Package: kms
Overview
Package kms provides the client and types for making API requests to AWS Key Management Service.
Key Management Service (KMS) is an encryption and key management web service. This guide describes the KMS operations that you can call programmatically. For general information about KMS, see the Key Management Service Developer Guide (docs.aws.amazon.com/kms/latest/developerguide/).
KMS has replaced the term customer master key (CMK) with KMS key. The concept has not changed. To prevent breaking changes, KMS is keeping some variations of this term, and older identifiers such as CustomerMasterKeySpec and error messages that mention CMKs remain in this package.
Amazon Web Services provides SDKs that consist of libraries and sample code for various programming languages and platforms (Java, Ruby, .Net, macOS, Android, etc.). The SDKs provide a convenient way to create programmatic access to KMS and other Amazon Web Services services. For example, the SDKs take care of tasks such as signing requests (see below), managing errors, and retrying requests automatically. For more information about the Amazon Web Services SDKs, including how to download and install them, see Tools for Amazon Web Services (aws.amazon.com/tools/).
We recommend that you use the Amazon Web Services SDKs to make programmatic API calls to KMS.
If you need to use FIPS 140-2 validated cryptographic modules when communicating with Amazon Web Services, use the FIPS endpoint in your preferred Amazon Web Services Region. For more information about the available FIPS endpoints, see Service endpoints (docs.aws.amazon.com/general/latest/gr/kms.html#kms_region) in the Key Management Service topic of the Amazon Web Services General Reference.
All KMS API calls must be signed and be transmitted using Transport Layer Security (TLS). KMS recommends you always use the latest supported TLS version. Clients must also support cipher suites with Perfect Forward Secrecy (PFS) such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Ephemeral Diffie-Hellman (ECDHE). Most modern systems such as Java 7 and later support these modes.
Signing Requests
Requests must be signed using an access key ID and a secret access key. We strongly recommend that you do not use your Amazon Web Services account root access key ID and secret access key for everyday work. You can use the access key ID and secret access key for an IAM user or you can use the Security Token Service (STS) to generate temporary security credentials and use those to sign requests.
All KMS requests must be signed with Signature Version 4 (docs.aws.amazon.com/general/latest/gr/signature-version-4.html).
Logging API Requests
KMS supports CloudTrail, a service that logs Amazon Web Services API calls and related events for your Amazon Web Services account and delivers them to an Amazon S3 bucket that you specify. By using the information collected by CloudTrail, you can determine what requests were made to KMS, who made the request, when it was made, and so on. To learn more about CloudTrail, including how to turn it on and find your log files, see the CloudTrail User Guide (docs.aws.amazon.com/awscloudtrail/latest/userguide/).
Additional Resources
For more information about credentials and request signing, see the following:
- Amazon Web Services Security Credentials (docs.aws.amazon.com/general/latest/gr/aws-security-credentials.html): general information about the types of credentials used to access Amazon Web Services.
- Temporary Security Credentials (docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html): this section of the IAM User Guide describes how to create and use temporary security credentials.
- Signature Version 4 Signing Process (docs.aws.amazon.com/general/latest/gr/signature-version-4.html): this set of topics walks you through the process of signing a request using an access key ID and a secret access key.
Commonly Used API Operations
Of the API operations discussed in this guide, the following will prove the most useful for most applications. You will likely perform operations other than these, such as creating keys and assigning policies, by using the console.
- Encrypt
- Decrypt
- GenerateDataKey
- GenerateDataKeyWithoutPlaintext
See docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01 for more information on this service.
See kms package documentation for more information. docs.aws.amazon.com/sdk-for-go/api/service/kms/
Using the Client
To contact AWS Key Management Service with the SDK use the New function to create a new service client. With that client you can make API requests to the service. These clients are safe to use concurrently.
See the SDK's documentation for more information on how to use the SDK. docs.aws.amazon.com/sdk-for-go/api/
See aws.Config documentation for more information on configuring SDK clients. docs.aws.amazon.com/sdk-for-go/api/aws/#Config
See the AWS Key Management Service client KMS for more information on creating client for this service. docs.aws.amazon.com/sdk-for-go/api/service/kms/#New
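The four operations listed above are the building blocks of envelope encryption: GenerateDataKey hands back a fresh data key both in plaintext and wrapped under the KMS key, the application encrypts its data locally with the plaintext copy and discards it, and Decrypt later unwraps the stored copy (GenerateDataKeyWithoutPlaintext is the same wrap without the plaintext half, for a writer that never needs to decrypt). The following Go program is an added example, not code from the SDK or from AWS. So that it runs offline it introduces an assumed KeyService interface in place of the client, implemented by a stand-in localKMS that wraps data keys under a 256-bit master key with the encryption context bound as additional authenticated data, which is the property a SYMMETRIC_DEFAULT KMS key gives you; in production a thin adapter over *kms.KMS calling GenerateDataKey and Decrypt would implement the same interface. The key ID "alias/example-key", the tenant/purpose context and the sample record are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"sort"
)

// KeyService is the slice of KMS behaviour envelope encryption needs (assumed
// interface). An adapter around *kms.KMS would implement it in production;
// localKMS below is an offline stand-in so this example runs without AWS.
type KeyService interface {
	GenerateDataKey(keyID string, encCtx map[string]string) (plaintext, blob []byte, err error)
	Decrypt(blob []byte, encCtx map[string]string) ([]byte, error)
}

// canonicalContext serialises the encryption context in sorted key order so
// the same map always yields the same additional authenticated data (AAD).
func canonicalContext(encCtx map[string]string) []byte {
	keys := make([]string, 0, len(encCtx))
	for k := range encCtx {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b bytes.Buffer
	for _, k := range keys {
		b.WriteString(k + "\x00" + encCtx[k] + "\x00")
	}
	return b.Bytes()
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal returns nonce || ciphertext || tag under AES-256-GCM; aeadOpen
// reverses it and fails on any change to the blob or to the AAD.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

func aeadOpen(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil || len(blob) < aead.NonceSize() {
		return nil, errors.New("bad key or ciphertext too short")
	}
	n := aead.NonceSize()
	return aead.Open(nil, blob[:n], blob[n:], aad)
}

// localKMS models a SYMMETRIC_DEFAULT KMS key: a 256-bit master key that never
// leaves the struct; data keys are wrapped with the encryption context as AAD.
type localKMS struct{ master []byte }

func newLocalKMS() (*localKMS, error) {
	master := make([]byte, 32)
	_, err := rand.Read(master)
	return &localKMS{master: master}, err
}

// GenerateDataKey returns a fresh AES_256 data key in plaintext and wrapped.
func (l *localKMS) GenerateDataKey(_ string, encCtx map[string]string) ([]byte, []byte, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, nil, err
	}
	blob, err := aeadSeal(l.master, dek, canonicalContext(encCtx))
	return dek, blob, err
}

// Decrypt fails, like KMS's InvalidCiphertextException, when the blob is
// corrupted or the encryption context differs from the one used to wrap it.
func (l *localKMS) Decrypt(blob []byte, encCtx map[string]string) ([]byte, error) {
	dek, err := aeadOpen(l.master, blob, canonicalContext(encCtx))
	if err != nil {
		return nil, errors.New("InvalidCiphertextException: " + err.Error())
	}
	return dek, nil
}

// Seal encrypts plaintext under a one-use data key and returns the wrapped key
// and ciphertext to store together; the plaintext data key is zeroed before
// returning. Open unwraps the key through the service and decrypts locally.
// The encryption context is stored in the clear: it is authenticated, not
// encrypted, and must be presented again on Decrypt.
func Seal(svc KeyService, keyID string, encCtx map[string]string, plaintext []byte) ([]byte, []byte, error) {
	dek, wrapped, err := svc.GenerateDataKey(keyID, encCtx)
	if err != nil {
		return nil, nil, err
	}
	defer zero(dek)
	ct, err := aeadSeal(dek, plaintext, canonicalContext(encCtx))
	return wrapped, ct, err
}

func Open(svc KeyService, wrapped, ct []byte, encCtx map[string]string) ([]byte, error) {
	dek, err := svc.Decrypt(wrapped, encCtx)
	if err != nil {
		return nil, err
	}
	defer zero(dek)
	return aeadOpen(dek, ct, canonicalContext(encCtx))
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	svc, err := newLocalKMS()
	if err != nil {
		panic(err)
	}
	// Constructed sample context and record; the key ID is a placeholder alias.
	encCtx := map[string]string{"tenant": "acme", "purpose": "customer-records"}
	wrapped, ct, err := Seal(svc, "alias/example-key", encCtx, []byte("constructed sample record"))
	if err != nil {
		panic(err)
	}
	pt, err := Open(svc, wrapped, ct, encCtx)
	fmt.Printf("decrypted: %q (err=%v)\n", pt, err)
	_, err = Open(svc, wrapped, ct, map[string]string{"tenant": "other", "purpose": "customer-records"})
	fmt.Println("different encryption context:", err)
}
```

With the real client the second Open fails in the same place: KMS refuses the Decrypt call, and in this SDK the error is an awserr.Error whose Code() is the ErrCodeInvalidCiphertextException constant listed under Constants on this page, so a caller can distinguish a wrong context or corrupted blob from a disabled key (ErrCodeDisabledException) or a key in the wrong state (ErrCodeInvalidStateException). The encryption context is the cheap control here: it costs nothing to store, it is logged by CloudTrail, and it stops a ciphertext produced for one tenant from being decrypted under another tenant's context even by a principal who holds kms:Decrypt on the key.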
Client Structure
    KMS struct (client): KMS provides the API operation methods for making requests to AWS Key Management Service.
Constants

AlgorithmSpec enum values:
    AlgorithmSpecRsaesPkcs1V15       = "RSAES_PKCS1_V1_5"
    AlgorithmSpecRsaesOaepSha1       = "RSAES_OAEP_SHA_1"
    AlgorithmSpecRsaesOaepSha256     = "RSAES_OAEP_SHA_256"
    AlgorithmSpecRsaAesKeyWrapSha1   = "RSA_AES_KEY_WRAP_SHA_1"
    AlgorithmSpecRsaAesKeyWrapSha256 = "RSA_AES_KEY_WRAP_SHA_256"

ConnectionErrorCodeType enum values:
    ConnectionErrorCodeTypeInvalidCredentials       = "INVALID_CREDENTIALS"
    ConnectionErrorCodeTypeClusterNotFound          = "CLUSTER_NOT_FOUND"
    ConnectionErrorCodeTypeNetworkErrors            = "NETWORK_ERRORS"
    ConnectionErrorCodeTypeInternalError            = "INTERNAL_ERROR"
    ConnectionErrorCodeTypeInsufficientCloudhsmHsms = "INSUFFICIENT_CLOUDHSM_HSMS"
    ConnectionErrorCodeTypeUserLockedOut            = "USER_LOCKED_OUT"
    ConnectionErrorCodeTypeUserNotFound             = "USER_NOT_FOUND"
    ConnectionErrorCodeTypeUserLoggedIn             = "USER_LOGGED_IN"
    ConnectionErrorCodeTypeSubnetNotFound           = "SUBNET_NOT_FOUND"

ConnectionStateType enum values:
    ConnectionStateTypeConnected     = "CONNECTED"
    ConnectionStateTypeConnecting    = "CONNECTING"
    ConnectionStateTypeFailed        = "FAILED"
    ConnectionStateTypeDisconnected  = "DISCONNECTED"
    ConnectionStateTypeDisconnecting = "DISCONNECTING"
CustomerMasterKeySpec enum values:
    CustomerMasterKeySpecRsa2048          = "RSA_2048"
    CustomerMasterKeySpecRsa3072          = "RSA_3072"
    CustomerMasterKeySpecRsa4096          = "RSA_4096"
    CustomerMasterKeySpecEccNistP256      = "ECC_NIST_P256"
    CustomerMasterKeySpecEccNistP384      = "ECC_NIST_P384"
    CustomerMasterKeySpecEccNistP521      = "ECC_NIST_P521"
    CustomerMasterKeySpecEccSecgP256k1    = "ECC_SECG_P256K1"
    CustomerMasterKeySpecSymmetricDefault = "SYMMETRIC_DEFAULT"
    CustomerMasterKeySpecHmac224          = "HMAC_224"
    CustomerMasterKeySpecHmac256          = "HMAC_256"
    CustomerMasterKeySpecHmac384          = "HMAC_384"
    CustomerMasterKeySpecHmac512          = "HMAC_512"
    CustomerMasterKeySpecSm2              = "SM2"

DataKeyPairSpec enum values:
    DataKeyPairSpecRsa2048       = "RSA_2048"
    DataKeyPairSpecRsa3072       = "RSA_3072"
    DataKeyPairSpecRsa4096       = "RSA_4096"
    DataKeyPairSpecEccNistP256   = "ECC_NIST_P256"
    DataKeyPairSpecEccNistP384   = "ECC_NIST_P384"
    DataKeyPairSpecEccNistP521   = "ECC_NIST_P521"
    DataKeyPairSpecEccSecgP256k1 = "ECC_SECG_P256K1"
    DataKeyPairSpecSm2           = "SM2"

DataKeySpec enum values:
    DataKeySpecAes256 = "AES_256"
    DataKeySpecAes128 = "AES_128"
EncryptionAlgorithmSpec enum values:
    EncryptionAlgorithmSpecSymmetricDefault = "SYMMETRIC_DEFAULT"
    EncryptionAlgorithmSpecRsaesOaepSha1    = "RSAES_OAEP_SHA_1"
    EncryptionAlgorithmSpecRsaesOaepSha256  = "RSAES_OAEP_SHA_256"
    EncryptionAlgorithmSpecSm2pke           = "SM2PKE"

ExpirationModelType enum values:
    ExpirationModelTypeKeyMaterialExpires       = "KEY_MATERIAL_EXPIRES"
    ExpirationModelTypeKeyMaterialDoesNotExpire = "KEY_MATERIAL_DOES_NOT_EXPIRE"

GrantOperation enum values:
    GrantOperationDecrypt                             = "Decrypt"
    GrantOperationEncrypt                             = "Encrypt"
    GrantOperationGenerateDataKey                     = "GenerateDataKey"
    GrantOperationGenerateDataKeyWithoutPlaintext     = "GenerateDataKeyWithoutPlaintext"
    GrantOperationReEncryptFrom                       = "ReEncryptFrom"
    GrantOperationReEncryptTo                         = "ReEncryptTo"
    GrantOperationSign                                = "Sign"
    GrantOperationVerify                              = "Verify"
    GrantOperationGetPublicKey                        = "GetPublicKey"
    GrantOperationCreateGrant                         = "CreateGrant"
    GrantOperationRetireGrant                         = "RetireGrant"
    GrantOperationDescribeKey                         = "DescribeKey"
    GrantOperationGenerateDataKeyPair                 = "GenerateDataKeyPair"
    GrantOperationGenerateDataKeyPairWithoutPlaintext = "GenerateDataKeyPairWithoutPlaintext"

KeyManagerType enum values:
    KeyManagerTypeAws      = "AWS"
    KeyManagerTypeCustomer = "CUSTOMER"
KeySpec enum values:
    KeySpecRsa2048          = "RSA_2048"
    KeySpecRsa3072          = "RSA_3072"
    KeySpecRsa4096          = "RSA_4096"
    KeySpecEccNistP256      = "ECC_NIST_P256"
    KeySpecEccNistP384      = "ECC_NIST_P384"
    KeySpecEccNistP521      = "ECC_NIST_P521"
    KeySpecEccSecgP256k1    = "ECC_SECG_P256K1"
    KeySpecSymmetricDefault = "SYMMETRIC_DEFAULT"
    KeySpecHmac224          = "HMAC_224"
    KeySpecHmac256          = "HMAC_256"
    KeySpecHmac384          = "HMAC_384"
    KeySpecHmac512          = "HMAC_512"
    KeySpecSm2              = "SM2"

KeyState enum values:
    KeyStateCreating               = "Creating"
    KeyStateEnabled                = "Enabled"
    KeyStateDisabled               = "Disabled"
    KeyStatePendingDeletion        = "PendingDeletion"
    KeyStatePendingImport          = "PendingImport"
    KeyStatePendingReplicaDeletion = "PendingReplicaDeletion"
    KeyStateUnavailable            = "Unavailable"
    KeyStateUpdating               = "Updating"

KeyUsageType enum values:
    KeyUsageTypeSignVerify     = "SIGN_VERIFY"
    KeyUsageTypeEncryptDecrypt = "ENCRYPT_DECRYPT"

MessageType enum values:
    MessageTypeRaw    = "RAW"
    MessageTypeDigest = "DIGEST"

OriginType enum values:
    OriginTypeAwsKms           = "AWS_KMS"
    OriginTypeExternal         = "EXTERNAL"
    OriginTypeAwsCloudhsm      = "AWS_CLOUDHSM"
    OriginTypeExternalKeyStore = "EXTERNAL_KEY_STORE"
SigningAlgorithmSpec enum values:
    SigningAlgorithmSpecRsassaPssSha256      = "RSASSA_PSS_SHA_256"
    SigningAlgorithmSpecRsassaPssSha384      = "RSASSA_PSS_SHA_384"
    SigningAlgorithmSpecRsassaPssSha512      = "RSASSA_PSS_SHA_512"
    SigningAlgorithmSpecRsassaPkcs1V15Sha256 = "RSASSA_PKCS1_V1_5_SHA_256"
    SigningAlgorithmSpecRsassaPkcs1V15Sha384 = "RSASSA_PKCS1_V1_5_SHA_384"
    SigningAlgorithmSpecRsassaPkcs1V15Sha512 = "RSASSA_PKCS1_V1_5_SHA_512"
    SigningAlgorithmSpecEcdsaSha256          = "ECDSA_SHA_256"
    SigningAlgorithmSpecEcdsaSha384          = "ECDSA_SHA_384"
    SigningAlgorithmSpecEcdsaSha512          = "ECDSA_SHA_512"
    SigningAlgorithmSpecSm2dsa               = "SM2DSA"

WrappingKeySpec enum values:
    WrappingKeySpecRsa2048 = "RSA_2048"
    WrappingKeySpecRsa3072 = "RSA_3072"
    WrappingKeySpecRsa4096 = "RSA_4096"
Service response error codes:

ErrCodeAlreadyExistsException = "AlreadyExistsException"
    The request was rejected because it attempted to create a resource that already exists.

ErrCodeCloudHsmClusterInUseException = "CloudHsmClusterInUseException"
    The request was rejected because the specified CloudHSM cluster is already associated with a CloudHSM key store in the account, or it shares a backup history with a CloudHSM key store in the account. Each CloudHSM key store in the account must be associated with a different CloudHSM cluster.
    CloudHSM clusters that share a backup history have the same cluster certificate. To view the cluster certificate of a CloudHSM cluster, use the DescribeClusters (docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) operation.

ErrCodeCloudHsmClusterInvalidConfigurationException = "CloudHsmClusterInvalidConfigurationException"
    The request was rejected because the associated CloudHSM cluster did not meet the configuration requirements for a CloudHSM key store:
    - The CloudHSM cluster must be configured with private subnets in at least two different Availability Zones in the Region.
    - The security group for the cluster (docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound rules that allow TCP traffic on ports 2223-2225. The Source in the inbound rules and the Destination in the outbound rules must match the security group ID. These rules are set by default when you create the CloudHSM cluster. Do not delete or change them. To get information about a particular security group, use the DescribeSecurityGroups (docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html) operation.
    - The CloudHSM cluster must contain at least as many HSMs as the operation requires. To add HSMs, use the CloudHSM CreateHsm (docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html) operation. For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey operations, the CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone. For the ConnectCustomKeyStore operation, the CloudHSM cluster must contain at least one active HSM.
    For information about the requirements for a CloudHSM cluster that is associated with a CloudHSM key store, see Assemble the Prerequisites (docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) in the Key Management Service Developer Guide. For information about creating a private subnet for a CloudHSM cluster, see Create a Private Subnet (docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html) in the CloudHSM User Guide. For information about cluster security groups, see Configure a Default Security Group (docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) in the CloudHSM User Guide.

ErrCodeCloudHsmClusterNotActiveException = "CloudHsmClusterNotActiveException"
    The request was rejected because the CloudHSM cluster associated with the CloudHSM key store is not active. Initialize and activate the cluster and try the command again. For detailed instructions, see Getting Started (docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html) in the CloudHSM User Guide.

ErrCodeCloudHsmClusterNotFoundException = "CloudHsmClusterNotFoundException"
    The request was rejected because KMS cannot find the CloudHSM cluster with the specified cluster ID. Retry the request with a different cluster ID.

ErrCodeCloudHsmClusterNotRelatedException = "CloudHsmClusterNotRelatedException"
    The request was rejected because the specified CloudHSM cluster has a different cluster certificate than the original cluster. You cannot use the operation to specify an unrelated cluster for a CloudHSM key store.
    Specify a CloudHSM cluster that shares a backup history with the original cluster. This includes clusters that were created from a backup of the current cluster, and clusters that were created from the same backup that produced the current cluster.
    CloudHSM clusters that share a backup history have the same cluster certificate. To view the cluster certificate of a CloudHSM cluster, use the DescribeClusters (docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) operation.
ErrCodeCustomKeyStoreHasCMKsException = "CustomKeyStoreHasCMKsException"
    The request was rejected because the custom key store contains KMS keys (customer master keys, CMKs). After verifying that you do not need to use the keys, use the ScheduleKeyDeletion operation to delete them. After they are deleted, you can delete the custom key store.

ErrCodeCustomKeyStoreInvalidStateException = "CustomKeyStoreInvalidStateException"
    The request was rejected because of the ConnectionState of the custom key store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores operation.
    This exception is thrown under the following conditions:
    - You requested the ConnectCustomKeyStore operation on a custom key store with a ConnectionState of DISCONNECTING or FAILED. This operation is valid for all other ConnectionState values. To reconnect a custom key store in a FAILED state, disconnect it (DisconnectCustomKeyStore), then connect it (ConnectCustomKeyStore).
    - You requested the CreateKey operation in a custom key store that is not connected. This operation is valid only when the custom key store ConnectionState is CONNECTED.
    - You requested the DisconnectCustomKeyStore operation on a custom key store with a ConnectionState of DISCONNECTING or DISCONNECTED. This operation is valid for all other ConnectionState values.
    - You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation on a custom key store that is not disconnected. This operation is valid only when the custom key store ConnectionState is DISCONNECTED.
    - You requested the GenerateRandom operation in a CloudHSM key store that is not connected. This operation is valid only when the CloudHSM key store ConnectionState is CONNECTED.

ErrCodeCustomKeyStoreNameInUseException = "CustomKeyStoreNameInUseException"
    The request was rejected because the specified custom key store name is already assigned to another custom key store in the account. Try again with a custom key store name that is unique in the account.

ErrCodeCustomKeyStoreNotFoundException = "CustomKeyStoreNotFoundException"
    The request was rejected because KMS cannot find a custom key store with the specified key store name or ID.

ErrCodeDependencyTimeoutException = "DependencyTimeoutException"
    The system timed out while trying to fulfill the request. You can retry the request.

ErrCodeDisabledException = "DisabledException"
    The request was rejected because the specified KMS key is not enabled.

ErrCodeExpiredImportTokenException = "ExpiredImportTokenException"
    The request was rejected because the specified import token is expired. Use GetParametersForImport to get a new import token and public key, use the new public key to encrypt the key material, and then try the request again.

ErrCodeIncorrectKeyException = "IncorrectKeyException"
    The request was rejected because the specified KMS key cannot decrypt the data. The KeyId in a Decrypt request and the SourceKeyId in a ReEncrypt request must identify the same KMS key that was used to encrypt the ciphertext.

ErrCodeIncorrectKeyMaterialException = "IncorrectKeyMaterialException"
    The request was rejected because the key material in the request is expired, invalid, or is not the same key material that was previously imported into this KMS key.

ErrCodeIncorrectTrustAnchorException = "IncorrectTrustAnchorException"
    The request was rejected because the trust anchor certificate in the request to create a CloudHSM key store is not the trust anchor certificate for the specified CloudHSM cluster.
    When you initialize the CloudHSM cluster (docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr), you create the trust anchor certificate and save it in the customerCA.crt file.
const ErrCodeInternalException = readonly
ErrCodeInternalException for service response error code “KMSInternalException”.
The request was rejected because an internal exception occurred. The request can be retried.
-
Value:
"KMSInternalException" -
const ErrCodeInvalidAliasNameException = readonly
ErrCodeInvalidAliasNameException for service response error code “InvalidAliasNameException”.
The request was rejected because the specified alias name is not valid.
-
Value:
-
const ErrCodeInvalidArnException = readonly
ErrCodeInvalidArnException for service response error code “InvalidArnException”.
The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
-
Value:
-
const ErrCodeInvalidCiphertextException = readonly
ErrCodeInvalidCiphertextException for service response error code “InvalidCiphertextException”.
From the Decrypt or ReEncrypt operation, the request was rejected because the specified ciphertext, or additional authenticated data incorporated into the ciphertext, such as the encryption context, is corrupted, missing, or otherwise invalid.
From the ImportKeyMaterial operation, the request was rejected because AWS KMS could not decrypt the encrypted (wrapped) key material.
-
Value:
-
const ErrCodeInvalidGrantIdException = readonly
ErrCodeInvalidGrantIdException for service response error code “InvalidGrantIdException”.
The request was rejected because the specified GrantId is not valid.
-
Value:
-
const ErrCodeInvalidGrantTokenException = readonly
ErrCodeInvalidGrantTokenException for service response error code “InvalidGrantTokenException”.
The request was rejected because the specified grant token is not valid.
-
Value:
-
const ErrCodeInvalidImportTokenException = readonly
ErrCodeInvalidImportTokenException for service response error code “InvalidImportTokenException”.
The request was rejected because the provided import token is invalid or is associated with a different customer master key (CMK).
-
Value:
-
const ErrCodeInvalidKeyUsageException = readonly
ErrCodeInvalidKeyUsageException for service response error code “InvalidKeyUsageException”.
The request was rejected for one of the following reasons:
-
The KeyUsage value of the CMK is incompatible with the API operation.
-
The encryption algorithm or signing algorithm specified for the operation is incompatible with the type of key material in the CMK (CustomerMasterKeySpec).
For encrypting, decrypting, re-encrypting, and generating data keys, the KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation.
To find the encryption or signing algorithms supported for a particular CMK, use the DescribeKey operation.
-
-
Value:
-
const ErrCodeInvalidMarkerException = readonly
ErrCodeInvalidMarkerException for service response error code “InvalidMarkerException”.
The request was rejected because the marker that specifies where pagination should next begin is not valid.
-
Value:
-
const ErrCodeInvalidStateException = "KMSInvalidStateException"
ErrCodeInvalidStateException for service response error code “KMSInvalidStateException”.
The request was rejected because the state of the specified resource is not valid for this request.
For more information about how key state affects the use of a CMK, see How Key State Affects Use of a Customer Master Key (docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in the AWS Key Management Service Developer Guide.
const ErrCodeKMSInvalidSignatureException = "KMSInvalidSignatureException"
ErrCodeKMSInvalidSignatureException for service response error code “KMSInvalidSignatureException”.
The request was rejected because the signature verification failed. Signature verification fails when it cannot confirm that the signature was produced by signing the specified message with the specified CMK and signing algorithm.
const ErrCodeLimitExceededException = "LimitExceededException"
ErrCodeLimitExceededException for service response error code “LimitExceededException”.
The request was rejected because a quota was exceeded. For more information, see Quotas (docs.aws.amazon.com/kms/latest/developerguide/limits.html) in the Key Management Service Developer Guide.
const ErrCodeMalformedPolicyDocumentException = "MalformedPolicyDocumentException"
ErrCodeMalformedPolicyDocumentException for service response error code “MalformedPolicyDocumentException”.
The request was rejected because the specified policy is not syntactically or semantically correct.
const ErrCodeNotFoundException = "NotFoundException"
ErrCodeNotFoundException for service response error code “NotFoundException”.
The request was rejected because the specified entity or resource could not be found.
const ErrCodeTagException = "TagException"
ErrCodeTagException for service response error code “TagException”.
The request was rejected because one or more tags are not valid.
const ErrCodeUnsupportedOperationException = "UnsupportedOperationException"
ErrCodeUnsupportedOperationException for service response error code “UnsupportedOperationException”.
The request was rejected because a specified parameter is not supported or a specified resource is not valid for this operation.
const ServiceName = "kms" // Name of service.
const EndpointsID = ServiceName // ID to lookup a service endpoint with.
const ServiceID = readonly
Type Summary
- ConnectCustomKeyStoreOutput struct
- CreateAliasOutput struct
- DeleteAliasOutput struct
- DeleteCustomKeyStoreOutput struct
- DeleteImportedKeyMaterialOutput struct
- DisableKeyOutput struct
- DisableKeyRotationOutput struct
- DisconnectCustomKeyStoreOutput struct
- EnableKeyOutput struct
- EnableKeyRotationOutput struct
- ImportKeyMaterialOutput struct
- PutKeyPolicyOutput struct
- RetireGrantOutput struct
- RevokeGrantOutput struct
- TagResourceOutput struct
- UntagResourceOutput struct
- UpdateAliasOutput struct
- UpdateCustomKeyStoreOutput struct
- UpdateKeyDescriptionOutput struct
Function Summary
- func AlgorithmSpec_Values() []string
  AlgorithmSpec_Values returns all elements of the AlgorithmSpec enum.
- func ConnectionErrorCodeType_Values() []string
  ConnectionErrorCodeType_Values returns all elements of the ConnectionErrorCodeType enum.
- func ConnectionStateType_Values() []string
  ConnectionStateType_Values returns all elements of the ConnectionStateType enum.
- func CustomerMasterKeySpec_Values() []string
  CustomerMasterKeySpec_Values returns all elements of the CustomerMasterKeySpec enum.
- func DataKeyPairSpec_Values() []string
  DataKeyPairSpec_Values returns all elements of the DataKeyPairSpec enum.
- func DataKeySpec_Values() []string
  DataKeySpec_Values returns all elements of the DataKeySpec enum.
- func EncryptionAlgorithmSpec_Values() []string
  EncryptionAlgorithmSpec_Values returns all elements of the EncryptionAlgorithmSpec enum.
- func ExpirationModelType_Values() []string
  ExpirationModelType_Values returns all elements of the ExpirationModelType enum.
- func GrantOperation_Values() []string
  GrantOperation_Values returns all elements of the GrantOperation enum.
- func KeyManagerType_Values() []string
  KeyManagerType_Values returns all elements of the KeyManagerType enum.
- func KeySpec_Values() []string
  KeySpec_Values returns all elements of the KeySpec enum.
- func KeyState_Values() []string
  KeyState_Values returns all elements of the KeyState enum.
- func KeyUsageType_Values() []string
  KeyUsageType_Values returns all elements of the KeyUsageType enum.
- func MessageType_Values() []string
  MessageType_Values returns all elements of the MessageType enum.
- func OriginType_Values() []string
  OriginType_Values returns all elements of the OriginType enum.
- func SigningAlgorithmSpec_Values() []string
  SigningAlgorithmSpec_Values returns all elements of the SigningAlgorithmSpec enum.
- func WrappingKeySpec_Values() []string
  WrappingKeySpec_Values returns all elements of the WrappingKeySpec enum.
Type Details
ConnectCustomKeyStoreOutput struct
CreateAliasOutput struct
DeleteAliasOutput struct
DeleteCustomKeyStoreOutput struct
DeleteImportedKeyMaterialOutput struct
DisableKeyOutput struct
DisableKeyRotationOutput struct
DisconnectCustomKeyStoreOutput struct
EnableKeyOutput struct
EnableKeyRotationOutput struct
ImportKeyMaterialOutput struct
PutKeyPolicyOutput struct
RetireGrantOutput struct
RevokeGrantOutput struct
TagResourceOutput struct
UntagResourceOutput struct
UpdateAliasOutput struct
UpdateCustomKeyStoreOutput struct
UpdateKeyDescriptionOutput struct
Function Details
func AlgorithmSpec_Values() []string
AlgorithmSpec_Values returns all elements of the AlgorithmSpec enum.
// File 'service/kms/api.go', line 17473

func ConnectionErrorCodeType_Values() []string
ConnectionErrorCodeType_Values returns all elements of the ConnectionErrorCodeType enum.
// File 'service/kms/api.go', line 17513

func ConnectionStateType_Values() []string
ConnectionStateType_Values returns all elements of the ConnectionStateType enum.
// File 'service/kms/api.go', line 17545

func CustomerMasterKeySpec_Values() []string
CustomerMasterKeySpec_Values returns all elements of the CustomerMasterKeySpec enum.
// File 'service/kms/api.go', line 17597

func DataKeyPairSpec_Values() []string
DataKeyPairSpec_Values returns all elements of the DataKeyPairSpec enum.
// File 'service/kms/api.go', line 17642

func DataKeySpec_Values() []string
DataKeySpec_Values returns all elements of the DataKeySpec enum.
// File 'service/kms/api.go', line 17664

func EncryptionAlgorithmSpec_Values() []string
EncryptionAlgorithmSpec_Values returns all elements of the EncryptionAlgorithmSpec enum.
// File 'service/kms/api.go', line 17686

func ExpirationModelType_Values() []string
ExpirationModelType_Values returns all elements of the ExpirationModelType enum.
// File 'service/kms/api.go', line 17704

func GrantOperation_Values() []string
GrantOperation_Values returns all elements of the GrantOperation enum.
// File 'service/kms/api.go', line 17756

func KeyManagerType_Values() []string
KeyManagerType_Values returns all elements of the KeyManagerType enum.
// File 'service/kms/api.go', line 17784

func KeySpec_Values() []string
KeySpec_Values returns all elements of the KeySpec enum.
// File 'service/kms/api.go', line 17833

func KeyState_Values() []string
KeyState_Values returns all elements of the KeyState enum.
// File 'service/kms/api.go', line 17878

func KeyUsageType_Values() []string
KeyUsageType_Values returns all elements of the KeyUsageType enum.
// File 'service/kms/api.go', line 17900

func MessageType_Values() []string
MessageType_Values returns all elements of the MessageType enum.
// File 'service/kms/api.go', line 17916

func OriginType_Values() []string
OriginType_Values returns all elements of the OriginType enum.
// File 'service/kms/api.go', line 17938

func SigningAlgorithmSpec_Values() []string
SigningAlgorithmSpec_Values returns all elements of the SigningAlgorithmSpec enum.
// File 'service/kms/api.go', line 17980

func WrappingKeySpec_Values() []string
WrappingKeySpec_Values returns all elements of the WrappingKeySpec enum.
// File 'service/kms/api.go', line 18007