreRequest)
throws CloudHsmClusterInUseException, CustomKeyStoreNameInUseException, CloudHsmClusterNotFoundException,
KmsInternalException, CloudHsmClusterNotActiveException, IncorrectTrustAnchorException,
CloudHsmClusterInvalidConfigurationException, AwsServiceException, SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(
operationMetadata, CreateCustomKeyStoreResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, createCustomKeyStoreRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "CreateCustomKeyStore");
return clientHandler.execute(new ClientExecutionParams()
.withOperationName("CreateCustomKeyStore").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(createCustomKeyStoreRequest)
.withMetricCollector(apiCallMetricCollector)
.withMarshaller(new CreateCustomKeyStoreRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Adds a grant to a KMS key.
*
*
* A grant is a policy instrument that allows Amazon Web Services principals to use KMS keys in cryptographic
* operations. It also can allow them to view a KMS key (DescribeKey) and create and manage grants. When
* authorizing access to a KMS key, grants are considered along with key policies and IAM policies. Grants are often
* used for temporary permissions because you can create one, use its permissions, and delete it without changing
* your key policies or IAM policies.
*
*
* For detailed information about grants, including grant terminology, see Using grants in the Key
* Management Service Developer Guide . For examples of working with grants in several programming
* languages, see Programming grants.
*
*
* The CreateGrant
operation returns a GrantToken
and a GrantId
.
*
*
* -
*
* When you create, retire, or revoke a grant, there might be a brief delay, usually less than five minutes, until
* the grant is available throughout KMS. This state is known as eventual consistency. Once the grant has
* achieved eventual consistency, the grantee principal can use the permissions in the grant without identifying the
* grant.
*
*
* However, to use the permissions in the grant immediately, use the GrantToken
that
* CreateGrant
returns. For details, see Using a grant
* token in the Key Management Service Developer Guide .
*
*
* -
*
* The CreateGrant
operation also returns a GrantId
. You can use the GrantId
* and a key identifier to identify the grant in the RetireGrant and RevokeGrant operations. To find
* the grant ID, use the ListGrants or ListRetirableGrants operations.
*
*
*
*
* The KMS key that you use for this operation must be in a compatible key state. For details, see Key state: Effect on your KMS key
* in the Key Management Service Developer Guide.
*
*
* Cross-account use: Yes. To perform this operation on a KMS key in a different Amazon Web Services account,
* specify the key ARN in the value of the KeyId
parameter.
*
*
* Required permissions: kms:CreateGrant (key policy)
*
*
* Related operations:
*
*
* -
*
* ListGrants
*
*
* -
*
*
* -
*
* RetireGrant
*
*
* -
*
* RevokeGrant
*
*
*
*
* @param createGrantRequest
* @return Result of the CreateGrant operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DisabledException
* The request was rejected because the specified KMS key is not enabled.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws InvalidGrantTokenException
* The request was rejected because the specified grant token is not valid.
* @throws LimitExceededException
* The request was rejected because a quota was exceeded. For more information, see Quotas in the Key
* Management Service Developer Guide.
* @throws KmsInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS
* key in the Key Management Service Developer Guide .
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.CreateGrant
* @see AWS API
* Documentation
*/
@Override
public CreateGrantResponse createGrant(CreateGrantRequest createGrantRequest) throws NotFoundException, DisabledException,
DependencyTimeoutException, InvalidArnException, KmsInternalException, InvalidGrantTokenException,
LimitExceededException, KmsInvalidStateException, AwsServiceException, SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(operationMetadata,
CreateGrantResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, createGrantRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "CreateGrant");
return clientHandler.execute(new ClientExecutionParams()
.withOperationName("CreateGrant").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(createGrantRequest)
.withMetricCollector(apiCallMetricCollector)
.withMarshaller(new CreateGrantRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Creates a unique customer managed KMS key in your Amazon
* Web Services account and Region.
*
*
*
* KMS is replacing the term customer master key (CMK) with KMS key and KMS key. The concept
* has not changed. To prevent breaking changes, KMS is keeping some variations of this term.
*
*
*
* You can use the CreateKey
operation to create symmetric or asymmetric KMS keys.
*
*
* -
*
* Symmetric KMS keys contain a 256-bit symmetric key that never leaves KMS unencrypted. To use the KMS key,
* you must call KMS. You can use a symmetric KMS key to encrypt and decrypt small amounts of data, but they are
* typically used to generate data keys and data keys pairs.
* For details, see GenerateDataKey and GenerateDataKeyPair.
*
*
* -
*
* Asymmetric KMS keys can contain an RSA key pair or an Elliptic Curve (ECC) key pair. The private key in an
* asymmetric KMS key never leaves KMS unencrypted. However, you can use the GetPublicKey operation to
* download the public key so it can be used outside of KMS. KMS keys with RSA key pairs can be used to encrypt or
* decrypt data or sign and verify messages (but not both). KMS keys with ECC key pairs can be used only to sign and
* verify messages.
*
*
*
*
* For information about symmetric and asymmetric KMS keys, see Using Symmetric and
* Asymmetric KMS keys in the Key Management Service Developer Guide.
*
*
* To create different types of KMS keys, use the following guidance:
*
*
* - Asymmetric KMS keys
* -
*
* To create an asymmetric KMS key, use the KeySpec
parameter to specify the type of key material in
* the KMS key. Then, use the KeyUsage
parameter to determine whether the KMS key will be used to
* encrypt and decrypt or sign and verify. You can't change these properties after the KMS key is created.
*
*
*
* - Symmetric KMS keys
* -
*
* When creating a symmetric KMS key, you don't need to specify the KeySpec
or KeyUsage
* parameters. The default value for KeySpec
, SYMMETRIC_DEFAULT
, and the default value for
* KeyUsage
, ENCRYPT_DECRYPT
, are the only valid values for symmetric KMS keys.
*
*
*
* - Multi-Region primary keys
* - Imported key material
* -
*
* To create a multi-Region primary key in the local Amazon Web Services Region, use the
* MultiRegion
parameter with a value of True
. To create a multi-Region replica
* key, that is, a KMS key with the same key ID and key material as a primary key, but in a different Amazon Web
* Services Region, use the ReplicateKey operation. To change a replica key to a primary key, and its primary
* key to a replica key, use the UpdatePrimaryRegion operation.
*
*
* This operation supports multi-Region keys, an KMS feature that lets you create multiple interoperable KMS
* keys in different Amazon Web Services Regions. Because these KMS keys have the same key ID, key material, and
* other metadata, you can use them interchangeably to encrypt data in one Amazon Web Services Region and decrypt it
* in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more
* information about multi-Region keys, see Using multi-Region
* keys in the Key Management Service Developer Guide.
*
*
* You can create symmetric and asymmetric multi-Region keys and multi-Region keys with imported key material. You
* cannot create multi-Region keys in a custom key store.
*
*
*
* -
*
* To import your own key material, begin by creating a symmetric KMS key with no key material. To do this, use the
* Origin
parameter of CreateKey
with a value of EXTERNAL
. Next, use
* GetParametersForImport operation to get a public key and import token, and use the public key to encrypt
* your key material. Then, use ImportKeyMaterial with your import token to import the key material. For
* step-by-step instructions, see Importing Key Material in
* the Key Management Service Developer Guide . You cannot import the key material into an asymmetric
* KMS key.
*
*
* To create a multi-Region primary key with imported key material, use the Origin
parameter of
* CreateKey
with a value of EXTERNAL
and the MultiRegion
parameter with a
* value of True
. To create replicas of the multi-Region primary key, use the ReplicateKey
* operation. For more information about multi-Region keys, see Using multi-Region
* keys in the Key Management Service Developer Guide.
*
*
*
* - Custom key store
* -
*
* To create a symmetric KMS key in a custom key store,
* use the CustomKeyStoreId
parameter to specify the custom key store. You must also use the
* Origin
parameter with a value of AWS_CLOUDHSM
. The CloudHSM cluster that is associated
* with the custom key store must have at least two active HSMs in different Availability Zones in the Amazon Web
* Services Region.
*
*
* You cannot create an asymmetric KMS key in a custom key store. For information about custom key stores in KMS see
* Using Custom Key
* Stores in the Key Management Service Developer Guide .
*
*
*
*
* Cross-account use: No. You cannot use this operation to create a KMS key in a different Amazon Web
* Services account.
*
*
* Required permissions: kms:CreateKey
* (IAM policy). To use the Tags
parameter, kms:TagResource (IAM policy). For examples and information about related permissions, see Allow a user to create KMS keys in the Key Management Service Developer Guide.
*
*
* Related operations:
*
*
* -
*
* DescribeKey
*
*
* -
*
* ListKeys
*
*
* -
*
*
*
*
* @param createKeyRequest
* @return Result of the CreateKey operation returned by the service.
* @throws MalformedPolicyDocumentException
* The request was rejected because the specified policy is not syntactically or semantically correct.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws UnsupportedOperationException
* The request was rejected because a specified parameter is not supported or a specified resource is not
* valid for this operation.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws LimitExceededException
* The request was rejected because a quota was exceeded. For more information, see Quotas in the Key
* Management Service Developer Guide.
* @throws TagException
* The request was rejected because one or more tags are not valid.
* @throws CustomKeyStoreNotFoundException
* The request was rejected because KMS cannot find a custom key store with the specified key store name or
* ID.
* @throws CustomKeyStoreInvalidStateException
* The request was rejected because of the ConnectionState
of the custom key store. To get the
* ConnectionState
of a custom key store, use the DescribeCustomKeyStores operation.
*
* This exception is thrown under the following conditions:
*
*
* -
*
* You requested the CreateKey or GenerateRandom operation in a custom key store that is not
* connected. These operations are valid only when the custom key store ConnectionState
is
* CONNECTED
.
*
*
* -
*
* You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation on a custom key
* store that is not disconnected. This operation is valid only when the custom key store
* ConnectionState
is DISCONNECTED
.
*
*
* -
*
* You requested the ConnectCustomKeyStore operation on a custom key store with a
* ConnectionState
of DISCONNECTING
or FAILED
. This operation is
* valid for all other ConnectionState
values.
*
*
* @throws CloudHsmClusterInvalidConfigurationException
* The request was rejected because the associated CloudHSM cluster did not meet the configuration
* requirements for a custom key store.
*
* -
*
* The cluster must be configured with private subnets in at least two different Availability Zones in the
* Region.
*
*
* -
*
* The security group for
* the cluster (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound
* rules that allow TCP traffic on ports 2223-2225. The Source in the inbound rules and the
* Destination in the outbound rules must match the security group ID. These rules are set by default
* when you create the cluster. Do not delete or change them. To get information about a particular security
* group, use the DescribeSecurityGroups operation.
*
*
* -
*
* The cluster must contain at least as many HSMs as the operation requires. To add HSMs, use the CloudHSM
* CreateHsm
* operation.
*
*
* For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey operations, the
* CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone. For the
* ConnectCustomKeyStore operation, the CloudHSM must contain at least one active HSM.
*
*
*
*
* For information about the requirements for an CloudHSM cluster that is associated with a custom key
* store, see Assemble the Prerequisites in the Key Management Service Developer Guide. For information
* about creating a private subnet for an CloudHSM cluster, see Create a Private
* Subnet in the CloudHSM User Guide. For information about cluster security groups, see Configure a Default
* Security Group in the CloudHSM User Guide .
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.CreateKey
* @see AWS API
* Documentation
*/
@Override
public CreateKeyResponse createKey(CreateKeyRequest createKeyRequest) throws MalformedPolicyDocumentException,
DependencyTimeoutException, InvalidArnException, UnsupportedOperationException, KmsInternalException,
LimitExceededException, TagException, CustomKeyStoreNotFoundException, CustomKeyStoreInvalidStateException,
CloudHsmClusterInvalidConfigurationException, AwsServiceException, SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(operationMetadata,
CreateKeyResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, createKeyRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "CreateKey");
return clientHandler.execute(new ClientExecutionParams()
.withOperationName("CreateKey").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(createKeyRequest)
.withMetricCollector(apiCallMetricCollector).withMarshaller(new CreateKeyRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Decrypts ciphertext that was encrypted by a KMS key using any of the following operations:
*
*
* -
*
* Encrypt
*
*
* -
*
* GenerateDataKey
*
*
* -
*
*
* -
*
*
* -
*
*
*
*
* You can use this operation to decrypt ciphertext that was encrypted under a symmetric or asymmetric KMS key. When
* the KMS key is asymmetric, you must specify the KMS key and the encryption algorithm that was used to encrypt the
* ciphertext. For information about symmetric and asymmetric KMS keys, see Using Symmetric and
* Asymmetric KMS keys in the Key Management Service Developer Guide.
*
*
* The Decrypt operation also decrypts ciphertext that was encrypted outside of KMS by the public key in an KMS
* asymmetric KMS key. However, it cannot decrypt ciphertext produced by other libraries, such as the Amazon Web Services Encryption SDK
* or Amazon S3 client-side
* encryption. These libraries return a ciphertext format that is incompatible with KMS.
*
*
* If the ciphertext was encrypted under a symmetric KMS key, the KeyId
parameter is optional. KMS can
* get this information from metadata that it adds to the symmetric ciphertext blob. This feature adds durability to
* your implementation by ensuring that authorized users can decrypt ciphertext decades after it was encrypted, even
* if they've lost track of the key ID. However, specifying the KMS key is always recommended as a best practice.
* When you use the KeyId
parameter to specify a KMS key, KMS only uses the KMS key you specify. If the
* ciphertext was encrypted under a different KMS key, the Decrypt
operation fails. This practice
* ensures that you use the KMS key that you intend.
*
*
* Whenever possible, use key policies to give users permission to call the Decrypt
operation on a
* particular KMS key, instead of using IAM policies. Otherwise, you might create an IAM user policy that gives the
* user Decrypt
permission on all KMS keys. This user could decrypt ciphertext that was encrypted by
* KMS keys in other accounts if the key policy for the cross-account KMS key permits it. If you must use an IAM
* policy for Decrypt
permissions, limit the user to particular KMS keys or particular trusted
* accounts. For details, see Best
* practices for IAM policies in the Key Management Service Developer Guide.
*
*
* Applications in Amazon Web Services Nitro Enclaves can call this operation by using the Amazon Web Services Nitro Enclaves Development Kit.
* For information about the supporting parameters, see How Amazon Web Services
* Nitro Enclaves use KMS in the Key Management Service Developer Guide.
*
*
* The KMS key that you use for this operation must be in a compatible key state. For details, see Key state: Effect on your KMS key
* in the Key Management Service Developer Guide.
*
*
* Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services
* account, specify the key ARN or alias ARN in the value of the KeyId
parameter.
*
*
* Required permissions: kms:Decrypt
* (key policy)
*
*
* Related operations:
*
*
* -
*
* Encrypt
*
*
* -
*
* GenerateDataKey
*
*
* -
*
*
* -
*
* ReEncrypt
*
*
*
*
* @param decryptRequest
* @return Result of the Decrypt operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DisabledException
* The request was rejected because the specified KMS key is not enabled.
* @throws InvalidCiphertextException
* From the Decrypt or ReEncrypt operation, the request was rejected because the specified
* ciphertext, or additional authenticated data incorporated into the ciphertext, such as the encryption
* context, is corrupted, missing, or otherwise invalid.
*
* From the ImportKeyMaterial operation, the request was rejected because KMS could not decrypt the
* encrypted (wrapped) key material.
* @throws KeyUnavailableException
* The request was rejected because the specified KMS key was not available. You can retry the request.
* @throws IncorrectKeyException
* The request was rejected because the specified KMS key cannot decrypt the data. The KeyId
in
* a Decrypt request and the SourceKeyId
in a ReEncrypt request must identify the
* same KMS key that was used to encrypt the ciphertext.
* @throws InvalidKeyUsageException
* The request was rejected for one of the following reasons:
*
*
* -
*
* The KeyUsage
value of the KMS key is incompatible with the API operation.
*
*
* -
*
* The encryption algorithm or signing algorithm specified for the operation is incompatible with the type
* of key material in the KMS key (KeySpec
).
*
*
*
*
* For encrypting, decrypting, re-encrypting, and generating data keys, the KeyUsage
must be
* ENCRYPT_DECRYPT
. For signing and verifying, the KeyUsage
must be
* SIGN_VERIFY
. To find the KeyUsage
of a KMS key, use the DescribeKey
* operation.
*
*
* To find the encryption or signing algorithms supported for a particular KMS key, use the
* DescribeKey operation.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidGrantTokenException
* The request was rejected because the specified grant token is not valid.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KmsInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
*
* For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS
* key in the Key Management Service Developer Guide .
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.Decrypt
* @see AWS API
* Documentation
*/
@Override
public DecryptResponse decrypt(DecryptRequest decryptRequest) throws NotFoundException, DisabledException,
InvalidCiphertextException, KeyUnavailableException, IncorrectKeyException, InvalidKeyUsageException,
DependencyTimeoutException, InvalidGrantTokenException, KmsInternalException, KmsInvalidStateException,
AwsServiceException, SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(operationMetadata,
DecryptResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, decryptRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "Decrypt");
return clientHandler.execute(new ClientExecutionParams()
.withOperationName("Decrypt").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(decryptRequest)
.withMetricCollector(apiCallMetricCollector).withMarshaller(new DecryptRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Deletes the specified alias.
*
*
*
* Adding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see Using ABAC in KMS in the Key
* Management Service Developer Guide.
*
*
*
* Because an alias is not a property of a KMS key, you can delete and change the aliases of a KMS key without
* affecting the KMS key. Also, aliases do not appear in the response from the DescribeKey operation. To get
* the aliases of all KMS keys, use the ListAliases operation.
*
*
* Each KMS key can have multiple aliases. To change the alias of a KMS key, use DeleteAlias to delete the
* current alias and CreateAlias to create a new alias. To associate an existing alias with a different KMS
* key, call UpdateAlias.
*
*
* Cross-account use: No. You cannot perform this operation on an alias in a different Amazon Web Services
* account.
*
*
* Required permissions
*
*
* -
*
* kms:DeleteAlias
* on the alias (IAM policy).
*
*
* -
*
* kms:DeleteAlias
* on the KMS key (key policy).
*
*
*
*
* For details, see Controlling access to
* aliases in the Key Management Service Developer Guide.
*
*
* Related operations:
*
*
* -
*
* CreateAlias
*
*
* -
*
* ListAliases
*
*
* -
*
* UpdateAlias
*
*
*
*
* @param deleteAliasRequest
* @return Result of the DeleteAlias operation returned by the service.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KmsInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS
* key in the Key Management Service Developer Guide .
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.DeleteAlias
* @see AWS API
* Documentation
*/
@Override
public DeleteAliasResponse deleteAlias(DeleteAliasRequest deleteAliasRequest) throws DependencyTimeoutException,
NotFoundException, KmsInternalException, KmsInvalidStateException, AwsServiceException, SdkClientException,
KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(operationMetadata,
DeleteAliasResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, deleteAliasRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "DeleteAlias");
return clientHandler.execute(new ClientExecutionParams()
.withOperationName("DeleteAlias").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(deleteAliasRequest)
.withMetricCollector(apiCallMetricCollector)
.withMarshaller(new DeleteAliasRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Deletes a custom
* key store. This operation does not delete the CloudHSM cluster that is associated with the custom key store,
* or affect any users or keys in the cluster.
*
*
* The custom key store that you delete cannot contain any KMS KMS keys. Before deleting
* the key store, verify that you will never need to use any of the KMS keys in the key store for any cryptographic
* operations. Then, use ScheduleKeyDeletion to delete the KMS keys from the key store. When the
* scheduled waiting period expires, the ScheduleKeyDeletion
operation deletes the KMS keys. Then it
* makes a best effort to delete the key material from the associated cluster. However, you might need to manually
* delete
* the orphaned key material from the cluster and its backups.
*
*
* After all KMS keys are deleted from KMS, use DisconnectCustomKeyStore to disconnect the key store from
* KMS. Then, you can delete the custom key store.
*
*
* Instead of deleting the custom key store, consider using DisconnectCustomKeyStore to disconnect it from
* KMS. While the key store is disconnected, you cannot create or use the KMS keys in the key store. But, you do not
* need to delete KMS keys and you can reconnect a disconnected custom key store at any time.
*
*
* If the operation succeeds, it returns a JSON object with no properties.
*
*
* This operation is part of the Custom Key Store
* feature feature in KMS, which combines the convenience and extensive integration of KMS with the isolation
* and control of a single-tenant key store.
*
*
* Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web
* Services account.
*
*
* Required permissions: kms:DeleteCustomKeyStore (IAM policy)
*
*
* Related operations:
*
*
* -
*
*
* -
*
*
* -
*
*
* -
*
*
* -
*
*
*
*
* @param deleteCustomKeyStoreRequest
* @return Result of the DeleteCustomKeyStore operation returned by the service.
* @throws CustomKeyStoreHasCmKsException
* The request was rejected because the custom key store contains KMS keys. After verifying that you do not
* need to use the KMS keys, use the ScheduleKeyDeletion operation to delete the KMS keys. After they
* are deleted, you can delete the custom key store.
* @throws CustomKeyStoreInvalidStateException
* The request was rejected because of the ConnectionState
of the custom key store. To get the
* ConnectionState
of a custom key store, use the DescribeCustomKeyStores operation.
*
* This exception is thrown under the following conditions:
*
*
* -
*
* You requested the CreateKey or GenerateRandom operation in a custom key store that is not
* connected. These operations are valid only when the custom key store ConnectionState
is
* CONNECTED
.
*
*
* -
*
* You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation on a custom key
* store that is not disconnected. This operation is valid only when the custom key store
* ConnectionState
is DISCONNECTED
.
*
*
* -
*
* You requested the ConnectCustomKeyStore operation on a custom key store with a
* ConnectionState
of DISCONNECTING
or FAILED
. This operation is
* valid for all other ConnectionState
values.
*
*
* @throws CustomKeyStoreNotFoundException
* The request was rejected because KMS cannot find a custom key store with the specified key store name or
* ID.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.DeleteCustomKeyStore
* @see AWS API
* Documentation
*/
@Override
public DeleteCustomKeyStoreResponse deleteCustomKeyStore(DeleteCustomKeyStoreRequest deleteCustomKeyStoreRequest)
throws CustomKeyStoreHasCmKsException, CustomKeyStoreInvalidStateException, CustomKeyStoreNotFoundException,
KmsInternalException, AwsServiceException, SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(
operationMetadata, DeleteCustomKeyStoreResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, deleteCustomKeyStoreRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "DeleteCustomKeyStore");
return clientHandler.execute(new ClientExecutionParams()
.withOperationName("DeleteCustomKeyStore").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(deleteCustomKeyStoreRequest)
.withMetricCollector(apiCallMetricCollector)
.withMarshaller(new DeleteCustomKeyStoreRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Deletes key material that you previously imported. This operation makes the specified KMS key unusable. For more
* information about importing key material into KMS, see Importing Key Material in
* the Key Management Service Developer Guide.
*
*
* When the specified KMS key is in the PendingDeletion
state, this operation does not change the KMS
* key's state. Otherwise, it changes the KMS key's state to PendingImport
.
*
*
* After you delete key material, you can use ImportKeyMaterial to reimport the same key material into the
* KMS key.
*
*
* The KMS key that you use for this operation must be in a compatible key state. For details, see Key state: Effect on your KMS key
* in the Key Management Service Developer Guide.
*
*
* Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
* account.
*
*
* Required permissions: kms:DeleteImportedKeyMaterial (key policy)
*
*
* Related operations:
*
*
* -
*
*
* -
*
*
*
*
* @param deleteImportedKeyMaterialRequest
* @return Result of the DeleteImportedKeyMaterial operation returned by the service.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws UnsupportedOperationException
* The request was rejected because a specified parameter is not supported or a specified resource is not
* valid for this operation.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KmsInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS
* key in the Key Management Service Developer Guide .
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.DeleteImportedKeyMaterial
* @see AWS
* API Documentation
*/
@Override
public DeleteImportedKeyMaterialResponse deleteImportedKeyMaterial(
DeleteImportedKeyMaterialRequest deleteImportedKeyMaterialRequest) throws InvalidArnException,
UnsupportedOperationException, DependencyTimeoutException, NotFoundException, KmsInternalException,
KmsInvalidStateException, AwsServiceException, SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(
operationMetadata, DeleteImportedKeyMaterialResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, deleteImportedKeyMaterialRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "DeleteImportedKeyMaterial");
return clientHandler
.execute(new ClientExecutionParams()
.withOperationName("DeleteImportedKeyMaterial").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(deleteImportedKeyMaterialRequest)
.withMetricCollector(apiCallMetricCollector)
.withMarshaller(new DeleteImportedKeyMaterialRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Gets information about custom key stores
* in the account and Region.
*
*
* This operation is part of the Custom Key Store
* feature feature in KMS, which combines the convenience and extensive integration of KMS with the isolation
* and control of a single-tenant key store.
*
*
* By default, this operation returns information about all custom key stores in the account and Region. To get only
* information about a particular custom key store, use either the CustomKeyStoreName
or
* CustomKeyStoreId
parameter (but not both).
*
*
* To determine whether the custom key store is connected to its CloudHSM cluster, use the
* ConnectionState
element in the response. If an attempt to connect the custom key store failed, the
* ConnectionState
value is FAILED
and the ConnectionErrorCode
element in the
* response indicates the cause of the failure. For help interpreting the ConnectionErrorCode
, see
* CustomKeyStoresListEntry.
*
*
* Custom key stores have a DISCONNECTED
connection state if the key store has never been connected or
* you use the DisconnectCustomKeyStore operation to disconnect it. If your custom key store state is
* CONNECTED
but you are having trouble using it, make sure that its associated CloudHSM cluster is
* active and contains the minimum number of HSMs required for the operation, if any.
*
*
* For help repairing your custom key store, see the Troubleshooting Custom Key
* Stores topic in the Key Management Service Developer Guide.
*
*
* Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web
* Services account.
*
*
* Required permissions: kms:DescribeCustomKeyStores (IAM policy)
*
*
* Related operations:
*
*
* -
*
*
* -
*
*
* -
*
*
* -
*
*
* -
*
*
*
*
* @param describeCustomKeyStoresRequest
* @return Result of the DescribeCustomKeyStores operation returned by the service.
* @throws CustomKeyStoreNotFoundException
* The request was rejected because KMS cannot find a custom key store with the specified key store name or
* ID.
* @throws InvalidMarkerException
* The request was rejected because the marker that specifies where pagination should next begin is not
* valid.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.DescribeCustomKeyStores
* @see AWS
* API Documentation
*/
@Override
public DescribeCustomKeyStoresResponse describeCustomKeyStores(DescribeCustomKeyStoresRequest describeCustomKeyStoresRequest)
throws CustomKeyStoreNotFoundException, InvalidMarkerException, KmsInternalException, AwsServiceException,
SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(
operationMetadata, DescribeCustomKeyStoresResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, describeCustomKeyStoresRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "DescribeCustomKeyStores");
return clientHandler
.execute(new ClientExecutionParams()
.withOperationName("DescribeCustomKeyStores").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(describeCustomKeyStoresRequest)
.withMetricCollector(apiCallMetricCollector)
.withMarshaller(new DescribeCustomKeyStoresRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Provides detailed information about a KMS key. You can run DescribeKey
on a customer managed key
* or an Amazon Web
* Services managed key.
*
*
* This detailed information includes the key ARN, creation date (and deletion date, if applicable), the key state,
* and the origin and expiration date (if any) of the key material. It includes fields, like KeySpec
,
* that help you distinguish symmetric from asymmetric KMS keys. It also provides information that is particularly
* important to asymmetric keys, such as the key usage (encryption or signing) and the encryption algorithms or
* signing algorithms that the KMS key supports. For KMS keys in custom key stores, it includes information about
* the custom key store, such as the key store ID and the CloudHSM cluster ID. For multi-Region keys, it displays
* the primary key and all related replica keys.
*
*
* DescribeKey
does not return the following information:
*
*
* -
*
* Aliases associated with the KMS key. To get this information, use ListAliases.
*
*
* -
*
* Whether automatic key rotation is enabled on the KMS key. To get this information, use
* GetKeyRotationStatus. Also, some key states prevent a KMS key from being automatically rotated. For
* details, see How
* Automatic Key Rotation Works in Key Management Service Developer Guide.
*
*
* -
*
* Tags on the KMS key. To get this information, use ListResourceTags.
*
*
* -
*
* Key policies and grants on the KMS key. To get this information, use GetKeyPolicy and ListGrants.
*
*
*
*
* If you call the DescribeKey
operation on a predefined Amazon Web Services alias, that is, an
* Amazon Web Services alias with no key ID, KMS creates an Amazon Web Services
* managed key. Then, it associates the alias with the new KMS key, and returns the KeyId
and
* Arn
of the new KMS key in the response.
*
*
* Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services
* account, specify the key ARN or alias ARN in the value of the KeyId
parameter.
*
*
* Required permissions: kms:DescribeKey (key policy)
*
*
* Related operations:
*
*
* -
*
* GetKeyPolicy
*
*
* -
*
*
* -
*
* ListAliases
*
*
* -
*
* ListGrants
*
*
* -
*
* ListKeys
*
*
* -
*
* ListResourceTags
*
*
* -
*
*
*
*
* @param describeKeyRequest
* @return Result of the DescribeKey operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.DescribeKey
* @see AWS API
* Documentation
*/
@Override
public DescribeKeyResponse describeKey(DescribeKeyRequest describeKeyRequest) throws NotFoundException, InvalidArnException,
DependencyTimeoutException, KmsInternalException, AwsServiceException, SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(operationMetadata,
DescribeKeyResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, describeKeyRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "DescribeKey");
return clientHandler.execute(new ClientExecutionParams()
.withOperationName("DescribeKey").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(describeKeyRequest)
.withMetricCollector(apiCallMetricCollector)
.withMarshaller(new DescribeKeyRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Sets the state of a KMS key to disabled. This change temporarily prevents use of the KMS key for cryptographic
* operations.
*
*
* For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS key
* in the Key Management Service Developer Guide .
*
*
* The KMS key that you use for this operation must be in a compatible key state. For details, see Key state: Effect on your KMS key
* in the Key Management Service Developer Guide.
*
*
* Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
* account.
*
*
* Required permissions: kms:DisableKey (key policy)
*
*
* Related operations: EnableKey
*
*
* @param disableKeyRequest
* @return Result of the DisableKey operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KmsInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS
* key in the Key Management Service Developer Guide .
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.DisableKey
* @see AWS API
* Documentation
*/
@Override
public DisableKeyResponse disableKey(DisableKeyRequest disableKeyRequest) throws NotFoundException, InvalidArnException,
DependencyTimeoutException, KmsInternalException, KmsInvalidStateException, AwsServiceException, SdkClientException,
KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(operationMetadata,
DisableKeyResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, disableKeyRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "DisableKey");
return clientHandler
.execute(new ClientExecutionParams().withOperationName("DisableKey")
.withResponseHandler(responseHandler).withErrorResponseHandler(errorResponseHandler)
.withInput(disableKeyRequest).withMetricCollector(apiCallMetricCollector)
.withMarshaller(new DisableKeyRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Disables automatic rotation of
* the key material for the specified symmetric KMS key.
*
*
* You cannot enable automatic rotation of asymmetric
* KMS keys, KMS keys with imported key material, or
* KMS keys in a custom key store.
* To enable or disable automatic rotation of a set of related multi-Region keys, set the property on the primary key.
*
*
* The KMS key that you use for this operation must be in a compatible key state. For details, see Key state: Effect on your KMS key
* in the Key Management Service Developer Guide.
*
*
* Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
* account.
*
*
* Required permissions: kms:DisableKeyRotation (key policy)
*
*
* Related operations:
*
*
* -
*
*
* -
*
*
*
*
* @param disableKeyRotationRequest
* @return Result of the DisableKeyRotation operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DisabledException
* The request was rejected because the specified KMS key is not enabled.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KmsInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS
* key in the Key Management Service Developer Guide .
* @throws UnsupportedOperationException
* The request was rejected because a specified parameter is not supported or a specified resource is not
* valid for this operation.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.DisableKeyRotation
* @see AWS API
* Documentation
*/
@Override
public DisableKeyRotationResponse disableKeyRotation(DisableKeyRotationRequest disableKeyRotationRequest)
throws NotFoundException, DisabledException, InvalidArnException, DependencyTimeoutException, KmsInternalException,
KmsInvalidStateException, UnsupportedOperationException, AwsServiceException, SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(
operationMetadata, DisableKeyRotationResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, disableKeyRotationRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "DisableKeyRotation");
return clientHandler.execute(new ClientExecutionParams()
.withOperationName("DisableKeyRotation").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(disableKeyRotationRequest)
.withMetricCollector(apiCallMetricCollector)
.withMarshaller(new DisableKeyRotationRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Disconnects the custom key store
* from its associated CloudHSM cluster. While a custom key store is disconnected, you can manage the custom key
* store and its KMS keys, but you cannot create or use KMS keys in the custom key store. You can reconnect the
* custom key store at any time.
*
*
*
* While a custom key store is disconnected, all attempts to create KMS keys in the custom key store or to use
* existing KMS keys in cryptographic
* operations will fail. This action can prevent users from storing and accessing sensitive data.
*
*
*
*
* To find the connection state of a custom key store, use the DescribeCustomKeyStores operation. To
* reconnect a custom key store, use the ConnectCustomKeyStore operation.
*
*
* If the operation succeeds, it returns a JSON object with no properties.
*
*
* This operation is part of the Custom Key Store
* feature feature in KMS, which combines the convenience and extensive integration of KMS with the isolation
* and control of a single-tenant key store.
*
*
* Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web
* Services account.
*
*
* Required permissions: kms:DisconnectCustomKeyStore (IAM policy)
*
*
* Related operations:
*
*
* -
*
*
* -
*
*
* -
*
*
* -
*
*
* -
*
*
*
*
* @param disconnectCustomKeyStoreRequest
* @return Result of the DisconnectCustomKeyStore operation returned by the service.
* @throws CustomKeyStoreInvalidStateException
* The request was rejected because of the ConnectionState
of the custom key store. To get the
* ConnectionState
of a custom key store, use the DescribeCustomKeyStores operation.
*
* This exception is thrown under the following conditions:
*
*
* -
*
* You requested the CreateKey or GenerateRandom operation in a custom key store that is not
* connected. These operations are valid only when the custom key store ConnectionState
is
* CONNECTED
.
*
*
* -
*
* You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation on a custom key
* store that is not disconnected. This operation is valid only when the custom key store
* ConnectionState
is DISCONNECTED
.
*
*
* -
*
* You requested the ConnectCustomKeyStore operation on a custom key store with a
* ConnectionState
of DISCONNECTING
or FAILED
. This operation is
* valid for all other ConnectionState
values.
*
*
* @throws CustomKeyStoreNotFoundException
* The request was rejected because KMS cannot find a custom key store with the specified key store name or
* ID.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.DisconnectCustomKeyStore
* @see AWS
* API Documentation
*/
@Override
public DisconnectCustomKeyStoreResponse disconnectCustomKeyStore(
DisconnectCustomKeyStoreRequest disconnectCustomKeyStoreRequest) throws CustomKeyStoreInvalidStateException,
CustomKeyStoreNotFoundException, KmsInternalException, AwsServiceException, SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(
operationMetadata, DisconnectCustomKeyStoreResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, disconnectCustomKeyStoreRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "DisconnectCustomKeyStore");
return clientHandler
.execute(new ClientExecutionParams()
.withOperationName("DisconnectCustomKeyStore").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(disconnectCustomKeyStoreRequest)
.withMetricCollector(apiCallMetricCollector)
.withMarshaller(new DisconnectCustomKeyStoreRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Sets the key state of a KMS key to enabled. This allows you to use the KMS key for cryptographic
* operations.
*
*
* The KMS key that you use for this operation must be in a compatible key state. For details, see Key state: Effect on your KMS key
* in the Key Management Service Developer Guide.
*
*
* Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
* account.
*
*
* Required permissions: kms:EnableKey
* (key policy)
*
*
* Related operations: DisableKey
*
*
* @param enableKeyRequest
* @return Result of the EnableKey operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws LimitExceededException
* The request was rejected because a quota was exceeded. For more information, see Quotas in the Key
* Management Service Developer Guide.
* @throws KmsInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS
* key in the Key Management Service Developer Guide .
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.EnableKey
* @see AWS API
* Documentation
*/
@Override
public EnableKeyResponse enableKey(EnableKeyRequest enableKeyRequest) throws NotFoundException, InvalidArnException,
DependencyTimeoutException, KmsInternalException, LimitExceededException, KmsInvalidStateException,
AwsServiceException, SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(operationMetadata,
EnableKeyResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, enableKeyRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "EnableKey");
return clientHandler.execute(new ClientExecutionParams()
.withOperationName("EnableKey").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(enableKeyRequest)
.withMetricCollector(apiCallMetricCollector).withMarshaller(new EnableKeyRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Enables automatic rotation of
* the key material for the specified symmetric KMS key.
*
*
* You cannot enable automatic rotation of asymmetric
* KMS keys, KMS keys with imported key material, or
* KMS keys in a custom key store.
* To enable or disable automatic rotation of a set of related multi-Region keys, set the property on the primary key.
*
*
* The KMS key that you use for this operation must be in a compatible key state. For details, see Key state: Effect on your KMS key
* in the Key Management Service Developer Guide.
*
*
* Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
* account.
*
*
* Required permissions: kms:EnableKeyRotation (key policy)
*
*
* Related operations:
*
*
* -
*
*
* -
*
*
*
*
* @param enableKeyRotationRequest
* @return Result of the EnableKeyRotation operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DisabledException
* The request was rejected because the specified KMS key is not enabled.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KmsInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS
* key in the Key Management Service Developer Guide .
* @throws UnsupportedOperationException
* The request was rejected because a specified parameter is not supported or a specified resource is not
* valid for this operation.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.EnableKeyRotation
* @see AWS API
* Documentation
*/
@Override
public EnableKeyRotationResponse enableKeyRotation(EnableKeyRotationRequest enableKeyRotationRequest)
throws NotFoundException, DisabledException, InvalidArnException, DependencyTimeoutException, KmsInternalException,
KmsInvalidStateException, UnsupportedOperationException, AwsServiceException, SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(operationMetadata,
EnableKeyRotationResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, enableKeyRotationRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "EnableKeyRotation");
return clientHandler.execute(new ClientExecutionParams()
.withOperationName("EnableKeyRotation").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(enableKeyRotationRequest)
.withMetricCollector(apiCallMetricCollector)
.withMarshaller(new EnableKeyRotationRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Encrypts plaintext into ciphertext by using a KMS key. The Encrypt
operation has two primary use
* cases:
*
*
* -
*
* You can encrypt small amounts of arbitrary data, such as a personal identifier or database password, or other
* sensitive information.
*
*
* -
*
* You can use the Encrypt
operation to move encrypted data from one Amazon Web Services Region to
* another. For example, in Region A, generate a data key and use the plaintext key to encrypt your data. Then, in
* Region A, use the Encrypt
operation to encrypt the plaintext data key under a KMS key in Region B.
* Now, you can move the encrypted data and the encrypted data key to Region B. When necessary, you can decrypt the
* encrypted data key and the encrypted data entirely within in Region B.
*
*
*
*
* You don't need to use the Encrypt
operation to encrypt a data key. The GenerateDataKey and
* GenerateDataKeyPair operations return a plaintext data key and an encrypted copy of that data key.
*
*
* When you encrypt data, you must specify a symmetric or asymmetric KMS key to use in the encryption operation. The
* KMS key must have a KeyUsage
value of ENCRYPT_DECRYPT.
To find the
* KeyUsage
of a KMS key, use the DescribeKey operation.
*
*
* If you use a symmetric KMS key, you can use an encryption context to add additional security to your encryption
* operation. If you specify an EncryptionContext
when encrypting data, you must specify the same
* encryption context (a case-sensitive exact match) when decrypting the data. Otherwise, the request to decrypt
* fails with an InvalidCiphertextException
. For more information, see Encryption Context
* in the Key Management Service Developer Guide.
*
*
* If you specify an asymmetric KMS key, you must also specify the encryption algorithm. The algorithm must be
* compatible with the KMS key type.
*
*
*
* When you use an asymmetric KMS key to encrypt or reencrypt data, be sure to record the KMS key and encryption
* algorithm that you choose. You will be required to provide the same KMS key and encryption algorithm when you
* decrypt the data. If the KMS key and algorithm do not match the values used to encrypt the data, the decrypt
* operation fails.
*
*
* You are not required to supply the key ID and encryption algorithm when you decrypt with symmetric KMS keys
* because KMS stores this information in the ciphertext blob. KMS cannot store metadata in ciphertext generated
* with asymmetric keys. The standard format for asymmetric key ciphertext does not include configurable fields.
*
*
*
* The maximum size of the data that you can encrypt varies with the type of KMS key and the encryption algorithm
* that you choose.
*
*
* -
*
* Symmetric KMS keys
*
*
* -
*
* SYMMETRIC_DEFAULT
: 4096 bytes
*
*
*
*
* -
*
* RSA_2048
*
*
* -
*
* RSAES_OAEP_SHA_1
: 214 bytes
*
*
* -
*
* RSAES_OAEP_SHA_256
: 190 bytes
*
*
*
*
* -
*
* RSA_3072
*
*
* -
*
* RSAES_OAEP_SHA_1
: 342 bytes
*
*
* -
*
* RSAES_OAEP_SHA_256
: 318 bytes
*
*
*
*
* -
*
* RSA_4096
*
*
* -
*
* RSAES_OAEP_SHA_1
: 470 bytes
*
*
* -
*
* RSAES_OAEP_SHA_256
: 446 bytes
*
*
*
*
*
*
* The KMS key that you use for this operation must be in a compatible key state. For details, see Key state: Effect on your KMS key
* in the Key Management Service Developer Guide.
*
*
* Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services
* account, specify the key ARN or alias ARN in the value of the KeyId
parameter.
*
*
* Required permissions: kms:Encrypt
* (key policy)
*
*
* Related operations:
*
*
* -
*
* Decrypt
*
*
* -
*
* GenerateDataKey
*
*
* -
*
*
*
*
* @param encryptRequest
* @return Result of the Encrypt operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DisabledException
* The request was rejected because the specified KMS key is not enabled.
* @throws KeyUnavailableException
* The request was rejected because the specified KMS key was not available. You can retry the request.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidKeyUsageException
* The request was rejected for one of the following reasons:
*
* -
*
* The KeyUsage
value of the KMS key is incompatible with the API operation.
*
*
* -
*
* The encryption algorithm or signing algorithm specified for the operation is incompatible with the type
* of key material in the KMS key (KeySpec
).
*
*
*
*
* For encrypting, decrypting, re-encrypting, and generating data keys, the KeyUsage
must be
* ENCRYPT_DECRYPT
. For signing and verifying, the KeyUsage
must be
* SIGN_VERIFY
. To find the KeyUsage
of a KMS key, use the DescribeKey
* operation.
*
*
* To find the encryption or signing algorithms supported for a particular KMS key, use the
* DescribeKey operation.
* @throws InvalidGrantTokenException
* The request was rejected because the specified grant token is not valid.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KmsInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
*
* For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS
* key in the Key Management Service Developer Guide .
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.Encrypt
* @see AWS API
* Documentation
*/
@Override
public EncryptResponse encrypt(EncryptRequest encryptRequest) throws NotFoundException, DisabledException,
KeyUnavailableException, DependencyTimeoutException, InvalidKeyUsageException, InvalidGrantTokenException,
KmsInternalException, KmsInvalidStateException, AwsServiceException, SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(operationMetadata,
EncryptResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, encryptRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "Encrypt");
return clientHandler.execute(new ClientExecutionParams()
.withOperationName("Encrypt").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(encryptRequest)
.withMetricCollector(apiCallMetricCollector).withMarshaller(new EncryptRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Generates a unique symmetric data key for client-side encryption. This operation returns a plaintext copy of the
* data key and a copy that is encrypted under a KMS key that you specify. You can use the plaintext key to encrypt
* your data outside of KMS and store the encrypted data key with the encrypted data.
*
*
* GenerateDataKey
returns a unique data key for each request. The bytes in the plaintext key are not
* related to the caller or the KMS key.
*
*
* To generate a data key, specify the symmetric KMS key that will be used to encrypt the data key. You cannot use
* an asymmetric KMS key to generate data keys. To get the type of your KMS key, use the DescribeKey
* operation. You must also specify the length of the data key. Use either the KeySpec
or
* NumberOfBytes
parameters (but not both). For 128-bit and 256-bit data keys, use the
* KeySpec
parameter.
*
*
* To get only an encrypted copy of the data key, use GenerateDataKeyWithoutPlaintext. To generate an
* asymmetric data key pair, use the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext
* operation. To get a cryptographically secure random byte string, use GenerateRandom.
*
*
* You can use the optional encryption context to add additional security to the encryption operation. If you
* specify an EncryptionContext
, you must specify the same encryption context (a case-sensitive exact
* match) when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an
* InvalidCiphertextException
. For more information, see Encryption Context
* in the Key Management Service Developer Guide.
*
*
* Applications in Amazon Web Services Nitro Enclaves can call this operation by using the Amazon Web Services Nitro Enclaves Development Kit.
* For information about the supporting parameters, see How Amazon Web Services
* Nitro Enclaves use KMS in the Key Management Service Developer Guide.
*
*
* The KMS key that you use for this operation must be in a compatible key state. For details, see Key state: Effect on your KMS key
* in the Key Management Service Developer Guide.
*
*
* How to use your data key
*
*
* We recommend that you use the following pattern to encrypt data locally in your application. You can write your
* own code or use a client-side encryption library, such as the Amazon Web Services Encryption SDK,
* the Amazon DynamoDB Encryption
* Client, or Amazon S3
* client-side encryption to do these tasks for you.
*
*
* To encrypt data outside of KMS:
*
*
* -
*
* Use the GenerateDataKey
operation to get a data key.
*
*
* -
*
* Use the plaintext data key (in the Plaintext
field of the response) to encrypt your data outside of
* KMS. Then erase the plaintext data key from memory.
*
*
* -
*
* Store the encrypted data key (in the CiphertextBlob
field of the response) with the encrypted data.
*
*
*
*
* To decrypt data outside of KMS:
*
*
* -
*
* Use the Decrypt operation to decrypt the encrypted data key. The operation returns a plaintext copy of the
* data key.
*
*
* -
*
* Use the plaintext data key to decrypt data outside of KMS, then erase the plaintext data key from memory.
*
*
*
*
* Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services
* account, specify the key ARN or alias ARN in the value of the KeyId
parameter.
*
*
* Required permissions: kms:GenerateDataKey (key policy)
*
*
* Related operations:
*
*
*
* @param generateDataKeyRequest
* @return Result of the GenerateDataKey operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DisabledException
* The request was rejected because the specified KMS key is not enabled.
* @throws KeyUnavailableException
* The request was rejected because the specified KMS key was not available. You can retry the request.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidKeyUsageException
* The request was rejected for one of the following reasons:
*
* -
*
* The KeyUsage
value of the KMS key is incompatible with the API operation.
*
*
* -
*
* The encryption algorithm or signing algorithm specified for the operation is incompatible with the type
* of key material in the KMS key (KeySpec
).
*
*
*
*
* For encrypting, decrypting, re-encrypting, and generating data keys, the KeyUsage
must be
* ENCRYPT_DECRYPT
. For signing and verifying, the KeyUsage
must be
* SIGN_VERIFY
. To find the KeyUsage
of a KMS key, use the DescribeKey
* operation.
*
*
* To find the encryption or signing algorithms supported for a particular KMS key, use the
* DescribeKey operation.
* @throws InvalidGrantTokenException
* The request was rejected because the specified grant token is not valid.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KmsInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
*
* For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS
* key in the Key Management Service Developer Guide .
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.GenerateDataKey
* @see AWS API
* Documentation
*/
@Override
public GenerateDataKeyResponse generateDataKey(GenerateDataKeyRequest generateDataKeyRequest) throws NotFoundException,
DisabledException, KeyUnavailableException, DependencyTimeoutException, InvalidKeyUsageException,
InvalidGrantTokenException, KmsInternalException, KmsInvalidStateException, AwsServiceException, SdkClientException,
KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(operationMetadata,
GenerateDataKeyResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, generateDataKeyRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "GenerateDataKey");
return clientHandler.execute(new ClientExecutionParams()
.withOperationName("GenerateDataKey").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(generateDataKeyRequest)
.withMetricCollector(apiCallMetricCollector)
.withMarshaller(new GenerateDataKeyRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Generates a unique asymmetric data key pair. The GenerateDataKeyPair
operation returns a plaintext
* public key, a plaintext private key, and a copy of the private key that is encrypted under the symmetric KMS key
* you specify. You can use the data key pair to perform asymmetric cryptography and implement digital signatures
* outside of KMS.
*
*
* You can use the public key that GenerateDataKeyPair
returns to encrypt data or verify a signature
* outside of KMS. Then, store the encrypted private key with the data. When you are ready to decrypt data or sign a
* message, you can use the Decrypt operation to decrypt the encrypted private key.
*
*
* To generate a data key pair, you must specify a symmetric KMS key to encrypt the private key in a data key pair.
* You cannot use an asymmetric KMS key or a KMS key in a custom key store. To get the type and origin of your KMS
* key, use the DescribeKey operation.
*
*
* Use the KeyPairSpec
parameter to choose an RSA or Elliptic Curve (ECC) data key pair. KMS recommends
* that your use ECC key pairs for signing, and use RSA key pairs for either encryption or signing, but not both.
* However, KMS cannot enforce any restrictions on the use of data key pairs outside of KMS.
*
*
* If you are using the data key pair to encrypt data, or for any operation where you don't immediately need a
* private key, consider using the GenerateDataKeyPairWithoutPlaintext operation.
* GenerateDataKeyPairWithoutPlaintext
returns a plaintext public key and an encrypted private key, but
* omits the plaintext private key that you need only to decrypt ciphertext or sign a message. Later, when you need
* to decrypt the data or sign a message, use the Decrypt operation to decrypt the encrypted private key in
* the data key pair.
*
*
* GenerateDataKeyPair
returns a unique data key pair for each request. The bytes in the keys are not
* related to the caller or the KMS key that is used to encrypt the private key. The public key is a DER-encoded
* X.509 SubjectPublicKeyInfo, as specified in RFC 5280. The
* private key is a DER-encoded PKCS8 PrivateKeyInfo, as specified in RFC 5958.
*
*
* You can use the optional encryption context to add additional security to the encryption operation. If you
* specify an EncryptionContext
, you must specify the same encryption context (a case-sensitive exact
* match) when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an
* InvalidCiphertextException
. For more information, see Encryption Context
* in the Key Management Service Developer Guide.
*
*
* The KMS key that you use for this operation must be in a compatible key state. For details, see Key state: Effect on your KMS key
* in the Key Management Service Developer Guide.
*
*
* Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services
* account, specify the key ARN or alias ARN in the value of the KeyId
parameter.
*
*
* Required permissions: kms:GenerateDataKeyPair (key policy)
*
*
* Related operations:
*
*
* -
*
* Decrypt
*
*
* -
*
* Encrypt
*
*
* -
*
* GenerateDataKey
*
*
* -
*
*
* -
*
*
*
*
* @param generateDataKeyPairRequest
* @return Result of the GenerateDataKeyPair operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DisabledException
* The request was rejected because the specified KMS key is not enabled.
* @throws KeyUnavailableException
* The request was rejected because the specified KMS key was not available. You can retry the request.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidKeyUsageException
* The request was rejected for one of the following reasons:
*
* -
*
* The KeyUsage
value of the KMS key is incompatible with the API operation.
*
*
* -
*
* The encryption algorithm or signing algorithm specified for the operation is incompatible with the type
* of key material in the KMS key (KeySpec
).
*
*
*
*
* For encrypting, decrypting, re-encrypting, and generating data keys, the KeyUsage
must be
* ENCRYPT_DECRYPT
. For signing and verifying, the KeyUsage
must be
* SIGN_VERIFY
. To find the KeyUsage
of a KMS key, use the DescribeKey
* operation.
*
*
* To find the encryption or signing algorithms supported for a particular KMS key, use the
* DescribeKey operation.
* @throws InvalidGrantTokenException
* The request was rejected because the specified grant token is not valid.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KmsInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
*
* For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS
* key in the Key Management Service Developer Guide .
* @throws UnsupportedOperationException
* The request was rejected because a specified parameter is not supported or a specified resource is not
* valid for this operation.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.GenerateDataKeyPair
* @see AWS API
* Documentation
*/
@Override
public GenerateDataKeyPairResponse generateDataKeyPair(GenerateDataKeyPairRequest generateDataKeyPairRequest)
throws NotFoundException, DisabledException, KeyUnavailableException, DependencyTimeoutException,
InvalidKeyUsageException, InvalidGrantTokenException, KmsInternalException, KmsInvalidStateException,
UnsupportedOperationException, AwsServiceException, SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(
operationMetadata, GenerateDataKeyPairResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, generateDataKeyPairRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "GenerateDataKeyPair");
return clientHandler.execute(new ClientExecutionParams()
.withOperationName("GenerateDataKeyPair").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(generateDataKeyPairRequest)
.withMetricCollector(apiCallMetricCollector)
.withMarshaller(new GenerateDataKeyPairRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Generates a unique asymmetric data key pair. The GenerateDataKeyPairWithoutPlaintext
operation
* returns a plaintext public key and a copy of the private key that is encrypted under the symmetric KMS key you
* specify. Unlike GenerateDataKeyPair, this operation does not return a plaintext private key.
*
*
* You can use the public key that GenerateDataKeyPairWithoutPlaintext
returns to encrypt data or
* verify a signature outside of KMS. Then, store the encrypted private key with the data. When you are ready to
* decrypt data or sign a message, you can use the Decrypt operation to decrypt the encrypted private key.
*
*
* To generate a data key pair, you must specify a symmetric KMS key to encrypt the private key in a data key pair.
* You cannot use an asymmetric KMS key or a KMS key in a custom key store. To get the type and origin of your KMS
* key, use the DescribeKey operation.
*
*
* Use the KeyPairSpec
parameter to choose an RSA or Elliptic Curve (ECC) data key pair. KMS recommends
* that your use ECC key pairs for signing, and use RSA key pairs for either encryption or signing, but not both.
* However, KMS cannot enforce any restrictions on the use of data key pairs outside of KMS.
*
*
* GenerateDataKeyPairWithoutPlaintext
returns a unique data key pair for each request. The bytes in
* the key are not related to the caller or KMS key that is used to encrypt the private key. The public key is a
* DER-encoded X.509 SubjectPublicKeyInfo, as specified in RFC
* 5280.
*
*
* You can use the optional encryption context to add additional security to the encryption operation. If you
* specify an EncryptionContext
, you must specify the same encryption context (a case-sensitive exact
* match) when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an
* InvalidCiphertextException
. For more information, see Encryption Context
* in the Key Management Service Developer Guide.
*
*
* The KMS key that you use for this operation must be in a compatible key state. For details, see Key state: Effect on your KMS key
* in the Key Management Service Developer Guide.
*
*
* Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services
* account, specify the key ARN or alias ARN in the value of the KeyId
parameter.
*
*
* Required permissions: kms:GenerateDataKeyPairWithoutPlaintext (key policy)
*
*
* Related operations:
*
*
* -
*
* Decrypt
*
*
* -
*
* Encrypt
*
*
* -
*
* GenerateDataKey
*
*
* -
*
*
* -
*
*
*
*
* @param generateDataKeyPairWithoutPlaintextRequest
* @return Result of the GenerateDataKeyPairWithoutPlaintext operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DisabledException
* The request was rejected because the specified KMS key is not enabled.
* @throws KeyUnavailableException
* The request was rejected because the specified KMS key was not available. You can retry the request.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidKeyUsageException
* The request was rejected for one of the following reasons:
*
* -
*
* The KeyUsage
value of the KMS key is incompatible with the API operation.
*
*
* -
*
* The encryption algorithm or signing algorithm specified for the operation is incompatible with the type
* of key material in the KMS key (KeySpec
).
*
*
*
*
* For encrypting, decrypting, re-encrypting, and generating data keys, the KeyUsage
must be
* ENCRYPT_DECRYPT
. For signing and verifying, the KeyUsage
must be
* SIGN_VERIFY
. To find the KeyUsage
of a KMS key, use the DescribeKey
* operation.
*
*
* To find the encryption or signing algorithms supported for a particular KMS key, use the
* DescribeKey operation.
* @throws InvalidGrantTokenException
* The request was rejected because the specified grant token is not valid.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KmsInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
*
* For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS
* key in the Key Management Service Developer Guide .
* @throws UnsupportedOperationException
* The request was rejected because a specified parameter is not supported or a specified resource is not
* valid for this operation.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.GenerateDataKeyPairWithoutPlaintext
* @see AWS API Documentation
*/
@Override
public GenerateDataKeyPairWithoutPlaintextResponse generateDataKeyPairWithoutPlaintext(
GenerateDataKeyPairWithoutPlaintextRequest generateDataKeyPairWithoutPlaintextRequest) throws NotFoundException,
DisabledException, KeyUnavailableException, DependencyTimeoutException, InvalidKeyUsageException,
InvalidGrantTokenException, KmsInternalException, KmsInvalidStateException, UnsupportedOperationException,
AwsServiceException, SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(
operationMetadata, GenerateDataKeyPairWithoutPlaintextResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration,
generateDataKeyPairWithoutPlaintextRequest.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "GenerateDataKeyPairWithoutPlaintext");
return clientHandler
.execute(new ClientExecutionParams()
.withOperationName("GenerateDataKeyPairWithoutPlaintext").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(generateDataKeyPairWithoutPlaintextRequest)
.withMetricCollector(apiCallMetricCollector)
.withMarshaller(new GenerateDataKeyPairWithoutPlaintextRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Generates a unique symmetric data key. This operation returns a data key that is encrypted under a KMS key that
* you specify. To request an asymmetric data key pair, use the GenerateDataKeyPair or
* GenerateDataKeyPairWithoutPlaintext operations.
*
*
* GenerateDataKeyWithoutPlaintext
is identical to the GenerateDataKey operation except that
* returns only the encrypted copy of the data key. This operation is useful for systems that need to encrypt data
* at some point, but not immediately. When you need to encrypt the data, you call the Decrypt operation on
* the encrypted copy of the key.
*
*
* It's also useful in distributed systems with different levels of trust. For example, you might store encrypted
* data in containers. One component of your system creates new containers and stores an encrypted data key with
* each container. Then, a different component puts the data into the containers. That component first decrypts the
* data key, uses the plaintext data key to encrypt data, puts the encrypted data into the container, and then
* destroys the plaintext data key. In this system, the component that creates the containers never sees the
* plaintext data key.
*
*
* GenerateDataKeyWithoutPlaintext
returns a unique data key for each request. The bytes in the keys
* are not related to the caller or KMS key that is used to encrypt the private key.
*
*
* To generate a data key, you must specify the symmetric KMS key that is used to encrypt the data key. You cannot
* use an asymmetric KMS key to generate a data key. To get the type of your KMS key, use the DescribeKey
* operation.
*
*
* If the operation succeeds, you will find the encrypted copy of the data key in the CiphertextBlob
* field.
*
*
* You can use the optional encryption context to add additional security to the encryption operation. If you
* specify an EncryptionContext
, you must specify the same encryption context (a case-sensitive exact
* match) when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an
* InvalidCiphertextException
. For more information, see Encryption Context
* in the Key Management Service Developer Guide.
*
*
* The KMS key that you use for this operation must be in a compatible key state. For details, see Key state: Effect on your KMS key
* in the Key Management Service Developer Guide.
*
*
* Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services
* account, specify the key ARN or alias ARN in the value of the KeyId
parameter.
*
*
* Required permissions: kms:GenerateDataKeyWithoutPlaintext (key policy)
*
*
* Related operations:
*
*
* -
*
* Decrypt
*
*
* -
*
* Encrypt
*
*
* -
*
* GenerateDataKey
*
*
* -
*
*
* -
*
*
*
*
* @param generateDataKeyWithoutPlaintextRequest
* @return Result of the GenerateDataKeyWithoutPlaintext operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DisabledException
* The request was rejected because the specified KMS key is not enabled.
* @throws KeyUnavailableException
* The request was rejected because the specified KMS key was not available. You can retry the request.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidKeyUsageException
* The request was rejected for one of the following reasons:
*
* -
*
* The KeyUsage
value of the KMS key is incompatible with the API operation.
*
*
* -
*
* The encryption algorithm or signing algorithm specified for the operation is incompatible with the type
* of key material in the KMS key (KeySpec
).
*
*
*
*
* For encrypting, decrypting, re-encrypting, and generating data keys, the KeyUsage
must be
* ENCRYPT_DECRYPT
. For signing and verifying, the KeyUsage
must be
* SIGN_VERIFY
. To find the KeyUsage
of a KMS key, use the DescribeKey
* operation.
*
*
* To find the encryption or signing algorithms supported for a particular KMS key, use the
* DescribeKey operation.
* @throws InvalidGrantTokenException
* The request was rejected because the specified grant token is not valid.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KmsInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
*
* For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS
* key in the Key Management Service Developer Guide .
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.GenerateDataKeyWithoutPlaintext
* @see AWS API Documentation
*/
@Override
public GenerateDataKeyWithoutPlaintextResponse generateDataKeyWithoutPlaintext(
GenerateDataKeyWithoutPlaintextRequest generateDataKeyWithoutPlaintextRequest) throws NotFoundException,
DisabledException, KeyUnavailableException, DependencyTimeoutException, InvalidKeyUsageException,
InvalidGrantTokenException, KmsInternalException, KmsInvalidStateException, AwsServiceException, SdkClientException,
KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(
operationMetadata, GenerateDataKeyWithoutPlaintextResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration,
generateDataKeyWithoutPlaintextRequest.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "GenerateDataKeyWithoutPlaintext");
return clientHandler
.execute(new ClientExecutionParams()
.withOperationName("GenerateDataKeyWithoutPlaintext").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(generateDataKeyWithoutPlaintextRequest)
.withMetricCollector(apiCallMetricCollector)
.withMarshaller(new GenerateDataKeyWithoutPlaintextRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Returns a random byte string that is cryptographically secure.
*
*
* By default, the random byte string is generated in KMS. To generate the byte string in the CloudHSM cluster that
* is associated with a custom key store,
* specify the custom key store ID.
*
*
* Applications in Amazon Web Services Nitro Enclaves can call this operation by using the Amazon Web Services Nitro Enclaves Development Kit.
* For information about the supporting parameters, see How Amazon Web Services
* Nitro Enclaves use KMS in the Key Management Service Developer Guide.
*
*
* For more information about entropy and random number generation, see Key Management Service Cryptographic
* Details.
*
*
* Required permissions: kms:GenerateRandom (IAM policy)
*
*
* @param generateRandomRequest
* @return Result of the GenerateRandom operation returned by the service.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws CustomKeyStoreNotFoundException
* The request was rejected because KMS cannot find a custom key store with the specified key store name or
* ID.
* @throws CustomKeyStoreInvalidStateException
* The request was rejected because of the ConnectionState
of the custom key store. To get the
* ConnectionState
of a custom key store, use the DescribeCustomKeyStores operation.
*
* This exception is thrown under the following conditions:
*
*
* -
*
* You requested the CreateKey or GenerateRandom operation in a custom key store that is not
* connected. These operations are valid only when the custom key store ConnectionState
is
* CONNECTED
.
*
*
* -
*
* You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation on a custom key
* store that is not disconnected. This operation is valid only when the custom key store
* ConnectionState
is DISCONNECTED
.
*
*
* -
*
* You requested the ConnectCustomKeyStore operation on a custom key store with a
* ConnectionState
of DISCONNECTING
or FAILED
. This operation is
* valid for all other ConnectionState
values.
*
*
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.GenerateRandom
* @see AWS API
* Documentation
*/
@Override
public GenerateRandomResponse generateRandom(GenerateRandomRequest generateRandomRequest) throws DependencyTimeoutException,
KmsInternalException, CustomKeyStoreNotFoundException, CustomKeyStoreInvalidStateException, AwsServiceException,
SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(operationMetadata,
GenerateRandomResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, generateRandomRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "GenerateRandom");
return clientHandler.execute(new ClientExecutionParams()
.withOperationName("GenerateRandom").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(generateRandomRequest)
.withMetricCollector(apiCallMetricCollector)
.withMarshaller(new GenerateRandomRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Gets a key policy attached to the specified KMS key.
*
*
* Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
* account.
*
*
* Required permissions: kms:GetKeyPolicy (key policy)
*
*
* Related operations: PutKeyPolicy
*
*
* @param getKeyPolicyRequest
* @return Result of the GetKeyPolicy operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KmsInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS
* key in the Key Management Service Developer Guide .
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.GetKeyPolicy
* @see AWS API
* Documentation
*/
@Override
public GetKeyPolicyResponse getKeyPolicy(GetKeyPolicyRequest getKeyPolicyRequest) throws NotFoundException,
InvalidArnException, DependencyTimeoutException, KmsInternalException, KmsInvalidStateException, AwsServiceException,
SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(operationMetadata,
GetKeyPolicyResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, getKeyPolicyRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "GetKeyPolicy");
return clientHandler.execute(new ClientExecutionParams()
.withOperationName("GetKeyPolicy").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(getKeyPolicyRequest)
.withMetricCollector(apiCallMetricCollector)
.withMarshaller(new GetKeyPolicyRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Gets a Boolean value that indicates whether automatic rotation of the key
* material is enabled for the specified KMS key.
*
*
* You cannot enable automatic rotation of asymmetric
* KMS keys, KMS keys with imported key material, or
* KMS keys in a custom key store.
* To enable or disable automatic rotation of a set of related multi-Region keys, set the property on the primary key. The key rotation status for these KMS keys is always
* false
.
*
*
* The KMS key that you use for this operation must be in a compatible key state. For details, see Key state: Effect on your KMS key
* in the Key Management Service Developer Guide.
*
*
* -
*
* Disabled: The key rotation status does not change when you disable a KMS key. However, while the KMS key is
* disabled, KMS does not rotate the key material.
*
*
* -
*
* Pending deletion: While a KMS key is pending deletion, its key rotation status is false
and KMS does
* not rotate the key material. If you cancel the deletion, the original key rotation status is restored.
*
*
*
*
* Cross-account use: Yes. To perform this operation on a KMS key in a different Amazon Web Services account,
* specify the key ARN in the value of the KeyId
parameter.
*
*
* Required permissions: kms:GetKeyRotationStatus (key policy)
*
*
* Related operations:
*
*
* -
*
*
* -
*
*
*
*
* @param getKeyRotationStatusRequest
* @return Result of the GetKeyRotationStatus operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KmsInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS
* key in the Key Management Service Developer Guide .
* @throws UnsupportedOperationException
* The request was rejected because a specified parameter is not supported or a specified resource is not
* valid for this operation.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.GetKeyRotationStatus
* @see AWS API
* Documentation
*/
@Override
public GetKeyRotationStatusResponse getKeyRotationStatus(GetKeyRotationStatusRequest getKeyRotationStatusRequest)
throws NotFoundException, InvalidArnException, DependencyTimeoutException, KmsInternalException,
KmsInvalidStateException, UnsupportedOperationException, AwsServiceException, SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(
operationMetadata, GetKeyRotationStatusResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, getKeyRotationStatusRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "GetKeyRotationStatus");
return clientHandler.execute(new ClientExecutionParams()
.withOperationName("GetKeyRotationStatus").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(getKeyRotationStatusRequest)
.withMetricCollector(apiCallMetricCollector)
.withMarshaller(new GetKeyRotationStatusRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Returns the items you need to import key material into a symmetric, customer managed KMS key. For more
* information about importing key material into KMS, see Importing Key Material in
* the Key Management Service Developer Guide.
*
*
* This operation returns a public key and an import token. Use the public key to encrypt the symmetric key
* material. Store the import token to send with a subsequent ImportKeyMaterial request.
*
*
* You must specify the key ID of the symmetric KMS key into which you will import key material. This KMS key's
* Origin
must be EXTERNAL
. You must also specify the wrapping algorithm and type of
* wrapping key (public key) that you will use to encrypt the key material. You cannot perform this operation on an
* asymmetric KMS key or on any KMS key in a different Amazon Web Services account.
*
*
* To import key material, you must use the public key and import token from the same response. These items are
* valid for 24 hours. The expiration date and time appear in the GetParametersForImport
response. You
* cannot use an expired token in an ImportKeyMaterial request. If your key and token expire, send another
* GetParametersForImport
request.
*
*
* The KMS key that you use for this operation must be in a compatible key state. For details, see Key state: Effect on your KMS key
* in the Key Management Service Developer Guide.
*
*
* Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
* account.
*
*
* Required permissions: kms:GetParametersForImport (key policy)
*
*
* Related operations:
*
*
* -
*
*
* -
*
*
*
*
* @param getParametersForImportRequest
* @return Result of the GetParametersForImport operation returned by the service.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws UnsupportedOperationException
* The request was rejected because a specified parameter is not supported or a specified resource is not
* valid for this operation.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KmsInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS
* key in the Key Management Service Developer Guide .
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.GetParametersForImport
* @see AWS
* API Documentation
*/
@Override
public GetParametersForImportResponse getParametersForImport(GetParametersForImportRequest getParametersForImportRequest)
throws InvalidArnException, UnsupportedOperationException, DependencyTimeoutException, NotFoundException,
KmsInternalException, KmsInvalidStateException, AwsServiceException, SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(
operationMetadata, GetParametersForImportResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, getParametersForImportRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "GetParametersForImport");
return clientHandler
.execute(new ClientExecutionParams()
.withOperationName("GetParametersForImport").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(getParametersForImportRequest)
.withMetricCollector(apiCallMetricCollector)
.withMarshaller(new GetParametersForImportRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Returns the public key of an asymmetric KMS key. Unlike the private key of a asymmetric KMS key, which never
* leaves KMS unencrypted, callers with kms:GetPublicKey
permission can download the public key of an
* asymmetric KMS key. You can share the public key to allow others to encrypt messages and verify signatures
* outside of KMS. For information about symmetric and asymmetric KMS keys, see Using Symmetric and
* Asymmetric KMS keys in the Key Management Service Developer Guide.
*
*
* You do not need to download the public key. Instead, you can use the public key within KMS by calling the
* Encrypt, ReEncrypt, or Verify operations with the identifier of an asymmetric KMS key. When
* you use the public key within KMS, you benefit from the authentication, authorization, and logging that are part
* of every KMS operation. You also reduce of risk of encrypting data that cannot be decrypted. These features are
* not effective outside of KMS. For details, see Special Considerations for Downloading Public Keys.
*
*
* To help you use the public key safely outside of KMS, GetPublicKey
returns important information
* about the public key in the response, including:
*
*
* -
*
* KeySpec: The type of key material in the public key, such as RSA_4096
or
* ECC_NIST_P521
.
*
*
* -
*
* KeyUsage: Whether the key is used for encryption or signing.
*
*
* -
*
* EncryptionAlgorithms or SigningAlgorithms: A list of the encryption algorithms or the signing algorithms for the key.
*
*
*
*
* Although KMS cannot enforce these restrictions on external operations, it is crucial that you use this
* information to prevent the public key from being used improperly. For example, you can prevent a public signing
* key from being used encrypt data, or prevent a public key from being used with an encryption algorithm that is
* not supported by KMS. You can also avoid errors, such as using the wrong signing algorithm in a verification
* operation.
*
*
* The KMS key that you use for this operation must be in a compatible key state. For details, see Key state: Effect on your KMS key
* in the Key Management Service Developer Guide.
*
*
* Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services
* account, specify the key ARN or alias ARN in the value of the KeyId
parameter.
*
*
* Required permissions: kms:GetPublicKey (key policy)
*
*
* Related operations: CreateKey
*
*
* @param getPublicKeyRequest
* @return Result of the GetPublicKey operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DisabledException
* The request was rejected because the specified KMS key is not enabled.
* @throws KeyUnavailableException
* The request was rejected because the specified KMS key was not available. You can retry the request.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws UnsupportedOperationException
* The request was rejected because a specified parameter is not supported or a specified resource is not
* valid for this operation.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws InvalidGrantTokenException
* The request was rejected because the specified grant token is not valid.
* @throws InvalidKeyUsageException
* The request was rejected for one of the following reasons:
*
* -
*
* The KeyUsage
value of the KMS key is incompatible with the API operation.
*
*
* -
*
* The encryption algorithm or signing algorithm specified for the operation is incompatible with the type
* of key material in the KMS key (KeySpec
).
*
*
*
*
* For encrypting, decrypting, re-encrypting, and generating data keys, the KeyUsage
must be
* ENCRYPT_DECRYPT
. For signing and verifying, the KeyUsage
must be
* SIGN_VERIFY
. To find the KeyUsage
of a KMS key, use the DescribeKey
* operation.
*
*
* To find the encryption or signing algorithms supported for a particular KMS key, use the
* DescribeKey operation.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KmsInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
*
* For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS
* key in the Key Management Service Developer Guide .
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.GetPublicKey
* @see AWS API
* Documentation
*/
@Override
public GetPublicKeyResponse getPublicKey(GetPublicKeyRequest getPublicKeyRequest) throws NotFoundException,
DisabledException, KeyUnavailableException, DependencyTimeoutException, UnsupportedOperationException,
InvalidArnException, InvalidGrantTokenException, InvalidKeyUsageException, KmsInternalException,
KmsInvalidStateException, AwsServiceException, SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(operationMetadata,
GetPublicKeyResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, getPublicKeyRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "GetPublicKey");
return clientHandler.execute(new ClientExecutionParams()
.withOperationName("GetPublicKey").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(getPublicKeyRequest)
.withMetricCollector(apiCallMetricCollector)
.withMarshaller(new GetPublicKeyRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Imports key material into an existing symmetric KMS KMS key that was created without key material. After you
* successfully import key material into a KMS key, you can reimport
* the same key material into that KMS key, but you cannot import different key material.
*
*
* You cannot perform this operation on an asymmetric KMS key or on any KMS key in a different Amazon Web Services
* account. For more information about creating KMS keys with no key material and then importing key material, see
* Importing Key Material in
* the Key Management Service Developer Guide.
*
*
* Before using this operation, call GetParametersForImport. Its response includes a public key and an import
* token. Use the public key to encrypt the key material. Then, submit the import token from the same
* GetParametersForImport
response.
*
*
* When calling this operation, you must specify the following values:
*
*
* -
*
* The key ID or key ARN of a KMS key with no key material. Its Origin
must be EXTERNAL
.
*
*
* To create a KMS key with no key material, call CreateKey and set the value of its Origin
* parameter to EXTERNAL
. To get the Origin
of a KMS key, call DescribeKey.)
*
*
* -
*
* The encrypted key material. To get the public key to encrypt the key material, call
* GetParametersForImport.
*
*
* -
*
* The import token that GetParametersForImport returned. You must use a public key and token from the same
* GetParametersForImport
response.
*
*
* -
*
* Whether the key material expires and if so, when. If you set an expiration date, KMS deletes the key material
* from the KMS key on the specified date, and the KMS key becomes unusable. To use the KMS key again, you must
* reimport the same key material. The only way to change an expiration date is by reimporting the same key material
* and specifying a new expiration date.
*
*
*
*
* When this operation is successful, the key state of the KMS key changes from PendingImport
to
* Enabled
, and you can use the KMS key.
*
*
* If this operation fails, use the exception to help determine the problem. If the error is related to the key
* material, the import token, or wrapping key, use GetParametersForImport to get a new public key and import
* token for the KMS key and repeat the import procedure. For help, see How To
* Import Key Material in the Key Management Service Developer Guide.
*
*
* The KMS key that you use for this operation must be in a compatible key state. For details, see Key state: Effect on your KMS key
* in the Key Management Service Developer Guide.
*
*
* Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
* account.
*
*
* Required permissions: kms:ImportKeyMaterial (key policy)
*
*
* Related operations:
*
*
* -
*
*
* -
*
*
*
*
* @param importKeyMaterialRequest
* @return Result of the ImportKeyMaterial operation returned by the service.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws UnsupportedOperationException
* The request was rejected because a specified parameter is not supported or a specified resource is not
* valid for this operation.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KmsInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS
* key in the Key Management Service Developer Guide .
* @throws InvalidCiphertextException
* From the Decrypt or ReEncrypt operation, the request was rejected because the specified
* ciphertext, or additional authenticated data incorporated into the ciphertext, such as the encryption
* context, is corrupted, missing, or otherwise invalid.
*
*
* From the ImportKeyMaterial operation, the request was rejected because KMS could not decrypt the
* encrypted (wrapped) key material.
* @throws IncorrectKeyMaterialException
* The request was rejected because the key material in the request is, expired, invalid, or is not the same
* key material that was previously imported into this KMS key.
* @throws ExpiredImportTokenException
* The request was rejected because the specified import token is expired. Use GetParametersForImport
* to get a new import token and public key, use the new public key to encrypt the key material, and then
* try the request again.
* @throws InvalidImportTokenException
* The request was rejected because the provided import token is invalid or is associated with a different
* KMS key.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.ImportKeyMaterial
* @see AWS API
* Documentation
*/
@Override
public ImportKeyMaterialResponse importKeyMaterial(ImportKeyMaterialRequest importKeyMaterialRequest)
throws InvalidArnException, UnsupportedOperationException, DependencyTimeoutException, NotFoundException,
KmsInternalException, KmsInvalidStateException, InvalidCiphertextException, IncorrectKeyMaterialException,
ExpiredImportTokenException, InvalidImportTokenException, AwsServiceException, SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(operationMetadata,
ImportKeyMaterialResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, importKeyMaterialRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "ImportKeyMaterial");
return clientHandler.execute(new ClientExecutionParams()
.withOperationName("ImportKeyMaterial").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(importKeyMaterialRequest)
.withMetricCollector(apiCallMetricCollector)
.withMarshaller(new ImportKeyMaterialRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Gets a list of aliases in the caller's Amazon Web Services account and region. For more information about
* aliases, see CreateAlias.
*
*
* By default, the ListAliases
operation returns all aliases in the account and region. To get only the
* aliases associated with a particular KMS key, use the KeyId
parameter.
*
*
* The ListAliases
response can include aliases that you created and associated with your customer
* managed keys, and aliases that Amazon Web Services created and associated with Amazon Web Services managed keys
* in your account. You can recognize Amazon Web Services aliases because their names have the format
* aws/<service-name>
, such as aws/dynamodb
.
*
*
* The response might also include aliases that have no TargetKeyId
field. These are predefined aliases
* that Amazon Web Services has created but has not yet associated with a KMS key. Aliases that Amazon Web Services
* creates in your account, including predefined aliases, do not count against your KMS aliases quota.
*
*
* Cross-account use: No. ListAliases
does not return aliases in other Amazon Web Services
* accounts.
*
*
* Required permissions: kms:ListAliases (IAM policy)
*
*
* For details, see Controlling access to
* aliases in the Key Management Service Developer Guide.
*
*
* Related operations:
*
*
* -
*
* CreateAlias
*
*
* -
*
* DeleteAlias
*
*
* -
*
* UpdateAlias
*
*
*
*
* @param listAliasesRequest
* @return Result of the ListAliases operation returned by the service.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidMarkerException
* The request was rejected because the marker that specifies where pagination should next begin is not
* valid.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.ListAliases
* @see AWS API
* Documentation
*/
@Override
public ListAliasesResponse listAliases(ListAliasesRequest listAliasesRequest) throws DependencyTimeoutException,
InvalidMarkerException, KmsInternalException, InvalidArnException, NotFoundException, AwsServiceException,
SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(operationMetadata,
ListAliasesResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, listAliasesRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "ListAliases");
return clientHandler.execute(new ClientExecutionParams()
.withOperationName("ListAliases").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(listAliasesRequest)
.withMetricCollector(apiCallMetricCollector)
.withMarshaller(new ListAliasesRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Gets a list of aliases in the caller's Amazon Web Services account and region. For more information about
* aliases, see CreateAlias.
*
*
* By default, the ListAliases
operation returns all aliases in the account and region. To get only the
* aliases associated with a particular KMS key, use the KeyId
parameter.
*
*
* The ListAliases
response can include aliases that you created and associated with your customer
* managed keys, and aliases that Amazon Web Services created and associated with Amazon Web Services managed keys
* in your account. You can recognize Amazon Web Services aliases because their names have the format
* aws/<service-name>
, such as aws/dynamodb
.
*
*
* The response might also include aliases that have no TargetKeyId
field. These are predefined aliases
* that Amazon Web Services has created but has not yet associated with a KMS key. Aliases that Amazon Web Services
* creates in your account, including predefined aliases, do not count against your KMS aliases quota.
*
*
* Cross-account use: No. ListAliases
does not return aliases in other Amazon Web Services
* accounts.
*
*
* Required permissions: kms:ListAliases (IAM policy)
*
*
* For details, see Controlling access to
* aliases in the Key Management Service Developer Guide.
*
*
* Related operations:
*
*
* -
*
* CreateAlias
*
*
* -
*
* DeleteAlias
*
*
* -
*
* UpdateAlias
*
*
*
*
*
* This is a variant of {@link #listAliases(software.amazon.awssdk.services.kms.model.ListAliasesRequest)}
* operation. The return type is a custom iterable that can be used to iterate through all the pages. SDK will
* internally handle making service calls for you.
*
*
* When this operation is called, a custom iterable is returned but no service calls are made yet. So there is no
* guarantee that the request is valid. As you iterate through the iterable, SDK will start lazily loading response
* pages by making service calls until there are no pages left or your iteration stops. If there are errors in your
* request, you will see the failures only after you start iterating through the iterable.
*
*
*
* The following are few ways to iterate through the response pages:
*
* 1) Using a Stream
*
*
* {@code
* software.amazon.awssdk.services.kms.paginators.ListAliasesIterable responses = client.listAliasesPaginator(request);
* responses.stream().forEach(....);
* }
*
*
* 2) Using For loop
*
*
* {
* @code
* software.amazon.awssdk.services.kms.paginators.ListAliasesIterable responses = client.listAliasesPaginator(request);
* for (software.amazon.awssdk.services.kms.model.ListAliasesResponse response : responses) {
* // do something;
* }
* }
*
*
* 3) Use iterator directly
*
*
* {@code
* software.amazon.awssdk.services.kms.paginators.ListAliasesIterable responses = client.listAliasesPaginator(request);
* responses.iterator().forEachRemaining(....);
* }
*
*
* Please notice that the configuration of Limit won't limit the number of results you get with the paginator. It
* only limits the number of results in each page.
*
*
* Note: If you prefer to have control on service calls, use the
* {@link #listAliases(software.amazon.awssdk.services.kms.model.ListAliasesRequest)} operation.
*
*
* @param listAliasesRequest
* @return A custom iterable that can be used to iterate through all the response pages.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidMarkerException
* The request was rejected because the marker that specifies where pagination should next begin is not
* valid.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.ListAliases
* @see AWS API
* Documentation
*/
@Override
public ListAliasesIterable listAliasesPaginator(ListAliasesRequest listAliasesRequest) throws DependencyTimeoutException,
InvalidMarkerException, KmsInternalException, InvalidArnException, NotFoundException, AwsServiceException,
SdkClientException, KmsException {
return new ListAliasesIterable(this, applyPaginatorUserAgent(listAliasesRequest));
}
/**
*
* Gets a list of all grants for the specified KMS key.
*
*
* You must specify the KMS key in all requests. You can filter the grant list by grant ID or grantee principal.
*
*
* For detailed information about grants, including grant terminology, see Using grants in the Key
* Management Service Developer Guide . For examples of working with grants in several programming
* languages, see Programming grants.
*
*
*
* The GranteePrincipal
field in the ListGrants
response usually contains the user or role
* designated as the grantee principal in the grant. However, when the grantee principal in the grant is an Amazon
* Web Services service, the GranteePrincipal
field contains the service principal, which might represent several different grantee principals.
*
*
*
* Cross-account use: Yes. To perform this operation on a KMS key in a different Amazon Web Services account,
* specify the key ARN in the value of the KeyId
parameter.
*
*
* Required permissions: kms:ListGrants (key policy)
*
*
* Related operations:
*
*
* -
*
* CreateGrant
*
*
* -
*
*
* -
*
* RetireGrant
*
*
* -
*
* RevokeGrant
*
*
*
*
* @param listGrantsRequest
* @return Result of the ListGrants operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidMarkerException
* The request was rejected because the marker that specifies where pagination should next begin is not
* valid.
* @throws InvalidGrantIdException
* The request was rejected because the specified GrantId
is not valid.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KmsInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS
* key in the Key Management Service Developer Guide .
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.ListGrants
* @see AWS API
* Documentation
*/
@Override
public ListGrantsResponse listGrants(ListGrantsRequest listGrantsRequest) throws NotFoundException,
DependencyTimeoutException, InvalidMarkerException, InvalidGrantIdException, InvalidArnException,
KmsInternalException, KmsInvalidStateException, AwsServiceException, SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(operationMetadata,
ListGrantsResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, listGrantsRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "ListGrants");
return clientHandler
.execute(new ClientExecutionParams().withOperationName("ListGrants")
.withResponseHandler(responseHandler).withErrorResponseHandler(errorResponseHandler)
.withInput(listGrantsRequest).withMetricCollector(apiCallMetricCollector)
.withMarshaller(new ListGrantsRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Gets a list of all grants for the specified KMS key.
*
*
* You must specify the KMS key in all requests. You can filter the grant list by grant ID or grantee principal.
*
*
* For detailed information about grants, including grant terminology, see Using grants in the Key
* Management Service Developer Guide . For examples of working with grants in several programming
* languages, see Programming grants.
*
*
*
* The GranteePrincipal
field in the ListGrants
response usually contains the user or role
* designated as the grantee principal in the grant. However, when the grantee principal in the grant is an Amazon
* Web Services service, the GranteePrincipal
field contains the service principal, which might represent several different grantee principals.
*
*
*
* Cross-account use: Yes. To perform this operation on a KMS key in a different Amazon Web Services account,
* specify the key ARN in the value of the KeyId
parameter.
*
*
* Required permissions: kms:ListGrants (key policy)
*
*
* Related operations:
*
*
* -
*
* CreateGrant
*
*
* -
*
*
* -
*
* RetireGrant
*
*
* -
*
* RevokeGrant
*
*
*
*
*
* This is a variant of {@link #listGrants(software.amazon.awssdk.services.kms.model.ListGrantsRequest)} operation.
* The return type is a custom iterable that can be used to iterate through all the pages. SDK will internally
* handle making service calls for you.
*
*
* When this operation is called, a custom iterable is returned but no service calls are made yet. So there is no
* guarantee that the request is valid. As you iterate through the iterable, SDK will start lazily loading response
* pages by making service calls until there are no pages left or your iteration stops. If there are errors in your
* request, you will see the failures only after you start iterating through the iterable.
*
*
*
* The following are few ways to iterate through the response pages:
*
* 1) Using a Stream
*
*
* {@code
* software.amazon.awssdk.services.kms.paginators.ListGrantsIterable responses = client.listGrantsPaginator(request);
* responses.stream().forEach(....);
* }
*
*
* 2) Using For loop
*
*
* {
* @code
* software.amazon.awssdk.services.kms.paginators.ListGrantsIterable responses = client.listGrantsPaginator(request);
* for (software.amazon.awssdk.services.kms.model.ListGrantsResponse response : responses) {
* // do something;
* }
* }
*
*
* 3) Use iterator directly
*
*
* {@code
* software.amazon.awssdk.services.kms.paginators.ListGrantsIterable responses = client.listGrantsPaginator(request);
* responses.iterator().forEachRemaining(....);
* }
*
*
* Please notice that the configuration of Limit won't limit the number of results you get with the paginator. It
* only limits the number of results in each page.
*
*
* Note: If you prefer to have control on service calls, use the
* {@link #listGrants(software.amazon.awssdk.services.kms.model.ListGrantsRequest)} operation.
*
*
* @param listGrantsRequest
* @return A custom iterable that can be used to iterate through all the response pages.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidMarkerException
* The request was rejected because the marker that specifies where pagination should next begin is not
* valid.
* @throws InvalidGrantIdException
* The request was rejected because the specified GrantId
is not valid.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KmsInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS
* key in the Key Management Service Developer Guide .
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.ListGrants
* @see AWS API
* Documentation
*/
@Override
public ListGrantsIterable listGrantsPaginator(ListGrantsRequest listGrantsRequest) throws NotFoundException,
DependencyTimeoutException, InvalidMarkerException, InvalidGrantIdException, InvalidArnException,
KmsInternalException, KmsInvalidStateException, AwsServiceException, SdkClientException, KmsException {
return new ListGrantsIterable(this, applyPaginatorUserAgent(listGrantsRequest));
}
/**
*
* Gets the names of the key policies that are attached to a KMS key. This operation is designed to get policy names
* that you can use in a GetKeyPolicy operation. However, the only valid policy name is default
.
*
*
* Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
* account.
*
*
* Required permissions: kms:ListKeyPolicies (key policy)
*
*
* Related operations:
*
*
* -
*
* GetKeyPolicy
*
*
* -
*
* PutKeyPolicy
*
*
*
*
* @param listKeyPoliciesRequest
* @return Result of the ListKeyPolicies operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KmsInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS
* key in the Key Management Service Developer Guide .
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.ListKeyPolicies
* @see AWS API
* Documentation
*/
@Override
public ListKeyPoliciesResponse listKeyPolicies(ListKeyPoliciesRequest listKeyPoliciesRequest) throws NotFoundException,
InvalidArnException, DependencyTimeoutException, KmsInternalException, KmsInvalidStateException, AwsServiceException,
SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(operationMetadata,
ListKeyPoliciesResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, listKeyPoliciesRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "ListKeyPolicies");
return clientHandler.execute(new ClientExecutionParams()
.withOperationName("ListKeyPolicies").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(listKeyPoliciesRequest)
.withMetricCollector(apiCallMetricCollector)
.withMarshaller(new ListKeyPoliciesRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Gets the names of the key policies that are attached to a KMS key. This operation is designed to get policy names
* that you can use in a GetKeyPolicy operation. However, the only valid policy name is default
.
*
*
* Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
* account.
*
*
* Required permissions: kms:ListKeyPolicies (key policy)
*
*
* Related operations:
*
*
* -
*
* GetKeyPolicy
*
*
* -
*
* PutKeyPolicy
*
*
*
*
*
* This is a variant of {@link #listKeyPolicies(software.amazon.awssdk.services.kms.model.ListKeyPoliciesRequest)}
* operation. The return type is a custom iterable that can be used to iterate through all the pages. SDK will
* internally handle making service calls for you.
*
*
* When this operation is called, a custom iterable is returned but no service calls are made yet. So there is no
* guarantee that the request is valid. As you iterate through the iterable, SDK will start lazily loading response
* pages by making service calls until there are no pages left or your iteration stops. If there are errors in your
* request, you will see the failures only after you start iterating through the iterable.
*
*
*
* The following are few ways to iterate through the response pages:
*
* 1) Using a Stream
*
*
* {@code
* software.amazon.awssdk.services.kms.paginators.ListKeyPoliciesIterable responses = client.listKeyPoliciesPaginator(request);
* responses.stream().forEach(....);
* }
*
*
* 2) Using For loop
*
*
* {
* @code
* software.amazon.awssdk.services.kms.paginators.ListKeyPoliciesIterable responses = client.listKeyPoliciesPaginator(request);
* for (software.amazon.awssdk.services.kms.model.ListKeyPoliciesResponse response : responses) {
* // do something;
* }
* }
*
*
* 3) Use iterator directly
*
*
* {@code
* software.amazon.awssdk.services.kms.paginators.ListKeyPoliciesIterable responses = client.listKeyPoliciesPaginator(request);
* responses.iterator().forEachRemaining(....);
* }
*
*
* Please notice that the configuration of Limit won't limit the number of results you get with the paginator. It
* only limits the number of results in each page.
*
*
* Note: If you prefer to have control on service calls, use the
* {@link #listKeyPolicies(software.amazon.awssdk.services.kms.model.ListKeyPoliciesRequest)} operation.
*
*
* @param listKeyPoliciesRequest
* @return A custom iterable that can be used to iterate through all the response pages.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KmsInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS
* key in the Key Management Service Developer Guide .
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.ListKeyPolicies
* @see AWS API
* Documentation
*/
@Override
public ListKeyPoliciesIterable listKeyPoliciesPaginator(ListKeyPoliciesRequest listKeyPoliciesRequest)
throws NotFoundException, InvalidArnException, DependencyTimeoutException, KmsInternalException,
KmsInvalidStateException, AwsServiceException, SdkClientException, KmsException {
return new ListKeyPoliciesIterable(this, applyPaginatorUserAgent(listKeyPoliciesRequest));
}
/**
*
* Gets a list of all KMS keys in the caller's Amazon Web Services account and Region.
*
*
* Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
* account.
*
*
* Required permissions: kms:ListKeys
* (IAM policy)
*
*
* Related operations:
*
*
* -
*
* CreateKey
*
*
* -
*
* DescribeKey
*
*
* -
*
* ListAliases
*
*
* -
*
* ListResourceTags
*
*
*
*
* @param listKeysRequest
* @return Result of the ListKeys operation returned by the service.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws InvalidMarkerException
* The request was rejected because the marker that specifies where pagination should next begin is not
* valid.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.ListKeys
* @see AWS API
* Documentation
*/
@Override
public ListKeysResponse listKeys(ListKeysRequest listKeysRequest) throws DependencyTimeoutException, KmsInternalException,
InvalidMarkerException, AwsServiceException, SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(operationMetadata,
ListKeysResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, listKeysRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "ListKeys");
return clientHandler.execute(new ClientExecutionParams()
.withOperationName("ListKeys").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(listKeysRequest)
.withMetricCollector(apiCallMetricCollector).withMarshaller(new ListKeysRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Gets a list of all KMS keys in the caller's Amazon Web Services account and Region.
*
*
* Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
* account.
*
*
* Required permissions: kms:ListKeys
* (IAM policy)
*
*
* Related operations:
*
*
* -
*
* CreateKey
*
*
* -
*
* DescribeKey
*
*
* -
*
* ListAliases
*
*
* -
*
* ListResourceTags
*
*
*
*
*
* This is a variant of {@link #listKeys(software.amazon.awssdk.services.kms.model.ListKeysRequest)} operation. The
* return type is a custom iterable that can be used to iterate through all the pages. SDK will internally handle
* making service calls for you.
*
*
* When this operation is called, a custom iterable is returned but no service calls are made yet. So there is no
* guarantee that the request is valid. As you iterate through the iterable, SDK will start lazily loading response
* pages by making service calls until there are no pages left or your iteration stops. If there are errors in your
* request, you will see the failures only after you start iterating through the iterable.
*
*
*
* The following are few ways to iterate through the response pages:
*
* 1) Using a Stream
*
*
* {@code
* software.amazon.awssdk.services.kms.paginators.ListKeysIterable responses = client.listKeysPaginator(request);
* responses.stream().forEach(....);
* }
*
*
* 2) Using For loop
*
*
* {
* @code
* software.amazon.awssdk.services.kms.paginators.ListKeysIterable responses = client.listKeysPaginator(request);
* for (software.amazon.awssdk.services.kms.model.ListKeysResponse response : responses) {
* // do something;
* }
* }
*
*
* 3) Use iterator directly
*
*
* {@code
* software.amazon.awssdk.services.kms.paginators.ListKeysIterable responses = client.listKeysPaginator(request);
* responses.iterator().forEachRemaining(....);
* }
*
*
* Please notice that the configuration of Limit won't limit the number of results you get with the paginator. It
* only limits the number of results in each page.
*
*
* Note: If you prefer to have control on service calls, use the
* {@link #listKeys(software.amazon.awssdk.services.kms.model.ListKeysRequest)} operation.
*
*
* @param listKeysRequest
* @return A custom iterable that can be used to iterate through all the response pages.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws InvalidMarkerException
* The request was rejected because the marker that specifies where pagination should next begin is not
* valid.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.ListKeys
* @see AWS API
* Documentation
*/
@Override
public ListKeysIterable listKeysPaginator(ListKeysRequest listKeysRequest) throws DependencyTimeoutException,
KmsInternalException, InvalidMarkerException, AwsServiceException, SdkClientException, KmsException {
return new ListKeysIterable(this, applyPaginatorUserAgent(listKeysRequest));
}
/**
*
* Returns all tags on the specified KMS key.
*
*
* For general information about tags, including the format and syntax, see Tagging Amazon Web Services resources
* in the Amazon Web Services General Reference. For information about using tags in KMS, see Tagging keys.
*
*
* Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
* account.
*
*
* Required permissions: kms:ListResourceTags (key policy)
*
*
* Related operations:
*
*
* -
*
* CreateKey
*
*
* -
*
* ReplicateKey
*
*
* -
*
* TagResource
*
*
* -
*
* UntagResource
*
*
*
*
* @param listResourceTagsRequest
* @return Result of the ListResourceTags operation returned by the service.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws InvalidMarkerException
* The request was rejected because the marker that specifies where pagination should next begin is not
* valid.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.ListResourceTags
* @see AWS API
* Documentation
*/
@Override
public ListResourceTagsResponse listResourceTags(ListResourceTagsRequest listResourceTagsRequest)
throws KmsInternalException, NotFoundException, InvalidArnException, InvalidMarkerException, AwsServiceException,
SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(operationMetadata,
ListResourceTagsResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, listResourceTagsRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "ListResourceTags");
return clientHandler.execute(new ClientExecutionParams()
.withOperationName("ListResourceTags").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(listResourceTagsRequest)
.withMetricCollector(apiCallMetricCollector)
.withMarshaller(new ListResourceTagsRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Returns information about all grants in the Amazon Web Services account and Region that have the specified
* retiring principal.
*
*
* You can specify any principal in your Amazon Web Services account. The grants that are returned include grants
* for KMS keys in your Amazon Web Services account and other Amazon Web Services accounts. You might use this
* operation to determine which grants you may retire. To retire a grant, use the RetireGrant operation.
*
*
* For detailed information about grants, including grant terminology, see Using grants in the Key
* Management Service Developer Guide . For examples of working with grants in several programming
* languages, see Programming grants.
*
*
* Cross-account use: You must specify a principal in your Amazon Web Services account. However, this
* operation can return grants in any Amazon Web Services account. You do not need
* kms:ListRetirableGrants
permission (or any other additional permission) in any Amazon Web Services
* account other than your own.
*
*
* Required permissions: kms:ListRetirableGrants (IAM policy) in your Amazon Web Services account.
*
*
* Related operations:
*
*
* -
*
* CreateGrant
*
*
* -
*
* ListGrants
*
*
* -
*
* RetireGrant
*
*
* -
*
* RevokeGrant
*
*
*
*
* @param listRetirableGrantsRequest
* @return Result of the ListRetirableGrants operation returned by the service.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidMarkerException
* The request was rejected because the marker that specifies where pagination should next begin is not
* valid.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.ListRetirableGrants
* @see AWS API
* Documentation
*/
@Override
public ListRetirableGrantsResponse listRetirableGrants(ListRetirableGrantsRequest listRetirableGrantsRequest)
throws DependencyTimeoutException, InvalidMarkerException, InvalidArnException, NotFoundException,
KmsInternalException, AwsServiceException, SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(
operationMetadata, ListRetirableGrantsResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, listRetirableGrantsRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "ListRetirableGrants");
return clientHandler.execute(new ClientExecutionParams()
.withOperationName("ListRetirableGrants").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(listRetirableGrantsRequest)
.withMetricCollector(apiCallMetricCollector)
.withMarshaller(new ListRetirableGrantsRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Attaches a key policy to the specified KMS key.
*
*
* For more information about key policies, see Key Policies in the Key
* Management Service Developer Guide. For help writing and formatting a JSON policy document, see the IAM JSON Policy Reference in
* the Identity and Access Management User Guide . For examples of adding a key policy in multiple
* programming languages, see Setting a
* key policy in the Key Management Service Developer Guide.
*
*
* Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
* account.
*
*
* Required permissions: kms:PutKeyPolicy (key policy)
*
*
* Related operations: GetKeyPolicy
*
*
* @param putKeyPolicyRequest
* @return Result of the PutKeyPolicy operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws MalformedPolicyDocumentException
* The request was rejected because the specified policy is not syntactically or semantically correct.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws UnsupportedOperationException
* The request was rejected because a specified parameter is not supported or a specified resource is not
* valid for this operation.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws LimitExceededException
* The request was rejected because a quota was exceeded. For more information, see Quotas in the Key
* Management Service Developer Guide.
* @throws KmsInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS
* key in the Key Management Service Developer Guide .
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.PutKeyPolicy
* @see AWS API
* Documentation
*/
@Override
public PutKeyPolicyResponse putKeyPolicy(PutKeyPolicyRequest putKeyPolicyRequest) throws NotFoundException,
InvalidArnException, MalformedPolicyDocumentException, DependencyTimeoutException, UnsupportedOperationException,
KmsInternalException, LimitExceededException, KmsInvalidStateException, AwsServiceException, SdkClientException,
KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(operationMetadata,
PutKeyPolicyResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, putKeyPolicyRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "PutKeyPolicy");
return clientHandler.execute(new ClientExecutionParams()
.withOperationName("PutKeyPolicy").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(putKeyPolicyRequest)
.withMetricCollector(apiCallMetricCollector)
.withMarshaller(new PutKeyPolicyRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Decrypts ciphertext and then reencrypts it entirely within KMS. You can use this operation to change the KMS key
* under which data is encrypted, such as when you manually
* rotate a KMS key or change the KMS key that protects a ciphertext. You can also use it to reencrypt
* ciphertext under the same KMS key, such as to change the encryption context
* of a ciphertext.
*
*
* The ReEncrypt
operation can decrypt ciphertext that was encrypted by using an KMS KMS key in an KMS
* operation, such as Encrypt or GenerateDataKey. It can also decrypt ciphertext that was encrypted by
* using the public key of an asymmetric
* KMS key outside of KMS. However, it cannot decrypt ciphertext produced by other libraries, such as the Amazon Web Services Encryption SDK
* or Amazon S3 client-side
* encryption. These libraries return a ciphertext format that is incompatible with KMS.
*
*
* When you use the ReEncrypt
operation, you need to provide information for the decrypt operation and
* the subsequent encrypt operation.
*
*
* -
*
* If your ciphertext was encrypted under an asymmetric KMS key, you must use the SourceKeyId
parameter
* to identify the KMS key that encrypted the ciphertext. You must also supply the encryption algorithm that was
* used. This information is required to decrypt the data.
*
*
* -
*
* If your ciphertext was encrypted under a symmetric KMS key, the SourceKeyId
parameter is optional.
* KMS can get this information from metadata that it adds to the symmetric ciphertext blob. This feature adds
* durability to your implementation by ensuring that authorized users can decrypt ciphertext decades after it was
* encrypted, even if they've lost track of the key ID. However, specifying the source KMS key is always recommended
* as a best practice. When you use the SourceKeyId
parameter to specify a KMS key, KMS uses only the
* KMS key you specify. If the ciphertext was encrypted under a different KMS key, the ReEncrypt
* operation fails. This practice ensures that you use the KMS key that you intend.
*
*
* -
*
* To reencrypt the data, you must use the DestinationKeyId
parameter specify the KMS key that
* re-encrypts the data after it is decrypted. You can select a symmetric or asymmetric KMS key. If the destination
* KMS key is an asymmetric KMS key, you must also provide the encryption algorithm. The algorithm that you choose
* must be compatible with the KMS key.
*
*
*
* When you use an asymmetric KMS key to encrypt or reencrypt data, be sure to record the KMS key and encryption
* algorithm that you choose. You will be required to provide the same KMS key and encryption algorithm when you
* decrypt the data. If the KMS key and algorithm do not match the values used to encrypt the data, the decrypt
* operation fails.
*
*
* You are not required to supply the key ID and encryption algorithm when you decrypt with symmetric KMS keys
* because KMS stores this information in the ciphertext blob. KMS cannot store metadata in ciphertext generated
* with asymmetric keys. The standard format for asymmetric key ciphertext does not include configurable fields.
*
*
*
*
* The KMS key that you use for this operation must be in a compatible key state. For details, see Key state: Effect on your KMS key
* in the Key Management Service Developer Guide.
*
*
* Cross-account use: Yes. The source KMS key and destination KMS key can be in different Amazon Web Services
* accounts. Either or both KMS keys can be in a different account than the caller. To specify a KMS key in a
* different account, you must use its key ARN or alias ARN.
*
*
* Required permissions:
*
*
* -
*
* kms:
* ReEncryptFrom permission on the source KMS key (key policy)
*
*
* -
*
* kms:ReEncryptTo
* permission on the destination KMS key (key policy)
*
*
*
*
* To permit reencryption from or to a KMS key, include the "kms:ReEncrypt*"
permission in your key policy. This permission is
* automatically included in the key policy when you use the console to create a KMS key. But you must include it
* manually when you create a KMS key programmatically or when you use the PutKeyPolicy operation to set a
* key policy.
*
*
* Related operations:
*
*
* -
*
* Decrypt
*
*
* -
*
* Encrypt
*
*
* -
*
* GenerateDataKey
*
*
* -
*
*
*
*
* @param reEncryptRequest
* @return Result of the ReEncrypt operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DisabledException
* The request was rejected because the specified KMS key is not enabled.
* @throws InvalidCiphertextException
* From the Decrypt or ReEncrypt operation, the request was rejected because the specified
* ciphertext, or additional authenticated data incorporated into the ciphertext, such as the encryption
* context, is corrupted, missing, or otherwise invalid.
*
* From the ImportKeyMaterial operation, the request was rejected because KMS could not decrypt the
* encrypted (wrapped) key material.
* @throws KeyUnavailableException
* The request was rejected because the specified KMS key was not available. You can retry the request.
* @throws IncorrectKeyException
* The request was rejected because the specified KMS key cannot decrypt the data. The KeyId
in
* a Decrypt request and the SourceKeyId
in a ReEncrypt request must identify the
* same KMS key that was used to encrypt the ciphertext.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidKeyUsageException
* The request was rejected for one of the following reasons:
*
*
* -
*
* The KeyUsage
value of the KMS key is incompatible with the API operation.
*
*
* -
*
* The encryption algorithm or signing algorithm specified for the operation is incompatible with the type
* of key material in the KMS key (KeySpec
).
*
*
*
*
* For encrypting, decrypting, re-encrypting, and generating data keys, the KeyUsage
must be
* ENCRYPT_DECRYPT
. For signing and verifying, the KeyUsage
must be
* SIGN_VERIFY
. To find the KeyUsage
of a KMS key, use the DescribeKey
* operation.
*
*
* To find the encryption or signing algorithms supported for a particular KMS key, use the
* DescribeKey operation.
* @throws InvalidGrantTokenException
* The request was rejected because the specified grant token is not valid.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KmsInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
*
* For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS
* key in the Key Management Service Developer Guide .
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.ReEncrypt
* @see AWS API
* Documentation
*/
@Override
public ReEncryptResponse reEncrypt(ReEncryptRequest reEncryptRequest) throws NotFoundException, DisabledException,
InvalidCiphertextException, KeyUnavailableException, IncorrectKeyException, DependencyTimeoutException,
InvalidKeyUsageException, InvalidGrantTokenException, KmsInternalException, KmsInvalidStateException,
AwsServiceException, SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(operationMetadata,
ReEncryptResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, reEncryptRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "ReEncrypt");
return clientHandler.execute(new ClientExecutionParams()
.withOperationName("ReEncrypt").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(reEncryptRequest)
.withMetricCollector(apiCallMetricCollector).withMarshaller(new ReEncryptRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Replicates a multi-Region key into the specified Region. This operation creates a multi-Region replica key based
* on a multi-Region primary key in a different Region of the same Amazon Web Services partition. You can create
* multiple replicas of a primary key, but each must be in a different Region. To create a multi-Region primary key,
* use the CreateKey operation.
*
*
* This operation supports multi-Region keys, an KMS feature that lets you create multiple interoperable KMS
* keys in different Amazon Web Services Regions. Because these KMS keys have the same key ID, key material, and
* other metadata, you can use them interchangeably to encrypt data in one Amazon Web Services Region and decrypt it
* in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more
* information about multi-Region keys, see Using multi-Region
* keys in the Key Management Service Developer Guide.
*
*
* A replica key is a fully-functional KMS key that can be used independently of its primary and peer replica
* keys. A primary key and its replica keys share properties that make them interoperable. They have the same key ID and key
* material. They also have the same key spec, key usage, key material origin,
* and automatic key rotation
* status. KMS automatically synchronizes these shared properties among related multi-Region keys. All other
* properties of a replica key can differ, including its key policy, tags, aliases, and key state. KMS pricing and quotas
* for KMS keys apply to each primary key and replica key.
*
*
* When this operation completes, the new replica key has a transient key state of Creating
. This key
* state changes to Enabled
(or PendingImport
) after a few seconds when the process of
* creating the new replica key is complete. While the key state is Creating
, you can manage key, but
* you cannot yet use it in cryptographic operations. If you are creating and using the replica key
* programmatically, retry on KMSInvalidStateException
or call DescribeKey
to check its
* KeyState
value before using it. For details about the Creating
key state, see Key state: Effect on your KMS key in the Key Management
* Service Developer Guide.
*
*
* The CloudTrail log of a ReplicateKey
operation records a ReplicateKey
operation in the
* primary key's Region and a CreateKey operation in the replica key's Region.
*
*
* If you replicate a multi-Region primary key with imported key material, the replica key is created with no key
* material. You must import the same key material that you imported into the primary key. For details, see Importing key material into multi-Region keys
* in the Key Management Service Developer Guide.
*
*
* To convert a replica key to a primary key, use the UpdatePrimaryRegion operation.
*
*
*
* ReplicateKey
uses different default values for the KeyPolicy
and Tags
* parameters than those used in the KMS console. For details, see the parameter descriptions.
*
*
*
* Cross-account use: No. You cannot use this operation to create a replica key in a different Amazon Web
* Services account.
*
*
* Required permissions:
*
*
* -
*
* kms:ReplicateKey
on the primary key (in the primary key's Region). Include this permission in the
* primary key's key policy.
*
*
* -
*
* kms:CreateKey
in an IAM policy in the replica Region.
*
*
* -
*
* To use the Tags
parameter, kms:TagResource
in an IAM policy in the replica Region.
*
*
*
*
* Related operations
*
*
* -
*
* CreateKey
*
*
* -
*
*
*
*
* @param replicateKeyRequest
* @return Result of the ReplicateKey operation returned by the service.
* @throws AlreadyExistsException
* The request was rejected because it attempted to create a resource that already exists.
* @throws DisabledException
* The request was rejected because the specified KMS key is not enabled.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws KmsInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS
* key in the Key Management Service Developer Guide .
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws LimitExceededException
* The request was rejected because a quota was exceeded. For more information, see Quotas in the Key
* Management Service Developer Guide.
* @throws MalformedPolicyDocumentException
* The request was rejected because the specified policy is not syntactically or semantically correct.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws TagException
* The request was rejected because one or more tags are not valid.
* @throws UnsupportedOperationException
* The request was rejected because a specified parameter is not supported or a specified resource is not
* valid for this operation.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.ReplicateKey
* @see AWS API
* Documentation
*/
@Override
public ReplicateKeyResponse replicateKey(ReplicateKeyRequest replicateKeyRequest) throws AlreadyExistsException,
DisabledException, InvalidArnException, KmsInvalidStateException, KmsInternalException, LimitExceededException,
MalformedPolicyDocumentException, NotFoundException, TagException, UnsupportedOperationException,
AwsServiceException, SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(operationMetadata,
ReplicateKeyResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, replicateKeyRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "ReplicateKey");
return clientHandler.execute(new ClientExecutionParams()
.withOperationName("ReplicateKey").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(replicateKeyRequest)
.withMetricCollector(apiCallMetricCollector)
.withMarshaller(new ReplicateKeyRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Deletes a grant. Typically, you retire a grant when you no longer need its permissions. To identify the grant to
* retire, use a grant
* token, or both the grant ID and a key identifier (key ID or key ARN) of the KMS key. The CreateGrant
* operation returns both values.
*
*
* This operation can be called by the retiring principal for a grant, by the grantee principal if the
* grant allows the RetireGrant
operation, and by the Amazon Web Services account (root user) in which
* the grant is created. It can also be called by principals to whom permission for retiring a grant is delegated.
* For details, see Retiring and revoking
* grants in the Key Management Service Developer Guide.
*
*
* For detailed information about grants, including grant terminology, see Using grants in the Key
* Management Service Developer Guide . For examples of working with grants in several programming
* languages, see Programming grants.
*
*
* Cross-account use: Yes. You can retire a grant on a KMS key in a different Amazon Web Services account.
*
*
* Required permissions::Permission to retire a grant is determined primarily by the grant. For details, see
* Retiring and
* revoking grants in the Key Management Service Developer Guide.
*
*
* Related operations:
*
*
* -
*
* CreateGrant
*
*
* -
*
* ListGrants
*
*
* -
*
*
* -
*
* RevokeGrant
*
*
*
*
* @param retireGrantRequest
* @return Result of the RetireGrant operation returned by the service.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws InvalidGrantTokenException
* The request was rejected because the specified grant token is not valid.
* @throws InvalidGrantIdException
* The request was rejected because the specified GrantId
is not valid.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KmsInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS
* key in the Key Management Service Developer Guide .
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.RetireGrant
* @see AWS API
* Documentation
*/
@Override
public RetireGrantResponse retireGrant(RetireGrantRequest retireGrantRequest) throws InvalidArnException,
InvalidGrantTokenException, InvalidGrantIdException, NotFoundException, DependencyTimeoutException,
KmsInternalException, KmsInvalidStateException, AwsServiceException, SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(operationMetadata,
RetireGrantResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, retireGrantRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "RetireGrant");
return clientHandler.execute(new ClientExecutionParams()
.withOperationName("RetireGrant").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(retireGrantRequest)
.withMetricCollector(apiCallMetricCollector)
.withMarshaller(new RetireGrantRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Deletes the specified grant. You revoke a grant to terminate the permissions that the grant allows. For more
* information, see Retiring and
* revoking grants in the Key Management Service Developer Guide .
*
*
* When you create, retire, or revoke a grant, there might be a brief delay, usually less than five minutes, until
* the grant is available throughout KMS. This state is known as eventual consistency. For details, see Eventual
* consistency in the Key Management Service Developer Guide .
*
*
* For detailed information about grants, including grant terminology, see Using grants in the Key
* Management Service Developer Guide . For examples of working with grants in several programming
* languages, see Programming grants.
*
*
* Cross-account use: Yes. To perform this operation on a KMS key in a different Amazon Web Services account,
* specify the key ARN in the value of the KeyId
parameter.
*
*
* Required permissions: kms:RevokeGrant (key policy).
*
*
* Related operations:
*
*
* -
*
* CreateGrant
*
*
* -
*
* ListGrants
*
*
* -
*
*
* -
*
* RetireGrant
*
*
*
*
* @param revokeGrantRequest
* @return Result of the RevokeGrant operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws InvalidGrantIdException
* The request was rejected because the specified GrantId
is not valid.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KmsInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS
* key in the Key Management Service Developer Guide .
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.RevokeGrant
* @see AWS API
* Documentation
*/
@Override
public RevokeGrantResponse revokeGrant(RevokeGrantRequest revokeGrantRequest) throws NotFoundException,
DependencyTimeoutException, InvalidArnException, InvalidGrantIdException, KmsInternalException,
KmsInvalidStateException, AwsServiceException, SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(operationMetadata,
RevokeGrantResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, revokeGrantRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "RevokeGrant");
return clientHandler.execute(new ClientExecutionParams()
.withOperationName("RevokeGrant").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(revokeGrantRequest)
.withMetricCollector(apiCallMetricCollector)
.withMarshaller(new RevokeGrantRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Schedules the deletion of a KMS key. By default, KMS applies a waiting period of 30 days, but you can specify a
* waiting period of 7-30 days. When this operation is successful, the key state of the KMS key changes to
* PendingDeletion
and the key can't be used in any cryptographic operations. It remains in this state
* for the duration of the waiting period. Before the waiting period ends, you can use CancelKeyDeletion to
* cancel the deletion of the KMS key. After the waiting period ends, KMS deletes the KMS key, its key material, and
* all KMS data associated with it, including all aliases that refer to it.
*
*
*
* Deleting a KMS key is a destructive and potentially dangerous operation. When a KMS key is deleted, all data that
* was encrypted under the KMS key is unrecoverable. (The only exception is a multi-Region replica key.) To prevent
* the use of a KMS key without deleting it, use DisableKey.
*
*
*
* If you schedule deletion of a KMS key from a custom key store,
* when the waiting period expires, ScheduleKeyDeletion
deletes the KMS key from KMS. Then KMS makes a
* best effort to delete the key material from the associated CloudHSM cluster. However, you might need to manually
* delete
* the orphaned key material from the cluster and its backups.
*
*
* You can schedule the deletion of a multi-Region primary key and its replica keys at any time. However, KMS will
* not delete a multi-Region primary key with existing replica keys. If you schedule the deletion of a primary key
* with replicas, its key state changes to PendingReplicaDeletion
and it cannot be replicated or used
* in cryptographic operations. This status can continue indefinitely. When the last of its replicas keys is deleted
* (not just scheduled), the key state of the primary key changes to PendingDeletion
and its waiting
* period (PendingWindowInDays
) begins. For details, see Deleting multi-Region
* keys in the Key Management Service Developer Guide.
*
*
* For more information about scheduling a KMS key for deletion, see Deleting KMS keys in the
* Key Management Service Developer Guide.
*
*
* The KMS key that you use for this operation must be in a compatible key state. For details, see Key state: Effect on your KMS key
* in the Key Management Service Developer Guide.
*
*
* Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
* account.
*
*
* Required permissions: kms:ScheduleKeyDeletion (key policy)
*
*
* Related operations
*
*
* -
*
*
* -
*
* DisableKey
*
*
*
*
* @param scheduleKeyDeletionRequest
* @return Result of the ScheduleKeyDeletion operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KmsInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS
* key in the Key Management Service Developer Guide .
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.ScheduleKeyDeletion
* @see AWS API
* Documentation
*/
@Override
public ScheduleKeyDeletionResponse scheduleKeyDeletion(ScheduleKeyDeletionRequest scheduleKeyDeletionRequest)
throws NotFoundException, InvalidArnException, DependencyTimeoutException, KmsInternalException,
KmsInvalidStateException, AwsServiceException, SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(
operationMetadata, ScheduleKeyDeletionResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, scheduleKeyDeletionRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "ScheduleKeyDeletion");
return clientHandler.execute(new ClientExecutionParams()
.withOperationName("ScheduleKeyDeletion").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(scheduleKeyDeletionRequest)
.withMetricCollector(apiCallMetricCollector)
.withMarshaller(new ScheduleKeyDeletionRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Creates a digital signature for a message or
* message digest by using the private key in an asymmetric KMS key. To verify the signature, use the Verify
* operation, or use the public key in the same asymmetric KMS key outside of KMS. For information about symmetric
* and asymmetric KMS keys, see Using Symmetric and
* Asymmetric KMS keys in the Key Management Service Developer Guide.
*
*
* Digital signatures are generated and verified by using asymmetric key pair, such as an RSA or ECC pair that is
* represented by an asymmetric KMS key. The key owner (or an authorized user) uses their private key to sign a
* message. Anyone with the public key can verify that the message was signed with that particular private key and
* that the message hasn't changed since it was signed.
*
*
* To use the Sign
operation, provide the following information:
*
*
* -
*
* Use the KeyId
parameter to identify an asymmetric KMS key with a KeyUsage
value of
* SIGN_VERIFY
. To get the KeyUsage
value of a KMS key, use the DescribeKey
* operation. The caller must have kms:Sign
permission on the KMS key.
*
*
* -
*
* Use the Message
parameter to specify the message or message digest to sign. You can submit messages
* of up to 4096 bytes. To sign a larger message, generate a hash digest of the message, and then provide the hash
* digest in the Message
parameter. To indicate whether the message is a full message or a digest, use
* the MessageType
parameter.
*
*
* -
*
* Choose a signing algorithm that is compatible with the KMS key.
*
*
*
*
*
* When signing a message, be sure to record the KMS key and the signing algorithm. This information is required to
* verify the signature.
*
*
*
* To verify the signature that this operation generates, use the Verify operation. Or use the
* GetPublicKey operation to download the public key and then use the public key to verify the signature
* outside of KMS.
*
*
* The KMS key that you use for this operation must be in a compatible key state. For details, see Key state: Effect on your KMS key
* in the Key Management Service Developer Guide.
*
*
* Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services
* account, specify the key ARN or alias ARN in the value of the KeyId
parameter.
*
*
* Required permissions: kms:Sign (key
* policy)
*
*
* Related operations: Verify
*
*
* @param signRequest
* @return Result of the Sign operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DisabledException
* The request was rejected because the specified KMS key is not enabled.
* @throws KeyUnavailableException
* The request was rejected because the specified KMS key was not available. You can retry the request.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidKeyUsageException
* The request was rejected for one of the following reasons:
*
* -
*
* The KeyUsage
value of the KMS key is incompatible with the API operation.
*
*
* -
*
* The encryption algorithm or signing algorithm specified for the operation is incompatible with the type
* of key material in the KMS key (KeySpec
).
*
*
*
*
* For encrypting, decrypting, re-encrypting, and generating data keys, the KeyUsage
must be
* ENCRYPT_DECRYPT
. For signing and verifying, the KeyUsage
must be
* SIGN_VERIFY
. To find the KeyUsage
of a KMS key, use the DescribeKey
* operation.
*
*
* To find the encryption or signing algorithms supported for a particular KMS key, use the
* DescribeKey operation.
* @throws InvalidGrantTokenException
* The request was rejected because the specified grant token is not valid.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KmsInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
*
* For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS
* key in the Key Management Service Developer Guide .
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.Sign
* @see AWS API
* Documentation
*/
@Override
public SignResponse sign(SignRequest signRequest) throws NotFoundException, DisabledException, KeyUnavailableException,
DependencyTimeoutException, InvalidKeyUsageException, InvalidGrantTokenException, KmsInternalException,
KmsInvalidStateException, AwsServiceException, SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(operationMetadata,
SignResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, signRequest.overrideConfiguration()
.orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "Sign");
return clientHandler.execute(new ClientExecutionParams().withOperationName("Sign")
.withResponseHandler(responseHandler).withErrorResponseHandler(errorResponseHandler).withInput(signRequest)
.withMetricCollector(apiCallMetricCollector).withMarshaller(new SignRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Adds or edits tags on a customer managed key.
*
*
*
* Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see Using ABAC in KMS in the Key
* Management Service Developer Guide.
*
*
*
* Each tag consists of a tag key and a tag value, both of which are case-sensitive strings. The tag value can be an
* empty (null) string. To add a tag, specify a new tag key and a tag value. To edit a tag, specify an existing tag
* key and a new tag value.
*
*
* You can use this operation to tag a customer managed key,
* but you cannot tag an Amazon Web Services
* managed key, an Amazon Web Services
* owned key, a custom key store,
* or an alias.
*
*
* You can also add tags to a KMS key while creating it (CreateKey) or replicating it (ReplicateKey).
*
*
* For information about using tags in KMS, see Tagging keys. For general
* information about tags, including the format and syntax, see Tagging Amazon Web Services resources
* in the Amazon Web Services General Reference.
*
*
* The KMS key that you use for this operation must be in a compatible key state. For details, see Key state: Effect on your KMS key
* in the Key Management Service Developer Guide.
*
*
* Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
* account.
*
*
* Required permissions: kms:TagResource (key policy)
*
*
* Related operations
*
*
* -
*
* CreateKey
*
*
* -
*
* ListResourceTags
*
*
* -
*
* ReplicateKey
*
*
* -
*
* UntagResource
*
*
*
*
* @param tagResourceRequest
* @return Result of the TagResource operation returned by the service.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws KmsInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS
* key in the Key Management Service Developer Guide .
* @throws LimitExceededException
* The request was rejected because a quota was exceeded. For more information, see Quotas in the Key
* Management Service Developer Guide.
* @throws TagException
* The request was rejected because one or more tags are not valid.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.TagResource
* @see AWS API
* Documentation
*/
@Override
public TagResourceResponse tagResource(TagResourceRequest tagResourceRequest) throws KmsInternalException, NotFoundException,
InvalidArnException, KmsInvalidStateException, LimitExceededException, TagException, AwsServiceException,
SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(operationMetadata,
TagResourceResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, tagResourceRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "TagResource");
return clientHandler.execute(new ClientExecutionParams()
.withOperationName("TagResource").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(tagResourceRequest)
.withMetricCollector(apiCallMetricCollector)
.withMarshaller(new TagResourceRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Deletes tags from a customer managed key.
* To delete a tag, specify the tag key and the KMS key.
*
*
*
* Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see Using ABAC in KMS in the Key
* Management Service Developer Guide.
*
*
*
* When it succeeds, the UntagResource
operation doesn't return any output. Also, if the specified tag
* key isn't found on the KMS key, it doesn't throw an exception or return a response. To confirm that the operation
* worked, use the ListResourceTags operation.
*
*
* For information about using tags in KMS, see Tagging keys. For general
* information about tags, including the format and syntax, see Tagging Amazon Web Services resources
* in the Amazon Web Services General Reference.
*
*
* The KMS key that you use for this operation must be in a compatible key state. For details, see Key state: Effect on your KMS key
* in the Key Management Service Developer Guide.
*
*
* Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
* account.
*
*
* Required permissions: kms:UntagResource (key policy)
*
*
* Related operations
*
*
* -
*
* CreateKey
*
*
* -
*
* ListResourceTags
*
*
* -
*
* ReplicateKey
*
*
* -
*
* TagResource
*
*
*
*
* @param untagResourceRequest
* @return Result of the UntagResource operation returned by the service.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws KmsInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS
* key in the Key Management Service Developer Guide .
* @throws TagException
* The request was rejected because one or more tags are not valid.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.UntagResource
* @see AWS API
* Documentation
*/
@Override
public UntagResourceResponse untagResource(UntagResourceRequest untagResourceRequest) throws KmsInternalException,
NotFoundException, InvalidArnException, KmsInvalidStateException, TagException, AwsServiceException,
SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(operationMetadata,
UntagResourceResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, untagResourceRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "UntagResource");
return clientHandler.execute(new ClientExecutionParams()
.withOperationName("UntagResource").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(untagResourceRequest)
.withMetricCollector(apiCallMetricCollector)
.withMarshaller(new UntagResourceRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Associates an existing KMS alias with a different KMS key. Each alias is associated with only one KMS key at a
* time, although a KMS key can have multiple aliases. The alias and the KMS key must be in the same Amazon Web
* Services account and Region.
*
*
*
* Adding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see Using ABAC in KMS in the Key
* Management Service Developer Guide.
*
*
*
* The current and new KMS key must be the same type (both symmetric or both asymmetric), and they must have the
* same key usage (ENCRYPT_DECRYPT
or SIGN_VERIFY
). This restriction prevents errors in
* code that uses aliases. If you must assign an alias to a different type of KMS key, use DeleteAlias to
* delete the old alias and CreateAlias to create a new alias.
*
*
* You cannot use UpdateAlias
to change an alias name. To change an alias name, use DeleteAlias
* to delete the old alias and CreateAlias to create a new alias.
*
*
* Because an alias is not a property of a KMS key, you can create, update, and delete the aliases of a KMS key
* without affecting the KMS key. Also, aliases do not appear in the response from the DescribeKey operation.
* To get the aliases of all KMS keys in the account, use the ListAliases operation.
*
*
* The KMS key that you use for this operation must be in a compatible key state. For details, see Key state: Effect on your KMS key
* in the Key Management Service Developer Guide.
*
*
* Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
* account.
*
*
* Required permissions
*
*
* -
*
* kms:UpdateAlias
* on the alias (IAM policy).
*
*
* -
*
* kms:UpdateAlias
* on the current KMS key (key policy).
*
*
* -
*
* kms:UpdateAlias
* on the new KMS key (key policy).
*
*
*
*
* For details, see Controlling access to
* aliases in the Key Management Service Developer Guide.
*
*
* Related operations:
*
*
* -
*
* CreateAlias
*
*
* -
*
* DeleteAlias
*
*
* -
*
* ListAliases
*
*
*
*
* @param updateAliasRequest
* @return Result of the UpdateAlias operation returned by the service.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws LimitExceededException
* The request was rejected because a quota was exceeded. For more information, see Quotas in the Key
* Management Service Developer Guide.
* @throws KmsInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS
* key in the Key Management Service Developer Guide .
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.UpdateAlias
* @see AWS API
* Documentation
*/
@Override
public UpdateAliasResponse updateAlias(UpdateAliasRequest updateAliasRequest) throws DependencyTimeoutException,
NotFoundException, KmsInternalException, LimitExceededException, KmsInvalidStateException, AwsServiceException,
SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(operationMetadata,
UpdateAliasResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, updateAliasRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "UpdateAlias");
return clientHandler.execute(new ClientExecutionParams()
.withOperationName("UpdateAlias").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(updateAliasRequest)
.withMetricCollector(apiCallMetricCollector)
.withMarshaller(new UpdateAliasRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Changes the properties of a custom key store. Use the CustomKeyStoreId
parameter to identify the
* custom key store you want to edit. Use the remaining parameters to change the properties of the custom key store.
*
*
* You can only update a custom key store that is disconnected. To disconnect the custom key store, use
* DisconnectCustomKeyStore. To reconnect the custom key store after the update completes, use
* ConnectCustomKeyStore. To find the connection state of a custom key store, use the
* DescribeCustomKeyStores operation.
*
*
* The CustomKeyStoreId
parameter is required in all commands. Use the other parameters of
* UpdateCustomKeyStore
to edit your key store settings.
*
*
* -
*
* Use the NewCustomKeyStoreName
parameter to change the friendly name of the custom key store to the
* value that you specify.
*
*
*
* -
*
* Use the KeyStorePassword
parameter tell KMS the current password of the
* kmsuser
crypto user (CU) in the associated CloudHSM cluster. You can use this parameter to fix
* connection failures that occur when KMS cannot log into the associated cluster because the
* kmsuser
password has changed. This value does not change the password in the CloudHSM cluster.
*
*
*
* -
*
* Use the CloudHsmClusterId
parameter to associate the custom key store with a different, but related,
* CloudHSM cluster. You can use this parameter to repair a custom key store if its CloudHSM cluster becomes
* corrupted or is deleted, or when you need to create or restore a cluster from a backup.
*
*
*
*
* If the operation succeeds, it returns a JSON object with no properties.
*
*
* This operation is part of the Custom Key Store
* feature feature in KMS, which combines the convenience and extensive integration of KMS with the isolation
* and control of a single-tenant key store.
*
*
* Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web
* Services account.
*
*
* Required permissions: kms:UpdateCustomKeyStore (IAM policy)
*
*
* Related operations:
*
*
* -
*
*
* -
*
*
* -
*
*
* -
*
*
* -
*
*
*
*
* @param updateCustomKeyStoreRequest
* @return Result of the UpdateCustomKeyStore operation returned by the service.
* @throws CustomKeyStoreNotFoundException
* The request was rejected because KMS cannot find a custom key store with the specified key store name or
* ID.
* @throws CustomKeyStoreNameInUseException
* The request was rejected because the specified custom key store name is already assigned to another
* custom key store in the account. Try again with a custom key store name that is unique in the account.
* @throws CloudHsmClusterNotFoundException
* The request was rejected because KMS cannot find the CloudHSM cluster with the specified cluster ID.
* Retry the request with a different cluster ID.
* @throws CloudHsmClusterNotRelatedException
* The request was rejected because the specified CloudHSM cluster has a different cluster certificate than
* the original cluster. You cannot use the operation to specify an unrelated cluster.
*
* Specify a cluster that shares a backup history with the original cluster. This includes clusters that
* were created from a backup of the current cluster, and clusters that were created from the same backup
* that produced the current cluster.
*
*
* Clusters that share a backup history have the same cluster certificate. To view the cluster certificate
* of a cluster, use the DescribeClusters operation.
* @throws CustomKeyStoreInvalidStateException
* The request was rejected because of the ConnectionState
of the custom key store. To get the
* ConnectionState
of a custom key store, use the DescribeCustomKeyStores operation.
*
*
* This exception is thrown under the following conditions:
*
*
* -
*
* You requested the CreateKey or GenerateRandom operation in a custom key store that is not
* connected. These operations are valid only when the custom key store ConnectionState
is
* CONNECTED
.
*
*
* -
*
* You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation on a custom key
* store that is not disconnected. This operation is valid only when the custom key store
* ConnectionState
is DISCONNECTED
.
*
*
* -
*
* You requested the ConnectCustomKeyStore operation on a custom key store with a
* ConnectionState
of DISCONNECTING
or FAILED
. This operation is
* valid for all other ConnectionState
values.
*
*
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws CloudHsmClusterNotActiveException
* The request was rejected because the CloudHSM cluster that is associated with the custom key store is not
* active. Initialize and activate the cluster and try the command again. For detailed instructions, see Getting Started in
* the CloudHSM User Guide.
* @throws CloudHsmClusterInvalidConfigurationException
* The request was rejected because the associated CloudHSM cluster did not meet the configuration
* requirements for a custom key store.
*
* -
*
* The cluster must be configured with private subnets in at least two different Availability Zones in the
* Region.
*
*
* -
*
* The security group for
* the cluster (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound
* rules that allow TCP traffic on ports 2223-2225. The Source in the inbound rules and the
* Destination in the outbound rules must match the security group ID. These rules are set by default
* when you create the cluster. Do not delete or change them. To get information about a particular security
* group, use the DescribeSecurityGroups operation.
*
*
* -
*
* The cluster must contain at least as many HSMs as the operation requires. To add HSMs, use the CloudHSM
* CreateHsm
* operation.
*
*
* For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey operations, the
* CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone. For the
* ConnectCustomKeyStore operation, the CloudHSM must contain at least one active HSM.
*
*
*
*
* For information about the requirements for an CloudHSM cluster that is associated with a custom key
* store, see Assemble the Prerequisites in the Key Management Service Developer Guide. For information
* about creating a private subnet for an CloudHSM cluster, see Create a Private
* Subnet in the CloudHSM User Guide. For information about cluster security groups, see Configure a Default
* Security Group in the CloudHSM User Guide .
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.UpdateCustomKeyStore
* @see AWS API
* Documentation
*/
@Override
public UpdateCustomKeyStoreResponse updateCustomKeyStore(UpdateCustomKeyStoreRequest updateCustomKeyStoreRequest)
throws CustomKeyStoreNotFoundException, CustomKeyStoreNameInUseException, CloudHsmClusterNotFoundException,
CloudHsmClusterNotRelatedException, CustomKeyStoreInvalidStateException, KmsInternalException,
CloudHsmClusterNotActiveException, CloudHsmClusterInvalidConfigurationException, AwsServiceException,
SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(
operationMetadata, UpdateCustomKeyStoreResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, updateCustomKeyStoreRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "UpdateCustomKeyStore");
return clientHandler.execute(new ClientExecutionParams()
.withOperationName("UpdateCustomKeyStore").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(updateCustomKeyStoreRequest)
.withMetricCollector(apiCallMetricCollector)
.withMarshaller(new UpdateCustomKeyStoreRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Updates the description of a KMS key. To see the description of a KMS key, use DescribeKey.
*
*
* The KMS key that you use for this operation must be in a compatible key state. For details, see Key state: Effect on your KMS key
* in the Key Management Service Developer Guide.
*
*
* Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
* account.
*
*
* Required permissions: kms:UpdateKeyDescription (key policy)
*
*
* Related operations
*
*
* -
*
* CreateKey
*
*
* -
*
* DescribeKey
*
*
*
*
* @param updateKeyDescriptionRequest
* @return Result of the UpdateKeyDescription operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KmsInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS
* key in the Key Management Service Developer Guide .
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.UpdateKeyDescription
* @see AWS API
* Documentation
*/
@Override
public UpdateKeyDescriptionResponse updateKeyDescription(UpdateKeyDescriptionRequest updateKeyDescriptionRequest)
throws NotFoundException, InvalidArnException, DependencyTimeoutException, KmsInternalException,
KmsInvalidStateException, AwsServiceException, SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(
operationMetadata, UpdateKeyDescriptionResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, updateKeyDescriptionRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "UpdateKeyDescription");
return clientHandler.execute(new ClientExecutionParams()
.withOperationName("UpdateKeyDescription").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(updateKeyDescriptionRequest)
.withMetricCollector(apiCallMetricCollector)
.withMarshaller(new UpdateKeyDescriptionRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Changes the primary key of a multi-Region key.
*
*
* This operation changes the replica key in the specified Region to a primary key and changes the former primary
* key to a replica key. For example, suppose you have a primary key in us-east-1
and a replica key in
* eu-west-2
. If you run UpdatePrimaryRegion
with a PrimaryRegion
value of
* eu-west-2
, the primary key is now the key in eu-west-2
, and the key in
* us-east-1
becomes a replica key. For details, see Updating the primary Region in the Key Management Service Developer Guide.
*
*
* This operation supports multi-Region keys, an KMS feature that lets you create multiple interoperable KMS
* keys in different Amazon Web Services Regions. Because these KMS keys have the same key ID, key material, and
* other metadata, you can use them interchangeably to encrypt data in one Amazon Web Services Region and decrypt it
* in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more
* information about multi-Region keys, see Using multi-Region
* keys in the Key Management Service Developer Guide.
*
*
* The primary key of a multi-Region key is the source for properties that are always shared by primary and
* replica keys, including the key material, key ID, key spec, key usage, key material origin,
* and automatic key rotation.
* It's the only key that can be replicated. You cannot delete the primary
* key until all replica keys are deleted.
*
*
* The key ID and primary Region that you specify uniquely identify the replica key that will become the primary
* key. The primary Region must already have a replica key. This operation does not create a KMS key in the
* specified Region. To find the replica keys, use the DescribeKey operation on the primary key or any
* replica key. To create a replica key, use the ReplicateKey operation.
*
*
* You can run this operation while using the affected multi-Region keys in cryptographic operations. This operation
* should not delay, interrupt, or cause failures in cryptographic operations.
*
*
* Even after this operation completes, the process of updating the primary Region might still be in progress for a
* few more seconds. Operations such as DescribeKey
might display both the old and new primary keys as
* replicas. The old and new primary keys have a transient key state of Updating
. The original key
* state is restored when the update is complete. While the key state is Updating
, you can use the keys
* in cryptographic operations, but you cannot replicate the new primary key or perform certain management
* operations, such as enabling or disabling these keys. For details about the Updating
key state, see
* Key state: Effect on your KMS key in the Key Management
* Service Developer Guide.
*
*
* This operation does not return any output. To verify that primary key is changed, use the DescribeKey
* operation.
*
*
* Cross-account use: No. You cannot use this operation in a different Amazon Web Services account.
*
*
* Required permissions:
*
*
* -
*
* kms:UpdatePrimaryRegion
on the current primary key (in the primary key's Region). Include this
* permission primary key's key policy.
*
*
* -
*
* kms:UpdatePrimaryRegion
on the current replica key (in the replica key's Region). Include this
* permission in the replica key's key policy.
*
*
*
*
* Related operations
*
*
* -
*
* CreateKey
*
*
* -
*
* ReplicateKey
*
*
*
*
* @param updatePrimaryRegionRequest
* @return Result of the UpdatePrimaryRegion operation returned by the service.
* @throws DisabledException
* The request was rejected because the specified KMS key is not enabled.
* @throws InvalidArnException
* The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws KmsInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
* For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS
* key in the Key Management Service Developer Guide .
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws UnsupportedOperationException
* The request was rejected because a specified parameter is not supported or a specified resource is not
* valid for this operation.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.UpdatePrimaryRegion
* @see AWS API
* Documentation
*/
@Override
public UpdatePrimaryRegionResponse updatePrimaryRegion(UpdatePrimaryRegionRequest updatePrimaryRegionRequest)
throws DisabledException, InvalidArnException, KmsInvalidStateException, KmsInternalException, NotFoundException,
UnsupportedOperationException, AwsServiceException, SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(
operationMetadata, UpdatePrimaryRegionResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, updatePrimaryRegionRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "UpdatePrimaryRegion");
return clientHandler.execute(new ClientExecutionParams()
.withOperationName("UpdatePrimaryRegion").withResponseHandler(responseHandler)
.withErrorResponseHandler(errorResponseHandler).withInput(updatePrimaryRegionRequest)
.withMetricCollector(apiCallMetricCollector)
.withMarshaller(new UpdatePrimaryRegionRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
/**
*
* Verifies a digital signature that was generated by the Sign operation.
*
*
*
* Verification confirms that an authorized user signed the message with the specified KMS key and signing
* algorithm, and the message hasn't changed since it was signed. If the signature is verified, the value of the
* SignatureValid
field in the response is True
. If the signature verification fails, the
* Verify
operation fails with an KMSInvalidSignatureException
exception.
*
*
* A digital signature is generated by using the private key in an asymmetric KMS key. The signature is verified by
* using the public key in the same asymmetric KMS key. For information about symmetric and asymmetric KMS keys, see
* Using Symmetric and
* Asymmetric KMS keys in the Key Management Service Developer Guide.
*
*
* To verify a digital signature, you can use the Verify
operation. Specify the same asymmetric KMS
* key, message, and signing algorithm that were used to produce the signature.
*
*
* You can also verify the digital signature by using the public key of the KMS key outside of KMS. Use the
* GetPublicKey operation to download the public key in the asymmetric KMS key and then use the public key to
* verify the signature outside of KMS. The advantage of using the Verify
operation is that it is
* performed within KMS. As a result, it's easy to call, the operation is performed within the FIPS boundary, it is
* logged in CloudTrail, and you can use key policy and IAM policy to determine who is authorized to use the KMS key
* to verify signatures.
*
*
* The KMS key that you use for this operation must be in a compatible key state. For details, see Key state: Effect on your KMS key
* in the Key Management Service Developer Guide.
*
*
* Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services
* account, specify the key ARN or alias ARN in the value of the KeyId
parameter.
*
*
* Required permissions: kms:Verify
* (key policy)
*
*
* Related operations: Sign
*
*
* @param verifyRequest
* @return Result of the Verify operation returned by the service.
* @throws NotFoundException
* The request was rejected because the specified entity or resource could not be found.
* @throws DisabledException
* The request was rejected because the specified KMS key is not enabled.
* @throws KeyUnavailableException
* The request was rejected because the specified KMS key was not available. You can retry the request.
* @throws DependencyTimeoutException
* The system timed out while trying to fulfill the request. The request can be retried.
* @throws InvalidKeyUsageException
* The request was rejected for one of the following reasons:
*
* -
*
* The KeyUsage
value of the KMS key is incompatible with the API operation.
*
*
* -
*
* The encryption algorithm or signing algorithm specified for the operation is incompatible with the type
* of key material in the KMS key (KeySpec
).
*
*
*
*
* For encrypting, decrypting, re-encrypting, and generating data keys, the KeyUsage
must be
* ENCRYPT_DECRYPT
. For signing and verifying, the KeyUsage
must be
* SIGN_VERIFY
. To find the KeyUsage
of a KMS key, use the DescribeKey
* operation.
*
*
* To find the encryption or signing algorithms supported for a particular KMS key, use the
* DescribeKey operation.
* @throws InvalidGrantTokenException
* The request was rejected because the specified grant token is not valid.
* @throws KmsInternalException
* The request was rejected because an internal exception occurred. The request can be retried.
* @throws KmsInvalidStateException
* The request was rejected because the state of the specified resource is not valid for this request.
*
*
* For more information about how key state affects the use of a KMS key, see Key state: Effect on your KMS
* key in the Key Management Service Developer Guide .
* @throws KmsInvalidSignatureException
* The request was rejected because the signature verification failed. Signature verification fails when it
* cannot confirm that signature was produced by signing the specified message with the specified KMS key
* and signing algorithm.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.Verify
* @see AWS API
* Documentation
*/
@Override
public VerifyResponse verify(VerifyRequest verifyRequest) throws NotFoundException, DisabledException,
KeyUnavailableException, DependencyTimeoutException, InvalidKeyUsageException, InvalidGrantTokenException,
KmsInternalException, KmsInvalidStateException, KmsInvalidSignatureException, AwsServiceException,
SdkClientException, KmsException {
JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
.isPayloadJson(true).build();
HttpResponseHandler responseHandler = protocolFactory.createResponseHandler(operationMetadata,
VerifyResponse::builder);
HttpResponseHandler errorResponseHandler = createErrorResponseHandler(protocolFactory,
operationMetadata);
List metricPublishers = resolveMetricPublishers(clientConfiguration, verifyRequest
.overrideConfiguration().orElse(null));
MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create() : MetricCollector
.create("ApiCall");
try {
apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "KMS");
apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "Verify");
return clientHandler.execute(new ClientExecutionParams().withOperationName("Verify")
.withResponseHandler(responseHandler).withErrorResponseHandler(errorResponseHandler).withInput(verifyRequest)
.withMetricCollector(apiCallMetricCollector).withMarshaller(new VerifyRequestMarshaller(protocolFactory)));
} finally {
metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
}
}
private static List resolveMetricPublishers(SdkClientConfiguration clientConfiguration,
RequestOverrideConfiguration requestOverrideConfiguration) {
List publishers = null;
if (requestOverrideConfiguration != null) {
publishers = requestOverrideConfiguration.metricPublishers();
}
if (publishers == null || publishers.isEmpty()) {
publishers = clientConfiguration.option(SdkClientOption.METRIC_PUBLISHERS);
}
if (publishers == null) {
publishers = Collections.emptyList();
}
return publishers;
}
private HttpResponseHandler createErrorResponseHandler(BaseAwsJsonProtocolFactory protocolFactory,
JsonOperationMetadata operationMetadata) {
return protocolFactory.createErrorResponseHandler(operationMetadata);
}
private > T init(T builder) {
return builder
.clientConfiguration(clientConfiguration)
.defaultServiceExceptionSupplier(KmsException::builder)
.protocol(AwsJsonProtocol.AWS_JSON)
.protocolVersion("1.1")
.registerModeledException(
ExceptionMetadata.builder().errorCode("CloudHsmClusterNotFoundException")
.exceptionBuilderSupplier(CloudHsmClusterNotFoundException::builder).build())
.registerModeledException(
ExceptionMetadata.builder().errorCode("ExpiredImportTokenException")
.exceptionBuilderSupplier(ExpiredImportTokenException::builder).build())
.registerModeledException(
ExceptionMetadata.builder().errorCode("CustomKeyStoreNotFoundException")
.exceptionBuilderSupplier(CustomKeyStoreNotFoundException::builder).build())
.registerModeledException(
ExceptionMetadata.builder().errorCode("MalformedPolicyDocumentException")
.exceptionBuilderSupplier(MalformedPolicyDocumentException::builder).build())
.registerModeledException(
ExceptionMetadata.builder().errorCode("IncorrectKeyMaterialException")
.exceptionBuilderSupplier(IncorrectKeyMaterialException::builder).build())
.registerModeledException(
ExceptionMetadata.builder().errorCode("InvalidImportTokenException")
.exceptionBuilderSupplier(InvalidImportTokenException::builder).build())
.registerModeledException(
ExceptionMetadata.builder().errorCode("KMSInvalidStateException")
.exceptionBuilderSupplier(KmsInvalidStateException::builder).build())
.registerModeledException(
ExceptionMetadata.builder().errorCode("InvalidArnException")
.exceptionBuilderSupplier(InvalidArnException::builder).build())
.registerModeledException(
ExceptionMetadata.builder().errorCode("CloudHsmClusterNotRelatedException")
.exceptionBuilderSupplier(CloudHsmClusterNotRelatedException::builder).build())
.registerModeledException(
ExceptionMetadata.builder().errorCode("CustomKeyStoreInvalidStateException")
.exceptionBuilderSupplier(CustomKeyStoreInvalidStateException::builder).build())
.registerModeledException(
ExceptionMetadata.builder().errorCode("IncorrectTrustAnchorException")
.exceptionBuilderSupplier(IncorrectTrustAnchorException::builder).build())
.registerModeledException(
ExceptionMetadata.builder().errorCode("DisabledException")
.exceptionBuilderSupplier(DisabledException::builder).build())
.registerModeledException(
ExceptionMetadata.builder().errorCode("NotFoundException")
.exceptionBuilderSupplier(NotFoundException::builder).build())
.registerModeledException(
ExceptionMetadata.builder().errorCode("KeyUnavailableException")
.exceptionBuilderSupplier(KeyUnavailableException::builder).build())
.registerModeledException(
ExceptionMetadata.builder().errorCode("KMSInvalidSignatureException")
.exceptionBuilderSupplier(KmsInvalidSignatureException::builder).build())
.registerModeledException(
ExceptionMetadata.builder().errorCode("KMSInternalException")
.exceptionBuilderSupplier(KmsInternalException::builder).build())
.registerModeledException(
ExceptionMetadata.builder().errorCode("LimitExceededException")
.exceptionBuilderSupplier(LimitExceededException::builder).build())
.registerModeledException(
ExceptionMetadata.builder().errorCode("CloudHsmClusterInUseException")
.exceptionBuilderSupplier(CloudHsmClusterInUseException::builder).build())
.registerModeledException(
ExceptionMetadata.builder().errorCode("InvalidCiphertextException")
.exceptionBuilderSupplier(InvalidCiphertextException::builder).build())
.registerModeledException(
ExceptionMetadata.builder().errorCode("InvalidGrantIdException")
.exceptionBuilderSupplier(InvalidGrantIdException::builder).build())
.registerModeledException(
ExceptionMetadata.builder().errorCode("CustomKeyStoreHasCMKsException")
.exceptionBuilderSupplier(CustomKeyStoreHasCmKsException::builder).build())
.registerModeledException(
ExceptionMetadata.builder().errorCode("IncorrectKeyException")
.exceptionBuilderSupplier(IncorrectKeyException::builder).build())
.registerModeledException(
ExceptionMetadata.builder().errorCode("InvalidGrantTokenException")
.exceptionBuilderSupplier(InvalidGrantTokenException::builder).build())
.registerModeledException(
ExceptionMetadata.builder().errorCode("UnsupportedOperationException")
.exceptionBuilderSupplier(UnsupportedOperationException::builder).build())
.registerModeledException(
ExceptionMetadata.builder().errorCode("CustomKeyStoreNameInUseException")
.exceptionBuilderSupplier(CustomKeyStoreNameInUseException::builder).build())
.registerModeledException(
ExceptionMetadata.builder().errorCode("AlreadyExistsException")
.exceptionBuilderSupplier(AlreadyExistsException::builder).build())
.registerModeledException(
ExceptionMetadata.builder().errorCode("TagException").exceptionBuilderSupplier(TagException::builder)
.build())
.registerModeledException(
ExceptionMetadata.builder().errorCode("InvalidKeyUsageException")
.exceptionBuilderSupplier(InvalidKeyUsageException::builder).build())
.registerModeledException(
ExceptionMetadata.builder().errorCode("CloudHsmClusterInvalidConfigurationException")
.exceptionBuilderSupplier(CloudHsmClusterInvalidConfigurationException::builder).build())
.registerModeledException(
ExceptionMetadata.builder().errorCode("InvalidMarkerException")
.exceptionBuilderSupplier(InvalidMarkerException::builder).build())
.registerModeledException(
ExceptionMetadata.builder().errorCode("InvalidAliasNameException")
.exceptionBuilderSupplier(InvalidAliasNameException::builder).build())
.registerModeledException(
ExceptionMetadata.builder().errorCode("DependencyTimeoutException")
.exceptionBuilderSupplier(DependencyTimeoutException::builder).build())
.registerModeledException(
ExceptionMetadata.builder().errorCode("CloudHsmClusterNotActiveException")
.exceptionBuilderSupplier(CloudHsmClusterNotActiveException::builder).build());
}
@Override
public void close() {
clientHandler.close();
}
private T applyPaginatorUserAgent(T request) {
Consumer userAgentApplier = b -> b.addApiName(ApiName.builder()
.version(VersionInfo.SDK_VERSION).name("PAGINATED").build());
AwsRequestOverrideConfiguration overrideConfiguration = request.overrideConfiguration()
.map(c -> c.toBuilder().applyMutation(userAgentApplier).build())
.orElse((AwsRequestOverrideConfiguration.builder().applyMutation(userAgentApplier).build()));
return (T) request.toBuilder().overrideConfiguration(overrideConfiguration).build();
}
}