From 80508f5111049f7f13295423d8fa8dcb3d26bd90 Mon Sep 17 00:00:00 2001 From: AWS SDK for Go v2 automation user Date: Fri, 5 Jan 2024 19:09:34 +0000 Subject: [PATCH] Update API model --- codegen/sdk-codegen/aws-models/connect.json | 25 +- codegen/sdk-codegen/aws-models/kms.json | 284 +++++++++++++++++- codegen/sdk-codegen/aws-models/qconnect.json | 3 +- .../aws-models/redshift-serverless.json | 6 +- 4 files changed, 296 insertions(+), 22 deletions(-) diff --git a/codegen/sdk-codegen/aws-models/connect.json b/codegen/sdk-codegen/aws-models/connect.json index f819e07c715..695ef921d37 100644 --- a/codegen/sdk-codegen/aws-models/connect.json +++ b/codegen/sdk-codegen/aws-models/connect.json @@ -316,7 +316,8 @@ "smithy.api#length": { "min": 1, "max": 100 - } + }, + "smithy.api#sensitive": {} } }, "com.amazonaws.connect#AgentHierarchyGroups": { @@ -389,7 +390,8 @@ "smithy.api#length": { "min": 1, "max": 100 - } + }, + "smithy.api#sensitive": {} } }, "com.amazonaws.connect#AgentPauseDurationInSeconds": { @@ -8081,7 +8083,8 @@ } }, "traits": { - "smithy.api#documentation": "

Contains credentials to use for federation.

" + "smithy.api#documentation": "

Contains credentials to use for federation.

", + "smithy.api#sensitive": {} } }, "com.amazonaws.connect#CrossChannelBehavior": { @@ -11587,7 +11590,8 @@ "smithy.api#length": { "min": 0, "max": 4096 - } + }, + "smithy.api#sensitive": {} } }, "com.amazonaws.connect#Description250": { @@ -12698,7 +12702,10 @@ } }, "com.amazonaws.connect#Email": { - "type": "string" + "type": "string", + "traits": { + "smithy.api#sensitive": {} + } }, "com.amazonaws.connect#EmailReference": { "type": "structure", @@ -13973,7 +13980,7 @@ "traits": { "smithy.api#length": { "min": 0, - "max": 3072 + "max": 1024 } } }, @@ -22450,7 +22457,8 @@ "smithy.api#length": { "min": 0, "max": 512 - } + }, + "smithy.api#sensitive": {} } }, "com.amazonaws.connect#Name128": { @@ -22955,7 +22963,8 @@ "com.amazonaws.connect#Password": { "type": "string", "traits": { - "smithy.api#pattern": "^/^(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)[a-zA-Z\\d\\S]{8,64}$/$" + "smithy.api#pattern": "^/^(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)[a-zA-Z\\d\\S]{8,64}$/$", + "smithy.api#sensitive": {} } }, "com.amazonaws.connect#PauseContact": { diff --git a/codegen/sdk-codegen/aws-models/kms.json b/codegen/sdk-codegen/aws-models/kms.json index cfed385c98c..82fb7e252d9 100644 --- a/codegen/sdk-codegen/aws-models/kms.json +++ b/codegen/sdk-codegen/aws-models/kms.json @@ -729,7 +729,7 @@ "XksProxyUriEndpoint": { "target": "com.amazonaws.kms#XksProxyUriEndpointType", "traits": { - "smithy.api#documentation": "

Specifies the endpoint that KMS uses to send requests to the external key store proxy\n (XKS proxy). This parameter is required for custom key stores with a\n CustomKeyStoreType of EXTERNAL_KEY_STORE.

\n

The protocol must be HTTPS. KMS communicates on port 443. Do not specify the port in the\n XksProxyUriEndpoint value.

\n

For external key stores with XksProxyConnectivity value of\n VPC_ENDPOINT_SERVICE, specify https:// followed by the private DNS\n name of the VPC endpoint service.

\n

For external key stores with PUBLIC_ENDPOINT connectivity, this endpoint must\n be reachable before you create the custom key store. KMS connects to the external key store\n proxy while creating the custom key store. For external key stores with\n VPC_ENDPOINT_SERVICE connectivity, KMS connects when you call the ConnectCustomKeyStore operation.

\n

The value of this parameter must begin with https://. The remainder can\n contain upper and lower case letters (A-Z and a-z), numbers (0-9), dots (.), and\n hyphens (-). Additional slashes (/ and \\) are not\n permitted.

\n

\n Uniqueness requirements: \n

\n " + "smithy.api#documentation": "

Specifies the endpoint that KMS uses to send requests to the external key store proxy\n (XKS proxy). This parameter is required for custom key stores with a\n CustomKeyStoreType of EXTERNAL_KEY_STORE.

\n

The protocol must be HTTPS. KMS communicates on port 443. Do not specify the port in the\n XksProxyUriEndpoint value.

\n

For external key stores with XksProxyConnectivity value of\n VPC_ENDPOINT_SERVICE, specify https:// followed by the private DNS\n name of the VPC endpoint service.

\n

For external key stores with PUBLIC_ENDPOINT connectivity, this endpoint must\n be reachable before you create the custom key store. KMS connects to the external key store\n proxy while creating the custom key store. For external key stores with\n VPC_ENDPOINT_SERVICE connectivity, KMS connects when you call the ConnectCustomKeyStore operation.

\n

The value of this parameter must begin with https://. The remainder can\n contain upper and lower case letters (A-Z and a-z), numbers (0-9), dots (.), and\n hyphens (-). Additional slashes (/ and \\) are not\n permitted.

\n

\n Uniqueness requirements: \n

\n " } }, "XksProxyUriPath": { @@ -1448,6 +1448,20 @@ "Plaintext": "", "EncryptionAlgorithm": "SYMMETRIC_DEFAULT" } + }, + { + "title": "To decrypt data with an asymmetric encryption KMS key", + "documentation": "The following example decrypts data that was encrypted with an asymmetric encryption KMS key. When the KMS encryption key is asymmetric, you must specify the KMS key ID and the encryption algorithm that was used to encrypt the data.", + "input": { + "CiphertextBlob": "", + "KeyId": "0987dcba-09fe-87dc-65ba-ab0987654321", + "EncryptionAlgorithm": "RSAES_OAEP_SHA_256" + }, + "output": { + "KeyId": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321", + "Plaintext": "", + "EncryptionAlgorithm": "RSAES_OAEP_SHA_256" + } } ] } @@ -1836,7 +1850,174 @@ } ], "traits": { - "smithy.api#documentation": "

Provides detailed information about a KMS key. You can run DescribeKey on a\n customer managed\n key or an Amazon Web Services managed key.

\n

This detailed information includes the key ARN, creation date (and deletion date, if\n applicable), the key state, and the origin and expiration date (if any) of the key material.\n It includes fields, like KeySpec, that help you distinguish different types of\n KMS keys. It also displays the key usage (encryption, signing, or generating and verifying\n MACs) and the algorithms that the KMS key supports.

\n

For multi-Region keys, DescribeKey displays the primary key and all\n related replica keys. For KMS keys in CloudHSM key stores, it includes information\n about the key store, such as the key store ID and the CloudHSM cluster ID. For KMS keys in external key stores,\n it includes the custom key store ID and the ID of the external key.

\n

\n DescribeKey does not return the following information:

\n
    \n
  • \n

    Aliases associated with the KMS key. To get this information, use ListAliases.

    \n
    • \n
  • \n

    Whether automatic key rotation is enabled on the KMS key. To get this information, use\n GetKeyRotationStatus. Also, some key states prevent a KMS key from\n being automatically rotated. For details, see How Automatic Key Rotation\n Works in the Key Management Service Developer Guide.

    \n
    • \n
  • \n

    Tags on the KMS key. To get this information, use ListResourceTags.

    \n
    • \n
  • \n

    Key policies and grants on the KMS key. To get this information, use GetKeyPolicy and ListGrants.

    \n
    • \n
\n

In general, DescribeKey is a non-mutating operation. It returns data about\n KMS keys, but doesn't change them. However, Amazon Web Services services use DescribeKey to\n create Amazon Web Services\n managed keys from a predefined Amazon Web Services alias with no key\n ID.

\n

\n Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify\n the key ARN or alias ARN in the value of the KeyId parameter.

\n

\n Required permissions: kms:DescribeKey (key policy)

\n

\n Related operations:\n

\n \n

\n Eventual consistency: The KMS API follows an eventual consistency model. \n For more information, see KMS eventual consistency.

" + "smithy.api#documentation": "

Provides detailed information about a KMS key. You can run DescribeKey on a\n customer managed\n key or an Amazon Web Services managed key.

\n

This detailed information includes the key ARN, creation date (and deletion date, if\n applicable), the key state, and the origin and expiration date (if any) of the key material.\n It includes fields, like KeySpec, that help you distinguish different types of\n KMS keys. It also displays the key usage (encryption, signing, or generating and verifying\n MACs) and the algorithms that the KMS key supports.

\n

For multi-Region keys, DescribeKey displays the primary key and all\n related replica keys. For KMS keys in CloudHSM key stores, it includes information\n about the key store, such as the key store ID and the CloudHSM cluster ID. For KMS keys in external key stores,\n it includes the custom key store ID and the ID of the external key.

\n

\n DescribeKey does not return the following information:

\n
    \n
  • \n

    Aliases associated with the KMS key. To get this information, use ListAliases.

    \n
    • \n
  • \n

    Whether automatic key rotation is enabled on the KMS key. To get this information, use\n GetKeyRotationStatus. Also, some key states prevent a KMS key from\n being automatically rotated. For details, see How Automatic Key Rotation\n Works in the Key Management Service Developer Guide.

    \n
    • \n
  • \n

    Tags on the KMS key. To get this information, use ListResourceTags.

    \n
    • \n
  • \n

    Key policies and grants on the KMS key. To get this information, use GetKeyPolicy and ListGrants.

    \n
    • \n
\n

In general, DescribeKey is a non-mutating operation. It returns data about\n KMS keys, but doesn't change them. However, Amazon Web Services services use DescribeKey to\n create Amazon Web Services\n managed keys from a predefined Amazon Web Services alias with no key\n ID.

\n

\n Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify\n the key ARN or alias ARN in the value of the KeyId parameter.

\n

\n Required permissions: kms:DescribeKey (key policy)

\n

\n Related operations:\n

\n \n

\n Eventual consistency: The KMS API follows an eventual consistency model. \n For more information, see KMS eventual consistency.

", + "smithy.api#examples": [ + { + "title": "To get details about an RSA asymmetric KMS key", + "documentation": "The following example gets metadata for an asymmetric RSA KMS key used for signing and verification.", + "input": { + "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab" + }, + "output": { + "KeyMetadata": { + "AWSAccountId": "111122223333", + "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", + "Arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", + "CreationDate": 1.571767572317E9, + "CustomerMasterKeySpec": "RSA_2048", + "Enabled": false, + "Description": "", + "KeyState": "Disabled", + "Origin": "AWS_KMS", + "MultiRegion": false, + "KeyManager": "CUSTOMER", + "KeySpec": "RSA_2048", + "KeyUsage": "SIGN_VERIFY", + "SigningAlgorithms": [ + "RSASSA_PKCS1_V1_5_SHA_256", + "RSASSA_PKCS1_V1_5_SHA_384", + "RSASSA_PKCS1_V1_5_SHA_512", + "RSASSA_PSS_SHA_256", + "RSASSA_PSS_SHA_384", + "RSASSA_PSS_SHA_512" + ] + } + } + }, + { + "title": "To get details about a multi-Region key", + "documentation": "The following example gets metadata for a multi-Region replica key. This multi-Region key is a symmetric encryption key. DescribeKey returns information about the primary key and all of its replicas.", + "input": { + "KeyId": "arn:aws:kms:ap-northeast-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab" + }, + "output": { + "KeyMetadata": { + "MultiRegion": true, + "AWSAccountId": "111122223333", + "Arn": "arn:aws:kms:ap-northeast-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab", + "CreationDate": 1.586329200918E9, + "Description": "", + "Enabled": true, + "KeyId": "mrk-1234abcd12ab34cd56ef1234567890ab", + "KeyManager": "CUSTOMER", + "KeyState": "Enabled", + "KeyUsage": "ENCRYPT_DECRYPT", + "Origin": "AWS_KMS", + "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT", + "EncryptionAlgorithms": [ + "SYMMETRIC_DEFAULT" + ], + "MultiRegionConfiguration": { + "MultiRegionKeyType": "PRIMARY", + "PrimaryKey": { + "Arn": "arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab", + "Region": "us-west-2" + }, + "ReplicaKeys": [ + { + "Arn": "arn:aws:kms:eu-west-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab", + "Region": "eu-west-1" + }, + { + "Arn": "arn:aws:kms:ap-northeast-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab", + "Region": "ap-northeast-1" + }, + { + "Arn": "arn:aws:kms:sa-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab", + "Region": "sa-east-1" + } + ] + } + } + } + }, + { + "title": "To get details about an HMAC KMS key", + "documentation": "The following example gets the metadata of an HMAC KMS key.", + "input": { + "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" + }, + "output": { + "KeyMetadata": { + "AWSAccountId": "123456789012", + "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", + "Arn": "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab", + "CreationDate": 1.566160362664E9, + "Enabled": true, + "Description": "Development test key", + "KeyUsage": "GENERATE_VERIFY_MAC", + "KeyState": "Enabled", + "Origin": "AWS_KMS", + "KeyManager": "CUSTOMER", + "CustomerMasterKeySpec": "HMAC_256", + "MacAlgorithms": [ + "HMAC_SHA_256" + ], + "MultiRegion": false + } + } + }, + { + "title": "To get details about a KMS key in an AWS CloudHSM key store", + "documentation": "The following example gets the metadata of a KMS key in an AWS CloudHSM key store.", + "input": { + "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" + }, + "output": { + "KeyMetadata": { + "AWSAccountId": "123456789012", + "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", + "Arn": "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab", + "CreationDate": 1.646160362664E9, + "Description": "CloudHSM key store test key", + "Enabled": true, + "MultiRegion": false, + "KeyManager": "CUSTOMER", + "KeyState": "Enabled", + "KeyUsage": "ENCRYPT_DECRYPT", + "Origin": "AWS_CLOUDHSM", + "CloudHsmClusterId": "cluster-234abcdefABC", + "CustomKeyStoreId": "cks-1234567890abcdef0", + "KeySpec": "SYMMETRIC_DEFAULT", + "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT", + "EncryptionAlgorithms": [ + "SYMMETRIC_DEFAULT" + ] + } + } + }, + { + "title": "To get details about a KMS key in an external key store", + "documentation": "The following example gets the metadata of a KMS key in an external key store.", + "input": { + "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" + }, + "output": { + "KeyMetadata": { + "Arn": "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab", + "AWSAccountId": "123456789012", + "CreationDate": 1.646160362664E9, + "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT", + "CustomKeyStoreId": "cks-1234567890abcdef0", + "Description": "External key store test key", + "Enabled": true, + "EncryptionAlgorithms": [ + "SYMMETRIC_DEFAULT" + ], + "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", + "KeyManager": "CUSTOMER", + "KeySpec": "SYMMETRIC_DEFAULT", + "KeyState": "Enabled", + "KeyUsage": "ENCRYPT_DECRYPT", + "MultiRegion": false, + "Origin": "EXTERNAL_KEY_STORE", + "XksKeyConfiguration": { + "Id": "bb8562717f809024" + } + } + } + } + ] } }, "com.amazonaws.kms#DescribeKeyRequest": { @@ -2251,6 +2432,20 @@ "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "EncryptionAlgorithm": "SYMMETRIC_DEFAULT" } + }, + { + "title": "To encrypt data with an asymmetric encryption KMS key", + "documentation": "The following example encrypts data with the specified RSA asymmetric KMS key. When you encrypt with an asymmetric key, you must specify the encryption algorithm.", + "input": { + "KeyId": "0987dcba-09fe-87dc-65ba-ab0987654321", + "Plaintext": "", + "EncryptionAlgorithm": "RSAES_OAEP_SHA_256" + }, + "output": { + "CiphertextBlob": "", + "KeyId": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321", + "EncryptionAlgorithm": "RSAES_OAEP_SHA_256" + } } ] } @@ -3345,7 +3540,7 @@ } ], "traits": { - "smithy.api#documentation": "

Returns the public key and an import token you need to import or reimport key material for\n a KMS key.

\n

By default, KMS keys are created with key material that KMS generates. This operation\n supports Importing key\n material, an advanced feature that lets you generate and import the cryptographic\n key material for a KMS key. For more information about importing key material into KMS, see\n Importing key\n material in the Key Management Service Developer Guide.

\n

Before calling GetParametersForImport, use the CreateKey\n operation with an Origin value of EXTERNAL to create a KMS key with\n no key material. You can import key material for a symmetric encryption KMS key, HMAC KMS key,\n asymmetric encryption KMS key, or asymmetric signing KMS key. You can also import key material\n into a multi-Region key of\n any supported type. However, you can't import key material into a KMS key in a custom key\n store. You can also use GetParametersForImport to get a public key and\n import token to reimport\n the original key material into a KMS key whose key material expired or was\n deleted.

\n

\n GetParametersForImport returns the items that you need to import your key\n material.

\n
    \n
  • \n

    The public key (or \"wrapping key\") of an RSA key pair that KMS generates.

    \n

    You will use this public key to encrypt (\"wrap\") your key material while it's in\n transit to KMS.

    \n
    • \n
  • \n

    A import token that ensures that KMS can decrypt your key material and associate it\n with the correct KMS key.

    \n
    • \n
\n

The public key and its import token are permanently linked and must be used together. Each\n public key and import token set is valid for 24 hours. The expiration date and time appear in\n the ParametersValidTo field in the GetParametersForImport response.\n You cannot use an expired public key or import token in an ImportKeyMaterial\n request. If your key and token expire, send another GetParametersForImport\n request.

\n

\n GetParametersForImport requires the following information:

\n
    \n
  • \n

    The key ID of the KMS key for which you are importing the key material.

    \n
    • \n
  • \n

    The key spec of the public key (\"wrapping key\") that you will use to encrypt your key\n material during import.

    \n
    • \n
  • \n

    The wrapping algorithm that you will use with the public key to encrypt your key\n material.

    \n
    • \n
\n

You can use the same or a different public key spec and wrapping algorithm each time you\n import or reimport the same key material.

\n

The KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.

\n

\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.

\n

\n Required permissions: kms:GetParametersForImport (key policy)

\n

\n Related operations:\n

\n \n

\n Eventual consistency: The KMS API follows an eventual consistency model. \n For more information, see KMS eventual consistency.

" + "smithy.api#documentation": "

Returns the public key and an import token you need to import or reimport key material for\n a KMS key.

\n

By default, KMS keys are created with key material that KMS generates. This operation\n supports Importing key\n material, an advanced feature that lets you generate and import the cryptographic\n key material for a KMS key. For more information about importing key material into KMS, see\n Importing key\n material in the Key Management Service Developer Guide.

\n

Before calling GetParametersForImport, use the CreateKey\n operation with an Origin value of EXTERNAL to create a KMS key with\n no key material. You can import key material for a symmetric encryption KMS key, HMAC KMS key,\n asymmetric encryption KMS key, or asymmetric signing KMS key. You can also import key material\n into a multi-Region key of any supported type. However, you can't import key material into\n a KMS key in a custom key store. You can also use GetParametersForImport to get a\n public key and import token to reimport the original key\n material into a KMS key whose key material expired or was deleted.

\n

\n GetParametersForImport returns the items that you need to import your key\n material.

\n
    \n
  • \n

    The public key (or \"wrapping key\") of an RSA key pair that KMS generates.

    \n

    You will use this public key to encrypt (\"wrap\") your key material while it's in\n transit to KMS.

    \n
    • \n
  • \n

    A import token that ensures that KMS can decrypt your key material and associate it\n with the correct KMS key.

    \n
    • \n
\n

The public key and its import token are permanently linked and must be used together. Each\n public key and import token set is valid for 24 hours. The expiration date and time appear in\n the ParametersValidTo field in the GetParametersForImport response.\n You cannot use an expired public key or import token in an ImportKeyMaterial\n request. If your key and token expire, send another GetParametersForImport\n request.

\n

\n GetParametersForImport requires the following information:

\n
    \n
  • \n

    The key ID of the KMS key for which you are importing the key material.

    \n
    • \n
  • \n

    The key spec of the public key (\"wrapping key\") that you will use to encrypt your key\n material during import.

    \n
    • \n
  • \n

    The wrapping algorithm that you will use with the public key to encrypt your key\n material.

    \n
    • \n
\n

You can use the same or a different public key spec and wrapping algorithm each time you\n import or reimport the same key material.

\n

The KMS key that you use for this operation must be in a compatible key state. For\ndetails, see Key states of KMS keys in the Key Management Service Developer Guide.

\n

\n Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.

\n

\n Required permissions: kms:GetParametersForImport (key policy)

\n

\n Related operations:\n

\n \n

\n Eventual consistency: The KMS API follows an eventual consistency model. \n For more information, see KMS eventual consistency.

" } }, "com.amazonaws.kms#GetParametersForImportRequest": { @@ -5798,7 +5993,7 @@ } ], "traits": { - "smithy.api#documentation": "

Replicates a multi-Region key into the specified Region. This operation creates a\n multi-Region replica key based on a multi-Region primary key in a different Region of the same\n Amazon Web Services partition. You can create multiple replicas of a primary key, but each must be in a\n different Region. To create a multi-Region primary key, use the CreateKey\n operation.

\n

This operation supports multi-Region keys, an KMS feature that lets you create multiple\n interoperable KMS keys in different Amazon Web Services Regions. Because these KMS keys have the same key ID, key\n material, and other metadata, you can use them interchangeably to encrypt data in one Amazon Web Services Region and decrypt\n it in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more information about multi-Region keys, see Multi-Region keys in KMS in the Key Management Service Developer Guide.

\n

A replica key is a fully-functional KMS key that can be used\n independently of its primary and peer replica keys. A primary key and its replica keys share\n properties that make them interoperable. They have the same key ID and key material. They also\n have the same key\n spec, key\n usage, key\n material origin, and automatic key rotation status. KMS automatically synchronizes these shared\n properties among related multi-Region keys. All other properties of a replica key can differ,\n including its key\n policy, tags, aliases, and Key states of KMS keys. KMS pricing and quotas for KMS keys apply to each\n primary key and replica key.

\n

When this operation completes, the new replica key has a transient key state of\n Creating. This key state changes to Enabled (or\n PendingImport) after a few seconds when the process of creating the new replica\n key is complete. While the key state is Creating, you can manage key, but you\n cannot yet use it in cryptographic operations. If you are creating and using the replica key\n programmatically, retry on KMSInvalidStateException or call\n DescribeKey to check its KeyState value before using it. For\n details about the Creating key state, see Key states of KMS keys in the\n Key Management Service Developer Guide.

\n

You cannot create more than one replica of a primary key in any Region. If the Region\n already includes a replica of the key you're trying to replicate, ReplicateKey\n returns an AlreadyExistsException error. If the key state of the existing replica\n is PendingDeletion, you can cancel the scheduled key deletion (CancelKeyDeletion) or wait for the key to be deleted. The new replica key you\n create will have the same shared\n properties as the original replica key.

\n

The CloudTrail log of a ReplicateKey operation records a\n ReplicateKey operation in the primary key's Region and a CreateKey operation in the replica key's Region.

\n

If you replicate a multi-Region primary key with imported key material, the replica key is\n created with no key material. You must import the same key material that you imported into the\n primary key. For details, see Importing key material into multi-Region keys in the Key Management Service Developer Guide.

\n

To convert a replica key to a primary key, use the UpdatePrimaryRegion\n operation.

\n \n

\n ReplicateKey uses different default values for the KeyPolicy\n and Tags parameters than those used in the KMS console. For details, see the\n parameter descriptions.

\n \n

\n Cross-account use: No. You cannot use this operation to\n create a replica key in a different Amazon Web Services account.

\n

\n Required permissions:

\n
    \n
  • \n

    \n kms:ReplicateKey on the primary key (in the primary key's Region).\n Include this permission in the primary key's key policy.

    \n
    • \n
  • \n

    \n kms:CreateKey in an IAM policy in the replica Region.

    \n
    • \n
  • \n

    To use the Tags parameter, kms:TagResource in an IAM policy\n in the replica Region.

    \n
    • \n
\n

\n Related operations\n

\n \n

\n Eventual consistency: The KMS API follows an eventual consistency model. \n For more information, see KMS eventual consistency.

", + "smithy.api#documentation": "

Replicates a multi-Region key into the specified Region. This operation creates a\n multi-Region replica key based on a multi-Region primary key in a different Region of the same\n Amazon Web Services partition. You can create multiple replicas of a primary key, but each must be in a\n different Region. To create a multi-Region primary key, use the CreateKey\n operation.

\n

This operation supports multi-Region keys, an KMS feature that lets you create multiple\n interoperable KMS keys in different Amazon Web Services Regions. Because these KMS keys have the same key ID, key\n material, and other metadata, you can use them interchangeably to encrypt data in one Amazon Web Services Region and decrypt\n it in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more information about multi-Region keys, see Multi-Region keys in KMS in the Key Management Service Developer Guide.

\n

A replica key is a fully-functional KMS key that can be used\n independently of its primary and peer replica keys. A primary key and its replica keys share\n properties that make them interoperable. They have the same key ID and key material. They also\n have the same key\n spec, key\n usage, key\n material origin, and automatic key rotation status. KMS automatically synchronizes these shared\n properties among related multi-Region keys. All other properties of a replica key can differ,\n including its key\n policy, tags, aliases, and Key states of KMS keys. KMS pricing and quotas for KMS keys apply to each\n primary key and replica key.

\n

When this operation completes, the new replica key has a transient key state of\n Creating. This key state changes to Enabled (or\n PendingImport) after a few seconds when the process of creating the new replica\n key is complete. While the key state is Creating, you can manage key, but you\n cannot yet use it in cryptographic operations. If you are creating and using the replica key\n programmatically, retry on KMSInvalidStateException or call\n DescribeKey to check its KeyState value before using it. For\n details about the Creating key state, see Key states of KMS keys in the\n Key Management Service Developer Guide.

\n

You cannot create more than one replica of a primary key in any Region. If the Region\n already includes a replica of the key you're trying to replicate, ReplicateKey\n returns an AlreadyExistsException error. If the key state of the existing replica\n is PendingDeletion, you can cancel the scheduled key deletion (CancelKeyDeletion) or wait for the key to be deleted. The new replica key you\n create will have the same shared\n properties as the original replica key.

\n

The CloudTrail log of a ReplicateKey operation records a\n ReplicateKey operation in the primary key's Region and a CreateKey operation in the replica key's Region.

\n

If you replicate a multi-Region primary key with imported key material, the replica key is\n created with no key material. You must import the same key material that you imported into the\n primary key. For details, see Importing key material into multi-Region\n keys in the Key Management Service Developer Guide.

\n

To convert a replica key to a primary key, use the UpdatePrimaryRegion\n operation.

\n \n

\n ReplicateKey uses different default values for the KeyPolicy\n and Tags parameters than those used in the KMS console. For details, see the\n parameter descriptions.

\n \n

\n Cross-account use: No. You cannot use this operation to\n create a replica key in a different Amazon Web Services account.

\n

\n Required permissions:

\n
    \n
  • \n

    \n kms:ReplicateKey on the primary key (in the primary key's Region).\n Include this permission in the primary key's key policy.

    \n
    • \n
  • \n

    \n kms:CreateKey in an IAM policy in the replica Region.

    \n
    • \n
  • \n

    To use the Tags parameter, kms:TagResource in an IAM policy\n in the replica Region.

    \n
    • \n
\n

\n Related operations\n

\n \n

\n Eventual consistency: The KMS API follows an eventual consistency model. \n For more information, see KMS eventual consistency.

", "smithy.api#examples": [ { "title": "To replicate a multi-Region key in a different AWS Region", @@ -6207,6 +6402,21 @@ "Signature": "", "SigningAlgorithm": "ECDSA_SHA_384" } + }, + { + "title": "To digitally sign a message digest with an asymmetric KMS key.", + "documentation": "This operation uses the private key in an asymmetric RSA signing KMS key to generate a digital signature for a message digest. In this example, a large message was hashed and the resulting digest is provided in the Message parameter. To tell KMS not to hash the message again, the MessageType field is set to DIGEST", + "input": { + "KeyId": "alias/RSA_signing_key", + "Message": "", + "MessageType": "DIGEST", + "SigningAlgorithm": "RSASSA_PKCS1_V1_5_SHA_256" + }, + "output": { + "KeyId": "arn:aws:kms:us-east-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321", + "Signature": "", + "SigningAlgorithm": "RSASSA_PKCS1_V1_5_SHA_256" + } } ] } @@ -8129,6 +8339,44 @@ "NewCustomKeyStoreName": "DevelopmentKeys" }, "output": {} + }, + { + "title": "To edit the password of an AWS CloudHSM key store", + "documentation": "This example tells AWS KMS the password for the kmsuser crypto user in the AWS CloudHSM cluster that is associated with the AWS KMS custom key store. (It does not change the password in the CloudHSM cluster.) This operation does not return any data.", + "input": { + "CustomKeyStoreId": "cks-1234567890abcdef0", + "KeyStorePassword": "ExamplePassword" + }, + "output": {} + }, + { + "title": "To associate the custom key store with a different, but related, AWS CloudHSM cluster.", + "documentation": "This example changes the AWS CloudHSM cluster that is associated with an AWS CloudHSM key store to a related cluster, such as a different backup of the same cluster. This operation does not return any data. To verify that the operation worked, use the DescribeCustomKeyStores operation.", + "input": { + "CustomKeyStoreId": "cks-1234567890abcdef0", + "CloudHsmClusterId": "cluster-234abcdefABC" + }, + "output": {} + }, + { + "title": "To edit the proxy URI path of an external key store.", + "documentation": "This example updates the proxy URI path for an external key store", + "input": { + "CustomKeyStoreId": "cks-1234567890abcdef0", + "XksProxyUriPath": "/new-path/kms/xks/v1" + }, + "output": {} + }, + { + "title": "To update the proxy connectivity of an external key store to VPC_ENDPOINT_SERVICE", + "documentation": "To change the external key store proxy connectivity option from public endpoint connectivity to VPC endpoint service connectivity, in addition to changing the XksProxyConnectivity value, you must change the XksProxyUriEndpoint value to reflect the private DNS name associated with the VPC endpoint service. You must also add an XksProxyVpcEndpointServiceName value.", + "input": { + "CustomKeyStoreId": "cks-1234567890abcdef0", + "XksProxyConnectivity": "VPC_ENDPOINT_SERVICE", + "XksProxyUriEndpoint": "https://myproxy-private.xks.example.com", + "XksProxyVpcEndpointServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-example" + }, + "output": {} } ] } @@ -8386,6 +8634,22 @@ "SignatureValid": true, "SigningAlgorithm": "ECDSA_SHA_384" } + }, + { + "title": "To use an asymmetric KMS key to verify a digital signature on a message digest", + "documentation": "This operation uses the public key in an RSA asymmetric signing key pair to verify the digital signature of a message digest. Hashing a message into a digest before sending it to KMS lets you verify messages that exceed the 4096-byte message size limit. To indicate that the value of Message is a digest, use the MessageType parameter ", + "input": { + "KeyId": "arn:aws:kms:us-east-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321", + "Message": "", + "MessageType": "DIGEST", + "Signature": "", + "SigningAlgorithm": "RSASSA_PSS_SHA_512" + }, + "output": { + "KeyId": "arn:aws:kms:us-east-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321", + "SignatureValid": true, + "SigningAlgorithm": "RSASSA_PSS_SHA_512" + } } ] } @@ -8639,7 +8903,7 @@ "code": "XksKeyAlreadyInUse", "httpResponseCode": 400 }, - "smithy.api#documentation": "

The request was rejected because the (XksKeyId) is already associated with a\n KMS key in this external key store. Each KMS key in an external key store must be associated\n with a different external key.

", + "smithy.api#documentation": "

The request was rejected because the (XksKeyId) is already associated with\n another KMS key in this external key store. Each KMS key in an external key store must be\n associated with a different external key.

", "smithy.api#error": "client", "smithy.api#httpError": 400 } @@ -8830,7 +9094,7 @@ "code": "XksProxyInvalidConfigurationException", "httpResponseCode": 400 }, - "smithy.api#documentation": "

The request was rejected because the Amazon VPC endpoint service configuration does not fulfill\n the requirements for an external key store proxy. For details, see the exception\n message.

", + "smithy.api#documentation": "

The request was rejected because the external key store proxy is not configured correctly.\n To identify the cause, see the error message that accompanies the exception.

", "smithy.api#error": "client", "smithy.api#httpError": 400 } @@ -8864,7 +9128,7 @@ "code": "XksProxyUriEndpointInUseException", "httpResponseCode": 400 }, - "smithy.api#documentation": "

The request was rejected because the concatenation of the XksProxyUriEndpoint\n is already associated with an external key store in the Amazon Web Services account and Region. Each\n external key store in an account and Region must use a unique external key store proxy\n address.

", + "smithy.api#documentation": "

The request was rejected because the XksProxyUriEndpoint is already\n associated with another external key store in this Amazon Web Services Region. To identify the cause,\n see the error message that accompanies the exception.

", "smithy.api#error": "client", "smithy.api#httpError": 400 } @@ -8891,7 +9155,7 @@ "code": "XksProxyUriInUseException", "httpResponseCode": 400 }, - "smithy.api#documentation": "

The request was rejected because the concatenation of the XksProxyUriEndpoint\n and XksProxyUriPath is already associated with an external key store in the\n Amazon Web Services account and Region. Each external key store in an account and Region must use a unique\n external key store proxy API address.

", + "smithy.api#documentation": "

The request was rejected because the concatenation of the XksProxyUriEndpoint\n and XksProxyUriPath is already associated with another external key store in this\n Amazon Web Services Region. Each external key store in a Region must use a unique external key store proxy\n API address.

", "smithy.api#error": "client", "smithy.api#httpError": 400 } @@ -8935,7 +9199,7 @@ "code": "XksProxyVpcEndpointServiceInUseException", "httpResponseCode": 400 }, - "smithy.api#documentation": "

The request was rejected because the specified Amazon VPC endpoint service is already\n associated with an external key store in the Amazon Web Services account and Region. Each external key store\n in an Amazon Web Services account and Region must use a different Amazon VPC endpoint service.

", + "smithy.api#documentation": "

The request was rejected because the specified Amazon VPC endpoint service is already\n associated with another external key store in this Amazon Web Services Region. Each external key store in a\n Region must use a different Amazon VPC endpoint service.

", "smithy.api#error": "client", "smithy.api#httpError": 400 } @@ -8952,7 +9216,7 @@ "code": "XksProxyVpcEndpointServiceInvalidConfigurationException", "httpResponseCode": 400 }, - "smithy.api#documentation": "

The request was rejected because the Amazon VPC endpoint service configuration does not fulfill\n the requirements for an external key store proxy. For details, see the exception message and\n review the requirements for Amazon VPC endpoint service connectivity for an external key\n store.

", + "smithy.api#documentation": "

The request was rejected because the Amazon VPC endpoint service configuration does not fulfill\n the requirements for an external key store. To identify the cause, see the error message that\n accompanies the exception and review the\n requirements for Amazon VPC endpoint service connectivity for an external key\n store.

", "smithy.api#error": "client", "smithy.api#httpError": 400 } diff --git a/codegen/sdk-codegen/aws-models/qconnect.json b/codegen/sdk-codegen/aws-models/qconnect.json index 83508b15623..bf83b326d4e 100644 --- a/codegen/sdk-codegen/aws-models/qconnect.json +++ b/codegen/sdk-codegen/aws-models/qconnect.json @@ -5728,7 +5728,8 @@ "outputToken": "nextToken", "pageSize": "maxResults", "items": "results" - } + }, + "smithy.api#readonly": {} } }, "com.amazonaws.qconnect#SearchQuickResponsesRequest": { diff --git a/codegen/sdk-codegen/aws-models/redshift-serverless.json b/codegen/sdk-codegen/aws-models/redshift-serverless.json index b567e038396..0156226cc29 100644 --- a/codegen/sdk-codegen/aws-models/redshift-serverless.json +++ b/codegen/sdk-codegen/aws-models/redshift-serverless.json @@ -951,7 +951,7 @@ "configParameters": { "target": "com.amazonaws.redshiftserverless#ConfigParameterList", "traits": { - "smithy.api#documentation": "

An array of parameters to set for advanced control over a database. The\n options are auto_mv, datestyle, enable_case_sensitive_identifier, enable_user_activity_logging,\n query_group, search_path, and query monitoring metrics that let you define performance boundaries. For more information about query monitoring rules and available metrics, see \n \n Query monitoring metrics for Amazon Redshift Serverless.

" + "smithy.api#documentation": "

An array of parameters to set for advanced control over a database. The\n options are auto_mv, datestyle, enable_case_sensitive_identifier, enable_user_activity_logging,\n query_group, search_path, require_ssl, use_fips_ssl, and query monitoring metrics that let you define performance boundaries. For more information about query monitoring rules and available metrics, see \n \n Query monitoring metrics for Amazon Redshift Serverless.

" } }, "securityGroupIds": { @@ -6468,7 +6468,7 @@ "configParameters": { "target": "com.amazonaws.redshiftserverless#ConfigParameterList", "traits": { - "smithy.api#documentation": "

An array of parameters to set for advanced control over a database. The\n options are auto_mv, datestyle, enable_case_sensitive_identifier, enable_user_activity_logging,\n query_group, search_path, and query monitoring metrics that let you \n define performance boundaries. For more information about query monitoring rules and available metrics, see \n \n Query monitoring metrics for Amazon Redshift Serverless.

" + "smithy.api#documentation": "

An array of parameters to set for advanced control over a database. The\n options are auto_mv, datestyle, enable_case_sensitive_identifier, enable_user_activity_logging,\n query_group, search_path, require_ssl, use_fips_ssl, and query monitoring metrics that let you \n define performance boundaries. For more information about query monitoring rules and available metrics, see \n \n Query monitoring metrics for Amazon Redshift Serverless.

" } }, "publiclyAccessible": { @@ -6787,7 +6787,7 @@ "configParameters": { "target": "com.amazonaws.redshiftserverless#ConfigParameterList", "traits": { - "smithy.api#documentation": "

An array of parameters to set for advanced control over a database. The\n options are auto_mv, datestyle, enable_case_sensitive_identifier, enable_user_activity_logging,\n query_group, search_path, and query monitoring metrics that let you define performance boundaries. \n For more information about query monitoring rules and available metrics, see Query monitoring metrics for Amazon Redshift Serverless.

" + "smithy.api#documentation": "

An array of parameters to set for advanced control over a database. The\n options are auto_mv, datestyle, enable_case_sensitive_identifier, enable_user_activity_logging,\n query_group, search_path, require_ssl, use_fips_ssl, and query monitoring metrics that let you define performance boundaries. \n For more information about query monitoring rules and available metrics, see Query monitoring metrics for Amazon Redshift Serverless.

" } }, "securityGroupIds": {