From 1c5e23be58e1457f8254e5ea6b37534d82440b4b Mon Sep 17 00:00:00 2001 From: aws-sdk-go-automation <43143561+aws-sdk-go-automation@users.noreply.github.com> Date: Mon, 4 Oct 2021 11:14:41 -0700 Subject: [PATCH] Release v1.40.55 (2021-10-04) (#4122) Release v1.40.55 (2021-10-04) === ### Service Client Updates * `service/codebuild`: Updates service API and documentation * CodeBuild now allows you to select how batch build statuses are sent to the source provider for a project. * `service/elasticfilesystem`: Updates service API * EFS adds a new exception for short identifiers to be thrown after its migration to long resource identifiers. * `service/kms`: Updates service documentation and examples * Added SDK examples for ConnectCustomKeyStore, CreateCustomKeyStore, CreateKey, DeleteCustomKeyStore, DescribeCustomKeyStores, DisconnectCustomKeyStore, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GetPublicKey, ReplicateKey, Sign, UpdateCustomKeyStore and Verify APIs --- CHANGELOG.md | 11 + aws/version.go | 2 +- models/apis/codebuild/2016-10-06/api-2.json | 10 +- models/apis/codebuild/2016-10-06/docs-2.json | 12 +- .../elasticfilesystem/2015-02-01/api-2.json | 1 + models/apis/kms/2014-11-01/docs-2.json | 2 +- models/apis/kms/2014-11-01/examples-1.json | 616 +++++++++++- service/codebuild/api.go | 52 +- service/efs/api.go | 4 + service/kms/api.go | 3 +- service/kms/examples_test.go | 929 +++++++++++++++++- 11 files changed, 1604 insertions(+), 38 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 96e9666766a..e292bc39f31 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,14 @@ +Release v1.40.55 (2021-10-04) +=== + +### Service Client Updates +* `service/codebuild`: Updates service API and documentation + * CodeBuild now allows you to select how batch build statuses are sent to the source provider for a project. +* `service/elasticfilesystem`: Updates service API + * EFS adds a new exception for short identifiers to be thrown after its migration to long resource identifiers. +* `service/kms`: Updates service documentation and examples + * Added SDK examples for ConnectCustomKeyStore, CreateCustomKeyStore, CreateKey, DeleteCustomKeyStore, DescribeCustomKeyStores, DisconnectCustomKeyStore, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GetPublicKey, ReplicateKey, Sign, UpdateCustomKeyStore and Verify APIs + Release v1.40.54 (2021-10-01) === diff --git a/aws/version.go b/aws/version.go index e24d524e6d8..80752a429ae 100644 --- a/aws/version.go +++ b/aws/version.go @@ -5,4 +5,4 @@ package aws const SDKName = "aws-sdk-go" // SDKVersion is the version of this SDK -const SDKVersion = "1.40.54" +const SDKVersion = "1.40.55" diff --git a/models/apis/codebuild/2016-10-06/api-2.json b/models/apis/codebuild/2016-10-06/api-2.json index 3785ab4a465..7c18d44f5ac 100644 --- a/models/apis/codebuild/2016-10-06/api-2.json +++ b/models/apis/codebuild/2016-10-06/api-2.json @@ -704,6 +704,13 @@ "reportsNotFound":{"shape":"ReportArns"} } }, + "BatchReportModeType":{ + "type":"string", + "enum":[ + "REPORT_INDIVIDUAL_BUILDS", + "REPORT_AGGREGATED_BATCH" + ] + }, "BatchRestrictions":{ "type":"structure", "members":{ @@ -1769,7 +1776,8 @@ "serviceRole":{"shape":"NonEmptyString"}, "combineArtifacts":{"shape":"WrapperBoolean"}, "restrictions":{"shape":"BatchRestrictions"}, - "timeoutInMins":{"shape":"WrapperInt"} + "timeoutInMins":{"shape":"WrapperInt"}, + "batchReportMode":{"shape":"BatchReportModeType"} } }, "ProjectCache":{ diff --git a/models/apis/codebuild/2016-10-06/docs-2.json b/models/apis/codebuild/2016-10-06/docs-2.json index d28ac764a3d..102ec72f772 100644 --- a/models/apis/codebuild/2016-10-06/docs-2.json +++ b/models/apis/codebuild/2016-10-06/docs-2.json @@ -140,6 +140,12 @@ "refs": { } }, + "BatchReportModeType": { + "base": null, + "refs": { + "ProjectBuildBatchConfig$batchReportMode": "

Specifies how build status reports are sent to the source provider for the batch build. This property is only used when the source provider for your project is Bitbucket, GitHub, or GitHub Enterprise, and your project is configured to report build statuses to the source provider.

REPORT_AGGREGATED_BATCH

(Default) Aggregate all of the build statuses into a single status report.

REPORT_INDIVIDUAL_BUILDS

Send a separate status report for each individual build.

" + } + }, "BatchRestrictions": { "base": "

Specifies restrictions for the batch build.

", "refs": { @@ -258,7 +264,7 @@ "BatchGetBuildsInput$ids": "

The IDs of the builds.

", "BatchGetBuildsOutput$buildsNotFound": "

The IDs of builds for which information could not be found.

", "DeleteBuildBatchOutput$buildsDeleted": "

An array of strings that contain the identifiers of the builds that were deleted.

", - "ListBuildsForProjectOutput$ids": "

A list of build IDs for the specified build project, with each build ID representing a single build.

", + "ListBuildsForProjectOutput$ids": "

A list of build identifiers for the specified build project, with each build ID representing a single build.

", "ListBuildsOutput$ids": "

A list of build IDs, with each build ID representing a single build.

" } }, @@ -1042,7 +1048,7 @@ "Project$secondaryArtifacts": "

An array of ProjectArtifacts objects.

", "StartBuildBatchInput$secondaryArtifactsOverride": "

An array of ProjectArtifacts objects that override the secondary artifacts defined in the batch build project.

", "StartBuildInput$secondaryArtifactsOverride": "

An array of ProjectArtifacts objects.

", - "UpdateProjectInput$secondaryArtifacts": "

An array of ProjectSource objects.

" + "UpdateProjectInput$secondaryArtifacts": "

An array of ProjectArtifact objects.

" } }, "ProjectBadge": { @@ -1446,7 +1452,7 @@ "DescribeCodeCoveragesInput$sortOrder": "

Specifies if the results are sorted in ascending or descending order.

", "ListBuildBatchesForProjectInput$sortOrder": "

Specifies the sort order of the returned items. Valid values include:

", "ListBuildBatchesInput$sortOrder": "

Specifies the sort order of the returned items. Valid values include:

", - "ListBuildsForProjectInput$sortOrder": "

The order to list results in. The results are sorted by build number, not the build identifier.

Valid values include:

If the project has more than 100 builds, setting the sort order will result in an error.

", + "ListBuildsForProjectInput$sortOrder": "

The order to sort the results in. The results are sorted by build number, not the build identifier. If this is not specified, the results are sorted in descending order.

Valid values include:

If the project has more than 100 builds, setting the sort order will result in an error.

", "ListBuildsInput$sortOrder": "

The order to list build IDs. Valid values include:

", "ListProjectsInput$sortOrder": "

The order in which to list build projects. Valid values include:

Use sortBy to specify the criterion to be used to list build project names.

", "ListReportGroupsInput$sortOrder": "

Used to specify the order to sort the list of returned report groups. Valid values are ASCENDING and DESCENDING.

", diff --git a/models/apis/elasticfilesystem/2015-02-01/api-2.json b/models/apis/elasticfilesystem/2015-02-01/api-2.json index 2e871685d70..be81e1ee1ae 100644 --- a/models/apis/elasticfilesystem/2015-02-01/api-2.json +++ b/models/apis/elasticfilesystem/2015-02-01/api-2.json @@ -347,6 +347,7 @@ "input":{"shape":"PutAccountPreferencesRequest"}, "output":{"shape":"PutAccountPreferencesResponse"}, "errors":[ + {"shape":"BadRequest"}, {"shape":"InternalServerError"} ] }, diff --git a/models/apis/kms/2014-11-01/docs-2.json b/models/apis/kms/2014-11-01/docs-2.json index dff2b324c13..bfcdb2c63f2 100644 --- a/models/apis/kms/2014-11-01/docs-2.json +++ b/models/apis/kms/2014-11-01/docs-2.json @@ -46,7 +46,7 @@ "TagResource": "

Adds or edits tags on a customer managed key.

Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see Using ABAC in KMS in the Key Management Service Developer Guide.

Each tag consists of a tag key and a tag value, both of which are case-sensitive strings. The tag value can be an empty (null) string. To add a tag, specify a new tag key and a tag value. To edit a tag, specify an existing tag key and a new tag value.

You can use this operation to tag a customer managed key, but you cannot tag an Amazon Web Services managed key, an Amazon Web Services owned key, a custom key store, or an alias.

You can also add tags to a KMS key while creating it (CreateKey) or replicating it (ReplicateKey).

For information about using tags in KMS, see Tagging keys. For general information about tags, including the format and syntax, see Tagging Amazon Web Services resources in the Amazon Web Services General Reference.

The KMS key that you use for this operation must be in a compatible key state. For details, see Key state: Effect on your KMS key in the Key Management Service Developer Guide.

Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.

Required permissions: kms:TagResource (key policy)

Related operations

", "UntagResource": "

Deletes tags from a customer managed key. To delete a tag, specify the tag key and the KMS key.

Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see Using ABAC in KMS in the Key Management Service Developer Guide.

When it succeeds, the UntagResource operation doesn't return any output. Also, if the specified tag key isn't found on the KMS key, it doesn't throw an exception or return a response. To confirm that the operation worked, use the ListResourceTags operation.

For information about using tags in KMS, see Tagging keys. For general information about tags, including the format and syntax, see Tagging Amazon Web Services resources in the Amazon Web Services General Reference.

The KMS key that you use for this operation must be in a compatible key state. For details, see Key state: Effect on your KMS key in the Key Management Service Developer Guide.

Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.

Required permissions: kms:UntagResource (key policy)

Related operations

", "UpdateAlias": "

Associates an existing KMS alias with a different KMS key. Each alias is associated with only one KMS key at a time, although a KMS key can have multiple aliases. The alias and the KMS key must be in the same Amazon Web Services account and Region.

Adding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see Using ABAC in KMS in the Key Management Service Developer Guide.

The current and new KMS key must be the same type (both symmetric or both asymmetric), and they must have the same key usage (ENCRYPT_DECRYPT or SIGN_VERIFY). This restriction prevents errors in code that uses aliases. If you must assign an alias to a different type of KMS key, use DeleteAlias to delete the old alias and CreateAlias to create a new alias.

You cannot use UpdateAlias to change an alias name. To change an alias name, use DeleteAlias to delete the old alias and CreateAlias to create a new alias.

Because an alias is not a property of a KMS key, you can create, update, and delete the aliases of a KMS key without affecting the KMS key. Also, aliases do not appear in the response from the DescribeKey operation. To get the aliases of all KMS keys in the account, use the ListAliases operation.

The KMS key that you use for this operation must be in a compatible key state. For details, see Key state: Effect on your KMS key in the Key Management Service Developer Guide.

Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.

Required permissions

For details, see Controlling access to aliases in the Key Management Service Developer Guide.

Related operations:

", - "UpdateCustomKeyStore": "

Changes the properties of a custom key store. Use the CustomKeyStoreId parameter to identify the custom key store you want to edit. Use the remaining parameters to change the properties of the custom key store.

You can only update a custom key store that is disconnected. To disconnect the custom key store, use DisconnectCustomKeyStore. To reconnect the custom key store after the update completes, use ConnectCustomKeyStore. To find the connection state of a custom key store, use the DescribeCustomKeyStores operation.

Use the parameters of UpdateCustomKeyStore to edit your keystore settings.

If the operation succeeds, it returns a JSON object with no properties.

This operation is part of the Custom Key Store feature feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of a single-tenant key store.

Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account.

Required permissions: kms:UpdateCustomKeyStore (IAM policy)

Related operations:

", + "UpdateCustomKeyStore": "

Changes the properties of a custom key store. Use the CustomKeyStoreId parameter to identify the custom key store you want to edit. Use the remaining parameters to change the properties of the custom key store.

You can only update a custom key store that is disconnected. To disconnect the custom key store, use DisconnectCustomKeyStore. To reconnect the custom key store after the update completes, use ConnectCustomKeyStore. To find the connection state of a custom key store, use the DescribeCustomKeyStores operation.

The CustomKeyStoreId parameter is required in all commands. Use the other parameters of UpdateCustomKeyStore to edit your key store settings.

If the operation succeeds, it returns a JSON object with no properties.

This operation is part of the Custom Key Store feature feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of a single-tenant key store.

Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account.

Required permissions: kms:UpdateCustomKeyStore (IAM policy)

Related operations:

", "UpdateKeyDescription": "

Updates the description of a KMS key. To see the description of a KMS key, use DescribeKey.

The KMS key that you use for this operation must be in a compatible key state. For details, see Key state: Effect on your KMS key in the Key Management Service Developer Guide.

Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.

Required permissions: kms:UpdateKeyDescription (key policy)

Related operations

", "UpdatePrimaryRegion": "

Changes the primary key of a multi-Region key.

This operation changes the replica key in the specified Region to a primary key and changes the former primary key to a replica key. For example, suppose you have a primary key in us-east-1 and a replica key in eu-west-2. If you run UpdatePrimaryRegion with a PrimaryRegion value of eu-west-2, the primary key is now the key in eu-west-2, and the key in us-east-1 becomes a replica key. For details, see Updating the primary Region in the Key Management Service Developer Guide.

This operation supports multi-Region keys, an KMS feature that lets you create multiple interoperable KMS keys in different Amazon Web Services Regions. Because these KMS keys have the same key ID, key material, and other metadata, you can use them interchangeably to encrypt data in one Amazon Web Services Region and decrypt it in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more information about multi-Region keys, see Using multi-Region keys in the Key Management Service Developer Guide.

The primary key of a multi-Region key is the source for properties that are always shared by primary and replica keys, including the key material, key ID, key spec, key usage, key material origin, and automatic key rotation. It's the only key that can be replicated. You cannot delete the primary key until all replica keys are deleted.

The key ID and primary Region that you specify uniquely identify the replica key that will become the primary key. The primary Region must already have a replica key. This operation does not create a KMS key in the specified Region. To find the replica keys, use the DescribeKey operation on the primary key or any replica key. To create a replica key, use the ReplicateKey operation.

You can run this operation while using the affected multi-Region keys in cryptographic operations. This operation should not delay, interrupt, or cause failures in cryptographic operations.

Even after this operation completes, the process of updating the primary Region might still be in progress for a few more seconds. Operations such as DescribeKey might display both the old and new primary keys as replicas. The old and new primary keys have a transient key state of Updating. The original key state is restored when the update is complete. While the key state is Updating, you can use the keys in cryptographic operations, but you cannot replicate the new primary key or perform certain management operations, such as enabling or disabling these keys. For details about the Updating key state, see Key state: Effect on your KMS key in the Key Management Service Developer Guide.

This operation does not return any output. To verify that primary key is changed, use the DescribeKey operation.

Cross-account use: No. You cannot use this operation in a different Amazon Web Services account.

Required permissions:

Related operations

", "Verify": "

Verifies a digital signature that was generated by the Sign operation.

Verification confirms that an authorized user signed the message with the specified KMS key and signing algorithm, and the message hasn't changed since it was signed. If the signature is verified, the value of the SignatureValid field in the response is True. If the signature verification fails, the Verify operation fails with an KMSInvalidSignatureException exception.

A digital signature is generated by using the private key in an asymmetric KMS key. The signature is verified by using the public key in the same asymmetric KMS key. For information about symmetric and asymmetric KMS keys, see Using Symmetric and Asymmetric KMS keys in the Key Management Service Developer Guide.

To verify a digital signature, you can use the Verify operation. Specify the same asymmetric KMS key, message, and signing algorithm that were used to produce the signature.

You can also verify the digital signature by using the public key of the KMS key outside of KMS. Use the GetPublicKey operation to download the public key in the asymmetric KMS key and then use the public key to verify the signature outside of KMS. The advantage of using the Verify operation is that it is performed within KMS. As a result, it's easy to call, the operation is performed within the FIPS boundary, it is logged in CloudTrail, and you can use key policy and IAM policy to determine who is authorized to use the KMS key to verify signatures.

The KMS key that you use for this operation must be in a compatible key state. For details, see Key state: Effect on your KMS key in the Key Management Service Developer Guide.

Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN in the value of the KeyId parameter.

Required permissions: kms:Verify (key policy)

Related operations: Sign

" diff --git a/models/apis/kms/2014-11-01/examples-1.json b/models/apis/kms/2014-11-01/examples-1.json index 411bcc54774..c8a67f8698c 100644 --- a/models/apis/kms/2014-11-01/examples-1.json +++ b/models/apis/kms/2014-11-01/examples-1.json @@ -22,6 +22,25 @@ "title": "To cancel deletion of a KMS key" } ], + "ConnectCustomKeyStore": [ + { + "input": { + "CustomKeyStoreId": "cks-1234567890abcdef0" + }, + "output": { + }, + "comments": { + "input": { + "CustomKeyStoreId": "The ID of the AWS KMS custom key store." + }, + "output": { + } + }, + "description": "This example connects an AWS KMS custom key store to its AWS CloudHSM cluster. This operation does not return any data. To verify that the custom key store is connected, use the DescribeCustomKeyStores operation.", + "id": "to-connect-a-custom-key-store-to-its-cloudhsm-cluster-1628626947750", + "title": "To connect a custom key store to its CloudHSM cluster" + } + ], "CreateAlias": [ { "input": { @@ -39,6 +58,33 @@ "title": "To create an alias" } ], + "CreateCustomKeyStore": [ + { + "input": { + "CloudHsmClusterId": "cluster-1a23b4cdefg", + "CustomKeyStoreName": "ExampleKeyStore", + "KeyStorePassword": "kmsPswd", + "TrustAnchorCertificate": "" + }, + "output": { + "CustomKeyStoreId": "cks-1234567890abcdef0" + }, + "comments": { + "input": { + "CloudHsmClusterId": "The ID of the CloudHSM cluster.", + "CustomKeyStoreName": "A friendly name for the custom key store.", + "KeyStorePassword": "The password for the kmsuser CU account in the specified cluster.", + "TrustAnchorCertificate": "The content of the customerCA.crt file that you created when you initialized the cluster." + }, + "output": { + "CustomKeyStoreId": "The ID of the new custom key store." + } + }, + "description": "This example creates a custom key store that is associated with an AWS CloudHSM cluster.", + "id": "to-create-an-aws-cloudhsm-custom-key-store-1628627769469", + "title": "To create an AWS CloudHSM custom key store" + } + ], "CreateGrant": [ { "input": { @@ -72,12 +118,6 @@ "CreateKey": [ { "input": { - "Tags": [ - { - "TagKey": "CreatedBy", - "TagValue": "ExampleUser" - } - ] }, "output": { "KeyMetadata": { @@ -95,6 +135,7 @@ "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled", "KeyUsage": "ENCRYPT_DECRYPT", + "MultiRegion": false, "Origin": "AWS_KMS" } }, @@ -103,12 +144,211 @@ "Tags": "One or more tags. Each tag consists of a tag key and a tag value." }, "output": { - "KeyMetadata": "An object that contains information about the KMS key created by this operation." + "KeyMetadata": "Detailed information about the KMS key that this operation creates." } }, - "description": "The following example creates a KMS key.", + "description": "The following example creates a symmetric KMS key for encryption and decryption. No parameters are required for this operation.", "id": "to-create-a-cmk-1478028992966", "title": "To create a KMS key" + }, + { + "input": { + "KeySpec": "RSA_4096", + "KeyUsage": "ENCRYPT_DECRYPT" + }, + "output": { + "KeyMetadata": { + "AWSAccountId": "111122223333", + "Arn": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", + "CreationDate": "2021-04-05T14:04:55-07:00", + "CustomerMasterKeySpec": "RSA_4096", + "Description": "", + "Enabled": true, + "EncryptionAlgorithms": [ + "RSAES_OAEP_SHA_1", + "RSAES_OAEP_SHA_256" + ], + "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", + "KeyManager": "CUSTOMER", + "KeySpec": "RSA_4096", + "KeyState": "Enabled", + "KeyUsage": "ENCRYPT_DECRYPT", + "MultiRegion": false, + "Origin": "AWS_KMS" + } + }, + "comments": { + "input": { + "KeySpec": "Describes the type of key material in the KMS key.", + "KeyUsage": "The cryptographic operations for which you can use the KMS key." + }, + "output": { + "KeyMetadata": "Detailed information about the KMS key that this operation creates." + } + }, + "description": "This example creates a KMS key that contains an asymmetric RSA key pair for encryption and decryption. The key spec and key usage can't be changed after the key is created.", + "id": "to-create-an-asymmetric-rsa-kms-key-for-encryption-and-decryption-1630533897833", + "title": "To create an asymmetric RSA KMS key for encryption and decryption" + }, + { + "input": { + "KeySpec": "ECC_NIST_P521", + "KeyUsage": "SIGN_VERIFY" + }, + "output": { + "KeyMetadata": { + "AWSAccountId": "111122223333", + "Arn": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", + "CreationDate": "2019-12-02T07:48:55-07:00", + "CustomerMasterKeySpec": "ECC_NIST_P521", + "Description": "", + "Enabled": true, + "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", + "KeyManager": "CUSTOMER", + "KeySpec": "ECC_NIST_P521", + "KeyState": "Enabled", + "KeyUsage": "SIGN_VERIFY", + "MultiRegion": false, + "Origin": "AWS_KMS", + "SigningAlgorithms": [ + "ECDSA_SHA_512" + ] + } + }, + "comments": { + "input": { + "KeySpec": "Describes the type of key material in the KMS key.", + "KeyUsage": "The cryptographic operations for which you can use the KMS key." + }, + "output": { + "KeyMetadata": "Detailed information about the KMS key that this operation creates." + } + }, + "description": "This example creates a KMS key that contains an asymmetric elliptic curve (ECC) key pair for signing and verification. The key usage is required even though \"SIGN_VERIFY\" is the only valid value for ECC KMS keys. The key spec and key usage can't be changed after the key is created.", + "id": "to-create-an-asymmetric-elliptic-curve-kms-key-for-signing-and-verification-1630541089401", + "title": "To create an asymmetric elliptic curve KMS key for signing and verification" + }, + { + "input": { + "MultiRegion": true + }, + "output": { + "KeyMetadata": { + "AWSAccountId": "111122223333", + "Arn": "arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef12345678990ab", + "CreationDate": "2021-09-02T016:15:21-09:00", + "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT", + "Description": "", + "Enabled": true, + "EncryptionAlgorithms": [ + "SYMMETRIC_DEFAULT" + ], + "KeyId": "mrk-1234abcd12ab34cd56ef12345678990ab", + "KeyManager": "CUSTOMER", + "KeySpec": "SYMMETRIC_DEFAULT", + "KeyState": "Enabled", + "KeyUsage": "ENCRYPT_DECRYPT", + "MultiRegion": true, + "MultiRegionConfiguration": { + "MultiRegionKeyType": "PRIMARY", + "PrimaryKey": { + "Arn": "arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef12345678990ab", + "Region": "us-west-2" + }, + "ReplicaKeys": [ + + ] + }, + "Origin": "AWS_KMS" + } + }, + "comments": { + "input": { + "MultiRegion": "Indicates whether the KMS key is a multi-Region (True) or regional (False) key." + }, + "output": { + "KeyMetadata": "Detailed information about the KMS key that this operation creates." + } + }, + "description": "This example creates a multi-Region primary symmetric encryption key. Because the default values for all parameters create a symmetric encryption key, only the MultiRegion parameter is required for this KMS key.", + "id": "to-create-a-multi-region-primary-kms-key-1630599158567", + "title": "To create a multi-Region primary KMS key" + }, + { + "input": { + "Origin": "EXTERNAL" + }, + "output": { + "KeyMetadata": { + "AWSAccountId": "111122223333", + "Arn": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", + "CreationDate": "2019-12-02T07:48:55-07:00", + "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT", + "Description": "", + "Enabled": false, + "EncryptionAlgorithms": [ + "SYMMETRIC_DEFAULT" + ], + "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", + "KeyManager": "CUSTOMER", + "KeySpec": "SYMMETRIC_DEFAULT", + "KeyState": "PendingImport", + "KeyUsage": "ENCRYPT_DECRYPT", + "MultiRegion": false, + "Origin": "EXTERNAL" + } + }, + "comments": { + "input": { + "Origin": "The source of the key material for the KMS key." + }, + "output": { + "KeyMetadata": "Detailed information about the KMS key that this operation creates." + } + }, + "description": "This example creates a KMS key with no key material. When the operation is complete, you can import your own key material into the KMS key. To create this KMS key, set the Origin parameter to EXTERNAL. ", + "id": "to-create-a-kms-key-for-imported-key-material-1630603607560", + "title": "To create a KMS key for imported key material" + }, + { + "input": { + "CustomKeyStoreId": "cks-1234567890abcdef0", + "Origin": "AWS_CLOUDHSM" + }, + "output": { + "KeyMetadata": { + "AWSAccountId": "111122223333", + "Arn": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", + "CloudHsmClusterId": "cluster-1a23b4cdefg", + "CreationDate": "2019-12-02T07:48:55-07:00", + "CustomKeyStoreId": "cks-1234567890abcdef0", + "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT", + "Description": "", + "Enabled": true, + "EncryptionAlgorithms": [ + "SYMMETRIC_DEFAULT" + ], + "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", + "KeyManager": "CUSTOMER", + "KeySpec": "SYMMETRIC_DEFAULT", + "KeyState": "Enabled", + "KeyUsage": "ENCRYPT_DECRYPT", + "MultiRegion": false, + "Origin": "AWS_CLOUDHSM" + } + }, + "comments": { + "input": { + "CustomKeyStoreId": "Identifies the custom key store that hosts the KMS key.", + "Origin": "Indicates the source of the key material for the KMS key." + }, + "output": { + "KeyMetadata": "Detailed information about the KMS key that this operation creates." + } + }, + "description": "This example creates a KMS key in the specified custom key store. The operation creates the KMS key and its metadata in AWS KMS and the key material in the AWS CloudHSM cluster associated with the custom key store. This example requires the Origin and CustomKeyStoreId parameters.", + "id": "to-create-a-kms-key-in-a-custom-key-store-1630604382908", + "title": "To create a KMS key in a custom key store" } ], "Decrypt": [ @@ -151,6 +391,25 @@ "title": "To delete an alias" } ], + "DeleteCustomKeyStore": [ + { + "input": { + "CustomKeyStoreId": "cks-1234567890abcdef0" + }, + "output": { + }, + "comments": { + "input": { + "CustomKeyStoreId": "The ID of the custom key store to be deleted." + }, + "output": { + } + }, + "description": "This example deletes a custom key store from AWS KMS. This operation does not delete the AWS CloudHSM cluster that was associated with the CloudHSM cluster. This operation doesn't return any data. To verify that the operation was successful, use the DescribeCustomKeyStores operation. ", + "id": "to-delete-a-custom-key-store-from-aws-kms-1628630837145", + "title": "To delete a custom key store from AWS KMS" + } + ], "DeleteImportedKeyMaterial": [ { "input": { @@ -166,6 +425,55 @@ "title": "To delete imported key material" } ], + "DescribeCustomKeyStores": [ + { + "input": { + }, + "output": { + "CustomKeyStores": [ + + ] + }, + "comments": { + "input": { + }, + "output": { + "CustomKeyStores": "Details about each custom key store in the account and Region." + } + }, + "description": "This example gets detailed information about all AWS KMS custom key stores in an AWS account and Region. To get all key stores, do not enter a custom key store name or ID.", + "id": "to-get-detailed-information-about-custom-key-stores-in-the-account-and-region-1628628556811", + "title": "To get detailed information about custom key stores in the account and Region" + }, + { + "input": { + "CustomKeyStoreName": "ExampleKeyStore" + }, + "output": { + "CustomKeyStores": [ + { + "CloudHsmClusterId": "cluster-1a23b4cdefg", + "ConnectionState": "CONNECTED", + "CreationDate": "1.499288695918E9", + "CustomKeyStoreId": "cks-1234567890abcdef0", + "CustomKeyStoreName": "ExampleKeyStore", + "TrustAnchorCertificate": "" + } + ] + }, + "comments": { + "input": { + "CustomKeyStoreName": "The friendly name of the custom key store." + }, + "output": { + "CustomKeyStores": "Detailed information about the specified custom key store." + } + }, + "description": "This example gets detailed information about a particular AWS KMS custom key store that is associate with an AWS CloudHSM cluster. To limit the output to a particular custom key store, provide the custom key store name or ID. ", + "id": "to-get-detailed-information-about-a-custom-key-store-associated-with-a-cloudhsm-cluster-1628628885843", + "title": "To get detailed information about a custom key store associated with a CloudHSM cluster." + } + ], "DescribeKey": [ { "input": { @@ -234,6 +542,25 @@ "title": "To disable automatic rotation of key material" } ], + "DisconnectCustomKeyStore": [ + { + "input": { + "CustomKeyStoreId": "cks-1234567890abcdef0" + }, + "output": { + }, + "comments": { + "input": { + "CustomKeyStoreId": "The ID of the custom key store." + }, + "output": { + } + }, + "description": "This example disconnects an AWS KMS custom key store from its AWS CloudHSM cluster. This operation doesn't return any data. To verify that the custom key store is disconnected, use the DescribeCustomKeyStores operation.", + "id": "to-disconnect-a-custom-key-store-from-its-cloudhsm-cluster-1628627955156", + "title": "To disconnect a custom key store from its CloudHSM cluster" + } + ], "EnableKey": [ { "input": { @@ -316,6 +643,66 @@ "title": "To generate a data key" } ], + "GenerateDataKeyPair": [ + { + "input": { + "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", + "KeyPairSpec": "RSA_3072" + }, + "output": { + "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", + "KeyPairSpec": "RSA_3072", + "PrivateKeyCiphertextBlob": "", + "PrivateKeyPlaintext": "", + "PublicKey": "" + }, + "comments": { + "input": { + "KeyId": "The key ID of the symmetric KMS key that encrypts the private RSA key in the data key pair.", + "KeyPairSpec": "The requested key spec of the RSA data key pair." + }, + "output": { + "KeyId": "The key ARN of the symmetric KMS key that was used to encrypt the private key.", + "KeyPairSpec": "The actual key spec of the RSA data key pair.", + "PrivateKeyCiphertextBlob": "The encrypted private key of the RSA data key pair.", + "PrivateKeyPlaintext": "The plaintext private key of the RSA data key pair.", + "PublicKey": "The public key (plaintext) of the RSA data key pair." + } + }, + "description": "This example generates an RSA data key pair for encryption and decryption. The operation returns a plaintext public key and private key, and a copy of the private key that is encrypted under a symmetric KMS key that you specify.", + "id": "to-generate-an-rsa-key-pair-for-encryption-and-decryption-1628619376878", + "title": "To generate an RSA key pair for encryption and decryption" + } + ], + "GenerateDataKeyPairWithoutPlaintext": [ + { + "input": { + "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", + "KeyPairSpec": "ECC_NIST_P521" + }, + "output": { + "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", + "KeyPairSpec": "ECC_NIST_P521", + "PrivateKeyCiphertextBlob": "", + "PublicKey": "" + }, + "comments": { + "input": { + "KeyId": "The symmetric KMS key that encrypts the private key of the ECC data key pair.", + "KeyPairSpec": "The requested key spec of the ECC asymmetric data key pair." + }, + "output": { + "KeyId": "The key ARN of the symmetric KMS key that encrypted the private key in the ECC asymmetric data key pair.", + "KeyPairSpec": "The actual key spec of the ECC asymmetric data key pair.", + "PrivateKeyCiphertextBlob": "The encrypted private key of the asymmetric ECC data key pair.", + "PublicKey": "The public key (plaintext)." + } + }, + "description": "This example returns an asymmetric elliptic curve (ECC) data key pair. The private key is encrypted under the symmetric KMS key that you specify. This operation doesn't return a plaintext (unencrypted) private key.", + "id": "to-generate-an-asymmetric-data-key-pair-without-a-plaintext-key-1628620971564", + "title": "To generate an asymmetric data key pair without a plaintext key" + } + ], "GenerateDataKeyWithoutPlaintext": [ { "input": { @@ -437,6 +824,38 @@ "title": "To retrieve the public key and import token for a KMS key" } ], + "GetPublicKey": [ + { + "input": { + "KeyId": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321" + }, + "output": { + "CustomerMasterKeySpec": "RSA_4096", + "EncryptionAlgorithms": [ + "RSAES_OAEP_SHA_1", + "RSAES_OAEP_SHA_256" + ], + "KeyId": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321", + "KeyUsage": "ENCRYPT_DECRYPT", + "PublicKey": "" + }, + "comments": { + "input": { + "KeyId": "The key ARN of the asymmetric KMS key." + }, + "output": { + "CustomerMasterKeySpec": "The key spec of the asymmetric KMS key from which the public key was downloaded.", + "EncryptionAlgorithms": "The encryption algorithms supported by the asymmetric KMS key that was downloaded.", + "KeyId": "The key ARN of the asymmetric KMS key from which the public key was downloaded.", + "KeyUsage": "The key usage of the asymmetric KMS key from which the public key was downloaded.", + "PublicKey": "The public key (plaintext) of the asymmetric KMS key." + } + }, + "description": "This example gets the public key of an asymmetric RSA KMS key used for encryption and decryption. The operation returns the key spec, key usage, and encryption or signing algorithms to help you use the public key correctly outside of AWS KMS.", + "id": "to-download-the-public-key-of-an-asymmetric-kms-key-1628621691873", + "title": "To download the public key of an asymmetric KMS key" + } + ], "ImportKeyMaterial": [ { "input": { @@ -781,6 +1200,64 @@ "title": "To reencrypt data" } ], + "ReplicateKey": [ + { + "input": { + "KeyId": "arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab", + "ReplicaRegion": "us-west-2" + }, + "output": { + "ReplicaKeyMetadata": { + "AWSAccountId": "111122223333", + "Arn": "arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab", + "CreationDate": 1607472987.918, + "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT", + "Description": "", + "Enabled": true, + "EncryptionAlgorithms": [ + "SYMMETRIC_DEFAULT" + ], + "KeyId": "mrk-1234abcd12ab34cd56ef1234567890ab", + "KeyManager": "CUSTOMER", + "KeyState": "Enabled", + "KeyUsage": "ENCRYPT_DECRYPT", + "MultiRegion": true, + "MultiRegionConfiguration": { + "MultiRegionKeyType": "REPLICA", + "PrimaryKey": { + "Arn": "arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab", + "Region": "us-east-1" + }, + "ReplicaKeys": [ + { + "Arn": "arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab", + "Region": "us-west-2" + } + ] + }, + "Origin": "AWS_KMS" + }, + "ReplicaPolicy": "{\n \"Version\" : \"2012-10-17\",\n \"Id\" : \"key-default-1\",...}", + "ReplicaTags": [ + + ] + }, + "comments": { + "input": { + "KeyId": "The key ID or key ARN of the multi-Region primary key", + "ReplicaRegion": "The Region of the new replica." + }, + "output": { + "ReplicaKeyMetadata": "An object that displays detailed information about the replica key.", + "ReplicaPolicy": "The key policy of the replica key. If you don't specify a key policy, the replica key gets the default key policy for a KMS key.", + "ReplicaTags": "The tags on the replica key, if any." + } + }, + "description": "This example creates a multi-Region replica key in us-west-2 of a multi-Region primary key in us-east-1. ", + "id": "to-replicate-a-multi-region-key-in-a-different-aws-region-1628622402887", + "title": "To replicate a multi-Region key in a different AWS Region" + } + ], "RetireGrant": [ { "input": { @@ -840,6 +1317,37 @@ "title": "To schedule a KMS key for deletion" } ], + "Sign": [ + { + "input": { + "KeyId": "alias/ECC_signing_key", + "Message": "", + "MessageType": "RAW", + "SigningAlgorithm": "ECDSA_SHA_384" + }, + "output": { + "KeyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", + "Signature": "", + "SigningAlgorithm": "ECDSA_SHA_384" + }, + "comments": { + "input": { + "KeyId": "The asymmetric KMS key to be used to generate the digital signature. This example uses an alias of the KMS key.", + "Message": "Message to be signed. Use Base-64 for the CLI.", + "MessageType": "Indicates whether the message is RAW or a DIGEST.", + "SigningAlgorithm": "The requested signing algorithm. This must be an algorithm that the KMS key supports." + }, + "output": { + "KeyId": "The key ARN of the asymmetric KMS key that was used to sign the message.", + "Signature": "The digital signature of the message.", + "SigningAlgorithm": "The actual signing algorithm that was used to generate the signature." + } + }, + "description": "This operation uses the private key in an asymmetric elliptic curve (ECC) KMS key to generate a digital signature for a given message.", + "id": "to-digitally-sign-a-message-with-an-asymmetric-kms-key-1628631433832", + "title": "To digitally sign a message with an asymmetric KMS key." + } + ], "TagResource": [ { "input": { @@ -899,6 +1407,65 @@ "title": "To update an alias" } ], + "UpdateCustomKeyStore": [ + { + "input": { + "CustomKeyStoreId": "cks-1234567890abcdef0", + "KeyStorePassword": "ExamplePassword" + }, + "output": { + }, + "comments": { + "input": { + "CustomKeyStoreId": "The ID of the custom key store that you are updating.", + "KeyStorePassword": "The password for the kmsuser crypto user in the CloudHSM cluster." + }, + "output": { + } + }, + "description": "This example tells KMS the password for the kmsuser crypto user in the AWS CloudHSM cluster that is associated with the AWS KMS custom key store. (It does not change the password in the CloudHSM cluster.) This operation does not return any data.", + "id": "to-edit-the-properties-of-a-custom-key-store-1628629851834", + "title": "To edit the password of a custom key store" + }, + { + "input": { + "CustomKeyStoreId": "cks-1234567890abcdef0", + "NewCustomKeyStoreName": "DevelopmentKeys" + }, + "output": { + }, + "comments": { + "input": { + "CustomKeyStoreId": "The ID of the custom key store that you are updating.", + "NewCustomKeyStoreName": "A new friendly name for the custom key store." + }, + "output": { + } + }, + "description": "This example changes the friendly name of the AWS KMS custom key store to the name that you specify. This operation does not return any data. To verify that the operation worked, use the DescribeCustomKeyStores operation.", + "id": "to-edit-the-friendly-name-of-a-custom-key-store-1630451340904", + "title": "To edit the friendly name of a custom key store" + }, + { + "input": { + "CloudHsmClusterId": "cluster-1a23b4cdefg", + "CustomKeyStoreId": "cks-1234567890abcdef0" + }, + "output": { + }, + "comments": { + "input": { + "CloudHsmClusterId": "The ID of the AWS CloudHSM cluster that you want to associate with the custom key store. This cluster must be related to the original CloudHSM cluster for this key store.", + "CustomKeyStoreId": "The ID of the custom key store that you are updating." + }, + "output": { + } + }, + "description": "This example changes the cluster that is associated with a custom key store to a related cluster, such as a different backup of the same cluster. This operation does not return any data. To verify that the operation worked, use the DescribeCustomKeyStores operation.", + "id": "to-associate-the-custom-key-store-with-a-different-but-related-aws-cloudhsm-cluster-1630451842438", + "title": "To associate the custom key store with a different, but related, AWS CloudHSM cluster." + } + ], "UpdateKeyDescription": [ { "input": { @@ -915,6 +1482,39 @@ "id": "to-update-the-description-of-a-cmk-1481574808619", "title": "To update the description of a KMS key" } + ], + "Verify": [ + { + "input": { + "KeyId": "alias/ECC_signing_key", + "Message": "", + "MessageType": "RAW", + "Signature": "", + "SigningAlgorithm": "ECDSA_SHA_384" + }, + "output": { + "KeyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", + "SignatureValid": true, + "SigningAlgorithm": "ECDSA_SHA_384" + }, + "comments": { + "input": { + "KeyId": "The asymmetric KMS key to be used to verify the digital signature. This example uses an alias to identify the KMS key.", + "Message": "The message that was signed.", + "MessageType": "Indicates whether the message is RAW or a DIGEST.", + "Signature": "The signature to be verified.", + "SigningAlgorithm": "The signing algorithm to be used to verify the signature." + }, + "output": { + "KeyId": "The key ARN of the asymmetric KMS key that was used to verify the digital signature.", + "SignatureValid": "Indicates whether the signature was verified (true) or failed verification (false).", + "SigningAlgorithm": "The signing algorithm that was used to verify the signature." + } + }, + "description": "This operation uses the public key in an elliptic curve (ECC) asymmetric key to verify a digital signature within AWS KMS. ", + "id": "to-use-an-asymmetric-kms-key-to-verify-a-digital-signature-1628633365663", + "title": "To use an asymmetric KMS key to verify a digital signature" + } ] } } diff --git a/service/codebuild/api.go b/service/codebuild/api.go index cda633ee88d..1e74490105a 100644 --- a/service/codebuild/api.go +++ b/service/codebuild/api.go @@ -9442,14 +9442,16 @@ type ListBuildsForProjectInput struct { // ProjectName is a required field ProjectName *string `locationName:"projectName" min:"1" type:"string" required:"true"` - // The order to list results in. The results are sorted by build number, not - // the build identifier. + // The order to sort the results in. The results are sorted by build number, + // not the build identifier. If this is not specified, the results are sorted + // in descending order. // // Valid values include: // - // * ASCENDING: List the build IDs in ascending order by build ID. + // * ASCENDING: List the build identifiers in ascending order, by build number. // - // * DESCENDING: List the build IDs in descending order by build ID. + // * DESCENDING: List the build identifiers in descending order, by build + // number. // // If the project has more than 100 builds, setting the sort order will result // in an error. @@ -9511,8 +9513,8 @@ func (s *ListBuildsForProjectInput) SetSortOrder(v string) *ListBuildsForProject type ListBuildsForProjectOutput struct { _ struct{} `type:"structure"` - // A list of build IDs for the specified build project, with each build ID representing - // a single build. + // A list of build identifiers for the specified build project, with each build + // ID representing a single build. Ids []*string `locationName:"ids" min:"1" type:"list"` // If there are more than 100 items in the list, only the first 100 items are @@ -11498,6 +11500,20 @@ func (s *ProjectBadge) SetBadgeRequestUrl(v string) *ProjectBadge { type ProjectBuildBatchConfig struct { _ struct{} `type:"structure"` + // Specifies how build status reports are sent to the source provider for the + // batch build. This property is only used when the source provider for your + // project is Bitbucket, GitHub, or GitHub Enterprise, and your project is configured + // to report build statuses to the source provider. + // + // REPORT_AGGREGATED_BATCH + // + // (Default) Aggregate all of the build statuses into a single status report. + // + // REPORT_INDIVIDUAL_BUILDS + // + // Send a separate status report for each individual build. + BatchReportMode *string `locationName:"batchReportMode" type:"string" enum:"BatchReportModeType"` + // Specifies if the build artifacts for the batch build should be combined into // a single artifact location. CombineArtifacts *bool `locationName:"combineArtifacts" type:"boolean"` @@ -11545,6 +11561,12 @@ func (s *ProjectBuildBatchConfig) Validate() error { return nil } +// SetBatchReportMode sets the BatchReportMode field's value. +func (s *ProjectBuildBatchConfig) SetBatchReportMode(v string) *ProjectBuildBatchConfig { + s.BatchReportMode = &v + return s +} + // SetCombineArtifacts sets the CombineArtifacts field's value. func (s *ProjectBuildBatchConfig) SetCombineArtifacts(v bool) *ProjectBuildBatchConfig { s.CombineArtifacts = &v @@ -15216,7 +15238,7 @@ type UpdateProjectInput struct { // The number of minutes a build is allowed to be queued before it times out. QueuedTimeoutInMinutes *int64 `locationName:"queuedTimeoutInMinutes" min:"5" type:"integer"` - // An array of ProjectSource objects. + // An array of ProjectArtifact objects. SecondaryArtifacts []*ProjectArtifacts `locationName:"secondaryArtifacts" type:"list"` // An array of ProjectSourceVersion objects. If secondarySourceVersions is specified @@ -16291,6 +16313,22 @@ func AuthType_Values() []string { } } +const ( + // BatchReportModeTypeReportIndividualBuilds is a BatchReportModeType enum value + BatchReportModeTypeReportIndividualBuilds = "REPORT_INDIVIDUAL_BUILDS" + + // BatchReportModeTypeReportAggregatedBatch is a BatchReportModeType enum value + BatchReportModeTypeReportAggregatedBatch = "REPORT_AGGREGATED_BATCH" +) + +// BatchReportModeType_Values returns all elements of the BatchReportModeType enum +func BatchReportModeType_Values() []string { + return []string{ + BatchReportModeTypeReportIndividualBuilds, + BatchReportModeTypeReportAggregatedBatch, + } +} + // Specifies the bucket owner's access for objects that another account uploads // to their Amazon S3 bucket. By default, only the account that uploads the // objects to the bucket has access to these objects. This property allows you diff --git a/service/efs/api.go b/service/efs/api.go index fda07c837d0..e6a9e6be53a 100644 --- a/service/efs/api.go +++ b/service/efs/api.go @@ -2512,6 +2512,10 @@ func (c *EFS) PutAccountPreferencesRequest(input *PutAccountPreferencesInput) (r // API operation PutAccountPreferences for usage and error information. // // Returned Error Types: +// * BadRequest +// Returned if the request is malformed or contains an error such as an invalid +// parameter value or a missing required parameter. +// // * InternalServerError // Returned if an error occurred on the server side. // diff --git a/service/kms/api.go b/service/kms/api.go index aef79ed9d80..a55357d2936 100644 --- a/service/kms/api.go +++ b/service/kms/api.go @@ -7057,7 +7057,8 @@ func (c *KMS) UpdateCustomKeyStoreRequest(input *UpdateCustomKeyStoreInput) (req // the connection state of a custom key store, use the DescribeCustomKeyStores // operation. // -// Use the parameters of UpdateCustomKeyStore to edit your keystore settings. +// The CustomKeyStoreId parameter is required in all commands. Use the other +// parameters of UpdateCustomKeyStore to edit your key store settings. // // * Use the NewCustomKeyStoreName parameter to change the friendly name // of the custom key store to the value that you specify. diff --git a/service/kms/examples_test.go b/service/kms/examples_test.go index 713919d0369..8454a845c72 100644 --- a/service/kms/examples_test.go +++ b/service/kms/examples_test.go @@ -62,6 +62,45 @@ func ExampleKMS_CancelKeyDeletion_shared00() { fmt.Println(result) } +// To connect a custom key store to its CloudHSM cluster +// +// This example connects an AWS KMS custom key store to its AWS CloudHSM cluster. This +// operation does not return any data. To verify that the custom key store is connected, +// use the DescribeCustomKeyStores operation. +func ExampleKMS_ConnectCustomKeyStore_shared00() { + svc := kms.New(session.New()) + input := &kms.ConnectCustomKeyStoreInput{ + CustomKeyStoreId: aws.String("cks-1234567890abcdef0"), + } + + result, err := svc.ConnectCustomKeyStore(input) + if err != nil { + if aerr, ok := err.(awserr.Error); ok { + switch aerr.Code() { + case kms.ErrCodeCloudHsmClusterNotActiveException: + fmt.Println(kms.ErrCodeCloudHsmClusterNotActiveException, aerr.Error()) + case kms.ErrCodeCustomKeyStoreInvalidStateException: + fmt.Println(kms.ErrCodeCustomKeyStoreInvalidStateException, aerr.Error()) + case kms.ErrCodeCustomKeyStoreNotFoundException: + fmt.Println(kms.ErrCodeCustomKeyStoreNotFoundException, aerr.Error()) + case kms.ErrCodeInternalException: + fmt.Println(kms.ErrCodeInternalException, aerr.Error()) + case kms.ErrCodeCloudHsmClusterInvalidConfigurationException: + fmt.Println(kms.ErrCodeCloudHsmClusterInvalidConfigurationException, aerr.Error()) + default: + fmt.Println(aerr.Error()) + } + } else { + // Print the error, cast err to awserr.Error to get the Code and + // Message from an error. + fmt.Println(err.Error()) + } + return + } + + fmt.Println(result) +} + // To create an alias // // The following example creates an alias for the specified KMS key. @@ -104,6 +143,50 @@ func ExampleKMS_CreateAlias_shared00() { fmt.Println(result) } +// To create an AWS CloudHSM custom key store +// +// This example creates a custom key store that is associated with an AWS CloudHSM cluster. +func ExampleKMS_CreateCustomKeyStore_shared00() { + svc := kms.New(session.New()) + input := &kms.CreateCustomKeyStoreInput{ + CloudHsmClusterId: aws.String("cluster-1a23b4cdefg"), + CustomKeyStoreName: aws.String("ExampleKeyStore"), + KeyStorePassword: aws.String("kmsPswd"), + TrustAnchorCertificate: aws.String(""), + } + + result, err := svc.CreateCustomKeyStore(input) + if err != nil { + if aerr, ok := err.(awserr.Error); ok { + switch aerr.Code() { + case kms.ErrCodeCloudHsmClusterInUseException: + fmt.Println(kms.ErrCodeCloudHsmClusterInUseException, aerr.Error()) + case kms.ErrCodeCustomKeyStoreNameInUseException: + fmt.Println(kms.ErrCodeCustomKeyStoreNameInUseException, aerr.Error()) + case kms.ErrCodeCloudHsmClusterNotFoundException: + fmt.Println(kms.ErrCodeCloudHsmClusterNotFoundException, aerr.Error()) + case kms.ErrCodeInternalException: + fmt.Println(kms.ErrCodeInternalException, aerr.Error()) + case kms.ErrCodeCloudHsmClusterNotActiveException: + fmt.Println(kms.ErrCodeCloudHsmClusterNotActiveException, aerr.Error()) + case kms.ErrCodeIncorrectTrustAnchorException: + fmt.Println(kms.ErrCodeIncorrectTrustAnchorException, aerr.Error()) + case kms.ErrCodeCloudHsmClusterInvalidConfigurationException: + fmt.Println(kms.ErrCodeCloudHsmClusterInvalidConfigurationException, aerr.Error()) + default: + fmt.Println(aerr.Error()) + } + } else { + // Print the error, cast err to awserr.Error to get the Code and + // Message from an error. + fmt.Println(err.Error()) + } + return + } + + fmt.Println(result) +} + // To create a grant // // The following example creates a grant that allows the specified IAM role to encrypt @@ -155,16 +238,259 @@ func ExampleKMS_CreateGrant_shared00() { // To create a KMS key // -// The following example creates a KMS key. +// The following example creates a symmetric KMS key for encryption and decryption. +// No parameters are required for this operation. func ExampleKMS_CreateKey_shared00() { + svc := kms.New(session.New()) + input := &kms.CreateKeyInput{} + + result, err := svc.CreateKey(input) + if err != nil { + if aerr, ok := err.(awserr.Error); ok { + switch aerr.Code() { + case kms.ErrCodeMalformedPolicyDocumentException: + fmt.Println(kms.ErrCodeMalformedPolicyDocumentException, aerr.Error()) + case kms.ErrCodeDependencyTimeoutException: + fmt.Println(kms.ErrCodeDependencyTimeoutException, aerr.Error()) + case kms.ErrCodeInvalidArnException: + fmt.Println(kms.ErrCodeInvalidArnException, aerr.Error()) + case kms.ErrCodeUnsupportedOperationException: + fmt.Println(kms.ErrCodeUnsupportedOperationException, aerr.Error()) + case kms.ErrCodeInternalException: + fmt.Println(kms.ErrCodeInternalException, aerr.Error()) + case kms.ErrCodeLimitExceededException: + fmt.Println(kms.ErrCodeLimitExceededException, aerr.Error()) + case kms.ErrCodeTagException: + fmt.Println(kms.ErrCodeTagException, aerr.Error()) + case kms.ErrCodeCustomKeyStoreNotFoundException: + fmt.Println(kms.ErrCodeCustomKeyStoreNotFoundException, aerr.Error()) + case kms.ErrCodeCustomKeyStoreInvalidStateException: + fmt.Println(kms.ErrCodeCustomKeyStoreInvalidStateException, aerr.Error()) + case kms.ErrCodeCloudHsmClusterInvalidConfigurationException: + fmt.Println(kms.ErrCodeCloudHsmClusterInvalidConfigurationException, aerr.Error()) + default: + fmt.Println(aerr.Error()) + } + } else { + // Print the error, cast err to awserr.Error to get the Code and + // Message from an error. + fmt.Println(err.Error()) + } + return + } + + fmt.Println(result) +} + +// To create an asymmetric RSA KMS key for encryption and decryption +// +// This example creates a KMS key that contains an asymmetric RSA key pair for encryption +// and decryption. The key spec and key usage can't be changed after the key is created. +func ExampleKMS_CreateKey_shared01() { svc := kms.New(session.New()) input := &kms.CreateKeyInput{ - Tags: []*kms.Tag{ - { - TagKey: aws.String("CreatedBy"), - TagValue: aws.String("ExampleUser"), - }, - }, + KeySpec: aws.String("RSA_4096"), + KeyUsage: aws.String("ENCRYPT_DECRYPT"), + } + + result, err := svc.CreateKey(input) + if err != nil { + if aerr, ok := err.(awserr.Error); ok { + switch aerr.Code() { + case kms.ErrCodeMalformedPolicyDocumentException: + fmt.Println(kms.ErrCodeMalformedPolicyDocumentException, aerr.Error()) + case kms.ErrCodeDependencyTimeoutException: + fmt.Println(kms.ErrCodeDependencyTimeoutException, aerr.Error()) + case kms.ErrCodeInvalidArnException: + fmt.Println(kms.ErrCodeInvalidArnException, aerr.Error()) + case kms.ErrCodeUnsupportedOperationException: + fmt.Println(kms.ErrCodeUnsupportedOperationException, aerr.Error()) + case kms.ErrCodeInternalException: + fmt.Println(kms.ErrCodeInternalException, aerr.Error()) + case kms.ErrCodeLimitExceededException: + fmt.Println(kms.ErrCodeLimitExceededException, aerr.Error()) + case kms.ErrCodeTagException: + fmt.Println(kms.ErrCodeTagException, aerr.Error()) + case kms.ErrCodeCustomKeyStoreNotFoundException: + fmt.Println(kms.ErrCodeCustomKeyStoreNotFoundException, aerr.Error()) + case kms.ErrCodeCustomKeyStoreInvalidStateException: + fmt.Println(kms.ErrCodeCustomKeyStoreInvalidStateException, aerr.Error()) + case kms.ErrCodeCloudHsmClusterInvalidConfigurationException: + fmt.Println(kms.ErrCodeCloudHsmClusterInvalidConfigurationException, aerr.Error()) + default: + fmt.Println(aerr.Error()) + } + } else { + // Print the error, cast err to awserr.Error to get the Code and + // Message from an error. + fmt.Println(err.Error()) + } + return + } + + fmt.Println(result) +} + +// To create an asymmetric elliptic curve KMS key for signing and verification +// +// This example creates a KMS key that contains an asymmetric elliptic curve (ECC) key +// pair for signing and verification. The key usage is required even though "SIGN_VERIFY" +// is the only valid value for ECC KMS keys. The key spec and key usage can't be changed +// after the key is created. +func ExampleKMS_CreateKey_shared02() { + svc := kms.New(session.New()) + input := &kms.CreateKeyInput{ + KeySpec: aws.String("ECC_NIST_P521"), + KeyUsage: aws.String("SIGN_VERIFY"), + } + + result, err := svc.CreateKey(input) + if err != nil { + if aerr, ok := err.(awserr.Error); ok { + switch aerr.Code() { + case kms.ErrCodeMalformedPolicyDocumentException: + fmt.Println(kms.ErrCodeMalformedPolicyDocumentException, aerr.Error()) + case kms.ErrCodeDependencyTimeoutException: + fmt.Println(kms.ErrCodeDependencyTimeoutException, aerr.Error()) + case kms.ErrCodeInvalidArnException: + fmt.Println(kms.ErrCodeInvalidArnException, aerr.Error()) + case kms.ErrCodeUnsupportedOperationException: + fmt.Println(kms.ErrCodeUnsupportedOperationException, aerr.Error()) + case kms.ErrCodeInternalException: + fmt.Println(kms.ErrCodeInternalException, aerr.Error()) + case kms.ErrCodeLimitExceededException: + fmt.Println(kms.ErrCodeLimitExceededException, aerr.Error()) + case kms.ErrCodeTagException: + fmt.Println(kms.ErrCodeTagException, aerr.Error()) + case kms.ErrCodeCustomKeyStoreNotFoundException: + fmt.Println(kms.ErrCodeCustomKeyStoreNotFoundException, aerr.Error()) + case kms.ErrCodeCustomKeyStoreInvalidStateException: + fmt.Println(kms.ErrCodeCustomKeyStoreInvalidStateException, aerr.Error()) + case kms.ErrCodeCloudHsmClusterInvalidConfigurationException: + fmt.Println(kms.ErrCodeCloudHsmClusterInvalidConfigurationException, aerr.Error()) + default: + fmt.Println(aerr.Error()) + } + } else { + // Print the error, cast err to awserr.Error to get the Code and + // Message from an error. + fmt.Println(err.Error()) + } + return + } + + fmt.Println(result) +} + +// To create a multi-Region primary KMS key +// +// This example creates a multi-Region primary symmetric encryption key. Because the +// default values for all parameters create a symmetric encryption key, only the MultiRegion +// parameter is required for this KMS key. +func ExampleKMS_CreateKey_shared03() { + svc := kms.New(session.New()) + input := &kms.CreateKeyInput{ + MultiRegion: aws.Bool(true), + } + + result, err := svc.CreateKey(input) + if err != nil { + if aerr, ok := err.(awserr.Error); ok { + switch aerr.Code() { + case kms.ErrCodeMalformedPolicyDocumentException: + fmt.Println(kms.ErrCodeMalformedPolicyDocumentException, aerr.Error()) + case kms.ErrCodeDependencyTimeoutException: + fmt.Println(kms.ErrCodeDependencyTimeoutException, aerr.Error()) + case kms.ErrCodeInvalidArnException: + fmt.Println(kms.ErrCodeInvalidArnException, aerr.Error()) + case kms.ErrCodeUnsupportedOperationException: + fmt.Println(kms.ErrCodeUnsupportedOperationException, aerr.Error()) + case kms.ErrCodeInternalException: + fmt.Println(kms.ErrCodeInternalException, aerr.Error()) + case kms.ErrCodeLimitExceededException: + fmt.Println(kms.ErrCodeLimitExceededException, aerr.Error()) + case kms.ErrCodeTagException: + fmt.Println(kms.ErrCodeTagException, aerr.Error()) + case kms.ErrCodeCustomKeyStoreNotFoundException: + fmt.Println(kms.ErrCodeCustomKeyStoreNotFoundException, aerr.Error()) + case kms.ErrCodeCustomKeyStoreInvalidStateException: + fmt.Println(kms.ErrCodeCustomKeyStoreInvalidStateException, aerr.Error()) + case kms.ErrCodeCloudHsmClusterInvalidConfigurationException: + fmt.Println(kms.ErrCodeCloudHsmClusterInvalidConfigurationException, aerr.Error()) + default: + fmt.Println(aerr.Error()) + } + } else { + // Print the error, cast err to awserr.Error to get the Code and + // Message from an error. + fmt.Println(err.Error()) + } + return + } + + fmt.Println(result) +} + +// To create a KMS key for imported key material +// +// This example creates a KMS key with no key material. When the operation is complete, +// you can import your own key material into the KMS key. To create this KMS key, set +// the Origin parameter to EXTERNAL. +func ExampleKMS_CreateKey_shared04() { + svc := kms.New(session.New()) + input := &kms.CreateKeyInput{ + Origin: aws.String("EXTERNAL"), + } + + result, err := svc.CreateKey(input) + if err != nil { + if aerr, ok := err.(awserr.Error); ok { + switch aerr.Code() { + case kms.ErrCodeMalformedPolicyDocumentException: + fmt.Println(kms.ErrCodeMalformedPolicyDocumentException, aerr.Error()) + case kms.ErrCodeDependencyTimeoutException: + fmt.Println(kms.ErrCodeDependencyTimeoutException, aerr.Error()) + case kms.ErrCodeInvalidArnException: + fmt.Println(kms.ErrCodeInvalidArnException, aerr.Error()) + case kms.ErrCodeUnsupportedOperationException: + fmt.Println(kms.ErrCodeUnsupportedOperationException, aerr.Error()) + case kms.ErrCodeInternalException: + fmt.Println(kms.ErrCodeInternalException, aerr.Error()) + case kms.ErrCodeLimitExceededException: + fmt.Println(kms.ErrCodeLimitExceededException, aerr.Error()) + case kms.ErrCodeTagException: + fmt.Println(kms.ErrCodeTagException, aerr.Error()) + case kms.ErrCodeCustomKeyStoreNotFoundException: + fmt.Println(kms.ErrCodeCustomKeyStoreNotFoundException, aerr.Error()) + case kms.ErrCodeCustomKeyStoreInvalidStateException: + fmt.Println(kms.ErrCodeCustomKeyStoreInvalidStateException, aerr.Error()) + case kms.ErrCodeCloudHsmClusterInvalidConfigurationException: + fmt.Println(kms.ErrCodeCloudHsmClusterInvalidConfigurationException, aerr.Error()) + default: + fmt.Println(aerr.Error()) + } + } else { + // Print the error, cast err to awserr.Error to get the Code and + // Message from an error. + fmt.Println(err.Error()) + } + return + } + + fmt.Println(result) +} + +// To create a KMS key in a custom key store +// +// This example creates a KMS key in the specified custom key store. The operation creates +// the KMS key and its metadata in AWS KMS and the key material in the AWS CloudHSM +// cluster associated with the custom key store. This example requires the Origin and +// CustomKeyStoreId parameters. +func ExampleKMS_CreateKey_shared05() { + svc := kms.New(session.New()) + input := &kms.CreateKeyInput{ + CustomKeyStoreId: aws.String("cks-1234567890abcdef0"), + Origin: aws.String("AWS_CLOUDHSM"), } result, err := svc.CreateKey(input) @@ -288,6 +614,44 @@ func ExampleKMS_DeleteAlias_shared00() { fmt.Println(result) } +// To delete a custom key store from AWS KMS +// +// This example deletes a custom key store from AWS KMS. This operation does not delete +// the AWS CloudHSM cluster that was associated with the CloudHSM cluster. This operation +// doesn't return any data. To verify that the operation was successful, use the DescribeCustomKeyStores +// operation. +func ExampleKMS_DeleteCustomKeyStore_shared00() { + svc := kms.New(session.New()) + input := &kms.DeleteCustomKeyStoreInput{ + CustomKeyStoreId: aws.String("cks-1234567890abcdef0"), + } + + result, err := svc.DeleteCustomKeyStore(input) + if err != nil { + if aerr, ok := err.(awserr.Error); ok { + switch aerr.Code() { + case kms.ErrCodeCustomKeyStoreHasCMKsException: + fmt.Println(kms.ErrCodeCustomKeyStoreHasCMKsException, aerr.Error()) + case kms.ErrCodeCustomKeyStoreInvalidStateException: + fmt.Println(kms.ErrCodeCustomKeyStoreInvalidStateException, aerr.Error()) + case kms.ErrCodeCustomKeyStoreNotFoundException: + fmt.Println(kms.ErrCodeCustomKeyStoreNotFoundException, aerr.Error()) + case kms.ErrCodeInternalException: + fmt.Println(kms.ErrCodeInternalException, aerr.Error()) + default: + fmt.Println(aerr.Error()) + } + } else { + // Print the error, cast err to awserr.Error to get the Code and + // Message from an error. + fmt.Println(err.Error()) + } + return + } + + fmt.Println(result) +} + // To delete imported key material // // The following example deletes the imported key material from the specified KMS key. @@ -327,6 +691,74 @@ func ExampleKMS_DeleteImportedKeyMaterial_shared00() { fmt.Println(result) } +// To get detailed information about custom key stores in the account and Region +// +// This example gets detailed information about all AWS KMS custom key stores in an +// AWS account and Region. To get all key stores, do not enter a custom key store name +// or ID. +func ExampleKMS_DescribeCustomKeyStores_shared00() { + svc := kms.New(session.New()) + input := &kms.DescribeCustomKeyStoresInput{} + + result, err := svc.DescribeCustomKeyStores(input) + if err != nil { + if aerr, ok := err.(awserr.Error); ok { + switch aerr.Code() { + case kms.ErrCodeCustomKeyStoreNotFoundException: + fmt.Println(kms.ErrCodeCustomKeyStoreNotFoundException, aerr.Error()) + case kms.ErrCodeInvalidMarkerException: + fmt.Println(kms.ErrCodeInvalidMarkerException, aerr.Error()) + case kms.ErrCodeInternalException: + fmt.Println(kms.ErrCodeInternalException, aerr.Error()) + default: + fmt.Println(aerr.Error()) + } + } else { + // Print the error, cast err to awserr.Error to get the Code and + // Message from an error. + fmt.Println(err.Error()) + } + return + } + + fmt.Println(result) +} + +// To get detailed information about a custom key store associated with a CloudHSM cluster. +// +// This example gets detailed information about a particular AWS KMS custom key store +// that is associate with an AWS CloudHSM cluster. To limit the output to a particular +// custom key store, provide the custom key store name or ID. +func ExampleKMS_DescribeCustomKeyStores_shared01() { + svc := kms.New(session.New()) + input := &kms.DescribeCustomKeyStoresInput{ + CustomKeyStoreName: aws.String("ExampleKeyStore"), + } + + result, err := svc.DescribeCustomKeyStores(input) + if err != nil { + if aerr, ok := err.(awserr.Error); ok { + switch aerr.Code() { + case kms.ErrCodeCustomKeyStoreNotFoundException: + fmt.Println(kms.ErrCodeCustomKeyStoreNotFoundException, aerr.Error()) + case kms.ErrCodeInvalidMarkerException: + fmt.Println(kms.ErrCodeInvalidMarkerException, aerr.Error()) + case kms.ErrCodeInternalException: + fmt.Println(kms.ErrCodeInternalException, aerr.Error()) + default: + fmt.Println(aerr.Error()) + } + } else { + // Print the error, cast err to awserr.Error to get the Code and + // Message from an error. + fmt.Println(err.Error()) + } + return + } + + fmt.Println(result) +} + // To get details about a KMS key // // The following example gets metadata about a symmetric KMS key. @@ -441,6 +873,41 @@ func ExampleKMS_DisableKeyRotation_shared00() { fmt.Println(result) } +// To disconnect a custom key store from its CloudHSM cluster +// +// This example disconnects an AWS KMS custom key store from its AWS CloudHSM cluster. +// This operation doesn't return any data. To verify that the custom key store is disconnected, +// use the DescribeCustomKeyStores operation. +func ExampleKMS_DisconnectCustomKeyStore_shared00() { + svc := kms.New(session.New()) + input := &kms.DisconnectCustomKeyStoreInput{ + CustomKeyStoreId: aws.String("cks-1234567890abcdef0"), + } + + result, err := svc.DisconnectCustomKeyStore(input) + if err != nil { + if aerr, ok := err.(awserr.Error); ok { + switch aerr.Code() { + case kms.ErrCodeCustomKeyStoreInvalidStateException: + fmt.Println(kms.ErrCodeCustomKeyStoreInvalidStateException, aerr.Error()) + case kms.ErrCodeCustomKeyStoreNotFoundException: + fmt.Println(kms.ErrCodeCustomKeyStoreNotFoundException, aerr.Error()) + case kms.ErrCodeInternalException: + fmt.Println(kms.ErrCodeInternalException, aerr.Error()) + default: + fmt.Println(aerr.Error()) + } + } else { + // Print the error, cast err to awserr.Error to get the Code and + // Message from an error. + fmt.Println(err.Error()) + } + return + } + + fmt.Println(result) +} + // To enable a KMS key // // The following example enables the specified KMS key. @@ -566,19 +1033,113 @@ func ExampleKMS_Encrypt_shared00() { fmt.Println(result) } -// To generate a data key +// To generate a data key +// +// The following example generates a 256-bit symmetric data encryption key (data key) +// in two formats. One is the unencrypted (plainext) data key, and the other is the +// data key encrypted with the specified KMS key. +func ExampleKMS_GenerateDataKey_shared00() { + svc := kms.New(session.New()) + input := &kms.GenerateDataKeyInput{ + KeyId: aws.String("alias/ExampleAlias"), + KeySpec: aws.String("AES_256"), + } + + result, err := svc.GenerateDataKey(input) + if err != nil { + if aerr, ok := err.(awserr.Error); ok { + switch aerr.Code() { + case kms.ErrCodeNotFoundException: + fmt.Println(kms.ErrCodeNotFoundException, aerr.Error()) + case kms.ErrCodeDisabledException: + fmt.Println(kms.ErrCodeDisabledException, aerr.Error()) + case kms.ErrCodeKeyUnavailableException: + fmt.Println(kms.ErrCodeKeyUnavailableException, aerr.Error()) + case kms.ErrCodeDependencyTimeoutException: + fmt.Println(kms.ErrCodeDependencyTimeoutException, aerr.Error()) + case kms.ErrCodeInvalidKeyUsageException: + fmt.Println(kms.ErrCodeInvalidKeyUsageException, aerr.Error()) + case kms.ErrCodeInvalidGrantTokenException: + fmt.Println(kms.ErrCodeInvalidGrantTokenException, aerr.Error()) + case kms.ErrCodeInternalException: + fmt.Println(kms.ErrCodeInternalException, aerr.Error()) + case kms.ErrCodeInvalidStateException: + fmt.Println(kms.ErrCodeInvalidStateException, aerr.Error()) + default: + fmt.Println(aerr.Error()) + } + } else { + // Print the error, cast err to awserr.Error to get the Code and + // Message from an error. + fmt.Println(err.Error()) + } + return + } + + fmt.Println(result) +} + +// To generate an RSA key pair for encryption and decryption +// +// This example generates an RSA data key pair for encryption and decryption. The operation +// returns a plaintext public key and private key, and a copy of the private key that +// is encrypted under a symmetric KMS key that you specify. +func ExampleKMS_GenerateDataKeyPair_shared00() { + svc := kms.New(session.New()) + input := &kms.GenerateDataKeyPairInput{ + KeyId: aws.String("arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"), + KeyPairSpec: aws.String("RSA_3072"), + } + + result, err := svc.GenerateDataKeyPair(input) + if err != nil { + if aerr, ok := err.(awserr.Error); ok { + switch aerr.Code() { + case kms.ErrCodeNotFoundException: + fmt.Println(kms.ErrCodeNotFoundException, aerr.Error()) + case kms.ErrCodeDisabledException: + fmt.Println(kms.ErrCodeDisabledException, aerr.Error()) + case kms.ErrCodeKeyUnavailableException: + fmt.Println(kms.ErrCodeKeyUnavailableException, aerr.Error()) + case kms.ErrCodeDependencyTimeoutException: + fmt.Println(kms.ErrCodeDependencyTimeoutException, aerr.Error()) + case kms.ErrCodeInvalidKeyUsageException: + fmt.Println(kms.ErrCodeInvalidKeyUsageException, aerr.Error()) + case kms.ErrCodeInvalidGrantTokenException: + fmt.Println(kms.ErrCodeInvalidGrantTokenException, aerr.Error()) + case kms.ErrCodeInternalException: + fmt.Println(kms.ErrCodeInternalException, aerr.Error()) + case kms.ErrCodeInvalidStateException: + fmt.Println(kms.ErrCodeInvalidStateException, aerr.Error()) + case kms.ErrCodeUnsupportedOperationException: + fmt.Println(kms.ErrCodeUnsupportedOperationException, aerr.Error()) + default: + fmt.Println(aerr.Error()) + } + } else { + // Print the error, cast err to awserr.Error to get the Code and + // Message from an error. + fmt.Println(err.Error()) + } + return + } + + fmt.Println(result) +} + +// To generate an asymmetric data key pair without a plaintext key // -// The following example generates a 256-bit symmetric data encryption key (data key) -// in two formats. One is the unencrypted (plainext) data key, and the other is the -// data key encrypted with the specified KMS key. -func ExampleKMS_GenerateDataKey_shared00() { +// This example returns an asymmetric elliptic curve (ECC) data key pair. The private +// key is encrypted under the symmetric KMS key that you specify. This operation doesn't +// return a plaintext (unencrypted) private key. +func ExampleKMS_GenerateDataKeyPairWithoutPlaintext_shared00() { svc := kms.New(session.New()) - input := &kms.GenerateDataKeyInput{ - KeyId: aws.String("alias/ExampleAlias"), - KeySpec: aws.String("AES_256"), + input := &kms.GenerateDataKeyPairWithoutPlaintextInput{ + KeyId: aws.String("arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"), + KeyPairSpec: aws.String("ECC_NIST_P521"), } - result, err := svc.GenerateDataKey(input) + result, err := svc.GenerateDataKeyPairWithoutPlaintext(input) if err != nil { if aerr, ok := err.(awserr.Error); ok { switch aerr.Code() { @@ -598,6 +1159,8 @@ func ExampleKMS_GenerateDataKey_shared00() { fmt.Println(kms.ErrCodeInternalException, aerr.Error()) case kms.ErrCodeInvalidStateException: fmt.Println(kms.ErrCodeInvalidStateException, aerr.Error()) + case kms.ErrCodeUnsupportedOperationException: + fmt.Println(kms.ErrCodeUnsupportedOperationException, aerr.Error()) default: fmt.Println(aerr.Error()) } @@ -812,6 +1375,55 @@ func ExampleKMS_GetParametersForImport_shared00() { fmt.Println(result) } +// To download the public key of an asymmetric KMS key +// +// This example gets the public key of an asymmetric RSA KMS key used for encryption +// and decryption. The operation returns the key spec, key usage, and encryption or +// signing algorithms to help you use the public key correctly outside of AWS KMS. +func ExampleKMS_GetPublicKey_shared00() { + svc := kms.New(session.New()) + input := &kms.GetPublicKeyInput{ + KeyId: aws.String("arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"), + } + + result, err := svc.GetPublicKey(input) + if err != nil { + if aerr, ok := err.(awserr.Error); ok { + switch aerr.Code() { + case kms.ErrCodeNotFoundException: + fmt.Println(kms.ErrCodeNotFoundException, aerr.Error()) + case kms.ErrCodeDisabledException: + fmt.Println(kms.ErrCodeDisabledException, aerr.Error()) + case kms.ErrCodeKeyUnavailableException: + fmt.Println(kms.ErrCodeKeyUnavailableException, aerr.Error()) + case kms.ErrCodeDependencyTimeoutException: + fmt.Println(kms.ErrCodeDependencyTimeoutException, aerr.Error()) + case kms.ErrCodeUnsupportedOperationException: + fmt.Println(kms.ErrCodeUnsupportedOperationException, aerr.Error()) + case kms.ErrCodeInvalidArnException: + fmt.Println(kms.ErrCodeInvalidArnException, aerr.Error()) + case kms.ErrCodeInvalidGrantTokenException: + fmt.Println(kms.ErrCodeInvalidGrantTokenException, aerr.Error()) + case kms.ErrCodeInvalidKeyUsageException: + fmt.Println(kms.ErrCodeInvalidKeyUsageException, aerr.Error()) + case kms.ErrCodeInternalException: + fmt.Println(kms.ErrCodeInternalException, aerr.Error()) + case kms.ErrCodeInvalidStateException: + fmt.Println(kms.ErrCodeInvalidStateException, aerr.Error()) + default: + fmt.Println(aerr.Error()) + } + } else { + // Print the error, cast err to awserr.Error to get the Code and + // Message from an error. + fmt.Println(err.Error()) + } + return + } + + fmt.Println(result) +} + // To import key material into a KMS key // // The following example imports key material into the specified KMS key. @@ -1172,6 +1784,55 @@ func ExampleKMS_ReEncrypt_shared00() { fmt.Println(result) } +// To replicate a multi-Region key in a different AWS Region +// +// This example creates a multi-Region replica key in us-west-2 of a multi-Region primary +// key in us-east-1. +func ExampleKMS_ReplicateKey_shared00() { + svc := kms.New(session.New()) + input := &kms.ReplicateKeyInput{ + KeyId: aws.String("arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab"), + ReplicaRegion: aws.String("us-west-2"), + } + + result, err := svc.ReplicateKey(input) + if err != nil { + if aerr, ok := err.(awserr.Error); ok { + switch aerr.Code() { + case kms.ErrCodeAlreadyExistsException: + fmt.Println(kms.ErrCodeAlreadyExistsException, aerr.Error()) + case kms.ErrCodeDisabledException: + fmt.Println(kms.ErrCodeDisabledException, aerr.Error()) + case kms.ErrCodeInvalidArnException: + fmt.Println(kms.ErrCodeInvalidArnException, aerr.Error()) + case kms.ErrCodeInvalidStateException: + fmt.Println(kms.ErrCodeInvalidStateException, aerr.Error()) + case kms.ErrCodeInternalException: + fmt.Println(kms.ErrCodeInternalException, aerr.Error()) + case kms.ErrCodeLimitExceededException: + fmt.Println(kms.ErrCodeLimitExceededException, aerr.Error()) + case kms.ErrCodeMalformedPolicyDocumentException: + fmt.Println(kms.ErrCodeMalformedPolicyDocumentException, aerr.Error()) + case kms.ErrCodeNotFoundException: + fmt.Println(kms.ErrCodeNotFoundException, aerr.Error()) + case kms.ErrCodeTagException: + fmt.Println(kms.ErrCodeTagException, aerr.Error()) + case kms.ErrCodeUnsupportedOperationException: + fmt.Println(kms.ErrCodeUnsupportedOperationException, aerr.Error()) + default: + fmt.Println(aerr.Error()) + } + } else { + // Print the error, cast err to awserr.Error to get the Code and + // Message from an error. + fmt.Println(err.Error()) + } + return + } + + fmt.Println(result) +} + // To retire a grant // // The following example retires a grant. @@ -1292,6 +1953,53 @@ func ExampleKMS_ScheduleKeyDeletion_shared00() { fmt.Println(result) } +// To digitally sign a message with an asymmetric KMS key. +// +// This operation uses the private key in an asymmetric elliptic curve (ECC) KMS key +// to generate a digital signature for a given message. +func ExampleKMS_Sign_shared00() { + svc := kms.New(session.New()) + input := &kms.SignInput{ + KeyId: aws.String("alias/ECC_signing_key"), + Message: []byte(""), + MessageType: aws.String("RAW"), + SigningAlgorithm: aws.String("ECDSA_SHA_384"), + } + + result, err := svc.Sign(input) + if err != nil { + if aerr, ok := err.(awserr.Error); ok { + switch aerr.Code() { + case kms.ErrCodeNotFoundException: + fmt.Println(kms.ErrCodeNotFoundException, aerr.Error()) + case kms.ErrCodeDisabledException: + fmt.Println(kms.ErrCodeDisabledException, aerr.Error()) + case kms.ErrCodeKeyUnavailableException: + fmt.Println(kms.ErrCodeKeyUnavailableException, aerr.Error()) + case kms.ErrCodeDependencyTimeoutException: + fmt.Println(kms.ErrCodeDependencyTimeoutException, aerr.Error()) + case kms.ErrCodeInvalidKeyUsageException: + fmt.Println(kms.ErrCodeInvalidKeyUsageException, aerr.Error()) + case kms.ErrCodeInvalidGrantTokenException: + fmt.Println(kms.ErrCodeInvalidGrantTokenException, aerr.Error()) + case kms.ErrCodeInternalException: + fmt.Println(kms.ErrCodeInternalException, aerr.Error()) + case kms.ErrCodeInvalidStateException: + fmt.Println(kms.ErrCodeInvalidStateException, aerr.Error()) + default: + fmt.Println(aerr.Error()) + } + } else { + // Print the error, cast err to awserr.Error to get the Code and + // Message from an error. + fmt.Println(err.Error()) + } + return + } + + fmt.Println(result) +} + // To tag a KMS key // // The following example tags a KMS key. @@ -1416,6 +2124,145 @@ func ExampleKMS_UpdateAlias_shared00() { fmt.Println(result) } +// To edit the password of a custom key store +// +// This example tells KMS the password for the kmsuser crypto user in the AWS CloudHSM +// cluster that is associated with the AWS KMS custom key store. (It does not change +// the password in the CloudHSM cluster.) This operation does not return any data. +func ExampleKMS_UpdateCustomKeyStore_shared00() { + svc := kms.New(session.New()) + input := &kms.UpdateCustomKeyStoreInput{ + CustomKeyStoreId: aws.String("cks-1234567890abcdef0"), + KeyStorePassword: aws.String("ExamplePassword"), + } + + result, err := svc.UpdateCustomKeyStore(input) + if err != nil { + if aerr, ok := err.(awserr.Error); ok { + switch aerr.Code() { + case kms.ErrCodeCustomKeyStoreNotFoundException: + fmt.Println(kms.ErrCodeCustomKeyStoreNotFoundException, aerr.Error()) + case kms.ErrCodeCustomKeyStoreNameInUseException: + fmt.Println(kms.ErrCodeCustomKeyStoreNameInUseException, aerr.Error()) + case kms.ErrCodeCloudHsmClusterNotFoundException: + fmt.Println(kms.ErrCodeCloudHsmClusterNotFoundException, aerr.Error()) + case kms.ErrCodeCloudHsmClusterNotRelatedException: + fmt.Println(kms.ErrCodeCloudHsmClusterNotRelatedException, aerr.Error()) + case kms.ErrCodeCustomKeyStoreInvalidStateException: + fmt.Println(kms.ErrCodeCustomKeyStoreInvalidStateException, aerr.Error()) + case kms.ErrCodeInternalException: + fmt.Println(kms.ErrCodeInternalException, aerr.Error()) + case kms.ErrCodeCloudHsmClusterNotActiveException: + fmt.Println(kms.ErrCodeCloudHsmClusterNotActiveException, aerr.Error()) + case kms.ErrCodeCloudHsmClusterInvalidConfigurationException: + fmt.Println(kms.ErrCodeCloudHsmClusterInvalidConfigurationException, aerr.Error()) + default: + fmt.Println(aerr.Error()) + } + } else { + // Print the error, cast err to awserr.Error to get the Code and + // Message from an error. + fmt.Println(err.Error()) + } + return + } + + fmt.Println(result) +} + +// To edit the friendly name of a custom key store +// +// This example changes the friendly name of the AWS KMS custom key store to the name +// that you specify. This operation does not return any data. To verify that the operation +// worked, use the DescribeCustomKeyStores operation. +func ExampleKMS_UpdateCustomKeyStore_shared01() { + svc := kms.New(session.New()) + input := &kms.UpdateCustomKeyStoreInput{ + CustomKeyStoreId: aws.String("cks-1234567890abcdef0"), + NewCustomKeyStoreName: aws.String("DevelopmentKeys"), + } + + result, err := svc.UpdateCustomKeyStore(input) + if err != nil { + if aerr, ok := err.(awserr.Error); ok { + switch aerr.Code() { + case kms.ErrCodeCustomKeyStoreNotFoundException: + fmt.Println(kms.ErrCodeCustomKeyStoreNotFoundException, aerr.Error()) + case kms.ErrCodeCustomKeyStoreNameInUseException: + fmt.Println(kms.ErrCodeCustomKeyStoreNameInUseException, aerr.Error()) + case kms.ErrCodeCloudHsmClusterNotFoundException: + fmt.Println(kms.ErrCodeCloudHsmClusterNotFoundException, aerr.Error()) + case kms.ErrCodeCloudHsmClusterNotRelatedException: + fmt.Println(kms.ErrCodeCloudHsmClusterNotRelatedException, aerr.Error()) + case kms.ErrCodeCustomKeyStoreInvalidStateException: + fmt.Println(kms.ErrCodeCustomKeyStoreInvalidStateException, aerr.Error()) + case kms.ErrCodeInternalException: + fmt.Println(kms.ErrCodeInternalException, aerr.Error()) + case kms.ErrCodeCloudHsmClusterNotActiveException: + fmt.Println(kms.ErrCodeCloudHsmClusterNotActiveException, aerr.Error()) + case kms.ErrCodeCloudHsmClusterInvalidConfigurationException: + fmt.Println(kms.ErrCodeCloudHsmClusterInvalidConfigurationException, aerr.Error()) + default: + fmt.Println(aerr.Error()) + } + } else { + // Print the error, cast err to awserr.Error to get the Code and + // Message from an error. + fmt.Println(err.Error()) + } + return + } + + fmt.Println(result) +} + +// To associate the custom key store with a different, but related, AWS CloudHSM cluster. +// +// This example changes the cluster that is associated with a custom key store to a +// related cluster, such as a different backup of the same cluster. This operation does +// not return any data. To verify that the operation worked, use the DescribeCustomKeyStores +// operation. +func ExampleKMS_UpdateCustomKeyStore_shared02() { + svc := kms.New(session.New()) + input := &kms.UpdateCustomKeyStoreInput{ + CloudHsmClusterId: aws.String("cluster-1a23b4cdefg"), + CustomKeyStoreId: aws.String("cks-1234567890abcdef0"), + } + + result, err := svc.UpdateCustomKeyStore(input) + if err != nil { + if aerr, ok := err.(awserr.Error); ok { + switch aerr.Code() { + case kms.ErrCodeCustomKeyStoreNotFoundException: + fmt.Println(kms.ErrCodeCustomKeyStoreNotFoundException, aerr.Error()) + case kms.ErrCodeCustomKeyStoreNameInUseException: + fmt.Println(kms.ErrCodeCustomKeyStoreNameInUseException, aerr.Error()) + case kms.ErrCodeCloudHsmClusterNotFoundException: + fmt.Println(kms.ErrCodeCloudHsmClusterNotFoundException, aerr.Error()) + case kms.ErrCodeCloudHsmClusterNotRelatedException: + fmt.Println(kms.ErrCodeCloudHsmClusterNotRelatedException, aerr.Error()) + case kms.ErrCodeCustomKeyStoreInvalidStateException: + fmt.Println(kms.ErrCodeCustomKeyStoreInvalidStateException, aerr.Error()) + case kms.ErrCodeInternalException: + fmt.Println(kms.ErrCodeInternalException, aerr.Error()) + case kms.ErrCodeCloudHsmClusterNotActiveException: + fmt.Println(kms.ErrCodeCloudHsmClusterNotActiveException, aerr.Error()) + case kms.ErrCodeCloudHsmClusterInvalidConfigurationException: + fmt.Println(kms.ErrCodeCloudHsmClusterInvalidConfigurationException, aerr.Error()) + default: + fmt.Println(aerr.Error()) + } + } else { + // Print the error, cast err to awserr.Error to get the Code and + // Message from an error. + fmt.Println(err.Error()) + } + return + } + + fmt.Println(result) +} + // To update the description of a KMS key // // The following example updates the description of the specified KMS key. @@ -1453,3 +2300,53 @@ func ExampleKMS_UpdateKeyDescription_shared00() { fmt.Println(result) } + +// To use an asymmetric KMS key to verify a digital signature +// +// This operation uses the public key in an elliptic curve (ECC) asymmetric key to verify +// a digital signature within AWS KMS. +func ExampleKMS_Verify_shared00() { + svc := kms.New(session.New()) + input := &kms.VerifyInput{ + KeyId: aws.String("alias/ECC_signing_key"), + Message: []byte(""), + MessageType: aws.String("RAW"), + Signature: []byte(""), + SigningAlgorithm: aws.String("ECDSA_SHA_384"), + } + + result, err := svc.Verify(input) + if err != nil { + if aerr, ok := err.(awserr.Error); ok { + switch aerr.Code() { + case kms.ErrCodeNotFoundException: + fmt.Println(kms.ErrCodeNotFoundException, aerr.Error()) + case kms.ErrCodeDisabledException: + fmt.Println(kms.ErrCodeDisabledException, aerr.Error()) + case kms.ErrCodeKeyUnavailableException: + fmt.Println(kms.ErrCodeKeyUnavailableException, aerr.Error()) + case kms.ErrCodeDependencyTimeoutException: + fmt.Println(kms.ErrCodeDependencyTimeoutException, aerr.Error()) + case kms.ErrCodeInvalidKeyUsageException: + fmt.Println(kms.ErrCodeInvalidKeyUsageException, aerr.Error()) + case kms.ErrCodeInvalidGrantTokenException: + fmt.Println(kms.ErrCodeInvalidGrantTokenException, aerr.Error()) + case kms.ErrCodeInternalException: + fmt.Println(kms.ErrCodeInternalException, aerr.Error()) + case kms.ErrCodeInvalidStateException: + fmt.Println(kms.ErrCodeInvalidStateException, aerr.Error()) + case kms.ErrCodeKMSInvalidSignatureException: + fmt.Println(kms.ErrCodeKMSInvalidSignatureException, aerr.Error()) + default: + fmt.Println(aerr.Error()) + } + } else { + // Print the error, cast err to awserr.Error to get the Code and + // Message from an error. + fmt.Println(err.Error()) + } + return + } + + fmt.Println(result) +}