1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
|
// Code generated by smithy-go-codegen DO NOT EDIT.
package types
import (
smithydocument "github.com/aws/smithy-go/document"
"time"
)
// Contains information about an alias.
type AliasListEntry struct {
// String that contains the key ARN.
AliasArn *string
// String that contains the alias. This value begins with alias/ .
AliasName *string
// Date and time that the alias was most recently created in the account and
// Region. Formatted as Unix time.
CreationDate *time.Time
// Date and time that the alias was most recently associated with a KMS key in the
// account and Region. Formatted as Unix time.
LastUpdatedDate *time.Time
// String that contains the key identifier of the KMS key associated with the
// alias.
TargetKeyId *string
noSmithyDocumentSerde
}
// Contains information about each custom key store in the custom key store list.
type CustomKeyStoresListEntry struct {
// A unique identifier for the CloudHSM cluster that is associated with an
// CloudHSM key store. This field appears only when the CustomKeyStoreType is
// AWS_CLOUDHSM .
CloudHsmClusterId *string
// Describes the connection error. This field appears in the response only when
// the ConnectionState is FAILED . Many failures can be resolved by updating the
// properties of the custom key store. To update a custom key store, disconnect it
// ( DisconnectCustomKeyStore ), correct the errors ( UpdateCustomKeyStore ), and
// try to connect again ( ConnectCustomKeyStore ). For additional help resolving
// these errors, see How to Fix a Connection Failure (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failed)
// in Key Management Service Developer Guide. All custom key stores:
// - INTERNAL_ERROR — KMS could not complete the request due to an internal
// error. Retry the request. For ConnectCustomKeyStore requests, disconnect the
// custom key store before trying to connect again.
// - NETWORK_ERRORS — Network errors are preventing KMS from connecting the
// custom key store to its backing key store.
// CloudHSM key stores:
// - CLUSTER_NOT_FOUND — KMS cannot find the CloudHSM cluster with the specified
// cluster ID.
// - INSUFFICIENT_CLOUDHSM_HSMS — The associated CloudHSM cluster does not
// contain any active HSMs. To connect a custom key store to its CloudHSM cluster,
// the cluster must contain at least one active HSM.
// - INSUFFICIENT_FREE_ADDRESSES_IN_SUBNET — At least one private subnet
// associated with the CloudHSM cluster doesn't have any available IP addresses. A
// CloudHSM key store connection requires one free IP address in each of the
// associated private subnets, although two are preferable. For details, see How
// to Fix a Connection Failure (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failed)
// in the Key Management Service Developer Guide.
// - INVALID_CREDENTIALS — The KeyStorePassword for the custom key store doesn't
// match the current password of the kmsuser crypto user in the CloudHSM cluster.
// Before you can connect your custom key store to its CloudHSM cluster, you must
// change the kmsuser account password and update the KeyStorePassword value for
// the custom key store.
// - SUBNET_NOT_FOUND — A subnet in the CloudHSM cluster configuration was
// deleted. If KMS cannot find all of the subnets in the cluster configuration,
// attempts to connect the custom key store to the CloudHSM cluster fail. To fix
// this error, create a cluster from a recent backup and associate it with your
// custom key store. (This process creates a new cluster configuration with a VPC
// and private subnets.) For details, see How to Fix a Connection Failure (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failed)
// in the Key Management Service Developer Guide.
// - USER_LOCKED_OUT — The kmsuser CU account is locked out of the associated
// CloudHSM cluster due to too many failed password attempts. Before you can
// connect your custom key store to its CloudHSM cluster, you must change the
// kmsuser account password and update the key store password value for the
// custom key store.
// - USER_LOGGED_IN — The kmsuser CU account is logged into the associated
// CloudHSM cluster. This prevents KMS from rotating the kmsuser account password
// and logging into the cluster. Before you can connect your custom key store to
// its CloudHSM cluster, you must log the kmsuser CU out of the cluster. If you
// changed the kmsuser password to log into the cluster, you must also and update
// the key store password value for the custom key store. For help, see How to
// Log Out and Reconnect (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#login-kmsuser-2)
// in the Key Management Service Developer Guide.
// - USER_NOT_FOUND — KMS cannot find a kmsuser CU account in the associated
// CloudHSM cluster. Before you can connect your custom key store to its CloudHSM
// cluster, you must create a kmsuser CU account in the cluster, and then update
// the key store password value for the custom key store.
// External key stores:
// - INVALID_CREDENTIALS — One or both of the XksProxyAuthenticationCredential
// values is not valid on the specified external key store proxy.
// - XKS_PROXY_ACCESS_DENIED — KMS requests are denied access to the external key
// store proxy. If the external key store proxy has authorization rules, verify
// that they permit KMS to communicate with the proxy on your behalf.
// - XKS_PROXY_INVALID_CONFIGURATION — A configuration error is preventing the
// external key store from connecting to its proxy. Verify the value of the
// XksProxyUriPath .
// - XKS_PROXY_INVALID_RESPONSE — KMS cannot interpret the response from the
// external key store proxy. If you see this connection error code repeatedly,
// notify your external key store proxy vendor.
// - XKS_PROXY_INVALID_TLS_CONFIGURATION — KMS cannot connect to the external key
// store proxy because the TLS configuration is invalid. Verify that the XKS proxy
// supports TLS 1.2 or 1.3. Also, verify that the TLS certificate is not expired,
// and that it matches the hostname in the XksProxyUriEndpoint value, and that it
// is signed by a certificate authority included in the Trusted Certificate
// Authorities (https://github.com/aws/aws-kms-xksproxy-api-spec/blob/main/TrustedCertificateAuthorities)
// list.
// - XKS_PROXY_NOT_REACHABLE — KMS can't communicate with your external key store
// proxy. Verify that the XksProxyUriEndpoint and XksProxyUriPath are correct.
// Use the tools for your external key store proxy to verify that the proxy is
// active and available on its network. Also, verify that your external key manager
// instances are operating properly. Connection attempts fail with this connection
// error code if the proxy reports that all external key manager instances are
// unavailable.
// - XKS_PROXY_TIMED_OUT — KMS can connect to the external key store proxy, but
// the proxy does not respond to KMS in the time allotted. If you see this
// connection error code repeatedly, notify your external key store proxy vendor.
// - XKS_VPC_ENDPOINT_SERVICE_INVALID_CONFIGURATION — The Amazon VPC endpoint
// service configuration doesn't conform to the requirements for an KMS external
// key store.
// - The VPC endpoint service must be an endpoint service for interface
// endpoints in the caller's Amazon Web Services account.
// - It must have a network load balancer (NLB) connected to at least two
// subnets, each in a different Availability Zone.
// - The Allow principals list must include the KMS service principal for the
// Region, cks.kms..amazonaws.com , such as cks.kms.us-east-1.amazonaws.com .
// - It must not require acceptance (https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html)
// of connection requests.
// - It must have a private DNS name. The private DNS name for an external key
// store with VPC_ENDPOINT_SERVICE connectivity must be unique in its Amazon Web
// Services Region.
// - The domain of the private DNS name must have a verification status (https://docs.aws.amazon.com/vpc/latest/privatelink/verify-domains.html)
// of verified .
// - The TLS certificate (https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html)
// specifies the private DNS hostname at which the endpoint is reachable.
// - XKS_VPC_ENDPOINT_SERVICE_NOT_FOUND — KMS can't find the VPC endpoint service
// that it uses to communicate with the external key store proxy. Verify that the
// XksProxyVpcEndpointServiceName is correct and the KMS service principal has
// service consumer permissions on the Amazon VPC endpoint service.
ConnectionErrorCode ConnectionErrorCodeType
// Indicates whether the custom key store is connected to its backing key store.
// For an CloudHSM key store, the ConnectionState indicates whether it is
// connected to its CloudHSM cluster. For an external key store, the
// ConnectionState indicates whether it is connected to the external key store
// proxy that communicates with your external key manager. You can create and use
// KMS keys in your custom key stores only when its ConnectionState is CONNECTED .
// The ConnectionState value is DISCONNECTED only if the key store has never been
// connected or you use the DisconnectCustomKeyStore operation to disconnect it.
// If the value is CONNECTED but you are having trouble using the custom key
// store, make sure that the backing key store is reachable and active. For an
// CloudHSM key store, verify that its associated CloudHSM cluster is active and
// contains at least one active HSM. For an external key store, verify that the
// external key store proxy and external key manager are connected and enabled. A
// value of FAILED indicates that an attempt to connect was unsuccessful. The
// ConnectionErrorCode field in the response indicates the cause of the failure.
// For help resolving a connection failure, see Troubleshooting a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html)
// in the Key Management Service Developer Guide.
ConnectionState ConnectionStateType
// The date and time when the custom key store was created.
CreationDate *time.Time
// A unique identifier for the custom key store.
CustomKeyStoreId *string
// The user-specified friendly name for the custom key store.
CustomKeyStoreName *string
// Indicates the type of the custom key store. AWS_CLOUDHSM indicates a custom key
// store backed by an CloudHSM cluster. EXTERNAL_KEY_STORE indicates a custom key
// store backed by an external key store proxy and external key manager outside of
// Amazon Web Services.
CustomKeyStoreType CustomKeyStoreType
// The trust anchor certificate of the CloudHSM cluster associated with an
// CloudHSM key store. When you initialize the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr)
// , you create this certificate and save it in the customerCA.crt file. This
// field appears only when the CustomKeyStoreType is AWS_CLOUDHSM .
TrustAnchorCertificate *string
// Configuration settings for the external key store proxy (XKS proxy). The
// external key store proxy translates KMS requests into a format that your
// external key manager can understand. The proxy configuration includes connection
// information that KMS requires. This field appears only when the
// CustomKeyStoreType is EXTERNAL_KEY_STORE .
XksProxyConfiguration *XksProxyConfigurationType
noSmithyDocumentSerde
}
// Use this structure to allow cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations)
// in the grant only when the operation request includes the specified encryption
// context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context)
// . KMS applies the grant constraints only to cryptographic operations that
// support an encryption context, that is, all cryptographic operations with a
// symmetric KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#symmetric-cmks)
// . Grant constraints are not applied to operations that do not support an
// encryption context, such as cryptographic operations with asymmetric KMS keys
// and management operations, such as DescribeKey or RetireGrant . In a
// cryptographic operation, the encryption context in the decryption operation must
// be an exact, case-sensitive match for the keys and values in the encryption
// context of the encryption operation. Only the order of the pairs can vary.
// However, in a grant constraint, the key in each key-value pair is not case
// sensitive, but the value is case sensitive. To avoid confusion, do not use
// multiple encryption context pairs that differ only by case. To require a fully
// case-sensitive encryption context, use the kms:EncryptionContext: and
// kms:EncryptionContextKeys conditions in an IAM or key policy. For details, see
// kms:EncryptionContext: (https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context)
// in the Key Management Service Developer Guide .
type GrantConstraints struct {
// A list of key-value pairs that must match the encryption context in the
// cryptographic operation (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations)
// request. The grant allows the operation only when the encryption context in the
// request is the same as the encryption context specified in this constraint.
EncryptionContextEquals map[string]string
// A list of key-value pairs that must be included in the encryption context of
// the cryptographic operation (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations)
// request. The grant allows the cryptographic operation only when the encryption
// context in the request includes the key-value pairs specified in this
// constraint, although it can include additional key-value pairs.
EncryptionContextSubset map[string]string
noSmithyDocumentSerde
}
// Contains information about a grant.
type GrantListEntry struct {
// A list of key-value pairs that must be present in the encryption context of
// certain subsequent operations that the grant allows.
Constraints *GrantConstraints
// The date and time when the grant was created.
CreationDate *time.Time
// The unique identifier for the grant.
GrantId *string
// The identity that gets the permissions in the grant. The GranteePrincipal field
// in the ListGrants response usually contains the user or role designated as the
// grantee principal in the grant. However, when the grantee principal in the grant
// is an Amazon Web Services service, the GranteePrincipal field contains the
// service principal (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services)
// , which might represent several different grantee principals.
GranteePrincipal *string
// The Amazon Web Services account under which the grant was issued.
IssuingAccount *string
// The unique identifier for the KMS key to which the grant applies.
KeyId *string
// The friendly name that identifies the grant. If a name was provided in the
// CreateGrant request, that name is returned. Otherwise this value is null.
Name *string
// The list of operations permitted by the grant.
Operations []GrantOperation
// The principal that can retire the grant.
RetiringPrincipal *string
noSmithyDocumentSerde
}
// Contains information about each entry in the key list.
type KeyListEntry struct {
// ARN of the key.
KeyArn *string
// Unique identifier of the key.
KeyId *string
noSmithyDocumentSerde
}
// Contains metadata about a KMS key. This data type is used as a response element
// for the CreateKey , DescribeKey , and ReplicateKey operations.
type KeyMetadata struct {
// The globally unique identifier for the KMS key.
//
// This member is required.
KeyId *string
// The twelve-digit account ID of the Amazon Web Services account that owns the
// KMS key.
AWSAccountId *string
// The Amazon Resource Name (ARN) of the KMS key. For examples, see Key Management
// Service (KMS) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-kms)
// in the Example ARNs section of the Amazon Web Services General Reference.
Arn *string
// The cluster ID of the CloudHSM cluster that contains the key material for the
// KMS key. When you create a KMS key in an CloudHSM custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
// , KMS creates the key material for the KMS key in the associated CloudHSM
// cluster. This field is present only when the KMS key is created in an CloudHSM
// key store.
CloudHsmClusterId *string
// The date and time when the KMS key was created.
CreationDate *time.Time
// A unique identifier for the custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
// that contains the KMS key. This field is present only when the KMS key is
// created in a custom key store.
CustomKeyStoreId *string
// Instead, use the KeySpec field. The KeySpec and CustomerMasterKeySpec fields
// have the same value. We recommend that you use the KeySpec field in your code.
// However, to avoid breaking changes, KMS supports both fields.
//
// Deprecated: This field has been deprecated. Instead, use the KeySpec field.
CustomerMasterKeySpec CustomerMasterKeySpec
// The date and time after which KMS deletes this KMS key. This value is present
// only when the KMS key is scheduled for deletion, that is, when its KeyState is
// PendingDeletion . When the primary key in a multi-Region key is scheduled for
// deletion but still has replica keys, its key state is PendingReplicaDeletion
// and the length of its waiting period is displayed in the
// PendingDeletionWindowInDays field.
DeletionDate *time.Time
// The description of the KMS key.
Description *string
// Specifies whether the KMS key is enabled. When KeyState is Enabled this value
// is true, otherwise it is false.
Enabled bool
// The encryption algorithms that the KMS key supports. You cannot use the KMS key
// with other encryption algorithms within KMS. This value is present only when the
// KeyUsage of the KMS key is ENCRYPT_DECRYPT .
EncryptionAlgorithms []EncryptionAlgorithmSpec
// Specifies whether the KMS key's key material expires. This value is present
// only when Origin is EXTERNAL , otherwise this value is omitted.
ExpirationModel ExpirationModelType
// The manager of the KMS key. KMS keys in your Amazon Web Services account are
// either customer managed or Amazon Web Services managed. For more information
// about the difference, see KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys)
// in the Key Management Service Developer Guide.
KeyManager KeyManagerType
// Describes the type of key material in the KMS key.
KeySpec KeySpec
// The current status of the KMS key. For more information about how key state
// affects the use of a KMS key, see Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
// in the Key Management Service Developer Guide.
KeyState KeyState
// The cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations)
// for which you can use the KMS key.
KeyUsage KeyUsageType
// The message authentication code (MAC) algorithm that the HMAC KMS key supports.
// This value is present only when the KeyUsage of the KMS key is
// GENERATE_VERIFY_MAC .
MacAlgorithms []MacAlgorithmSpec
// Indicates whether the KMS key is a multi-Region ( True ) or regional ( False )
// key. This value is True for multi-Region primary and replica keys and False for
// regional KMS keys. For more information about multi-Region keys, see
// Multi-Region keys in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html)
// in the Key Management Service Developer Guide.
MultiRegion *bool
// Lists the primary and replica keys in same multi-Region key. This field is
// present only when the value of the MultiRegion field is True . For more
// information about any listed KMS key, use the DescribeKey operation.
// - MultiRegionKeyType indicates whether the KMS key is a PRIMARY or REPLICA
// key.
// - PrimaryKey displays the key ARN and Region of the primary key. This field
// displays the current KMS key if it is the primary key.
// - ReplicaKeys displays the key ARNs and Regions of all replica keys. This
// field includes the current KMS key if it is a replica key.
MultiRegionConfiguration *MultiRegionConfiguration
// The source of the key material for the KMS key. When this value is AWS_KMS , KMS
// created the key material. When this value is EXTERNAL , the key material was
// imported or the KMS key doesn't have any key material. When this value is
// AWS_CLOUDHSM , the key material was created in the CloudHSM cluster associated
// with a custom key store.
Origin OriginType
// The waiting period before the primary key in a multi-Region key is deleted.
// This waiting period begins when the last of its replica keys is deleted. This
// value is present only when the KeyState of the KMS key is PendingReplicaDeletion
// . That indicates that the KMS key is the primary key in a multi-Region key, it
// is scheduled for deletion, and it still has existing replica keys. When a
// single-Region KMS key or a multi-Region replica key is scheduled for deletion,
// its deletion date is displayed in the DeletionDate field. However, when the
// primary key in a multi-Region key is scheduled for deletion, its waiting period
// doesn't begin until all of its replica keys are deleted. This value displays
// that waiting period. When the last replica key in the multi-Region key is
// deleted, the KeyState of the scheduled primary key changes from
// PendingReplicaDeletion to PendingDeletion and the deletion date appears in the
// DeletionDate field.
PendingDeletionWindowInDays *int32
// The signing algorithms that the KMS key supports. You cannot use the KMS key
// with other signing algorithms within KMS. This field appears only when the
// KeyUsage of the KMS key is SIGN_VERIFY .
SigningAlgorithms []SigningAlgorithmSpec
// The time at which the imported key material expires. When the key material
// expires, KMS deletes the key material and the KMS key becomes unusable. This
// value is present only for KMS keys whose Origin is EXTERNAL and whose
// ExpirationModel is KEY_MATERIAL_EXPIRES , otherwise this value is omitted.
ValidTo *time.Time
// Information about the external key that is associated with a KMS key in an
// external key store. For more information, see External key (https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key)
// in the Key Management Service Developer Guide.
XksKeyConfiguration *XksKeyConfigurationType
noSmithyDocumentSerde
}
// Describes the configuration of this multi-Region key. This field appears only
// when the KMS key is a primary or replica of a multi-Region key. For more
// information about any listed KMS key, use the DescribeKey operation.
type MultiRegionConfiguration struct {
// Indicates whether the KMS key is a PRIMARY or REPLICA key.
MultiRegionKeyType MultiRegionKeyType
// Displays the key ARN and Region of the primary key. This field includes the
// current KMS key if it is the primary key.
PrimaryKey *MultiRegionKey
// displays the key ARNs and Regions of all replica keys. This field includes the
// current KMS key if it is a replica key.
ReplicaKeys []MultiRegionKey
noSmithyDocumentSerde
}
// Describes the primary or replica key in a multi-Region key.
type MultiRegionKey struct {
// Displays the key ARN of a primary or replica key of a multi-Region key.
Arn *string
// Displays the Amazon Web Services Region of a primary or replica key in a
// multi-Region key.
Region *string
noSmithyDocumentSerde
}
// Contains information about the party that receives the response from the API
// operation. This data type is designed to support Amazon Web Services Nitro
// Enclaves, which lets you create an isolated compute environment in Amazon EC2.
// For information about the interaction between KMS and Amazon Web Services Nitro
// Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS (https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html)
// in the Key Management Service Developer Guide.
type RecipientInfo struct {
// The attestation document for an Amazon Web Services Nitro Enclave. This
// document includes the enclave's public key.
AttestationDocument []byte
// The encryption algorithm that KMS should use with the public key for an Amazon
// Web Services Nitro Enclave to encrypt plaintext values for the response. The
// only valid value is RSAES_OAEP_SHA_256 .
KeyEncryptionAlgorithm KeyEncryptionMechanism
noSmithyDocumentSerde
}
// A key-value pair. A tag consists of a tag key and a tag value. Tag keys and tag
// values are both required, but tag values can be empty (null) strings. Do not
// include confidential or sensitive information in this field. This field may be
// displayed in plaintext in CloudTrail logs and other output. For information
// about the rules that apply to tag keys and tag values, see User-Defined Tag
// Restrictions (https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/allocation-tag-restrictions.html)
// in the Amazon Web Services Billing and Cost Management User Guide.
type Tag struct {
// The key of the tag.
//
// This member is required.
TagKey *string
// The value of the tag.
//
// This member is required.
TagValue *string
noSmithyDocumentSerde
}
// Information about the external key (https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key)
// that is associated with a KMS key in an external key store. This element appears
// in a CreateKey or DescribeKey response only for a KMS key in an external key
// store. The external key is a symmetric encryption key that is hosted by an
// external key manager outside of Amazon Web Services. When you use the KMS key in
// an external key store in a cryptographic operation, the cryptographic operation
// is performed in the external key manager using the specified external key. For
// more information, see External key (https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key)
// in the Key Management Service Developer Guide.
type XksKeyConfigurationType struct {
// The ID of the external key in its external key manager. This is the ID that the
// external key store proxy uses to identify the external key.
Id *string
noSmithyDocumentSerde
}
// KMS uses the authentication credential to sign requests that it sends to the
// external key store proxy (XKS proxy) on your behalf. You establish these
// credentials on your external key store proxy and report them to KMS. The
// XksProxyAuthenticationCredential includes two required elements.
type XksProxyAuthenticationCredentialType struct {
// A unique identifier for the raw secret access key.
//
// This member is required.
AccessKeyId *string
// A secret string of 43-64 characters. Valid characters are a-z, A-Z, 0-9, /, +,
// and =.
//
// This member is required.
RawSecretAccessKey *string
noSmithyDocumentSerde
}
// Detailed information about the external key store proxy (XKS proxy). Your
// external key store proxy translates KMS requests into a format that your
// external key manager can understand. These fields appear in a
// DescribeCustomKeyStores response only when the CustomKeyStoreType is
// EXTERNAL_KEY_STORE .
type XksProxyConfigurationType struct {
// The part of the external key store proxy authentication credential (https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateCustomKeyStore.html#KMS-CreateCustomKeyStore-request-XksProxyAuthenticationCredential)
// that uniquely identifies the secret access key.
AccessKeyId *string
// Indicates whether the external key store proxy uses a public endpoint or an
// Amazon VPC endpoint service to communicate with KMS.
Connectivity XksProxyConnectivityType
// The URI endpoint for the external key store proxy. If the external key store
// proxy has a public endpoint, it is displayed here. If the external key store
// proxy uses an Amazon VPC endpoint service name, this field displays the private
// DNS name associated with the VPC endpoint service.
UriEndpoint *string
// The path to the external key store proxy APIs.
UriPath *string
// The Amazon VPC endpoint service used to communicate with the external key store
// proxy. This field appears only when the external key store proxy uses an Amazon
// VPC endpoint service to communicate with KMS.
VpcEndpointServiceName *string
noSmithyDocumentSerde
}
type noSmithyDocumentSerde = smithydocument.NoSerde
|
