Package: types

import "../ibm-cos-sdk-go-v2/service/kms/types"

Constants

const AlgorithmSpecRsaesPkcs1V15 AlgorithmSpec = readonly

Value:

"RSAES_PKCS1_V1_5"
const AlgorithmSpecRsaesOaepSha1 AlgorithmSpec = readonly

Value:

"RSAES_OAEP_SHA_1"
const AlgorithmSpecRsaesOaepSha256 AlgorithmSpec = readonly

Value:

"RSAES_OAEP_SHA_256"
const AlgorithmSpecRsaAesKeyWrapSha1 AlgorithmSpec = readonly

Value:

"RSA_AES_KEY_WRAP_SHA_1"
const AlgorithmSpecRsaAesKeyWrapSha256 AlgorithmSpec = readonly

Value:

"RSA_AES_KEY_WRAP_SHA_256"
const AlgorithmSpecSm2pke AlgorithmSpec = readonly

Value:

"SM2PKE"
const ConnectionErrorCodeTypeInvalidCredentials ConnectionErrorCodeType = readonly

Value:

"INVALID_CREDENTIALS"
const ConnectionErrorCodeTypeClusterNotFound ConnectionErrorCodeType = readonly

Value:

"CLUSTER_NOT_FOUND"
const ConnectionErrorCodeTypeNetworkErrors ConnectionErrorCodeType = readonly

Value:

"NETWORK_ERRORS"
const ConnectionErrorCodeTypeInternalError ConnectionErrorCodeType = readonly

Value:

"INTERNAL_ERROR"
const ConnectionErrorCodeTypeInsufficientCloudhsmHsms ConnectionErrorCodeType = readonly

Value:

"INSUFFICIENT_CLOUDHSM_HSMS"
const ConnectionErrorCodeTypeUserLockedOut ConnectionErrorCodeType = readonly

Value:

"USER_LOCKED_OUT"
const ConnectionErrorCodeTypeUserNotFound ConnectionErrorCodeType = readonly

Value:

"USER_NOT_FOUND"
const ConnectionErrorCodeTypeUserLoggedIn ConnectionErrorCodeType = readonly

Value:

"USER_LOGGED_IN"
const ConnectionErrorCodeTypeSubnetNotFound ConnectionErrorCodeType = readonly

Value:

"SUBNET_NOT_FOUND"
const ConnectionErrorCodeTypeInsufficientFreeAddressesInSubnet ConnectionErrorCodeType = readonly

Value:

"INSUFFICIENT_FREE_ADDRESSES_IN_SUBNET"
const ConnectionErrorCodeTypeXksProxyAccessDenied ConnectionErrorCodeType = readonly

Value:

"XKS_PROXY_ACCESS_DENIED"
const ConnectionErrorCodeTypeXksProxyNotReachable ConnectionErrorCodeType = readonly

Value:

"XKS_PROXY_NOT_REACHABLE"
const ConnectionErrorCodeTypeXksVpcEndpointServiceNotFound ConnectionErrorCodeType = readonly

Value:

"XKS_VPC_ENDPOINT_SERVICE_NOT_FOUND"
const ConnectionErrorCodeTypeXksProxyInvalidResponse ConnectionErrorCodeType = readonly

Value:

"XKS_PROXY_INVALID_RESPONSE"
const ConnectionErrorCodeTypeXksProxyInvalidConfiguration ConnectionErrorCodeType = readonly

Value:

"XKS_PROXY_INVALID_CONFIGURATION"
const ConnectionErrorCodeTypeXksVpcEndpointServiceInvalidConfiguration ConnectionErrorCodeType = readonly

Value:

"XKS_VPC_ENDPOINT_SERVICE_INVALID_CONFIGURATION"
const ConnectionErrorCodeTypeXksProxyTimedOut ConnectionErrorCodeType = readonly

Value:

"XKS_PROXY_TIMED_OUT"
const ConnectionErrorCodeTypeXksProxyInvalidTlsConfiguration ConnectionErrorCodeType = readonly

Value:

"XKS_PROXY_INVALID_TLS_CONFIGURATION"
const ConnectionStateTypeConnected ConnectionStateType = readonly

Value:

"CONNECTED"
const ConnectionStateTypeConnecting ConnectionStateType = readonly

Value:

"CONNECTING"
const ConnectionStateTypeFailed ConnectionStateType = readonly

Value:

"FAILED"
const ConnectionStateTypeDisconnected ConnectionStateType = readonly

Value:

"DISCONNECTED"
const ConnectionStateTypeDisconnecting ConnectionStateType = readonly

Value:

"DISCONNECTING"
const CustomerMasterKeySpecRsa2048 CustomerMasterKeySpec = readonly

Value:

"RSA_2048"
const CustomerMasterKeySpecRsa3072 CustomerMasterKeySpec = readonly

Value:

"RSA_3072"
const CustomerMasterKeySpecRsa4096 CustomerMasterKeySpec = readonly

Value:

"RSA_4096"
const CustomerMasterKeySpecEccNistP256 CustomerMasterKeySpec = readonly

Value:

"ECC_NIST_P256"
const CustomerMasterKeySpecEccNistP384 CustomerMasterKeySpec = readonly

Value:

"ECC_NIST_P384"
const CustomerMasterKeySpecEccNistP521 CustomerMasterKeySpec = readonly

Value:

"ECC_NIST_P521"
const CustomerMasterKeySpecEccSecgP256k1 CustomerMasterKeySpec = readonly

Value:

"ECC_SECG_P256K1"
const CustomerMasterKeySpecSymmetricDefault CustomerMasterKeySpec = readonly

Value:

"SYMMETRIC_DEFAULT"
const CustomerMasterKeySpecHmac224 CustomerMasterKeySpec = readonly

Value:

"HMAC_224"
const CustomerMasterKeySpecHmac256 CustomerMasterKeySpec = readonly

Value:

"HMAC_256"
const CustomerMasterKeySpecHmac384 CustomerMasterKeySpec = readonly

Value:

"HMAC_384"
const CustomerMasterKeySpecHmac512 CustomerMasterKeySpec = readonly

Value:

"HMAC_512"
const CustomerMasterKeySpecSm2 CustomerMasterKeySpec = readonly

Value:

"SM2"
const CustomKeyStoreTypeAwsCloudhsm CustomKeyStoreType = readonly

Value:

"AWS_CLOUDHSM"
const CustomKeyStoreTypeExternalKeyStore CustomKeyStoreType = readonly

Value:

"EXTERNAL_KEY_STORE"
const DataKeyPairSpecRsa2048 DataKeyPairSpec = readonly

Value:

"RSA_2048"
const DataKeyPairSpecRsa3072 DataKeyPairSpec = readonly

Value:

"RSA_3072"
const DataKeyPairSpecRsa4096 DataKeyPairSpec = readonly

Value:

"RSA_4096"
const DataKeyPairSpecEccNistP256 DataKeyPairSpec = readonly

Value:

"ECC_NIST_P256"
const DataKeyPairSpecEccNistP384 DataKeyPairSpec = readonly

Value:

"ECC_NIST_P384"
const DataKeyPairSpecEccNistP521 DataKeyPairSpec = readonly

Value:

"ECC_NIST_P521"
const DataKeyPairSpecEccSecgP256k1 DataKeyPairSpec = readonly

Value:

"ECC_SECG_P256K1"
const DataKeyPairSpecSm2 DataKeyPairSpec = readonly

Value:

"SM2"
const DataKeySpecAes256 DataKeySpec = readonly

Value:

"AES_256"
const DataKeySpecAes128 DataKeySpec = readonly

Value:

"AES_128"
const EncryptionAlgorithmSpecSymmetricDefault EncryptionAlgorithmSpec = readonly

Value:

"SYMMETRIC_DEFAULT"
const EncryptionAlgorithmSpecRsaesOaepSha1 EncryptionAlgorithmSpec = readonly

Value:

"RSAES_OAEP_SHA_1"
const EncryptionAlgorithmSpecRsaesOaepSha256 EncryptionAlgorithmSpec = readonly

Value:

"RSAES_OAEP_SHA_256"
const EncryptionAlgorithmSpecSm2pke EncryptionAlgorithmSpec = readonly

Value:

"SM2PKE"
const ExpirationModelTypeKeyMaterialExpires ExpirationModelType = readonly

Value:

"KEY_MATERIAL_EXPIRES"
const ExpirationModelTypeKeyMaterialDoesNotExpire ExpirationModelType = readonly

Value:

"KEY_MATERIAL_DOES_NOT_EXPIRE"
const GrantOperationDecrypt GrantOperation = readonly

Value:

"Decrypt"
const GrantOperationEncrypt GrantOperation = readonly

Value:

"Encrypt"
const GrantOperationGenerateDataKey GrantOperation = readonly

Value:

"GenerateDataKey"
const GrantOperationGenerateDataKeyWithoutPlaintext GrantOperation = readonly

Value:

"GenerateDataKeyWithoutPlaintext"
const GrantOperationReEncryptFrom GrantOperation = readonly

Value:

"ReEncryptFrom"
const GrantOperationReEncryptTo GrantOperation = readonly

Value:

"ReEncryptTo"
const GrantOperationSign GrantOperation = readonly

Value:

"Sign"
const GrantOperationVerify GrantOperation = readonly

Value:

"Verify"
const GrantOperationGetPublicKey GrantOperation = readonly

Value:

"GetPublicKey"
const GrantOperationCreateGrant GrantOperation = readonly

Value:

"CreateGrant"
const GrantOperationRetireGrant GrantOperation = readonly

Value:

"RetireGrant"
const GrantOperationDescribeKey GrantOperation = readonly

Value:

"DescribeKey"
const GrantOperationGenerateDataKeyPair GrantOperation = readonly

Value:

"GenerateDataKeyPair"
const GrantOperationGenerateDataKeyPairWithoutPlaintext GrantOperation = readonly

Value:

"GenerateDataKeyPairWithoutPlaintext"
const GrantOperationGenerateMac GrantOperation = readonly

Value:

"GenerateMac"
const GrantOperationVerifyMac GrantOperation = readonly

Value:

"VerifyMac"
const GrantOperationDeriveSharedSecret GrantOperation = readonly

Value:

"DeriveSharedSecret"
const KeyAgreementAlgorithmSpecEcdh KeyAgreementAlgorithmSpec = readonly

Value:

"ECDH"
const KeyEncryptionMechanismRsaesOaepSha256 KeyEncryptionMechanism = readonly

Value:

"RSAES_OAEP_SHA_256"
const KeyManagerTypeAws KeyManagerType = readonly

Value:

"AWS"
const KeyManagerTypeCustomer KeyManagerType = readonly

Value:

"CUSTOMER"
const KeySpecRsa2048 KeySpec = readonly

Value:

"RSA_2048"
const KeySpecRsa3072 KeySpec = readonly

Value:

"RSA_3072"
const KeySpecRsa4096 KeySpec = readonly

Value:

"RSA_4096"
const KeySpecEccNistP256 KeySpec = readonly

Value:

"ECC_NIST_P256"
const KeySpecEccNistP384 KeySpec = readonly

Value:

"ECC_NIST_P384"
const KeySpecEccNistP521 KeySpec = readonly

Value:

"ECC_NIST_P521"
const KeySpecEccSecgP256k1 KeySpec = readonly

Value:

"ECC_SECG_P256K1"
const KeySpecSymmetricDefault KeySpec = readonly

Value:

"SYMMETRIC_DEFAULT"
const KeySpecHmac224 KeySpec = readonly

Value:

"HMAC_224"
const KeySpecHmac256 KeySpec = readonly

Value:

"HMAC_256"
const KeySpecHmac384 KeySpec = readonly

Value:

"HMAC_384"
const KeySpecHmac512 KeySpec = readonly

Value:

"HMAC_512"
const KeySpecSm2 KeySpec = readonly

Value:

"SM2"
const KeyStateCreating KeyState = readonly

Value:

"Creating"
const KeyStateEnabled KeyState = readonly

Value:

"Enabled"
const KeyStateDisabled KeyState = readonly

Value:

"Disabled"
const KeyStatePendingDeletion KeyState = readonly

Value:

"PendingDeletion"
const KeyStatePendingImport KeyState = readonly

Value:

"PendingImport"
const KeyStatePendingReplicaDeletion KeyState = readonly

Value:

"PendingReplicaDeletion"
const KeyStateUnavailable KeyState = readonly

Value:

"Unavailable"
const KeyStateUpdating KeyState = readonly

Value:

"Updating"
const KeyUsageTypeSignVerify KeyUsageType = readonly

Value:

"SIGN_VERIFY"
const KeyUsageTypeEncryptDecrypt KeyUsageType = readonly

Value:

"ENCRYPT_DECRYPT"
const KeyUsageTypeGenerateVerifyMac KeyUsageType = readonly

Value:

"GENERATE_VERIFY_MAC"
const KeyUsageTypeKeyAgreement KeyUsageType = readonly

Value:

"KEY_AGREEMENT"
const MacAlgorithmSpecHmacSha224 MacAlgorithmSpec = readonly

Value:

"HMAC_SHA_224"
const MacAlgorithmSpecHmacSha256 MacAlgorithmSpec = readonly

Value:

"HMAC_SHA_256"
const MacAlgorithmSpecHmacSha384 MacAlgorithmSpec = readonly

Value:

"HMAC_SHA_384"
const MacAlgorithmSpecHmacSha512 MacAlgorithmSpec = readonly

Value:

"HMAC_SHA_512"
const MessageTypeRaw MessageType = readonly

Value:

"RAW"
const MessageTypeDigest MessageType = readonly

Value:

"DIGEST"
const MultiRegionKeyTypePrimary MultiRegionKeyType = readonly

Value:

"PRIMARY"
const MultiRegionKeyTypeReplica MultiRegionKeyType = readonly

Value:

"REPLICA"
const OriginTypeAwsKms OriginType = readonly

Value:

"AWS_KMS"
const OriginTypeExternal OriginType = readonly

Value:

"EXTERNAL"
const OriginTypeAwsCloudhsm OriginType = readonly

Value:

"AWS_CLOUDHSM"
const OriginTypeExternalKeyStore OriginType = readonly

Value:

"EXTERNAL_KEY_STORE"
const RotationTypeAutomatic RotationType = readonly

Value:

"AUTOMATIC"
const RotationTypeOnDemand RotationType = readonly

Value:

"ON_DEMAND"
const SigningAlgorithmSpecRsassaPssSha256 SigningAlgorithmSpec = readonly

Value:

"RSASSA_PSS_SHA_256"
const SigningAlgorithmSpecRsassaPssSha384 SigningAlgorithmSpec = readonly

Value:

"RSASSA_PSS_SHA_384"
const SigningAlgorithmSpecRsassaPssSha512 SigningAlgorithmSpec = readonly

Value:

"RSASSA_PSS_SHA_512"
const SigningAlgorithmSpecRsassaPkcs1V15Sha256 SigningAlgorithmSpec = readonly

Value:

"RSASSA_PKCS1_V1_5_SHA_256"
const SigningAlgorithmSpecRsassaPkcs1V15Sha384 SigningAlgorithmSpec = readonly

Value:

"RSASSA_PKCS1_V1_5_SHA_384"
const SigningAlgorithmSpecRsassaPkcs1V15Sha512 SigningAlgorithmSpec = readonly

Value:

"RSASSA_PKCS1_V1_5_SHA_512"
const SigningAlgorithmSpecEcdsaSha256 SigningAlgorithmSpec = readonly

Value:

"ECDSA_SHA_256"
const SigningAlgorithmSpecEcdsaSha384 SigningAlgorithmSpec = readonly

Value:

"ECDSA_SHA_384"
const SigningAlgorithmSpecEcdsaSha512 SigningAlgorithmSpec = readonly

Value:

"ECDSA_SHA_512"
const SigningAlgorithmSpecSm2dsa SigningAlgorithmSpec = readonly

Value:

"SM2DSA"
const WrappingKeySpecRsa2048 WrappingKeySpec = readonly

Value:

"RSA_2048"
const WrappingKeySpecRsa3072 WrappingKeySpec = readonly

Value:

"RSA_3072"
const WrappingKeySpecRsa4096 WrappingKeySpec = readonly

Value:

"RSA_4096"
const WrappingKeySpecSm2 WrappingKeySpec = readonly

Value:

"SM2"
const XksProxyConnectivityTypePublicEndpoint XksProxyConnectivityType = readonly

Value:

"PUBLIC_ENDPOINT"
const XksProxyConnectivityTypeVpcEndpointService XksProxyConnectivityType = readonly

Value:

"VPC_ENDPOINT_SERVICE"

Type Summary collapse

Type Details

AliasListEntry struct

Contains information about an alias.

Structure Fields:

AliasArn *string

String that contains the key ARN.

AliasName *string

String that contains the alias. This value begins with alias/ .

CreationDate *time.Time

Date and time that the alias was most recently created in the account and Region. Formatted as Unix time.

LastUpdatedDate *time.Time

Date and time that the alias was most recently associated with a KMS key in the account and Region. Formatted as Unix time.

TargetKeyId *string

String that contains the key identifier of the KMS key associated with the alias.

CustomKeyStoresListEntry struct

Contains information about each custom key store in the custom key store list.

Structure Fields:

CloudHsmClusterId *string

A unique identifier for the CloudHSM cluster that is associated with an CloudHSM key store. This field appears only when the CustomKeyStoreType is AWS_CLOUDHSM .

ConnectionErrorCode ConnectionErrorCodeType

Describes the connection error. This field appears in the response only when the ConnectionState is FAILED .

Many failures can be resolved by updating the properties of the custom key store. To update a custom key store, disconnect it (DisconnectCustomKeyStore ), correct the errors (UpdateCustomKeyStore ), and try to connect again (ConnectCustomKeyStore ). For additional help resolving these errors, see How to Fix a Connection Failure in Key Management Service Developer Guide.

All custom key stores:

  • INTERNAL_ERROR — KMS could not complete the request due to an internal error. Retry the request. For ConnectCustomKeyStore requests, disconnect the custom key store before trying to connect again.

  • NETWORK_ERRORS — Network errors are preventing KMS from connecting the custom key store to its backing key store.

CloudHSM key stores:

  • CLUSTER_NOT_FOUND — KMS cannot find the CloudHSM cluster with the specified cluster ID.

  • INSUFFICIENT_CLOUDHSM_HSMS — The associated CloudHSM cluster does not contain any active HSMs. To connect a custom key store to its CloudHSM cluster, the cluster must contain at least one active HSM.

  • INSUFFICIENT_FREE_ADDRESSES_IN_SUBNET — At least one private subnet associated with the CloudHSM cluster doesn’t have any available IP addresses. A CloudHSM key store connection requires one free IP address in each of the associated private subnets, although two are preferable. For details, see to Fix a Connection Failure[https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failed]in the Key Management Service Developer Guide.

  • INVALID_CREDENTIALS — The KeyStorePassword for the custom key store doesn’t match the current password of the kmsuser crypto user in the CloudHSM cluster. Before you can connect your custom key store to its CloudHSM cluster, you must change the kmsuser account password and update the KeyStorePassword value for the custom key store.

  • SUBNET_NOT_FOUND — A subnet in the CloudHSM cluster configuration was deleted. If KMS cannot find all of the subnets in the cluster configuration, attempts to connect the custom key store to the CloudHSM cluster fail. To fix this error, create a cluster from a recent backup and associate it with your custom key store. (This process creates a new cluster configuration with a VPC and private subnets.) For details, see to Fix a Connection Failure[https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failed]in the Key Management Service Developer Guide.

  • USER_LOCKED_OUT — The kmsuser CU account is locked out of the associated CloudHSM cluster due to too many failed password attempts. Before you can connect your custom key store to its CloudHSM cluster, you must change the kmsuser account password and update the key store password value for the custom key store.

  • USER_LOGGED_IN — The kmsuser CU account is logged into the associated CloudHSM cluster. This prevents KMS from rotating the kmsuser account password and logging into the cluster. Before you can connect your custom key store to its CloudHSM cluster, you must log the kmsuser CU out of the cluster. If you changed the kmsuser password to log into the cluster, you must also and update the key store password value for the custom key store. For help, see to Log Out and Reconnect[https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#login-kmsuser-2]in the Key Management Service Developer Guide.

  • USER_NOT_FOUND — KMS cannot find a kmsuser CU account in the associated CloudHSM cluster. Before you can connect your custom key store to its CloudHSM cluster, you must create a kmsuser CU account in the cluster, and then update the key store password value for the custom key store.

External key stores:

  • INVALID_CREDENTIALS — One or both of the XksProxyAuthenticationCredential values is not valid on the specified external key store proxy.

  • XKS_PROXY_ACCESS_DENIED — KMS requests are denied access to the external key store proxy. If the external key store proxy has authorization rules, verify that they permit KMS to communicate with the proxy on your behalf.

  • XKS_PROXY_INVALID_CONFIGURATION — A configuration error is preventing the external key store from connecting to its proxy. Verify the value of the XksProxyUriPath .

  • XKS_PROXY_INVALID_RESPONSE — KMS cannot interpret the response from the external key store proxy. If you see this connection error code repeatedly, notify your external key store proxy vendor.

  • XKS_PROXY_INVALID_TLS_CONFIGURATION — KMS cannot connect to the external key store proxy because the TLS configuration is invalid. Verify that the XKS proxy supports TLS 1.2 or 1.3. Also, verify that the TLS certificate is not expired, and that it matches the hostname in the XksProxyUriEndpoint value, and that it is signed by a certificate authority included in the Certificate Authorities[https://github.com/aws/aws-kms-xksproxy-api-spec/blob/main/TrustedCertificateAuthorities]list.

  • XKS_PROXY_NOT_REACHABLE — KMS can’t communicate with your external key store proxy. Verify that the XksProxyUriEndpoint and XksProxyUriPath are correct. Use the tools for your external key store proxy to verify that the proxy is active and available on its network. Also, verify that your external key manager instances are operating properly. Connection attempts fail with this connection error code if the proxy reports that all external key manager instances are unavailable.

  • XKS_PROXY_TIMED_OUT — KMS can connect to the external key store proxy, but the proxy does not respond to KMS in the time allotted. If you see this connection error code repeatedly, notify your external key store proxy vendor.

  • XKS_VPC_ENDPOINT_SERVICE_INVALID_CONFIGURATION — The Amazon VPC endpoint service configuration doesn’t conform to the requirements for an KMS external key store.

  • The VPC endpoint service must be an endpoint service for interface endpoints in the caller's Amazon Web Services account.

  • It must have a network load balancer (NLB) connected to at least two subnets, each in a different Availability Zone.

  • The Allow principals list must include the KMS service principal for the Region, cks.kms..amazonaws.com , such as cks.kms.us-east-1.amazonaws.com .

  • It must not require service/kms/types.CustomKeyStoresListEntryacceptance[https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html]of connection requests.

  • It must have a private DNS name. The private DNS name for an external key store with VPC_ENDPOINT_SERVICE connectivity must be unique in its Amazon Web Services Region.

  • The domain of the private DNS name must have a status[https://docs.aws.amazon.com/vpc/latest/privatelink/verify-domains.html]of verified .

  • The certificate[https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html]specifies the private DNS hostname at which the endpoint is reachable.

  • XKS_VPC_ENDPOINT_SERVICE_NOT_FOUND — KMS can’t find the VPC endpoint service that it uses to communicate with the external key store proxy. Verify that the XksProxyVpcEndpointServiceName is correct and the KMS service principal has service consumer permissions on the Amazon VPC endpoint service.

ConnectionState ConnectionStateType

Indicates whether the custom key store is connected to its backing key store. For an CloudHSM key store, the ConnectionState indicates whether it is connected to its CloudHSM cluster. For an external key store, the ConnectionState indicates whether it is connected to the external key store proxy that communicates with your external key manager.

You can create and use KMS keys in your custom key stores only when its ConnectionState is CONNECTED .

The ConnectionState value is DISCONNECTED only if the key store has never been connected or you use the DisconnectCustomKeyStoreoperation to disconnect it. If the value is CONNECTED but you are having trouble using the custom key store, make sure that the backing key store is reachable and active. For an CloudHSM key store, verify that its associated CloudHSM cluster is active and contains at least one active HSM. For an external key store, verify that the external key store proxy and external key manager are connected and enabled.

A value of FAILED indicates that an attempt to connect was unsuccessful. The ConnectionErrorCode field in the response indicates the cause of the failure. For help resolving a connection failure, see a custom key store[https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html]in the Key Management Service Developer Guide.

CreationDate *time.Time

The date and time when the custom key store was created.

CustomKeyStoreId *string

A unique identifier for the custom key store.

CustomKeyStoreName *string

The user-specified friendly name for the custom key store.

CustomKeyStoreType CustomKeyStoreType

Indicates the type of the custom key store. AWS_CLOUDHSM indicates a custom key store backed by an CloudHSM cluster. EXTERNAL_KEY_STORE indicates a custom key store backed by an external key store proxy and external key manager outside of Amazon Web Services.

TrustAnchorCertificate *string

The trust anchor certificate of the CloudHSM cluster associated with an CloudHSM key store. When you initialize the cluster, you create this certificate and save it in the customerCA.crt file.

This field appears only when the CustomKeyStoreType is AWS_CLOUDHSM .

XksProxyConfiguration *XksProxyConfigurationType

Configuration settings for the external key store proxy (XKS proxy). The external key store proxy translates KMS requests into a format that your external key manager can understand. The proxy configuration includes connection information that KMS requires.

This field appears only when the CustomKeyStoreType is EXTERNAL_KEY_STORE .

GrantConstraints struct

Use this structure to allow cryptographic operations in the grant only when the operation request includes the specified encryption context.

KMS applies the grant constraints only to cryptographic operations that support an encryption context, that is, all cryptographic operations with a symmetric KMS key. Grant constraints are not applied to operations that do not support an encryption context, such as cryptographic operations with asymmetric KMS keys and management operations, such as DescribeKeyor RetireGrant.

In a cryptographic operation, the encryption context in the decryption operation must be an exact, case-sensitive match for the keys and values in the encryption context of the encryption operation. Only the order of the pairs can vary.

However, in a grant constraint, the key in each key-value pair is not case sensitive, but the value is case sensitive.

To avoid confusion, do not use multiple encryption context pairs that differ only by case. To require a fully case-sensitive encryption context, use the kms:EncryptionContext: and kms:EncryptionContextKeys conditions in an IAM or key policy. For details, see service/kms/types.GrantConstraintskms:EncryptionContext:[https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context]in the Key Management Service Developer Guide .

Structure Fields:

EncryptionContextEquals map[string]string

A list of key-value pairs that must match the encryption context in the cryptographic operation request. The grant allows the operation only when the encryption context in the request is the same as the encryption context specified in this constraint.

EncryptionContextSubset map[string]string

A list of key-value pairs that must be included in the encryption context of the operation[https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations]request. The grant allows the cryptographic operation only when the encryption context in the request includes the key-value pairs specified in this constraint, although it can include additional key-value pairs.

GrantListEntry struct

Contains information about a grant.

Structure Fields:

Constraints *GrantConstraints

A list of key-value pairs that must be present in the encryption context of certain subsequent operations that the grant allows.

CreationDate *time.Time

The date and time when the grant was created.

GrantId *string

The unique identifier for the grant.

GranteePrincipal *string

The identity that gets the permissions in the grant.

The GranteePrincipal field in the ListGrants response usually contains the user or role designated as the grantee principal in the grant. However, when the grantee principal in the grant is an Amazon Web Services service, the GranteePrincipal field contains the service principal, which might represent several different grantee principals.

IssuingAccount *string

The Amazon Web Services account under which the grant was issued.

KeyId *string

The unique identifier for the KMS key to which the grant applies.

Name *string

The friendly name that identifies the grant. If a name was provided in the CreateGrant request, that name is returned. Otherwise this value is null.

Operations []GrantOperation

The list of operations permitted by the grant.

RetiringPrincipal *string

The principal that can retire the grant.

KeyListEntry struct

Contains information about each entry in the key list.

Structure Fields:

KeyArn *string

ARN of the key.

KeyId *string

Unique identifier of the key.

KeyMetadata struct

Contains metadata about a KMS key.

This data type is used as a response element for the CreateKey, DescribeKey, and ReplicateKey operations.

Structure Fields:

KeyId *string

The globally unique identifier for the KMS key.

This member is required.

AWSAccountId *string

The twelve-digit account ID of the Amazon Web Services account that owns the KMS key.

Arn *string

The Amazon Resource Name (ARN) of the KMS key. For examples, see Key Management Service (KMS) in the Example ARNs section of the Amazon Web Services General Reference.

CloudHsmClusterId *string

The cluster ID of the CloudHSM cluster that contains the key material for the KMS key. When you create a KMS key in an CloudHSM custom key store, KMS creates the key material for the KMS key in the associated CloudHSM cluster. This field is present only when the KMS key is created in an CloudHSM key store.

CreationDate *time.Time

The date and time when the KMS key was created.

CustomKeyStoreId *string

A unique identifier for the custom key store that contains the KMS key. This field is present only when the KMS key is created in a custom key store.

CustomerMasterKeySpec CustomerMasterKeySpec

Instead, use the KeySpec field.

The KeySpec and CustomerMasterKeySpec fields have the same value. We recommend that you use the KeySpec field in your code. However, to avoid breaking changes, KMS supports both fields.

Deprecated: This field has been deprecated. Instead, use the KeySpec field.

DeletionDate *time.Time

The date and time after which KMS deletes this KMS key. This value is present only when the KMS key is scheduled for deletion, that is, when its KeyState is PendingDeletion .

When the primary key in a multi-Region key is scheduled for deletion but still has replica keys, its key state is PendingReplicaDeletion and the length of its waiting period is displayed in the PendingDeletionWindowInDays field.

Description *string

The description of the KMS key.

Enabled bool

Specifies whether the KMS key is enabled. When KeyState is Enabled this value is true, otherwise it is false.

EncryptionAlgorithms []EncryptionAlgorithmSpec

The encryption algorithms that the KMS key supports. You cannot use the KMS key with other encryption algorithms within KMS.

This value is present only when the KeyUsage of the KMS key is ENCRYPT_DECRYPT .

ExpirationModel ExpirationModelType

Specifies whether the KMS key’s key material expires. This value is present only when Origin is EXTERNAL , otherwise this value is omitted.

KeyAgreementAlgorithms []KeyAgreementAlgorithmSpec

The key agreement algorithm used to derive a shared secret.

KeyManager KeyManagerType

The manager of the KMS key. KMS keys in your Amazon Web Services account are either customer managed or Amazon Web Services managed. For more information about the difference, see keys[https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys]in the Key Management Service Developer Guide.

KeySpec KeySpec

Describes the type of key material in the KMS key.

KeyState KeyState

The current status of the KMS key.

For more information about how key state affects the use of a KMS key, see Key states of KMS keys in the Key Management Service Developer Guide.

KeyUsage KeyUsageType

The cryptographic operations for which you can use the KMS key.

MacAlgorithms []MacAlgorithmSpec

The message authentication code (MAC) algorithm that the HMAC KMS key supports.

This value is present only when the KeyUsage of the KMS key is GENERATE_VERIFY_MAC .

MultiRegion *bool

Indicates whether the KMS key is a multi-Region ( True ) or regional ( False ) key. This value is True for multi-Region primary and replica keys and False for regional KMS keys.

For more information about multi-Region keys, see Multi-Region keys in KMS in the Key Management Service Developer Guide.

MultiRegionConfiguration *MultiRegionConfiguration

Lists the primary and replica keys in same multi-Region key. This field is present only when the value of the MultiRegion field is True .

For more information about any listed KMS key, use the DescribeKey operation.

  • MultiRegionKeyType indicates whether the KMS key is a PRIMARY or REPLICA key.

  • PrimaryKey displays the key ARN and Region of the primary key. This field displays the current KMS key if it is the primary key.

  • ReplicaKeys displays the key ARNs and Regions of all replica keys. This field includes the current KMS key if it is a replica key.

Origin OriginType

The source of the key material for the KMS key. When this value is AWS_KMS , KMS created the key material. When this value is EXTERNAL , the key material was imported or the KMS key doesn’t have any key material. When this value is AWS_CLOUDHSM , the key material was created in the CloudHSM cluster associated with a custom key store.

PendingDeletionWindowInDays *int32

The waiting period before the primary key in a multi-Region key is deleted. This waiting period begins when the last of its replica keys is deleted. This value is present only when the KeyState of the KMS key is PendingReplicaDeletion . That indicates that the KMS key is the primary key in a multi-Region key, it is scheduled for deletion, and it still has existing replica keys.

When a single-Region KMS key or a multi-Region replica key is scheduled for deletion, its deletion date is displayed in the DeletionDate field. However, when the primary key in a multi-Region key is scheduled for deletion, its waiting period doesn’t begin until all of its replica keys are deleted. This value displays that waiting period. When the last replica key in the multi-Region key is deleted, the KeyState of the scheduled primary key changes from PendingReplicaDeletion to PendingDeletion and the deletion date appears in the DeletionDate field.

SigningAlgorithms []SigningAlgorithmSpec

The signing algorithms that the KMS key supports. You cannot use the KMS key with other signing algorithms within KMS.

This field appears only when the KeyUsage of the KMS key is SIGN_VERIFY .

ValidTo *time.Time

The time at which the imported key material expires. When the key material expires, KMS deletes the key material and the KMS key becomes unusable. This value is present only for KMS keys whose Origin is EXTERNAL and whose ExpirationModel is KEY_MATERIAL_EXPIRES , otherwise this value is omitted.

XksKeyConfiguration *XksKeyConfigurationType

Information about the external key that is associated with a KMS key in an external key store.

For more information, see External key in the Key Management Service Developer Guide.

MultiRegionConfiguration struct

Describes the configuration of this multi-Region key. This field appears only when the KMS key is a primary or replica of a multi-Region key.

For more information about any listed KMS key, use the DescribeKey operation.

Structure Fields:

MultiRegionKeyType MultiRegionKeyType

Indicates whether the KMS key is a PRIMARY or REPLICA key.

PrimaryKey *MultiRegionKey

Displays the key ARN and Region of the primary key. This field includes the current KMS key if it is the primary key.

ReplicaKeys []MultiRegionKey

displays the key ARNs and Regions of all replica keys. This field includes the current KMS key if it is a replica key.

MultiRegionKey struct

Describes the primary or replica key in a multi-Region key.

Structure Fields:

Arn *string

Displays the key ARN of a primary or replica key of a multi-Region key.

Region *string

Displays the Amazon Web Services Region of a primary or replica key in a multi-Region key.

RecipientInfo struct

Contains information about the party that receives the response from the API operation.

This data type is designed to support Amazon Web Services Nitro Enclaves, which lets you create an isolated compute environment in Amazon EC2. For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.

Structure Fields:

AttestationDocument []byte

The attestation document for an Amazon Web Services Nitro Enclave. This document includes the enclave’s public key.

KeyEncryptionAlgorithm KeyEncryptionMechanism

The encryption algorithm that KMS should use with the public key for an Amazon Web Services Nitro Enclave to encrypt plaintext values for the response. The only valid value is RSAES_OAEP_SHA_256 .

RotationsListEntry struct

Contains information about completed key material rotations.

Structure Fields:

KeyId *string

Unique identifier of the key.

RotationDate *time.Time

Date and time that the key material rotation completed. Formatted as Unix time.

RotationType RotationType

Identifies whether the key material rotation was a scheduled automatic rotation or an on-demand rotation.

Tag struct

A key-value pair. A tag consists of a tag key and a tag value. Tag keys and tag values are both required, but tag values can be empty (null) strings.

Do not include confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.

For information about the rules that apply to tag keys and tag values, see User-Defined Tag Restrictions in the Amazon Web Services Billing and Cost Management User Guide.

Structure Fields:

TagKey *string

The key of the tag.

This member is required.

TagValue *string

The value of the tag.

This member is required.

XksKeyConfigurationType struct

Information about the key[https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key]that is associated with a KMS key in an external key store.

This element appears in a CreateKey or DescribeKey response only for a KMS key in an external key store.

The external key is a symmetric encryption key that is hosted by an external key manager outside of Amazon Web Services. When you use the KMS key in an external key store in a cryptographic operation, the cryptographic operation is performed in the external key manager using the specified external key. For more information, see key[https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-external-key]in the Key Management Service Developer Guide.

Structure Fields:

Id *string

The ID of the external key in its external key manager. This is the ID that the external key store proxy uses to identify the external key.

XksProxyAuthenticationCredentialType struct

KMS uses the authentication credential to sign requests that it sends to the external key store proxy (XKS proxy) on your behalf. You establish these credentials on your external key store proxy and report them to KMS.

The XksProxyAuthenticationCredential includes two required elements.

Structure Fields:

AccessKeyId *string

A unique identifier for the raw secret access key.

This member is required.

RawSecretAccessKey *string

A secret string of 43-64 characters. Valid characters are a-z, A-Z, 0-9, /, +, and =.

This member is required.

XksProxyConfigurationType struct

Detailed information about the external key store proxy (XKS proxy). Your external key store proxy translates KMS requests into a format that your external key manager can understand. These fields appear in a DescribeCustomKeyStoresresponse only when the CustomKeyStoreType is EXTERNAL_KEY_STORE .

Structure Fields:

AccessKeyId *string

The part of the external key store proxy authentication credential that uniquely identifies the secret access key.

Connectivity XksProxyConnectivityType

Indicates whether the external key store proxy uses a public endpoint or an Amazon VPC endpoint service to communicate with KMS.

UriEndpoint *string

The URI endpoint for the external key store proxy.

If the external key store proxy has a public endpoint, it is displayed here.

If the external key store proxy uses an Amazon VPC endpoint service name, this field displays the private DNS name associated with the VPC endpoint service.

UriPath *string

The path to the external key store proxy APIs.

VpcEndpointServiceName *string

The Amazon VPC endpoint service used to communicate with the external key store proxy. This field appears only when the external key store proxy uses an Amazon VPC endpoint service to communicate with KMS.