1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
|
// Code generated by smithy-go-codegen DO NOT EDIT.
package kms
import (
"context"
awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware"
"github.com/aws/aws-sdk-go-v2/aws/signer/v4"
"github.com/aws/smithy-go/middleware"
smithyhttp "github.com/aws/smithy-go/transport/http"
)
// Associates an existing KMS alias with a different KMS key. Each alias is
// associated with only one KMS key at a time, although a KMS key can have multiple
// aliases. The alias and the KMS key must be in the same Amazon Web Services
// account and Region. Adding, deleting, or updating an alias can allow or deny
// permission to the KMS key. For details, see ABAC in KMS
// (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) in the Key
// Management Service Developer Guide. The current and new KMS key must be the same
// type (both symmetric or both asymmetric), and they must have the same key usage
// (ENCRYPT_DECRYPT or SIGN_VERIFY). This restriction prevents errors in code that
// uses aliases. If you must assign an alias to a different type of KMS key, use
// DeleteAlias to delete the old alias and CreateAlias to create a new alias. You
// cannot use UpdateAlias to change an alias name. To change an alias name, use
// DeleteAlias to delete the old alias and CreateAlias to create a new alias.
// Because an alias is not a property of a KMS key, you can create, update, and
// delete the aliases of a KMS key without affecting the KMS key. Also, aliases do
// not appear in the response from the DescribeKey operation. To get the aliases of
// all KMS keys in the account, use the ListAliases operation. The KMS key that you
// use for this operation must be in a compatible key state. For details, see Key
// states of KMS keys
// (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in the
// Key Management Service Developer Guide. Cross-account use: No. You cannot
// perform this operation on a KMS key in a different Amazon Web Services account.
// Required permissions
//
// * kms:UpdateAlias
// (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
// on the alias (IAM policy).
//
// * kms:UpdateAlias
// (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
// on the current KMS key (key policy).
//
// * kms:UpdateAlias
// (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
// on the new KMS key (key policy).
//
// For details, see Controlling access to aliases
// (https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access)
// in the Key Management Service Developer Guide. Related operations:
//
// *
// CreateAlias
//
// * DeleteAlias
//
// * ListAliases
func (c *Client) UpdateAlias(ctx context.Context, params *UpdateAliasInput, optFns ...func(*Options)) (*UpdateAliasOutput, error) {
if params == nil {
params = &UpdateAliasInput{}
}
result, metadata, err := c.invokeOperation(ctx, "UpdateAlias", params, optFns, c.addOperationUpdateAliasMiddlewares)
if err != nil {
return nil, err
}
out := result.(*UpdateAliasOutput)
out.ResultMetadata = metadata
return out, nil
}
type UpdateAliasInput struct {
// Identifies the alias that is changing its KMS key. This value must begin with
// alias/ followed by the alias name, such as alias/ExampleAlias. You cannot use
// UpdateAlias to change the alias name.
//
// This member is required.
AliasName *string
// Identifies the customer managed key
// (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk)
// to associate with the alias. You don't have permission to associate an alias
// with an Amazon Web Services managed key
// (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk).
// The KMS key must be in the same Amazon Web Services account and Region as the
// alias. Also, the new target KMS key must be the same type as the current target
// KMS key (both symmetric or both asymmetric) and they must have the same key
// usage. Specify the key ID or key ARN of the KMS key. For example:
//
// * Key ID:
// 1234abcd-12ab-34cd-56ef-1234567890ab
//
// * Key ARN:
// arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
//
// To
// get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. To verify
// that the alias is mapped to the correct KMS key, use ListAliases.
//
// This member is required.
TargetKeyId *string
noSmithyDocumentSerde
}
type UpdateAliasOutput struct {
// Metadata pertaining to the operation's result.
ResultMetadata middleware.Metadata
noSmithyDocumentSerde
}
func (c *Client) addOperationUpdateAliasMiddlewares(stack *middleware.Stack, options Options) (err error) {
err = stack.Serialize.Add(&awsAwsjson11_serializeOpUpdateAlias{}, middleware.After)
if err != nil {
return err
}
err = stack.Deserialize.Add(&awsAwsjson11_deserializeOpUpdateAlias{}, middleware.After)
if err != nil {
return err
}
if err = addSetLoggerMiddleware(stack, options); err != nil {
return err
}
if err = awsmiddleware.AddClientRequestIDMiddleware(stack); err != nil {
return err
}
if err = smithyhttp.AddComputeContentLengthMiddleware(stack); err != nil {
return err
}
if err = addResolveEndpointMiddleware(stack, options); err != nil {
return err
}
if err = v4.AddComputePayloadSHA256Middleware(stack); err != nil {
return err
}
if err = addRetryMiddlewares(stack, options); err != nil {
return err
}
if err = addHTTPSignerV4Middleware(stack, options); err != nil {
return err
}
if err = awsmiddleware.AddRawResponseToMetadata(stack); err != nil {
return err
}
if err = awsmiddleware.AddRecordResponseTiming(stack); err != nil {
return err
}
if err = addClientUserAgent(stack); err != nil {
return err
}
if err = smithyhttp.AddErrorCloseResponseBodyMiddleware(stack); err != nil {
return err
}
if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil {
return err
}
if err = addOpUpdateAliasValidationMiddleware(stack); err != nil {
return err
}
if err = stack.Initialize.Add(newServiceMetadataMiddleware_opUpdateAlias(options.Region), middleware.Before); err != nil {
return err
}
if err = addRequestIDRetrieverMiddleware(stack); err != nil {
return err
}
if err = addResponseErrorMiddleware(stack); err != nil {
return err
}
if err = addRequestResponseLogging(stack, options); err != nil {
return err
}
return nil
}
func newServiceMetadataMiddleware_opUpdateAlias(region string) *awsmiddleware.RegisterServiceMetadata {
return &awsmiddleware.RegisterServiceMetadata{
Region: region,
ServiceID: ServiceID,
SigningName: "kms",
OperationName: "UpdateAlias",
}
}
|
