Package: kms

import "../ibm-cos-sdk-go/service/kms"

Overview

Package kms provides the client and types for making API requests to AWS Key Management Service.

Key Management Service (KMS) is an encryption and key management web service. This guide describes the KMS operations that you can call programmatically. For general information about KMS, see the Key Management Service Developer Guide (docs.aws.amazon.com/kms/latest/developerguide/).

KMS has replaced the term customer master key (CMK) with KMS key. The concept has not changed. To prevent breaking changes, KMS is keeping some variations of this term.

Amazon Web Services provides SDKs that consist of libraries and sample code for various programming languages and platforms (Java, Ruby, .Net, macOS, Android, etc.). The SDKs provide a convenient way to create programmatic access to KMS and other Amazon Web Services services. For example, the SDKs take care of tasks such as signing requests (see below), managing errors, and retrying requests automatically. For more information about the Amazon Web Services SDKs, including how to download and install them, see Tools for Amazon Web Services (aws.amazon.com/tools/).

We recommend that you use the Amazon Web Services SDKs to make programmatic API calls to KMS.

If you need to use FIPS 140-2 validated cryptographic modules when communicating with Amazon Web Services, use the FIPS endpoint in your preferred Amazon Web Services Region. For more information about the available FIPS endpoints, see Service endpoints (docs.aws.amazon.com/general/latest/gr/kms.html#kms_region) in the Key Management Service topic of the Amazon Web Services General Reference.

All KMS API calls must be signed and be transmitted using Transport Layer Security (TLS). KMS recommends you always use the latest supported TLS version. Clients must also support cipher suites with Perfect Forward Secrecy (PFS) such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Ephemeral Diffie-Hellman (ECDHE). Most modern systems such as Java 7 and later support these modes.

Signing Requests

Requests must be signed using an access key ID and a secret access key. We strongly recommend that you do not use your Amazon Web Services account root access key ID and secret access key for everyday work. You can use the access key ID and secret access key for an IAM user or you can use the Security Token Service (STS) to generate temporary security credentials and use those to sign requests.

All KMS requests must be signed with Signature Version 4 (docs.aws.amazon.com/general/latest/gr/signature-version-4.html).

Logging API Requests

KMS supports CloudTrail, a service that logs Amazon Web Services API calls and related events for your Amazon Web Services account and delivers them to an Amazon S3 bucket that you specify. By using the information collected by CloudTrail, you can determine what requests were made to KMS, who made the request, when it was made, and so on. To learn more about CloudTrail, including how to turn it on and find your log files, see the CloudTrail User Guide (docs.aws.amazon.com/awscloudtrail/latest/userguide/).
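An added example (not part of the SDK or its documentation): a Go audit pass over a CloudTrail log file that answers who called which KMS operation and when, and flags calls signed with root credentials or rejected by the service. The sample log is constructed, and AuditKMS, Report and Finding are illustrative names.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// sampleLog is a constructed CloudTrail log file, not real account data.
const sampleLog = `{"Records":[
{"eventTime":"2024-05-01T10:00:00Z","eventSource":"kms.amazonaws.com","eventName":"GenerateDataKey",
 "userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/app/worker"}},
{"eventTime":"2024-05-01T10:00:07Z","eventSource":"s3.amazonaws.com","eventName":"GetObject",
 "userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/bob"}},
{"eventTime":"2024-05-01T10:02:11Z","eventSource":"kms.amazonaws.com","eventName":"ScheduleKeyDeletion",
 "userIdentity":{"type":"Root","arn":"arn:aws:iam::111122223333:root"}},
{"eventTime":"2024-05-01T10:03:40Z","eventSource":"kms.amazonaws.com","eventName":"Decrypt",
 "errorCode":"AccessDenied",
 "userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"}}
]}`

// record holds only the CloudTrail fields this audit reads.
type record struct {
	EventTime    string `json:"eventTime"`
	EventSource  string `json:"eventSource"`
	EventName    string `json:"eventName"`
	ErrorCode    string `json:"errorCode"`
	UserIdentity struct {
		Type string `json:"type"`
		ARN  string `json:"arn"`
	} `json:"userIdentity"`
}

// Finding is one KMS call that deserves a second look.
type Finding struct {
	When, Who, What, Reason string
}

// Report summarises the KMS activity found in one log file.
type Report struct {
	Calls    map[string]map[string]int // principal ARN -> operation -> count
	Findings []Finding
}

// AuditKMS parses a CloudTrail log file and keeps only KMS events.
func AuditKMS(logFile []byte) (Report, error) {
	var doc struct {
		Records []record `json:"Records"`
	}
	if err := json.Unmarshal(logFile, &doc); err != nil {
		return Report{}, fmt.Errorf("parse CloudTrail log: %w", err)
	}
	rep := Report{Calls: map[string]map[string]int{}}
	for _, r := range doc.Records {
		if r.EventSource != "kms.amazonaws.com" {
			continue // other services share the same log file
		}
		who := r.UserIdentity.ARN
		if who == "" {
			who = "(no ARN, identity type " + r.UserIdentity.Type + ")"
		}
		if rep.Calls[who] == nil {
			rep.Calls[who] = map[string]int{}
		}
		rep.Calls[who][r.EventName]++
		if r.UserIdentity.Type == "Root" {
			// Root access keys should not be used for everyday work.
			rep.Findings = append(rep.Findings, Finding{r.EventTime, who, r.EventName,
				"request signed with account root credentials"})
		}
		if r.ErrorCode != "" {
			rep.Findings = append(rep.Findings, Finding{r.EventTime, who, r.EventName,
				"request rejected: " + r.ErrorCode})
		}
	}
	return rep, nil
}

func main() {
	rep, err := AuditKMS([]byte(sampleLog))
	if err != nil {
		fmt.Println(err)
		return
	}
	for who, ops := range rep.Calls {
		fmt.Println(who, ops)
	}
	for _, f := range rep.Findings {
		fmt.Printf("%s %s %s: %s\n", f.When, f.Who, f.What, f.Reason)
	}
}
```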

Additional Resources

For more information about credentials and request signing, see the following:

Commonly Used API Operations

Of the API operations discussed in this guide, the following will prove the most useful for most applications. You will likely perform operations other than these, such as creating keys and assigning policies, by using the console.

  • Encrypt

  • Decrypt

  • GenerateDataKey

  • GenerateDataKeyWithoutPlaintext

See docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01 for more information on this service.

See kms package documentation for more information. docs.aws.amazon.com/sdk-for-go/api/service/kms/

Using the Client

To contact AWS Key Management Service with the SDK, use the New function to create a new service client. With that client you can make API requests to the service. These clients are safe to use concurrently.

See the SDK's documentation for more information on how to use the SDK. docs.aws.amazon.com/sdk-for-go/api/

See aws.Config documentation for more information on configuring SDK clients. docs.aws.amazon.com/sdk-for-go/api/aws/#Config

See the AWS Key Management Service client KMS for more information on creating a client for this service. docs.aws.amazon.com/sdk-for-go/api/service/kms/#New

Sub-Packages

kmsiface

Client Structure

Constants

const AlgorithmSpecRsaesPkcs1V15 = readonly

AlgorithmSpecRsaesPkcs1V15 is a AlgorithmSpec enum value

Value:

"RSAES_PKCS1_V1_5"
const AlgorithmSpecRsaesOaepSha1 = readonly

AlgorithmSpecRsaesOaepSha1 is a AlgorithmSpec enum value

Value:

"RSAES_OAEP_SHA_1"
const AlgorithmSpecRsaesOaepSha256 = readonly

AlgorithmSpecRsaesOaepSha256 is a AlgorithmSpec enum value

Value:

"RSAES_OAEP_SHA_256"
const AlgorithmSpecRsaAesKeyWrapSha1 = readonly

AlgorithmSpecRsaAesKeyWrapSha1 is a AlgorithmSpec enum value

Value:

"RSA_AES_KEY_WRAP_SHA_1"
const AlgorithmSpecRsaAesKeyWrapSha256 = readonly

AlgorithmSpecRsaAesKeyWrapSha256 is a AlgorithmSpec enum value

Value:

"RSA_AES_KEY_WRAP_SHA_256"
const ConnectionErrorCodeTypeInvalidCredentials = readonly

ConnectionErrorCodeTypeInvalidCredentials is a ConnectionErrorCodeType enum value

Value:

"INVALID_CREDENTIALS"
const ConnectionErrorCodeTypeClusterNotFound = readonly

ConnectionErrorCodeTypeClusterNotFound is a ConnectionErrorCodeType enum value

Value:

"CLUSTER_NOT_FOUND"
const ConnectionErrorCodeTypeNetworkErrors = readonly

ConnectionErrorCodeTypeNetworkErrors is a ConnectionErrorCodeType enum value

Value:

"NETWORK_ERRORS"
const ConnectionErrorCodeTypeInternalError = readonly

ConnectionErrorCodeTypeInternalError is a ConnectionErrorCodeType enum value

Value:

"INTERNAL_ERROR"
const ConnectionErrorCodeTypeInsufficientCloudhsmHsms = readonly

ConnectionErrorCodeTypeInsufficientCloudhsmHsms is a ConnectionErrorCodeType enum value

Value:

"INSUFFICIENT_CLOUDHSM_HSMS"
const ConnectionErrorCodeTypeUserLockedOut = readonly

ConnectionErrorCodeTypeUserLockedOut is a ConnectionErrorCodeType enum value

Value:

"USER_LOCKED_OUT"
const ConnectionErrorCodeTypeUserNotFound = readonly

ConnectionErrorCodeTypeUserNotFound is a ConnectionErrorCodeType enum value

Value:

"USER_NOT_FOUND"
const ConnectionErrorCodeTypeUserLoggedIn = readonly

ConnectionErrorCodeTypeUserLoggedIn is a ConnectionErrorCodeType enum value

Value:

"USER_LOGGED_IN"
const ConnectionErrorCodeTypeSubnetNotFound = readonly

ConnectionErrorCodeTypeSubnetNotFound is a ConnectionErrorCodeType enum value

Value:

"SUBNET_NOT_FOUND"
const ConnectionStateTypeConnected = readonly

ConnectionStateTypeConnected is a ConnectionStateType enum value

Value:

"CONNECTED"
const ConnectionStateTypeConnecting = readonly

ConnectionStateTypeConnecting is a ConnectionStateType enum value

Value:

"CONNECTING"
const ConnectionStateTypeFailed = readonly

ConnectionStateTypeFailed is a ConnectionStateType enum value

Value:

"FAILED"
const ConnectionStateTypeDisconnected = readonly

ConnectionStateTypeDisconnected is a ConnectionStateType enum value

Value:

"DISCONNECTED"
const ConnectionStateTypeDisconnecting = readonly

ConnectionStateTypeDisconnecting is a ConnectionStateType enum value

Value:

"DISCONNECTING"
const CustomerMasterKeySpecRsa2048 = readonly

CustomerMasterKeySpecRsa2048 is a CustomerMasterKeySpec enum value

Value:

"RSA_2048"
const CustomerMasterKeySpecRsa3072 = readonly

CustomerMasterKeySpecRsa3072 is a CustomerMasterKeySpec enum value

Value:

"RSA_3072"
const CustomerMasterKeySpecRsa4096 = readonly

CustomerMasterKeySpecRsa4096 is a CustomerMasterKeySpec enum value

Value:

"RSA_4096"
const CustomerMasterKeySpecEccNistP256 = readonly

CustomerMasterKeySpecEccNistP256 is a CustomerMasterKeySpec enum value

Value:

"ECC_NIST_P256"
const CustomerMasterKeySpecEccNistP384 = readonly

CustomerMasterKeySpecEccNistP384 is a CustomerMasterKeySpec enum value

Value:

"ECC_NIST_P384"
const CustomerMasterKeySpecEccNistP521 = readonly

CustomerMasterKeySpecEccNistP521 is a CustomerMasterKeySpec enum value

Value:

"ECC_NIST_P521"
const CustomerMasterKeySpecEccSecgP256k1 = readonly

CustomerMasterKeySpecEccSecgP256k1 is a CustomerMasterKeySpec enum value

Value:

"ECC_SECG_P256K1"
const CustomerMasterKeySpecSymmetricDefault = readonly

CustomerMasterKeySpecSymmetricDefault is a CustomerMasterKeySpec enum value

Value:

"SYMMETRIC_DEFAULT"
const CustomerMasterKeySpecHmac224 = readonly

CustomerMasterKeySpecHmac224 is a CustomerMasterKeySpec enum value

Value:

"HMAC_224"
const CustomerMasterKeySpecHmac256 = readonly

CustomerMasterKeySpecHmac256 is a CustomerMasterKeySpec enum value

Value:

"HMAC_256"
const CustomerMasterKeySpecHmac384 = readonly

CustomerMasterKeySpecHmac384 is a CustomerMasterKeySpec enum value

Value:

"HMAC_384"
const CustomerMasterKeySpecHmac512 = readonly

CustomerMasterKeySpecHmac512 is a CustomerMasterKeySpec enum value

Value:

"HMAC_512"
const CustomerMasterKeySpecSm2 = readonly

CustomerMasterKeySpecSm2 is a CustomerMasterKeySpec enum value

Value:

"SM2"
const DataKeyPairSpecRsa2048 = readonly

DataKeyPairSpecRsa2048 is a DataKeyPairSpec enum value

Value:

"RSA_2048"
const DataKeyPairSpecRsa3072 = readonly

DataKeyPairSpecRsa3072 is a DataKeyPairSpec enum value

Value:

"RSA_3072"
const DataKeyPairSpecRsa4096 = readonly

DataKeyPairSpecRsa4096 is a DataKeyPairSpec enum value

Value:

"RSA_4096"
const DataKeyPairSpecEccNistP256 = readonly

DataKeyPairSpecEccNistP256 is a DataKeyPairSpec enum value

Value:

"ECC_NIST_P256"
const DataKeyPairSpecEccNistP384 = readonly

DataKeyPairSpecEccNistP384 is a DataKeyPairSpec enum value

Value:

"ECC_NIST_P384"
const DataKeyPairSpecEccNistP521 = readonly

DataKeyPairSpecEccNistP521 is a DataKeyPairSpec enum value

Value:

"ECC_NIST_P521"
const DataKeyPairSpecEccSecgP256k1 = readonly

DataKeyPairSpecEccSecgP256k1 is a DataKeyPairSpec enum value

Value:

"ECC_SECG_P256K1"
const DataKeyPairSpecSm2 = readonly

DataKeyPairSpecSm2 is a DataKeyPairSpec enum value

Value:

"SM2"
const DataKeySpecAes256 = readonly

DataKeySpecAes256 is a DataKeySpec enum value

Value:

"AES_256"
const DataKeySpecAes128 = readonly

DataKeySpecAes128 is a DataKeySpec enum value

Value:

"AES_128"
const EncryptionAlgorithmSpecSymmetricDefault = readonly

EncryptionAlgorithmSpecSymmetricDefault is a EncryptionAlgorithmSpec enum value

Value:

"SYMMETRIC_DEFAULT"
const EncryptionAlgorithmSpecRsaesOaepSha1 = readonly

EncryptionAlgorithmSpecRsaesOaepSha1 is a EncryptionAlgorithmSpec enum value

Value:

"RSAES_OAEP_SHA_1"
const EncryptionAlgorithmSpecRsaesOaepSha256 = readonly

EncryptionAlgorithmSpecRsaesOaepSha256 is a EncryptionAlgorithmSpec enum value

Value:

"RSAES_OAEP_SHA_256"
const EncryptionAlgorithmSpecSm2pke = readonly

EncryptionAlgorithmSpecSm2pke is a EncryptionAlgorithmSpec enum value

Value:

"SM2PKE"
const ExpirationModelTypeKeyMaterialExpires = readonly

ExpirationModelTypeKeyMaterialExpires is a ExpirationModelType enum value

Value:

"KEY_MATERIAL_EXPIRES"
const ExpirationModelTypeKeyMaterialDoesNotExpire = readonly

ExpirationModelTypeKeyMaterialDoesNotExpire is a ExpirationModelType enum value

Value:

"KEY_MATERIAL_DOES_NOT_EXPIRE"
const GrantOperationDecrypt = readonly

GrantOperationDecrypt is a GrantOperation enum value

Value:

"Decrypt"
const GrantOperationEncrypt = readonly

GrantOperationEncrypt is a GrantOperation enum value

Value:

"Encrypt"
const GrantOperationGenerateDataKey = readonly

GrantOperationGenerateDataKey is a GrantOperation enum value

Value:

"GenerateDataKey"
const GrantOperationGenerateDataKeyWithoutPlaintext = readonly

GrantOperationGenerateDataKeyWithoutPlaintext is a GrantOperation enum value

Value:

"GenerateDataKeyWithoutPlaintext"
const GrantOperationReEncryptFrom = readonly

GrantOperationReEncryptFrom is a GrantOperation enum value

Value:

"ReEncryptFrom"
const GrantOperationReEncryptTo = readonly

GrantOperationReEncryptTo is a GrantOperation enum value

Value:

"ReEncryptTo"
const GrantOperationSign = readonly

GrantOperationSign is a GrantOperation enum value

Value:

"Sign"
const GrantOperationVerify = readonly

GrantOperationVerify is a GrantOperation enum value

Value:

"Verify"
const GrantOperationGetPublicKey = readonly

GrantOperationGetPublicKey is a GrantOperation enum value

Value:

"GetPublicKey"
const GrantOperationCreateGrant = readonly

GrantOperationCreateGrant is a GrantOperation enum value

Value:

"CreateGrant"
const GrantOperationRetireGrant = readonly

GrantOperationRetireGrant is a GrantOperation enum value

Value:

"RetireGrant"
const GrantOperationDescribeKey = readonly

GrantOperationDescribeKey is a GrantOperation enum value

Value:

"DescribeKey"
const GrantOperationGenerateDataKeyPair = readonly

GrantOperationGenerateDataKeyPair is a GrantOperation enum value

Value:

"GenerateDataKeyPair"
const GrantOperationGenerateDataKeyPairWithoutPlaintext = readonly

GrantOperationGenerateDataKeyPairWithoutPlaintext is a GrantOperation enum value

Value:

"GenerateDataKeyPairWithoutPlaintext"
const KeyManagerTypeAws = readonly

KeyManagerTypeAws is a KeyManagerType enum value

Value:

"AWS"
const KeyManagerTypeCustomer = readonly

KeyManagerTypeCustomer is a KeyManagerType enum value

Value:

"CUSTOMER"
const KeySpecRsa2048 = readonly

KeySpecRsa2048 is a KeySpec enum value

Value:

"RSA_2048"
const KeySpecRsa3072 = readonly

KeySpecRsa3072 is a KeySpec enum value

Value:

"RSA_3072"
const KeySpecRsa4096 = readonly

KeySpecRsa4096 is a KeySpec enum value

Value:

"RSA_4096"
const KeySpecEccNistP256 = readonly

KeySpecEccNistP256 is a KeySpec enum value

Value:

"ECC_NIST_P256"
const KeySpecEccNistP384 = readonly

KeySpecEccNistP384 is a KeySpec enum value

Value:

"ECC_NIST_P384"
const KeySpecEccNistP521 = readonly

KeySpecEccNistP521 is a KeySpec enum value

Value:

"ECC_NIST_P521"
const KeySpecEccSecgP256k1 = readonly

KeySpecEccSecgP256k1 is a KeySpec enum value

Value:

"ECC_SECG_P256K1"
const KeySpecSymmetricDefault = readonly

KeySpecSymmetricDefault is a KeySpec enum value

Value:

"SYMMETRIC_DEFAULT"
const KeySpecHmac224 = readonly

KeySpecHmac224 is a KeySpec enum value

Value:

"HMAC_224"
const KeySpecHmac256 = readonly

KeySpecHmac256 is a KeySpec enum value

Value:

"HMAC_256"
const KeySpecHmac384 = readonly

KeySpecHmac384 is a KeySpec enum value

Value:

"HMAC_384"
const KeySpecHmac512 = readonly

KeySpecHmac512 is a KeySpec enum value

Value:

"HMAC_512"
const KeySpecSm2 = readonly

KeySpecSm2 is a KeySpec enum value

Value:

"SM2"
const KeyStateCreating = readonly

KeyStateCreating is a KeyState enum value

Value:

"Creating"
const KeyStateEnabled = readonly

KeyStateEnabled is a KeyState enum value

Value:

"Enabled"
const KeyStateDisabled = readonly

KeyStateDisabled is a KeyState enum value

Value:

"Disabled"
const KeyStatePendingDeletion = readonly

KeyStatePendingDeletion is a KeyState enum value

Value:

"PendingDeletion"
const KeyStatePendingImport = readonly

KeyStatePendingImport is a KeyState enum value

Value:

"PendingImport"
const KeyStatePendingReplicaDeletion = readonly

KeyStatePendingReplicaDeletion is a KeyState enum value

Value:

"PendingReplicaDeletion"
const KeyStateUnavailable = readonly

KeyStateUnavailable is a KeyState enum value

Value:

"Unavailable"
const KeyStateUpdating = readonly

KeyStateUpdating is a KeyState enum value

Value:

"Updating"
const KeyUsageTypeSignVerify = readonly

KeyUsageTypeSignVerify is a KeyUsageType enum value

Value:

"SIGN_VERIFY"
const KeyUsageTypeEncryptDecrypt = readonly

KeyUsageTypeEncryptDecrypt is a KeyUsageType enum value

Value:

"ENCRYPT_DECRYPT"
const MessageTypeRaw = readonly

MessageTypeRaw is a MessageType enum value

Value:

"RAW"
const MessageTypeDigest = readonly

MessageTypeDigest is a MessageType enum value

Value:

"DIGEST"
const OriginTypeAwsKms = readonly

OriginTypeAwsKms is a OriginType enum value

Value:

"AWS_KMS"
const OriginTypeExternal = readonly

OriginTypeExternal is a OriginType enum value

Value:

"EXTERNAL"
const OriginTypeAwsCloudhsm = readonly

OriginTypeAwsCloudhsm is a OriginType enum value

Value:

"AWS_CLOUDHSM"
const OriginTypeExternalKeyStore = readonly

OriginTypeExternalKeyStore is a OriginType enum value

Value:

"EXTERNAL_KEY_STORE"
const SigningAlgorithmSpecRsassaPssSha256 = readonly

SigningAlgorithmSpecRsassaPssSha256 is a SigningAlgorithmSpec enum value

Value:

"RSASSA_PSS_SHA_256"
const SigningAlgorithmSpecRsassaPssSha384 = readonly

SigningAlgorithmSpecRsassaPssSha384 is a SigningAlgorithmSpec enum value

Value:

"RSASSA_PSS_SHA_384"
const SigningAlgorithmSpecRsassaPssSha512 = readonly

SigningAlgorithmSpecRsassaPssSha512 is a SigningAlgorithmSpec enum value

Value:

"RSASSA_PSS_SHA_512"
const SigningAlgorithmSpecRsassaPkcs1V15Sha256 = readonly

SigningAlgorithmSpecRsassaPkcs1V15Sha256 is a SigningAlgorithmSpec enum value

Value:

"RSASSA_PKCS1_V1_5_SHA_256"
const SigningAlgorithmSpecRsassaPkcs1V15Sha384 = readonly

SigningAlgorithmSpecRsassaPkcs1V15Sha384 is a SigningAlgorithmSpec enum value

Value:

"RSASSA_PKCS1_V1_5_SHA_384"
const SigningAlgorithmSpecRsassaPkcs1V15Sha512 = readonly

SigningAlgorithmSpecRsassaPkcs1V15Sha512 is a SigningAlgorithmSpec enum value

Value:

"RSASSA_PKCS1_V1_5_SHA_512"
const SigningAlgorithmSpecEcdsaSha256 = readonly

SigningAlgorithmSpecEcdsaSha256 is a SigningAlgorithmSpec enum value

Value:

"ECDSA_SHA_256"
const SigningAlgorithmSpecEcdsaSha384 = readonly

SigningAlgorithmSpecEcdsaSha384 is a SigningAlgorithmSpec enum value

Value:

"ECDSA_SHA_384"
const SigningAlgorithmSpecEcdsaSha512 = readonly

SigningAlgorithmSpecEcdsaSha512 is a SigningAlgorithmSpec enum value

Value:

"ECDSA_SHA_512"
const SigningAlgorithmSpecSm2dsa = readonly

SigningAlgorithmSpecSm2dsa is a SigningAlgorithmSpec enum value

Value:

"SM2DSA"
const WrappingKeySpecRsa2048 = readonly

WrappingKeySpecRsa2048 is a WrappingKeySpec enum value

Value:

"RSA_2048"
const WrappingKeySpecRsa3072 = readonly

WrappingKeySpecRsa3072 is a WrappingKeySpec enum value

Value:

"RSA_3072"
const WrappingKeySpecRsa4096 = readonly

WrappingKeySpecRsa4096 is a WrappingKeySpec enum value

Value:

"RSA_4096"
const ErrCodeAlreadyExistsException = readonly

ErrCodeAlreadyExistsException for service response error code “AlreadyExistsException”.

The request was rejected because it attempted to create a resource that already exists.

Value:

const ErrCodeCloudHsmClusterInUseException = readonly

ErrCodeCloudHsmClusterInUseException for service response error code “CloudHsmClusterInUseException”.

The request was rejected because the specified CloudHSM cluster is already associated with a CloudHSM key store in the account, or it shares a backup history with a CloudHSM key store in the account. Each CloudHSM key store in the account must be associated with a different CloudHSM cluster.

CloudHSM clusters that share a backup history have the same cluster certificate. To view the cluster certificate of a CloudHSM cluster, use the DescribeClusters (docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) operation.

Value:

const ErrCodeCloudHsmClusterInvalidConfigurationException = readonly

ErrCodeCloudHsmClusterInvalidConfigurationException for service response error code “CloudHsmClusterInvalidConfigurationException”.

The request was rejected because the associated CloudHSM cluster did not meet the configuration requirements for a CloudHSM key store.

  • The CloudHSM cluster must be configured with private subnets in at least two different Availability Zones in the Region.

  • The security group for the cluster (docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound rules that allow TCP traffic on ports 2223-2225. The Source in the inbound rules and the Destination in the outbound rules must match the security group ID. These rules are set by default when you create the CloudHSM cluster. Do not delete or change them. To get information about a particular security group, use the DescribeSecurityGroups (docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html) operation.

  • The CloudHSM cluster must contain at least as many HSMs as the operation requires. To add HSMs, use the CloudHSM CreateHsm (docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html) operation. For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey operations, the CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone. For the ConnectCustomKeyStore operation, the CloudHSM must contain at least one active HSM.

For information about the requirements for a CloudHSM cluster that is associated with a CloudHSM key store, see Assemble the Prerequisites (docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) in the Key Management Service Developer Guide. For information about creating a private subnet for a CloudHSM cluster, see Create a Private Subnet (docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html) in the CloudHSM User Guide. For information about cluster security groups, see Configure a Default Security Group (docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) in the CloudHSM User Guide.

Value:

const ErrCodeCloudHsmClusterNotActiveException = readonly

ErrCodeCloudHsmClusterNotActiveException for service response error code “CloudHsmClusterNotActiveException”.

The request was rejected because the CloudHSM cluster associated with the CloudHSM key store is not active. Initialize and activate the cluster and try the command again. For detailed instructions, see Getting Started (docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html) in the CloudHSM User Guide.

Value:

const ErrCodeCloudHsmClusterNotFoundException = readonly

ErrCodeCloudHsmClusterNotFoundException for service response error code “CloudHsmClusterNotFoundException”.

The request was rejected because KMS cannot find the CloudHSM cluster with the specified cluster ID. Retry the request with a different cluster ID.

Value:

const ErrCodeCloudHsmClusterNotRelatedException = readonly

ErrCodeCloudHsmClusterNotRelatedException for service response error code “CloudHsmClusterNotRelatedException”.

The request was rejected because the specified CloudHSM cluster has a different cluster certificate than the original cluster. You cannot use the operation to specify an unrelated cluster for a CloudHSM key store.

Specify a CloudHSM cluster that shares a backup history with the original cluster. This includes clusters that were created from a backup of the current cluster, and clusters that were created from the same backup that produced the current cluster.

CloudHSM clusters that share a backup history have the same cluster certificate. To view the cluster certificate of a CloudHSM cluster, use the DescribeClusters (docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) operation.

Value:

const ErrCodeCustomKeyStoreHasCMKsException = readonly

ErrCodeCustomKeyStoreHasCMKsException for service response error code “CustomKeyStoreHasCMKsException”.

The request was rejected because the custom key store contains AWS KMS customer master keys (CMKs). After verifying that you do not need to use the CMKs, use the ScheduleKeyDeletion operation to delete the CMKs. After they are deleted, you can delete the custom key store.

Value:

const ErrCodeCustomKeyStoreInvalidStateException = readonly

ErrCodeCustomKeyStoreInvalidStateException for service response error code “CustomKeyStoreInvalidStateException”.

The request was rejected because of the ConnectionState of the custom key store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores operation.

This exception is thrown under the following conditions:

  • You requested the ConnectCustomKeyStore operation on a custom key store with a ConnectionState of DISCONNECTING or FAILED. This operation is valid for all other ConnectionState values. To reconnect a custom key store in a FAILED state, disconnect it (DisconnectCustomKeyStore), then connect it (ConnectCustomKeyStore).

  • You requested the CreateKey operation in a custom key store that is not connected. This operation is valid only when the custom key store ConnectionState is CONNECTED.

  • You requested the DisconnectCustomKeyStore operation on a custom key store with a ConnectionState of DISCONNECTING or DISCONNECTED. This operation is valid for all other ConnectionState values.

  • You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation on a custom key store that is not disconnected. This operation is valid only when the custom key store ConnectionState is DISCONNECTED.

  • You requested the GenerateRandom operation in a CloudHSM key store that is not connected. This operation is valid only when the CloudHSM key store ConnectionState is CONNECTED.

Value:
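The ConnectionState rules listed above, written as a pre-flight check in Go so a caller can avoid CustomKeyStoreInvalidStateException; this is an added example, not code from the SDK. Plan assumes that a completed disconnect leaves the store DISCONNECTED and a completed connect leaves it CONNECTED; Allowed, Plan and ErrTransient are illustrative names.

```go
package main

import (
	"errors"
	"fmt"
)

// ConnectionStateType values as listed in the constants on this page.
const (
	Connected     = "CONNECTED"
	Connecting    = "CONNECTING"
	Failed        = "FAILED"
	Disconnected  = "DISCONNECTED"
	Disconnecting = "DISCONNECTING"
)

var knownStates = map[string]bool{
	Connected: true, Connecting: true, Failed: true, Disconnected: true, Disconnecting: true,
}

// ErrTransient means no request helps yet: poll DescribeCustomKeyStores first.
var ErrTransient = errors.New("key store is changing state; poll DescribeCustomKeyStores and retry")

// Allowed reports whether op can be requested while the store is in state,
// following the documented conditions for CustomKeyStoreInvalidStateException.
func Allowed(op, state string) (bool, error) {
	if !knownStates[state] {
		return false, fmt.Errorf("unknown ConnectionState %q", state)
	}
	switch op {
	case "ConnectCustomKeyStore":
		return state != Disconnecting && state != Failed, nil
	case "DisconnectCustomKeyStore":
		return state != Disconnecting && state != Disconnected, nil
	case "CreateKey", "GenerateRandom": // GenerateRandom rule applies to CloudHSM key stores
		return state == Connected, nil
	case "UpdateCustomKeyStore", "DeleteCustomKeyStore":
		return state == Disconnected, nil
	}
	return false, fmt.Errorf("operation %q is not covered by these rules", op)
}

// Plan returns the requests to issue, in order, so that op is valid when it
// is finally sent. The caller must wait for each connect or disconnect to
// finish before sending the next request.
// Assumption: disconnect ends in DISCONNECTED and connect ends in CONNECTED.
func Plan(op, state string) ([]string, error) {
	ok, err := Allowed(op, state)
	if err != nil {
		return nil, err
	}
	if ok {
		return []string{op}, nil
	}
	if state == Disconnecting {
		return nil, ErrTransient // every rule rejects or defers here
	}
	switch op {
	case "ConnectCustomKeyStore":
		// Only FAILED reaches this branch: disconnect, then connect.
		return []string{"DisconnectCustomKeyStore", op}, nil
	case "DisconnectCustomKeyStore":
		// Only DISCONNECTED reaches this branch: nothing left to do.
		return []string{}, nil
	case "UpdateCustomKeyStore", "DeleteCustomKeyStore":
		// CONNECTED, CONNECTING and FAILED all accept a disconnect.
		return []string{"DisconnectCustomKeyStore", op}, nil
	case "CreateKey", "GenerateRandom":
		if state == Connecting {
			return nil, ErrTransient // a connect is already in progress
		}
		prefix, err := Plan("ConnectCustomKeyStore", state)
		if err != nil {
			return nil, err
		}
		return append(prefix, op), nil
	}
	return nil, fmt.Errorf("operation %q is not covered by these rules", op)
}

func main() {
	for _, c := range [][2]string{
		{"ConnectCustomKeyStore", Failed},
		{"CreateKey", Failed},
		{"DeleteCustomKeyStore", Connected},
		{"GenerateRandom", Connecting},
	} {
		steps, err := Plan(c[0], c[1])
		fmt.Printf("%s while %s -> %v (err: %v)\n", c[0], c[1], steps, err)
	}
}
```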

const ErrCodeCustomKeyStoreNameInUseException = readonly

ErrCodeCustomKeyStoreNameInUseException for service response error code “CustomKeyStoreNameInUseException”.

The request was rejected because the specified custom key store name is already assigned to another custom key store in the account. Try again with a custom key store name that is unique in the account.

Value:

const ErrCodeCustomKeyStoreNotFoundException = readonly

ErrCodeCustomKeyStoreNotFoundException for service response error code “CustomKeyStoreNotFoundException”.

The request was rejected because KMS cannot find a custom key store with the specified key store name or ID.

Value:

const ErrCodeDependencyTimeoutException = readonly

ErrCodeDependencyTimeoutException for service response error code “DependencyTimeoutException”.

The system timed out while trying to fulfill the request. You can retry the request.

Value:

const ErrCodeDisabledException = readonly

ErrCodeDisabledException for service response error code “DisabledException”.

The request was rejected because the specified CMK is not enabled.

Value:

const ErrCodeExpiredImportTokenException = readonly

ErrCodeExpiredImportTokenException for service response error code “ExpiredImportTokenException”.

The request was rejected because the specified import token is expired. Use GetParametersForImport to get a new import token and public key, use the new public key to encrypt the key material, and then try the request again.

Value:

const ErrCodeIncorrectKeyException = readonly

ErrCodeIncorrectKeyException for service response error code “IncorrectKeyException”.

The request was rejected because the specified KMS key cannot decrypt the data. The KeyId in a Decrypt request and the SourceKeyId in a ReEncrypt request must identify the same KMS key that was used to encrypt the ciphertext.

Value:

const ErrCodeIncorrectKeyMaterialException = readonly

ErrCodeIncorrectKeyMaterialException for service response error code “IncorrectKeyMaterialException”.

The request was rejected because the key material in the request is expired, invalid, or is not the same key material that was previously imported into this KMS key.

Value:

const ErrCodeIncorrectTrustAnchorException = readonly

ErrCodeIncorrectTrustAnchorException for service response error code “IncorrectTrustAnchorException”.

The request was rejected because the trust anchor certificate in the request to create a CloudHSM key store is not the trust anchor certificate for the specified CloudHSM cluster.

When you initialize the CloudHSM cluster (docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr), you create the trust anchor certificate and save it in the customerCA.crt file.

Value:

const ErrCodeInternalException = readonly

ErrCodeInternalException for service response error code “KMSInternalException”.

The request was rejected because an internal exception occurred. The request can be retried.

Value:

"KMSInternalException"
const ErrCodeInvalidAliasNameException = readonly

ErrCodeInvalidAliasNameException for service response error code “InvalidAliasNameException”.

The request was rejected because the specified alias name is not valid.

Value:

const ErrCodeInvalidArnException = readonly

ErrCodeInvalidArnException for service response error code “InvalidArnException”.

The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.

Value:

const ErrCodeInvalidCiphertextException = readonly

ErrCodeInvalidCiphertextException for service response error code “InvalidCiphertextException”.

From the Decrypt or ReEncrypt operation, the request was rejected because the specified ciphertext, or additional authenticated data incorporated into the ciphertext, such as the encryption context, is corrupted, missing, or otherwise invalid.

From the ImportKeyMaterial operation, the request was rejected because AWS KMS could not decrypt the encrypted (wrapped) key material.

Value:

const ErrCodeInvalidGrantIdException = readonly

ErrCodeInvalidGrantIdException for service response error code “InvalidGrantIdException”.

The request was rejected because the specified GrantId is not valid.

Value:

const ErrCodeInvalidGrantTokenException = readonly

ErrCodeInvalidGrantTokenException for service response error code “InvalidGrantTokenException”.

The request was rejected because the specified grant token is not valid.

Value:

const ErrCodeInvalidImportTokenException = readonly

ErrCodeInvalidImportTokenException for service response error code “InvalidImportTokenException”.

The request was rejected because the provided import token is invalid or is associated with a different customer master key (CMK).

Value:

const ErrCodeInvalidKeyUsageException = readonly

ErrCodeInvalidKeyUsageException for service response error code “InvalidKeyUsageException”.

The request was rejected for one of the following reasons:

  • The KeyUsage value of the CMK is incompatible with the API operation.

  • The encryption algorithm or signing algorithm specified for the operation is incompatible with the type of key material in the CMK (CustomerMasterKeySpec).

For encrypting, decrypting, re-encrypting, and generating data keys, the KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation.

To find the encryption or signing algorithms supported for a particular CMK, use the DescribeKey operation.

Value:

const ErrCodeInvalidMarkerException = readonly

ErrCodeInvalidMarkerException for service response error code “InvalidMarkerException”.

The request was rejected because the marker that specifies where pagination should next begin is not valid.

Value:

const ErrCodeInvalidStateException = readonly

ErrCodeInvalidStateException for service response error code “KMSInvalidStateException”.

The request was rejected because the state of the specified resource is not valid for this request.

For more information about how key state affects the use of a CMK, see How Key State Affects Use of a Customer Master Key (docs.aws.amazon.com/kms/latest/developerguide/key-state.html) in the AWS Key Management Service Developer Guide.

Value:

"KMSInvalidStateException"
const ErrCodeKMSInvalidSignatureException = readonly

ErrCodeKMSInvalidSignatureException for service response error code “KMSInvalidSignatureException”.

The request was rejected because the signature verification failed. Signature verification fails when it cannot confirm that the signature was produced by signing the specified message with the specified CMK and signing algorithm.

Value:

const ErrCodeKeyUnavailableException = readonly

ErrCodeKeyUnavailableException for service response error code “KeyUnavailableException”.

The request was rejected because the specified KMS key was not available. You can retry the request.

Value:

const ErrCodeLimitExceededException = readonly

ErrCodeLimitExceededException for service response error code “LimitExceededException”.

The request was rejected because a quota was exceeded. For more information, see Quotas (docs.aws.amazon.com/kms/latest/developerguide/limits.html) in the Key Management Service Developer Guide.

Value:

const ErrCodeMalformedPolicyDocumentException = readonly

ErrCodeMalformedPolicyDocumentException for service response error code “MalformedPolicyDocumentException”.

The request was rejected because the specified policy is not syntactically or semantically correct.

Value:

const ErrCodeNotFoundException = readonly

ErrCodeNotFoundException for service response error code “NotFoundException”.

The request was rejected because the specified entity or resource could not be found.

Value:

const ErrCodeTagException = readonly

ErrCodeTagException for service response error code “TagException”.

The request was rejected because one or more tags are not valid.

Value:

const ErrCodeUnsupportedOperationException = readonly

ErrCodeUnsupportedOperationException for service response error code “UnsupportedOperationException”.

The request was rejected because a specified parameter is not supported or a specified resource is not valid for this operation.

Value:

const ServiceName = readonly

Value:

"kms" // Name of service.

const EndpointsID = readonly

Value:

ServiceName // ID to lookup a service endpoint with.

const ServiceID = readonly

Value:

"KMS" // ServiceID is a unique identifier of a specific service.


Type Details

ConnectCustomKeyStoreOutput struct

Structure Fields:

_ struct{}

CreateAliasOutput struct

Structure Fields:

_ struct{}

DeleteAliasOutput struct

Structure Fields:

_ struct{}

DeleteCustomKeyStoreOutput struct

Structure Fields:

_ struct{}

DeleteImportedKeyMaterialOutput struct

Structure Fields:

_ struct{}

DisableKeyOutput struct

Structure Fields:

_ struct{}

DisableKeyRotationOutput struct

Structure Fields:

_ struct{}

DisconnectCustomKeyStoreOutput struct

Structure Fields:

_ struct{}

EnableKeyOutput struct

Structure Fields:

_ struct{}

EnableKeyRotationOutput struct

Structure Fields:

_ struct{}

ImportKeyMaterialOutput struct

Structure Fields:

_ struct{}

PutKeyPolicyOutput struct

Structure Fields:

_ struct{}

RetireGrantOutput struct

Structure Fields:

_ struct{}

RevokeGrantOutput struct

Structure Fields:

_ struct{}

TagResourceOutput struct

Structure Fields:

_ struct{}

UntagResourceOutput struct

Structure Fields:

_ struct{}

UpdateAliasOutput struct

Structure Fields:

_ struct{}

UpdateCustomKeyStoreOutput struct

Structure Fields:

_ struct{}

UpdateKeyDescriptionOutput struct

Structure Fields:

_ struct{}

Function Details

func AlgorithmSpec_Values() []string

AlgorithmSpec_Values returns all elements of the AlgorithmSpec enum



// File 'service/kms/api.go', line 17473

func AlgorithmSpec_Values() []string {
	return []string{
		AlgorithmSpecRsaesPkcs1V15,
		AlgorithmSpecRsaesOaepSha1,
		AlgorithmSpecRsaesOaepSha256,
		AlgorithmSpecRsaAesKeyWrapSha1,
		AlgorithmSpecRsaAesKeyWrapSha256,
	}
}

func ConnectionErrorCodeType_Values() []string

ConnectionErrorCodeType_Values returns all elements of the ConnectionErrorCodeType enum



// File 'service/kms/api.go', line 17513

func ConnectionErrorCodeType_Values() []string {
	return []string{
		ConnectionErrorCodeTypeInvalidCredentials,
		ConnectionErrorCodeTypeClusterNotFound,
		ConnectionErrorCodeTypeNetworkErrors,
		ConnectionErrorCodeTypeInternalError,
		ConnectionErrorCodeTypeInsufficientCloudhsmHsms,
		ConnectionErrorCodeTypeUserLockedOut,
		ConnectionErrorCodeTypeUserNotFound,
		ConnectionErrorCodeTypeUserLoggedIn,
		ConnectionErrorCodeTypeSubnetNotFound,
	}
}

func ConnectionStateType_Values() []string

ConnectionStateType_Values returns all elements of the ConnectionStateType enum



// File 'service/kms/api.go', line 17545

func ConnectionStateType_Values() []string {
	return []string{
		ConnectionStateTypeConnected,
		ConnectionStateTypeConnecting,
		ConnectionStateTypeFailed,
		ConnectionStateTypeDisconnected,
		ConnectionStateTypeDisconnecting,
	}
}

func CustomerMasterKeySpec_Values() []string

CustomerMasterKeySpec_Values returns all elements of the CustomerMasterKeySpec enum



// File 'service/kms/api.go', line 17597

func CustomerMasterKeySpec_Values() []string {
	return []string{
		CustomerMasterKeySpecRsa2048,
		CustomerMasterKeySpecRsa3072,
		CustomerMasterKeySpecRsa4096,
		CustomerMasterKeySpecEccNistP256,
		CustomerMasterKeySpecEccNistP384,
		CustomerMasterKeySpecEccNistP521,
		CustomerMasterKeySpecEccSecgP256k1,
		CustomerMasterKeySpecSymmetricDefault,
		CustomerMasterKeySpecHmac224,
		CustomerMasterKeySpecHmac256,
		CustomerMasterKeySpecHmac384,
		CustomerMasterKeySpecHmac512,
		CustomerMasterKeySpecSm2,
	}
}

func DataKeyPairSpec_Values() []string

DataKeyPairSpec_Values returns all elements of the DataKeyPairSpec enum



// File 'service/kms/api.go', line 17642

func DataKeyPairSpec_Values() []string {
	return []string{
		DataKeyPairSpecRsa2048,
		DataKeyPairSpecRsa3072,
		DataKeyPairSpecRsa4096,
		DataKeyPairSpecEccNistP256,
		DataKeyPairSpecEccNistP384,
		DataKeyPairSpecEccNistP521,
		DataKeyPairSpecEccSecgP256k1,
		DataKeyPairSpecSm2,
	}
}

func DataKeySpec_Values() []string

DataKeySpec_Values returns all elements of the DataKeySpec enum



// File 'service/kms/api.go', line 17664

func DataKeySpec_Values() []string {
	return []string{
		DataKeySpecAes256,
		DataKeySpecAes128,
	}
}

func EncryptionAlgorithmSpec_Values() []string

EncryptionAlgorithmSpec_Values returns all elements of the EncryptionAlgorithmSpec enum



// File 'service/kms/api.go', line 17686

func EncryptionAlgorithmSpec_Values() []string {
	return []string{
		EncryptionAlgorithmSpecSymmetricDefault,
		EncryptionAlgorithmSpecRsaesOaepSha1,
		EncryptionAlgorithmSpecRsaesOaepSha256,
		EncryptionAlgorithmSpecSm2pke,
	}
}

func ExpirationModelType_Values() []string

ExpirationModelType_Values returns all elements of the ExpirationModelType enum



// File 'service/kms/api.go', line 17704

func ExpirationModelType_Values() []string {
	return []string{
		ExpirationModelTypeKeyMaterialExpires,
		ExpirationModelTypeKeyMaterialDoesNotExpire,
	}
}

func GrantOperation_Values() []string

GrantOperation_Values returns all elements of the GrantOperation enum



// File 'service/kms/api.go', line 17756

func GrantOperation_Values() []string {
	return []string{
		GrantOperationDecrypt,
		GrantOperationEncrypt,
		GrantOperationGenerateDataKey,
		GrantOperationGenerateDataKeyWithoutPlaintext,
		GrantOperationReEncryptFrom,
		GrantOperationReEncryptTo,
		GrantOperationSign,
		GrantOperationVerify,
		GrantOperationGetPublicKey,
		GrantOperationCreateGrant,
		GrantOperationRetireGrant,
		GrantOperationDescribeKey,
		GrantOperationGenerateDataKeyPair,
		GrantOperationGenerateDataKeyPairWithoutPlaintext,
	}
}

func KeyManagerType_Values() []string

KeyManagerType_Values returns all elements of the KeyManagerType enum



// File 'service/kms/api.go', line 17784

func KeyManagerType_Values() []string {
	return []string{
		KeyManagerTypeAws,
		KeyManagerTypeCustomer,
	}
}

func KeySpec_Values() []string

KeySpec_Values returns all elements of the KeySpec enum



// File 'service/kms/api.go', line 17833

func KeySpec_Values() []string {
	return []string{
		KeySpecRsa2048,
		KeySpecRsa3072,
		KeySpecRsa4096,
		KeySpecEccNistP256,
		KeySpecEccNistP384,
		KeySpecEccNistP521,
		KeySpecEccSecgP256k1,
		KeySpecSymmetricDefault,
		KeySpecHmac224,
		KeySpecHmac256,
		KeySpecHmac384,
		KeySpecHmac512,
		KeySpecSm2,
	}
}

func KeyState_Values() []string

KeyState_Values returns all elements of the KeyState enum



// File 'service/kms/api.go', line 17878

func KeyState_Values() []string {
	return []string{
		KeyStateCreating,
		KeyStateEnabled,
		KeyStateDisabled,
		KeyStatePendingDeletion,
		KeyStatePendingImport,
		KeyStatePendingReplicaDeletion,
		KeyStateUnavailable,
		KeyStateUpdating,
	}
}

func KeyUsageType_Values() []string

KeyUsageType_Values returns all elements of the KeyUsageType enum



// File 'service/kms/api.go', line 17900

func KeyUsageType_Values() []string {
	return []string{
		KeyUsageTypeSignVerify,
		KeyUsageTypeEncryptDecrypt,
	}
}

func MessageType_Values() []string

MessageType_Values returns all elements of the MessageType enum



// File 'service/kms/api.go', line 17916

func MessageType_Values() []string {
	return []string{
		MessageTypeRaw,
		MessageTypeDigest,
	}
}

func OriginType_Values() []string

OriginType_Values returns all elements of the OriginType enum



// File 'service/kms/api.go', line 17938

func OriginType_Values() []string {
	return []string{
		OriginTypeAwsKms,
		OriginTypeExternal,
		OriginTypeAwsCloudhsm,
		OriginTypeExternalKeyStore,
	}
}

func SigningAlgorithmSpec_Values() []string

SigningAlgorithmSpec_Values returns all elements of the SigningAlgorithmSpec enum



// File 'service/kms/api.go', line 17980

func SigningAlgorithmSpec_Values() []string {
	return []string{
		SigningAlgorithmSpecRsassaPssSha256,
		SigningAlgorithmSpecRsassaPssSha384,
		SigningAlgorithmSpecRsassaPssSha512,
		SigningAlgorithmSpecRsassaPkcs1V15Sha256,
		SigningAlgorithmSpecRsassaPkcs1V15Sha384,
		SigningAlgorithmSpecRsassaPkcs1V15Sha512,
		SigningAlgorithmSpecEcdsaSha256,
		SigningAlgorithmSpecEcdsaSha384,
		SigningAlgorithmSpecEcdsaSha512,
		SigningAlgorithmSpecSm2dsa,
	}
}

func WrappingKeySpec_Values() []string

WrappingKeySpec_Values returns all elements of the WrappingKeySpec enum



// File 'service/kms/api.go', line 18007

func WrappingKeySpec_Values() []string {
	return []string{
		WrappingKeySpecRsa2048,
		WrappingKeySpecRsa3072,
		WrappingKeySpecRsa4096,
	}
}