kms

package
Version: v1.40.51 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 28, 2021 License: Apache-2.0 Imports: 10 Imported by: 590

Documentation

Overview

Package kms provides the client and types for making API requests to AWS Key Management Service.

Key Management Service (KMS) is an encryption and key management web service. This guide describes the KMS operations that you can call programmatically. For general information about KMS, see the Key Management Service Developer Guide (https://docs.aws.amazon.com/kms/latest/developerguide/).

KMS is replacing the term customer master key (CMK) with KMS key and KMS key. The concept has not changed. To prevent breaking changes, KMS is keeping some variations of this term.

Amazon Web Services provides SDKs that consist of libraries and sample code for various programming languages and platforms (Java, Ruby, .Net, macOS, Android, etc.). The SDKs provide a convenient way to create programmatic access to KMS and other Amazon Web Services services. For example, the SDKs take care of tasks such as signing requests (see below), managing errors, and retrying requests automatically. For more information about the Amazon Web Services SDKs, including how to download and install them, see Tools for Amazon Web Services (http://aws.amazon.com/tools/).

We recommend that you use the Amazon Web Services SDKs to make programmatic API calls to KMS.

Clients must support TLS (Transport Layer Security) 1.0. We recommend TLS 1.2. Clients must also support cipher suites with Perfect Forward Secrecy (PFS) such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Ephemeral Diffie-Hellman (ECDHE). Most modern systems such as Java 7 and later support these modes.

Signing Requests

Requests must be signed by using an access key ID and a secret access key. We strongly recommend that you do not use your Amazon Web Services account (root) access key ID and secret key for everyday work with KMS. Instead, use the access key ID and secret access key for an IAM user. You can also use the Amazon Web Services Security Token Service to generate temporary security credentials that you can use to sign requests.

All KMS operations require Signature Version 4 (https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html).

Logging API Requests

KMS supports CloudTrail, a service that logs Amazon Web Services API calls and related events for your Amazon Web Services account and delivers them to an Amazon S3 bucket that you specify. By using the information collected by CloudTrail, you can determine what requests were made to KMS, who made the request, when it was made, and so on. To learn more about CloudTrail, including how to turn it on and find your log files, see the CloudTrail User Guide (https://docs.aws.amazon.com/awscloudtrail/latest/userguide/).

Additional Resources

For more information about credentials and request signing, see the following:

* Amazon Web Services Security Credentials (https://docs.aws.amazon.com/general/latest/gr/aws-security-credentials.html)
- This topic provides general information about the types of credentials
used to access Amazon Web Services.

* Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html)
- This section of the IAM User Guide describes how to create and use temporary
security credentials.

* Signature Version 4 Signing Process (https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html)
- This set of topics walks you through the process of signing a request
using an access key ID and a secret access key.

Commonly Used API Operations

Of the API operations discussed in this guide, the following will prove the most useful for most applications. You will likely perform operations other than these, such as creating keys and assigning policies, by using the console.

* Encrypt

* Decrypt

* GenerateDataKey

* GenerateDataKeyWithoutPlaintext

See https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01 for more information on this service.

See kms package documentation for more information. https://docs.aws.amazon.com/sdk-for-go/api/service/kms/

Using the Client

To contact AWS Key Management Service with the SDK use the New function to create a new service client. With that client you can make API requests to the service. These clients are safe to use concurrently.

See the SDK's documentation for more information on how to use the SDK. https://docs.aws.amazon.com/sdk-for-go/api/

See aws.Config documentation for more information on configuring SDK clients. https://docs.aws.amazon.com/sdk-for-go/api/aws/#Config

See the AWS Key Management Service client KMS for more information on creating client for this service. https://docs.aws.amazon.com/sdk-for-go/api/service/kms/#New

Index

Examples

Constants

View Source
const (
	// AlgorithmSpecRsaesPkcs1V15 is a AlgorithmSpec enum value
	AlgorithmSpecRsaesPkcs1V15 = "RSAES_PKCS1_V1_5"

	// AlgorithmSpecRsaesOaepSha1 is a AlgorithmSpec enum value
	AlgorithmSpecRsaesOaepSha1 = "RSAES_OAEP_SHA_1"

	// AlgorithmSpecRsaesOaepSha256 is a AlgorithmSpec enum value
	AlgorithmSpecRsaesOaepSha256 = "RSAES_OAEP_SHA_256"
)
View Source
const (
	// ConnectionErrorCodeTypeInvalidCredentials is a ConnectionErrorCodeType enum value
	ConnectionErrorCodeTypeInvalidCredentials = "INVALID_CREDENTIALS"

	// ConnectionErrorCodeTypeClusterNotFound is a ConnectionErrorCodeType enum value
	ConnectionErrorCodeTypeClusterNotFound = "CLUSTER_NOT_FOUND"

	// ConnectionErrorCodeTypeNetworkErrors is a ConnectionErrorCodeType enum value
	ConnectionErrorCodeTypeNetworkErrors = "NETWORK_ERRORS"

	// ConnectionErrorCodeTypeInternalError is a ConnectionErrorCodeType enum value
	ConnectionErrorCodeTypeInternalError = "INTERNAL_ERROR"

	// ConnectionErrorCodeTypeInsufficientCloudhsmHsms is a ConnectionErrorCodeType enum value
	ConnectionErrorCodeTypeInsufficientCloudhsmHsms = "INSUFFICIENT_CLOUDHSM_HSMS"

	// ConnectionErrorCodeTypeUserLockedOut is a ConnectionErrorCodeType enum value
	ConnectionErrorCodeTypeUserLockedOut = "USER_LOCKED_OUT"

	// ConnectionErrorCodeTypeUserNotFound is a ConnectionErrorCodeType enum value
	ConnectionErrorCodeTypeUserNotFound = "USER_NOT_FOUND"

	// ConnectionErrorCodeTypeUserLoggedIn is a ConnectionErrorCodeType enum value
	ConnectionErrorCodeTypeUserLoggedIn = "USER_LOGGED_IN"

	// ConnectionErrorCodeTypeSubnetNotFound is a ConnectionErrorCodeType enum value
	ConnectionErrorCodeTypeSubnetNotFound = "SUBNET_NOT_FOUND"
)
View Source
const (
	// ConnectionStateTypeConnected is a ConnectionStateType enum value
	ConnectionStateTypeConnected = "CONNECTED"

	// ConnectionStateTypeConnecting is a ConnectionStateType enum value
	ConnectionStateTypeConnecting = "CONNECTING"

	// ConnectionStateTypeFailed is a ConnectionStateType enum value
	ConnectionStateTypeFailed = "FAILED"

	// ConnectionStateTypeDisconnected is a ConnectionStateType enum value
	ConnectionStateTypeDisconnected = "DISCONNECTED"

	// ConnectionStateTypeDisconnecting is a ConnectionStateType enum value
	ConnectionStateTypeDisconnecting = "DISCONNECTING"
)
View Source
const (
	// CustomerMasterKeySpecRsa2048 is a CustomerMasterKeySpec enum value
	CustomerMasterKeySpecRsa2048 = "RSA_2048"

	// CustomerMasterKeySpecRsa3072 is a CustomerMasterKeySpec enum value
	CustomerMasterKeySpecRsa3072 = "RSA_3072"

	// CustomerMasterKeySpecRsa4096 is a CustomerMasterKeySpec enum value
	CustomerMasterKeySpecRsa4096 = "RSA_4096"

	// CustomerMasterKeySpecEccNistP256 is a CustomerMasterKeySpec enum value
	CustomerMasterKeySpecEccNistP256 = "ECC_NIST_P256"

	// CustomerMasterKeySpecEccNistP384 is a CustomerMasterKeySpec enum value
	CustomerMasterKeySpecEccNistP384 = "ECC_NIST_P384"

	// CustomerMasterKeySpecEccNistP521 is a CustomerMasterKeySpec enum value
	CustomerMasterKeySpecEccNistP521 = "ECC_NIST_P521"

	// CustomerMasterKeySpecEccSecgP256k1 is a CustomerMasterKeySpec enum value
	CustomerMasterKeySpecEccSecgP256k1 = "ECC_SECG_P256K1"

	// CustomerMasterKeySpecSymmetricDefault is a CustomerMasterKeySpec enum value
	CustomerMasterKeySpecSymmetricDefault = "SYMMETRIC_DEFAULT"
)
View Source
const (
	// DataKeyPairSpecRsa2048 is a DataKeyPairSpec enum value
	DataKeyPairSpecRsa2048 = "RSA_2048"

	// DataKeyPairSpecRsa3072 is a DataKeyPairSpec enum value
	DataKeyPairSpecRsa3072 = "RSA_3072"

	// DataKeyPairSpecRsa4096 is a DataKeyPairSpec enum value
	DataKeyPairSpecRsa4096 = "RSA_4096"

	// DataKeyPairSpecEccNistP256 is a DataKeyPairSpec enum value
	DataKeyPairSpecEccNistP256 = "ECC_NIST_P256"

	// DataKeyPairSpecEccNistP384 is a DataKeyPairSpec enum value
	DataKeyPairSpecEccNistP384 = "ECC_NIST_P384"

	// DataKeyPairSpecEccNistP521 is a DataKeyPairSpec enum value
	DataKeyPairSpecEccNistP521 = "ECC_NIST_P521"

	// DataKeyPairSpecEccSecgP256k1 is a DataKeyPairSpec enum value
	DataKeyPairSpecEccSecgP256k1 = "ECC_SECG_P256K1"
)
View Source
const (
	// DataKeySpecAes256 is a DataKeySpec enum value
	DataKeySpecAes256 = "AES_256"

	// DataKeySpecAes128 is a DataKeySpec enum value
	DataKeySpecAes128 = "AES_128"
)
View Source
const (
	// EncryptionAlgorithmSpecSymmetricDefault is a EncryptionAlgorithmSpec enum value
	EncryptionAlgorithmSpecSymmetricDefault = "SYMMETRIC_DEFAULT"

	// EncryptionAlgorithmSpecRsaesOaepSha1 is a EncryptionAlgorithmSpec enum value
	EncryptionAlgorithmSpecRsaesOaepSha1 = "RSAES_OAEP_SHA_1"

	// EncryptionAlgorithmSpecRsaesOaepSha256 is a EncryptionAlgorithmSpec enum value
	EncryptionAlgorithmSpecRsaesOaepSha256 = "RSAES_OAEP_SHA_256"
)
View Source
const (
	// ExpirationModelTypeKeyMaterialExpires is a ExpirationModelType enum value
	ExpirationModelTypeKeyMaterialExpires = "KEY_MATERIAL_EXPIRES"

	// ExpirationModelTypeKeyMaterialDoesNotExpire is a ExpirationModelType enum value
	ExpirationModelTypeKeyMaterialDoesNotExpire = "KEY_MATERIAL_DOES_NOT_EXPIRE"
)
View Source
const (
	// GrantOperationDecrypt is a GrantOperation enum value
	GrantOperationDecrypt = "Decrypt"

	// GrantOperationEncrypt is a GrantOperation enum value
	GrantOperationEncrypt = "Encrypt"

	// GrantOperationGenerateDataKey is a GrantOperation enum value
	GrantOperationGenerateDataKey = "GenerateDataKey"

	// GrantOperationGenerateDataKeyWithoutPlaintext is a GrantOperation enum value
	GrantOperationGenerateDataKeyWithoutPlaintext = "GenerateDataKeyWithoutPlaintext"

	// GrantOperationReEncryptFrom is a GrantOperation enum value
	GrantOperationReEncryptFrom = "ReEncryptFrom"

	// GrantOperationReEncryptTo is a GrantOperation enum value
	GrantOperationReEncryptTo = "ReEncryptTo"

	// GrantOperationSign is a GrantOperation enum value
	GrantOperationSign = "Sign"

	// GrantOperationVerify is a GrantOperation enum value
	GrantOperationVerify = "Verify"

	// GrantOperationGetPublicKey is a GrantOperation enum value
	GrantOperationGetPublicKey = "GetPublicKey"

	// GrantOperationCreateGrant is a GrantOperation enum value
	GrantOperationCreateGrant = "CreateGrant"

	// GrantOperationRetireGrant is a GrantOperation enum value
	GrantOperationRetireGrant = "RetireGrant"

	// GrantOperationDescribeKey is a GrantOperation enum value
	GrantOperationDescribeKey = "DescribeKey"

	// GrantOperationGenerateDataKeyPair is a GrantOperation enum value
	GrantOperationGenerateDataKeyPair = "GenerateDataKeyPair"

	// GrantOperationGenerateDataKeyPairWithoutPlaintext is a GrantOperation enum value
	GrantOperationGenerateDataKeyPairWithoutPlaintext = "GenerateDataKeyPairWithoutPlaintext"
)
View Source
const (
	// KeyManagerTypeAws is a KeyManagerType enum value
	KeyManagerTypeAws = "AWS"

	// KeyManagerTypeCustomer is a KeyManagerType enum value
	KeyManagerTypeCustomer = "CUSTOMER"
)
View Source
const (
	// KeySpecRsa2048 is a KeySpec enum value
	KeySpecRsa2048 = "RSA_2048"

	// KeySpecRsa3072 is a KeySpec enum value
	KeySpecRsa3072 = "RSA_3072"

	// KeySpecRsa4096 is a KeySpec enum value
	KeySpecRsa4096 = "RSA_4096"

	// KeySpecEccNistP256 is a KeySpec enum value
	KeySpecEccNistP256 = "ECC_NIST_P256"

	// KeySpecEccNistP384 is a KeySpec enum value
	KeySpecEccNistP384 = "ECC_NIST_P384"

	// KeySpecEccNistP521 is a KeySpec enum value
	KeySpecEccNistP521 = "ECC_NIST_P521"

	// KeySpecEccSecgP256k1 is a KeySpec enum value
	KeySpecEccSecgP256k1 = "ECC_SECG_P256K1"

	// KeySpecSymmetricDefault is a KeySpec enum value
	KeySpecSymmetricDefault = "SYMMETRIC_DEFAULT"
)
View Source
const (
	// KeyStateCreating is a KeyState enum value
	KeyStateCreating = "Creating"

	// KeyStateEnabled is a KeyState enum value
	KeyStateEnabled = "Enabled"

	// KeyStateDisabled is a KeyState enum value
	KeyStateDisabled = "Disabled"

	// KeyStatePendingDeletion is a KeyState enum value
	KeyStatePendingDeletion = "PendingDeletion"

	// KeyStatePendingImport is a KeyState enum value
	KeyStatePendingImport = "PendingImport"

	// KeyStatePendingReplicaDeletion is a KeyState enum value
	KeyStatePendingReplicaDeletion = "PendingReplicaDeletion"

	// KeyStateUnavailable is a KeyState enum value
	KeyStateUnavailable = "Unavailable"

	// KeyStateUpdating is a KeyState enum value
	KeyStateUpdating = "Updating"
)
View Source
const (
	// KeyUsageTypeSignVerify is a KeyUsageType enum value
	KeyUsageTypeSignVerify = "SIGN_VERIFY"

	// KeyUsageTypeEncryptDecrypt is a KeyUsageType enum value
	KeyUsageTypeEncryptDecrypt = "ENCRYPT_DECRYPT"
)
View Source
const (
	// MessageTypeRaw is a MessageType enum value
	MessageTypeRaw = "RAW"

	// MessageTypeDigest is a MessageType enum value
	MessageTypeDigest = "DIGEST"
)
View Source
const (
	// MultiRegionKeyTypePrimary is a MultiRegionKeyType enum value
	MultiRegionKeyTypePrimary = "PRIMARY"

	// MultiRegionKeyTypeReplica is a MultiRegionKeyType enum value
	MultiRegionKeyTypeReplica = "REPLICA"
)
View Source
const (
	// OriginTypeAwsKms is a OriginType enum value
	OriginTypeAwsKms = "AWS_KMS"

	// OriginTypeExternal is a OriginType enum value
	OriginTypeExternal = "EXTERNAL"

	// OriginTypeAwsCloudhsm is a OriginType enum value
	OriginTypeAwsCloudhsm = "AWS_CLOUDHSM"
)
View Source
const (
	// SigningAlgorithmSpecRsassaPssSha256 is a SigningAlgorithmSpec enum value
	SigningAlgorithmSpecRsassaPssSha256 = "RSASSA_PSS_SHA_256"

	// SigningAlgorithmSpecRsassaPssSha384 is a SigningAlgorithmSpec enum value
	SigningAlgorithmSpecRsassaPssSha384 = "RSASSA_PSS_SHA_384"

	// SigningAlgorithmSpecRsassaPssSha512 is a SigningAlgorithmSpec enum value
	SigningAlgorithmSpecRsassaPssSha512 = "RSASSA_PSS_SHA_512"

	// SigningAlgorithmSpecRsassaPkcs1V15Sha256 is a SigningAlgorithmSpec enum value
	SigningAlgorithmSpecRsassaPkcs1V15Sha256 = "RSASSA_PKCS1_V1_5_SHA_256"

	// SigningAlgorithmSpecRsassaPkcs1V15Sha384 is a SigningAlgorithmSpec enum value
	SigningAlgorithmSpecRsassaPkcs1V15Sha384 = "RSASSA_PKCS1_V1_5_SHA_384"

	// SigningAlgorithmSpecRsassaPkcs1V15Sha512 is a SigningAlgorithmSpec enum value
	SigningAlgorithmSpecRsassaPkcs1V15Sha512 = "RSASSA_PKCS1_V1_5_SHA_512"

	// SigningAlgorithmSpecEcdsaSha256 is a SigningAlgorithmSpec enum value
	SigningAlgorithmSpecEcdsaSha256 = "ECDSA_SHA_256"

	// SigningAlgorithmSpecEcdsaSha384 is a SigningAlgorithmSpec enum value
	SigningAlgorithmSpecEcdsaSha384 = "ECDSA_SHA_384"

	// SigningAlgorithmSpecEcdsaSha512 is a SigningAlgorithmSpec enum value
	SigningAlgorithmSpecEcdsaSha512 = "ECDSA_SHA_512"
)
View Source
const (

	// ErrCodeAlreadyExistsException for service response error code
	// "AlreadyExistsException".
	//
	// The request was rejected because it attempted to create a resource that already
	// exists.
	ErrCodeAlreadyExistsException = "AlreadyExistsException"

	// ErrCodeCloudHsmClusterInUseException for service response error code
	// "CloudHsmClusterInUseException".
	//
	// The request was rejected because the specified CloudHSM cluster is already
	// associated with a custom key store or it shares a backup history with a cluster
	// that is associated with a custom key store. Each custom key store must be
	// associated with a different CloudHSM cluster.
	//
	// Clusters that share a backup history have the same cluster certificate. To
	// view the cluster certificate of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
	// operation.
	ErrCodeCloudHsmClusterInUseException = "CloudHsmClusterInUseException"

	// ErrCodeCloudHsmClusterInvalidConfigurationException for service response error code
	// "CloudHsmClusterInvalidConfigurationException".
	//
	// The request was rejected because the associated CloudHSM cluster did not
	// meet the configuration requirements for a custom key store.
	//
	//    * The cluster must be configured with private subnets in at least two
	//    different Availability Zones in the Region.
	//
	//    * The security group for the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html)
	//    (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound
	//    rules that allow TCP traffic on ports 2223-2225. The Source in the inbound
	//    rules and the Destination in the outbound rules must match the security
	//    group ID. These rules are set by default when you create the cluster.
	//    Do not delete or change them. To get information about a particular security
	//    group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html)
	//    operation.
	//
	//    * The cluster must contain at least as many HSMs as the operation requires.
	//    To add HSMs, use the CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html)
	//    operation. For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey
	//    operations, the CloudHSM cluster must have at least two active HSMs, each
	//    in a different Availability Zone. For the ConnectCustomKeyStore operation,
	//    the CloudHSM must contain at least one active HSM.
	//
	// For information about the requirements for an CloudHSM cluster that is associated
	// with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore)
	// in the Key Management Service Developer Guide. For information about creating
	// a private subnet for an CloudHSM cluster, see Create a Private Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html)
	// in the CloudHSM User Guide. For information about cluster security groups,
	// see Configure a Default Security Group (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html)
	// in the CloudHSM User Guide .
	ErrCodeCloudHsmClusterInvalidConfigurationException = "CloudHsmClusterInvalidConfigurationException"

	// ErrCodeCloudHsmClusterNotActiveException for service response error code
	// "CloudHsmClusterNotActiveException".
	//
	// The request was rejected because the CloudHSM cluster that is associated
	// with the custom key store is not active. Initialize and activate the cluster
	// and try the command again. For detailed instructions, see Getting Started
	// (https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html)
	// in the CloudHSM User Guide.
	ErrCodeCloudHsmClusterNotActiveException = "CloudHsmClusterNotActiveException"

	// ErrCodeCloudHsmClusterNotFoundException for service response error code
	// "CloudHsmClusterNotFoundException".
	//
	// The request was rejected because KMS cannot find the CloudHSM cluster with
	// the specified cluster ID. Retry the request with a different cluster ID.
	ErrCodeCloudHsmClusterNotFoundException = "CloudHsmClusterNotFoundException"

	// ErrCodeCloudHsmClusterNotRelatedException for service response error code
	// "CloudHsmClusterNotRelatedException".
	//
	// The request was rejected because the specified CloudHSM cluster has a different
	// cluster certificate than the original cluster. You cannot use the operation
	// to specify an unrelated cluster.
	//
	// Specify a cluster that shares a backup history with the original cluster.
	// This includes clusters that were created from a backup of the current cluster,
	// and clusters that were created from the same backup that produced the current
	// cluster.
	//
	// Clusters that share a backup history have the same cluster certificate. To
	// view the cluster certificate of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
	// operation.
	ErrCodeCloudHsmClusterNotRelatedException = "CloudHsmClusterNotRelatedException"

	// ErrCodeCustomKeyStoreHasCMKsException for service response error code
	// "CustomKeyStoreHasCMKsException".
	//
	// The request was rejected because the custom key store contains KMS keys.
	// After verifying that you do not need to use the KMS keys, use the ScheduleKeyDeletion
	// operation to delete the KMS keys. After they are deleted, you can delete
	// the custom key store.
	ErrCodeCustomKeyStoreHasCMKsException = "CustomKeyStoreHasCMKsException"

	// ErrCodeCustomKeyStoreInvalidStateException for service response error code
	// "CustomKeyStoreInvalidStateException".
	//
	// The request was rejected because of the ConnectionState of the custom key
	// store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores
	// operation.
	//
	// This exception is thrown under the following conditions:
	//
	//    * You requested the CreateKey or GenerateRandom operation in a custom
	//    key store that is not connected. These operations are valid only when
	//    the custom key store ConnectionState is CONNECTED.
	//
	//    * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation
	//    on a custom key store that is not disconnected. This operation is valid
	//    only when the custom key store ConnectionState is DISCONNECTED.
	//
	//    * You requested the ConnectCustomKeyStore operation on a custom key store
	//    with a ConnectionState of DISCONNECTING or FAILED. This operation is valid
	//    for all other ConnectionState values.
	ErrCodeCustomKeyStoreInvalidStateException = "CustomKeyStoreInvalidStateException"

	// ErrCodeCustomKeyStoreNameInUseException for service response error code
	// "CustomKeyStoreNameInUseException".
	//
	// The request was rejected because the specified custom key store name is already
	// assigned to another custom key store in the account. Try again with a custom
	// key store name that is unique in the account.
	ErrCodeCustomKeyStoreNameInUseException = "CustomKeyStoreNameInUseException"

	// ErrCodeCustomKeyStoreNotFoundException for service response error code
	// "CustomKeyStoreNotFoundException".
	//
	// The request was rejected because KMS cannot find a custom key store with
	// the specified key store name or ID.
	ErrCodeCustomKeyStoreNotFoundException = "CustomKeyStoreNotFoundException"

	// ErrCodeDependencyTimeoutException for service response error code
	// "DependencyTimeoutException".
	//
	// The system timed out while trying to fulfill the request. The request can
	// be retried.
	ErrCodeDependencyTimeoutException = "DependencyTimeoutException"

	// ErrCodeDisabledException for service response error code
	// "DisabledException".
	//
	// The request was rejected because the specified KMS key is not enabled.
	ErrCodeDisabledException = "DisabledException"

	// ErrCodeExpiredImportTokenException for service response error code
	// "ExpiredImportTokenException".
	//
	// The request was rejected because the specified import token is expired. Use
	// GetParametersForImport to get a new import token and public key, use the
	// new public key to encrypt the key material, and then try the request again.
	ErrCodeExpiredImportTokenException = "ExpiredImportTokenException"

	// ErrCodeIncorrectKeyException for service response error code
	// "IncorrectKeyException".
	//
	// The request was rejected because the specified KMS key cannot decrypt the
	// data. The KeyId in a Decrypt request and the SourceKeyId in a ReEncrypt request
	// must identify the same KMS key that was used to encrypt the ciphertext.
	ErrCodeIncorrectKeyException = "IncorrectKeyException"

	// ErrCodeIncorrectKeyMaterialException for service response error code
	// "IncorrectKeyMaterialException".
	//
	// The request was rejected because the key material in the request is, expired,
	// invalid, or is not the same key material that was previously imported into
	// this KMS key.
	ErrCodeIncorrectKeyMaterialException = "IncorrectKeyMaterialException"

	// ErrCodeIncorrectTrustAnchorException for service response error code
	// "IncorrectTrustAnchorException".
	//
	// The request was rejected because the trust anchor certificate in the request
	// is not the trust anchor certificate for the specified CloudHSM cluster.
	//
	// When you initialize the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr),
	// you create the trust anchor certificate and save it in the customerCA.crt
	// file.
	ErrCodeIncorrectTrustAnchorException = "IncorrectTrustAnchorException"

	// ErrCodeInternalException for service response error code
	// "KMSInternalException".
	//
	// The request was rejected because an internal exception occurred. The request
	// can be retried.
	ErrCodeInternalException = "KMSInternalException"

	// ErrCodeInvalidAliasNameException for service response error code
	// "InvalidAliasNameException".
	//
	// The request was rejected because the specified alias name is not valid.
	ErrCodeInvalidAliasNameException = "InvalidAliasNameException"

	// ErrCodeInvalidArnException for service response error code
	// "InvalidArnException".
	//
	// The request was rejected because a specified ARN, or an ARN in a key policy,
	// is not valid.
	ErrCodeInvalidArnException = "InvalidArnException"

	// ErrCodeInvalidCiphertextException for service response error code
	// "InvalidCiphertextException".
	//
	// From the Decrypt or ReEncrypt operation, the request was rejected because
	// the specified ciphertext, or additional authenticated data incorporated into
	// the ciphertext, such as the encryption context, is corrupted, missing, or
	// otherwise invalid.
	//
	// From the ImportKeyMaterial operation, the request was rejected because KMS
	// could not decrypt the encrypted (wrapped) key material.
	ErrCodeInvalidCiphertextException = "InvalidCiphertextException"

	// ErrCodeInvalidGrantIdException for service response error code
	// "InvalidGrantIdException".
	//
	// The request was rejected because the specified GrantId is not valid.
	ErrCodeInvalidGrantIdException = "InvalidGrantIdException"

	// ErrCodeInvalidGrantTokenException for service response error code
	// "InvalidGrantTokenException".
	//
	// The request was rejected because the specified grant token is not valid.
	ErrCodeInvalidGrantTokenException = "InvalidGrantTokenException"

	// ErrCodeInvalidImportTokenException for service response error code
	// "InvalidImportTokenException".
	//
	// The request was rejected because the provided import token is invalid or
	// is associated with a different KMS key.
	ErrCodeInvalidImportTokenException = "InvalidImportTokenException"

	// ErrCodeInvalidKeyUsageException for service response error code
	// "InvalidKeyUsageException".
	//
	// The request was rejected for one of the following reasons:
	//
	//    * The KeyUsage value of the KMS key is incompatible with the API operation.
	//
	//    * The encryption algorithm or signing algorithm specified for the operation
	//    is incompatible with the type of key material in the KMS key (KeySpec).
	//
	// For encrypting, decrypting, re-encrypting, and generating data keys, the
	// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage
	// must be SIGN_VERIFY. To find the KeyUsage of a KMS key, use the DescribeKey
	// operation.
	//
	// To find the encryption or signing algorithms supported for a particular KMS
	// key, use the DescribeKey operation.
	ErrCodeInvalidKeyUsageException = "InvalidKeyUsageException"

	// ErrCodeInvalidMarkerException for service response error code
	// "InvalidMarkerException".
	//
	// The request was rejected because the marker that specifies where pagination
	// should next begin is not valid.
	ErrCodeInvalidMarkerException = "InvalidMarkerException"

	// ErrCodeInvalidStateException for service response error code
	// "KMSInvalidStateException".
	//
	// The request was rejected because the state of the specified resource is not
	// valid for this request.
	//
	// For more information about how key state affects the use of a KMS key, see
	// Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
	// in the Key Management Service Developer Guide .
	ErrCodeInvalidStateException = "KMSInvalidStateException"

	// ErrCodeKMSInvalidSignatureException for service response error code
	// "KMSInvalidSignatureException".
	//
	// The request was rejected because the signature verification failed. Signature
	// verification fails when it cannot confirm that signature was produced by
	// signing the specified message with the specified KMS key and signing algorithm.
	ErrCodeKMSInvalidSignatureException = "KMSInvalidSignatureException"

	// ErrCodeKeyUnavailableException for service response error code
	// "KeyUnavailableException".
	//
	// The request was rejected because the specified KMS key was not available.
	// You can retry the request.
	ErrCodeKeyUnavailableException = "KeyUnavailableException"

	// ErrCodeLimitExceededException for service response error code
	// "LimitExceededException".
	//
	// The request was rejected because a quota was exceeded. For more information,
	// see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html)
	// in the Key Management Service Developer Guide.
	ErrCodeLimitExceededException = "LimitExceededException"

	// ErrCodeMalformedPolicyDocumentException for service response error code
	// "MalformedPolicyDocumentException".
	//
	// The request was rejected because the specified policy is not syntactically
	// or semantically correct.
	ErrCodeMalformedPolicyDocumentException = "MalformedPolicyDocumentException"

	// ErrCodeNotFoundException for service response error code
	// "NotFoundException".
	//
	// The request was rejected because the specified entity or resource could not
	// be found.
	ErrCodeNotFoundException = "NotFoundException"

	// ErrCodeTagException for service response error code
	// "TagException".
	//
	// The request was rejected because one or more tags are not valid.
	ErrCodeTagException = "TagException"

	// ErrCodeUnsupportedOperationException for service response error code
	// "UnsupportedOperationException".
	//
	// The request was rejected because a specified parameter is not supported or
	// a specified resource is not valid for this operation.
	ErrCodeUnsupportedOperationException = "UnsupportedOperationException"
)
View Source
const (
	ServiceName = "kms"       // Name of service.
	EndpointsID = ServiceName // ID to lookup a service endpoint with.
	ServiceID   = "KMS"       // ServiceID is a unique identifier of a specific service.
)

Service information constants

View Source
const (
	// WrappingKeySpecRsa2048 is a WrappingKeySpec enum value
	WrappingKeySpecRsa2048 = "RSA_2048"
)

Variables

This section is empty.

Functions

func AlgorithmSpec_Values added in v1.34.3

func AlgorithmSpec_Values() []string

AlgorithmSpec_Values returns all elements of the AlgorithmSpec enum

func ConnectionErrorCodeType_Values added in v1.34.3

func ConnectionErrorCodeType_Values() []string

ConnectionErrorCodeType_Values returns all elements of the ConnectionErrorCodeType enum

func ConnectionStateType_Values added in v1.34.3

func ConnectionStateType_Values() []string

ConnectionStateType_Values returns all elements of the ConnectionStateType enum

func CustomerMasterKeySpec_Values added in v1.34.3

func CustomerMasterKeySpec_Values() []string

CustomerMasterKeySpec_Values returns all elements of the CustomerMasterKeySpec enum

func DataKeyPairSpec_Values added in v1.34.3

func DataKeyPairSpec_Values() []string

DataKeyPairSpec_Values returns all elements of the DataKeyPairSpec enum

func DataKeySpec_Values added in v1.34.3

func DataKeySpec_Values() []string

DataKeySpec_Values returns all elements of the DataKeySpec enum

func EncryptionAlgorithmSpec_Values added in v1.34.3

func EncryptionAlgorithmSpec_Values() []string

EncryptionAlgorithmSpec_Values returns all elements of the EncryptionAlgorithmSpec enum

func ExpirationModelType_Values added in v1.34.3

func ExpirationModelType_Values() []string

ExpirationModelType_Values returns all elements of the ExpirationModelType enum

func GrantOperation_Values added in v1.34.3

func GrantOperation_Values() []string

GrantOperation_Values returns all elements of the GrantOperation enum

func KeyManagerType_Values added in v1.34.3

func KeyManagerType_Values() []string

KeyManagerType_Values returns all elements of the KeyManagerType enum

func KeySpec_Values added in v1.40.33

func KeySpec_Values() []string

KeySpec_Values returns all elements of the KeySpec enum

func KeyState_Values added in v1.34.3

func KeyState_Values() []string

KeyState_Values returns all elements of the KeyState enum

func KeyUsageType_Values added in v1.34.3

func KeyUsageType_Values() []string

KeyUsageType_Values returns all elements of the KeyUsageType enum

func MessageType_Values added in v1.34.3

func MessageType_Values() []string

MessageType_Values returns all elements of the MessageType enum

func MultiRegionKeyType_Values added in v1.38.63

func MultiRegionKeyType_Values() []string

MultiRegionKeyType_Values returns all elements of the MultiRegionKeyType enum

func OriginType_Values added in v1.34.3

func OriginType_Values() []string

OriginType_Values returns all elements of the OriginType enum

func SigningAlgorithmSpec_Values added in v1.34.3

func SigningAlgorithmSpec_Values() []string

SigningAlgorithmSpec_Values returns all elements of the SigningAlgorithmSpec enum

func WrappingKeySpec_Values added in v1.34.3

func WrappingKeySpec_Values() []string

WrappingKeySpec_Values returns all elements of the WrappingKeySpec enum

Types

type AliasListEntry

type AliasListEntry struct {

	// String that contains the key ARN.
	AliasArn *string `min:"20" type:"string"`

	// String that contains the alias. This value begins with alias/.
	AliasName *string `min:"1" type:"string"`

	// Date and time that the alias was most recently created in the account and
	// Region. Formatted as Unix time.
	CreationDate *time.Time `type:"timestamp"`

	// Date and time that the alias was most recently associated with a KMS key
	// in the account and Region. Formatted as Unix time.
	LastUpdatedDate *time.Time `type:"timestamp"`

	// String that contains the key identifier of the KMS key associated with the
	// alias.
	TargetKeyId *string `min:"1" type:"string"`
	// contains filtered or unexported fields
}

Contains information about an alias.

func (AliasListEntry) GoString added in v0.6.5

func (s AliasListEntry) GoString() string

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*AliasListEntry) SetAliasArn added in v1.5.0

func (s *AliasListEntry) SetAliasArn(v string) *AliasListEntry

SetAliasArn sets the AliasArn field's value.

func (*AliasListEntry) SetAliasName added in v1.5.0

func (s *AliasListEntry) SetAliasName(v string) *AliasListEntry

SetAliasName sets the AliasName field's value.

func (*AliasListEntry) SetCreationDate added in v1.36.11

func (s *AliasListEntry) SetCreationDate(v time.Time) *AliasListEntry

SetCreationDate sets the CreationDate field's value.

func (*AliasListEntry) SetLastUpdatedDate added in v1.36.11

func (s *AliasListEntry) SetLastUpdatedDate(v time.Time) *AliasListEntry

SetLastUpdatedDate sets the LastUpdatedDate field's value.

func (*AliasListEntry) SetTargetKeyId added in v1.5.0

func (s *AliasListEntry) SetTargetKeyId(v string) *AliasListEntry

SetTargetKeyId sets the TargetKeyId field's value.

func (AliasListEntry) String added in v0.6.5

func (s AliasListEntry) String() string

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

type AlreadyExistsException added in v1.28.0

type AlreadyExistsException struct {
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
	// contains filtered or unexported fields
}

The request was rejected because it attempted to create a resource that already exists.

func (*AlreadyExistsException) Code added in v1.28.0

func (s *AlreadyExistsException) Code() string

Code returns the exception type name.

func (*AlreadyExistsException) Error added in v1.28.0

func (s *AlreadyExistsException) Error() string

func (AlreadyExistsException) GoString added in v1.28.0

func (s AlreadyExistsException) GoString() string

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*AlreadyExistsException) Message added in v1.28.0

func (s *AlreadyExistsException) Message() string

Message returns the exception's message.

func (*AlreadyExistsException) OrigErr added in v1.28.0

func (s *AlreadyExistsException) OrigErr() error

OrigErr always returns nil, satisfies awserr.Error interface.

func (*AlreadyExistsException) RequestID added in v1.28.0

func (s *AlreadyExistsException) RequestID() string

RequestID returns the service's response RequestID for request.

func (*AlreadyExistsException) StatusCode added in v1.28.0

func (s *AlreadyExistsException) StatusCode() int

Status code returns the HTTP status code for the request's response error.

func (AlreadyExistsException) String added in v1.28.0

func (s AlreadyExistsException) String() string

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

type CancelKeyDeletionInput added in v0.9.15

type CancelKeyDeletionInput struct {

	// Identifies the KMS key whose deletion is being canceled.
	//
	// Specify the key ID or key ARN of the KMS key.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`
	// contains filtered or unexported fields
}

func (CancelKeyDeletionInput) GoString added in v0.9.15

func (s CancelKeyDeletionInput) GoString() string

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*CancelKeyDeletionInput) SetKeyId added in v1.5.0

SetKeyId sets the KeyId field's value.

func (CancelKeyDeletionInput) String added in v0.9.15

func (s CancelKeyDeletionInput) String() string

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*CancelKeyDeletionInput) Validate added in v1.1.21

func (s *CancelKeyDeletionInput) Validate() error

Validate inspects the fields of the type to determine if they are valid.

type CancelKeyDeletionOutput added in v0.9.15

type CancelKeyDeletionOutput struct {

	// The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN))
	// of the KMS key whose deletion is canceled.
	KeyId *string `min:"1" type:"string"`
	// contains filtered or unexported fields
}

func (CancelKeyDeletionOutput) GoString added in v0.9.15

func (s CancelKeyDeletionOutput) GoString() string

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*CancelKeyDeletionOutput) SetKeyId added in v1.5.0

SetKeyId sets the KeyId field's value.

func (CancelKeyDeletionOutput) String added in v0.9.15

func (s CancelKeyDeletionOutput) String() string

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

type CloudHsmClusterInUseException added in v1.28.0

type CloudHsmClusterInUseException struct {
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
	// contains filtered or unexported fields
}

The request was rejected because the specified CloudHSM cluster is already associated with a custom key store or it shares a backup history with a cluster that is associated with a custom key store. Each custom key store must be associated with a different CloudHSM cluster.

Clusters that share a backup history have the same cluster certificate. To view the cluster certificate of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) operation.

func (*CloudHsmClusterInUseException) Code added in v1.28.0

Code returns the exception type name.

func (*CloudHsmClusterInUseException) Error added in v1.28.0

func (CloudHsmClusterInUseException) GoString added in v1.28.0

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*CloudHsmClusterInUseException) Message added in v1.28.0

Message returns the exception's message.

func (*CloudHsmClusterInUseException) OrigErr added in v1.28.0

func (s *CloudHsmClusterInUseException) OrigErr() error

OrigErr always returns nil, satisfies awserr.Error interface.

func (*CloudHsmClusterInUseException) RequestID added in v1.28.0

func (s *CloudHsmClusterInUseException) RequestID() string

RequestID returns the service's response RequestID for request.

func (*CloudHsmClusterInUseException) StatusCode added in v1.28.0

func (s *CloudHsmClusterInUseException) StatusCode() int

Status code returns the HTTP status code for the request's response error.

func (CloudHsmClusterInUseException) String added in v1.28.0

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

type CloudHsmClusterInvalidConfigurationException added in v1.28.0

type CloudHsmClusterInvalidConfigurationException struct {
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
	// contains filtered or unexported fields
}

The request was rejected because the associated CloudHSM cluster did not meet the configuration requirements for a custom key store.

* The cluster must be configured with private subnets in at least two
different Availability Zones in the Region.

* The security group for the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html)
(cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound
rules that allow TCP traffic on ports 2223-2225. The Source in the inbound
rules and the Destination in the outbound rules must match the security
group ID. These rules are set by default when you create the cluster.
Do not delete or change them. To get information about a particular security
group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html)
operation.

* The cluster must contain at least as many HSMs as the operation requires.
To add HSMs, use the CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html)
operation. For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey
operations, the CloudHSM cluster must have at least two active HSMs, each
in a different Availability Zone. For the ConnectCustomKeyStore operation,
the CloudHSM must contain at least one active HSM.

For information about the requirements for an CloudHSM cluster that is associated with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) in the Key Management Service Developer Guide. For information about creating a private subnet for an CloudHSM cluster, see Create a Private Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html) in the CloudHSM User Guide. For information about cluster security groups, see Configure a Default Security Group (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) in the CloudHSM User Guide .

func (*CloudHsmClusterInvalidConfigurationException) Code added in v1.28.0

Code returns the exception type name.

func (*CloudHsmClusterInvalidConfigurationException) Error added in v1.28.0

func (CloudHsmClusterInvalidConfigurationException) GoString added in v1.28.0

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*CloudHsmClusterInvalidConfigurationException) Message added in v1.28.0

Message returns the exception's message.

func (*CloudHsmClusterInvalidConfigurationException) OrigErr added in v1.28.0

OrigErr always returns nil, satisfies awserr.Error interface.

func (*CloudHsmClusterInvalidConfigurationException) RequestID added in v1.28.0

RequestID returns the service's response RequestID for request.

func (*CloudHsmClusterInvalidConfigurationException) StatusCode added in v1.28.0

Status code returns the HTTP status code for the request's response error.

func (CloudHsmClusterInvalidConfigurationException) String added in v1.28.0

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

type CloudHsmClusterNotActiveException added in v1.28.0

type CloudHsmClusterNotActiveException struct {
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
	// contains filtered or unexported fields
}

The request was rejected because the CloudHSM cluster that is associated with the custom key store is not active. Initialize and activate the cluster and try the command again. For detailed instructions, see Getting Started (https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html) in the CloudHSM User Guide.

func (*CloudHsmClusterNotActiveException) Code added in v1.28.0

Code returns the exception type name.

func (*CloudHsmClusterNotActiveException) Error added in v1.28.0

func (CloudHsmClusterNotActiveException) GoString added in v1.28.0

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*CloudHsmClusterNotActiveException) Message added in v1.28.0

Message returns the exception's message.

func (*CloudHsmClusterNotActiveException) OrigErr added in v1.28.0

OrigErr always returns nil, satisfies awserr.Error interface.

func (*CloudHsmClusterNotActiveException) RequestID added in v1.28.0

RequestID returns the service's response RequestID for request.

func (*CloudHsmClusterNotActiveException) StatusCode added in v1.28.0

func (s *CloudHsmClusterNotActiveException) StatusCode() int

Status code returns the HTTP status code for the request's response error.

func (CloudHsmClusterNotActiveException) String added in v1.28.0

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

type CloudHsmClusterNotFoundException added in v1.28.0

type CloudHsmClusterNotFoundException struct {
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
	// contains filtered or unexported fields
}

The request was rejected because KMS cannot find the CloudHSM cluster with the specified cluster ID. Retry the request with a different cluster ID.

func (*CloudHsmClusterNotFoundException) Code added in v1.28.0

Code returns the exception type name.

func (*CloudHsmClusterNotFoundException) Error added in v1.28.0

func (CloudHsmClusterNotFoundException) GoString added in v1.28.0

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*CloudHsmClusterNotFoundException) Message added in v1.28.0

Message returns the exception's message.

func (*CloudHsmClusterNotFoundException) OrigErr added in v1.28.0

OrigErr always returns nil, satisfies awserr.Error interface.

func (*CloudHsmClusterNotFoundException) RequestID added in v1.28.0

RequestID returns the service's response RequestID for request.

func (*CloudHsmClusterNotFoundException) StatusCode added in v1.28.0

func (s *CloudHsmClusterNotFoundException) StatusCode() int

Status code returns the HTTP status code for the request's response error.

func (CloudHsmClusterNotFoundException) String added in v1.28.0

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

type CloudHsmClusterNotRelatedException added in v1.28.0

type CloudHsmClusterNotRelatedException struct {
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
	// contains filtered or unexported fields
}

The request was rejected because the specified CloudHSM cluster has a different cluster certificate than the original cluster. You cannot use the operation to specify an unrelated cluster.

Specify a cluster that shares a backup history with the original cluster. This includes clusters that were created from a backup of the current cluster, and clusters that were created from the same backup that produced the current cluster.

Clusters that share a backup history have the same cluster certificate. To view the cluster certificate of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) operation.

func (*CloudHsmClusterNotRelatedException) Code added in v1.28.0

Code returns the exception type name.

func (*CloudHsmClusterNotRelatedException) Error added in v1.28.0

func (CloudHsmClusterNotRelatedException) GoString added in v1.28.0

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*CloudHsmClusterNotRelatedException) Message added in v1.28.0

Message returns the exception's message.

func (*CloudHsmClusterNotRelatedException) OrigErr added in v1.28.0

OrigErr always returns nil, satisfies awserr.Error interface.

func (*CloudHsmClusterNotRelatedException) RequestID added in v1.28.0

RequestID returns the service's response RequestID for request.

func (*CloudHsmClusterNotRelatedException) StatusCode added in v1.28.0

func (s *CloudHsmClusterNotRelatedException) StatusCode() int

Status code returns the HTTP status code for the request's response error.

func (CloudHsmClusterNotRelatedException) String added in v1.28.0

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

type ConnectCustomKeyStoreInput added in v1.15.83

type ConnectCustomKeyStoreInput struct {

	// Enter the key store ID of the custom key store that you want to connect.
	// To find the ID of a custom key store, use the DescribeCustomKeyStores operation.
	//
	// CustomKeyStoreId is a required field
	CustomKeyStoreId *string `min:"1" type:"string" required:"true"`
	// contains filtered or unexported fields
}

func (ConnectCustomKeyStoreInput) GoString added in v1.15.83

func (s ConnectCustomKeyStoreInput) GoString() string

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*ConnectCustomKeyStoreInput) SetCustomKeyStoreId added in v1.15.83

SetCustomKeyStoreId sets the CustomKeyStoreId field's value.

func (ConnectCustomKeyStoreInput) String added in v1.15.83

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*ConnectCustomKeyStoreInput) Validate added in v1.15.83

func (s *ConnectCustomKeyStoreInput) Validate() error

Validate inspects the fields of the type to determine if they are valid.

type ConnectCustomKeyStoreOutput added in v1.15.83

type ConnectCustomKeyStoreOutput struct {
	// contains filtered or unexported fields
}

func (ConnectCustomKeyStoreOutput) GoString added in v1.15.83

func (s ConnectCustomKeyStoreOutput) GoString() string

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (ConnectCustomKeyStoreOutput) String added in v1.15.83

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

type CreateAliasInput

type CreateAliasInput struct {

	// Specifies the alias name. This value must begin with alias/ followed by a
	// name, such as alias/ExampleAlias.
	//
	// The AliasName value must be string of 1-256 characters. It can contain only
	// alphanumeric characters, forward slashes (/), underscores (_), and dashes
	// (-). The alias name cannot begin with alias/aws/. The alias/aws/ prefix is
	// reserved for Amazon Web Services managed keys (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk).
	//
	// AliasName is a required field
	AliasName *string `min:"1" type:"string" required:"true"`

	// Associates the alias with the specified customer managed key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk).
	// The KMS key must be in the same Amazon Web Services Region.
	//
	// A valid key ID is required. If you supply a null or empty string value, this
	// operation returns an error.
	//
	// For help finding the key ID and ARN, see Finding the Key ID and ARN (https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arn)
	// in the Key Management Service Developer Guide .
	//
	// Specify the key ID or key ARN of the KMS key.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.
	//
	// TargetKeyId is a required field
	TargetKeyId *string `min:"1" type:"string" required:"true"`
	// contains filtered or unexported fields
}

func (CreateAliasInput) GoString added in v0.6.5

func (s CreateAliasInput) GoString() string

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*CreateAliasInput) SetAliasName added in v1.5.0

func (s *CreateAliasInput) SetAliasName(v string) *CreateAliasInput

SetAliasName sets the AliasName field's value.

func (*CreateAliasInput) SetTargetKeyId added in v1.5.0

func (s *CreateAliasInput) SetTargetKeyId(v string) *CreateAliasInput

SetTargetKeyId sets the TargetKeyId field's value.

func (CreateAliasInput) String added in v0.6.5

func (s CreateAliasInput) String() string

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*CreateAliasInput) Validate added in v1.1.21

func (s *CreateAliasInput) Validate() error

Validate inspects the fields of the type to determine if they are valid.

type CreateAliasOutput

type CreateAliasOutput struct {
	// contains filtered or unexported fields
}

func (CreateAliasOutput) GoString added in v0.6.5

func (s CreateAliasOutput) GoString() string

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (CreateAliasOutput) String added in v0.6.5

func (s CreateAliasOutput) String() string

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

type CreateCustomKeyStoreInput added in v1.15.83

type CreateCustomKeyStoreInput struct {

	// Identifies the CloudHSM cluster for the custom key store. Enter the cluster
	// ID of any active CloudHSM cluster that is not already associated with a custom
	// key store. To find the cluster ID, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html)
	// operation.
	//
	// CloudHsmClusterId is a required field
	CloudHsmClusterId *string `min:"19" type:"string" required:"true"`

	// Specifies a friendly name for the custom key store. The name must be unique
	// in your Amazon Web Services account.
	//
	// CustomKeyStoreName is a required field
	CustomKeyStoreName *string `min:"1" type:"string" required:"true"`

	// Enter the password of the kmsuser crypto user (CU) account (https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser)
	// in the specified CloudHSM cluster. KMS logs into the cluster as this user
	// to manage key material on your behalf.
	//
	// The password must be a string of 7 to 32 characters. Its value is case sensitive.
	//
	// This parameter tells KMS the kmsuser account password; it does not change
	// the password in the CloudHSM cluster.
	//
	// KeyStorePassword is a sensitive parameter and its value will be
	// replaced with "sensitive" in string returned by CreateCustomKeyStoreInput's
	// String and GoString methods.
	//
	// KeyStorePassword is a required field
	KeyStorePassword *string `min:"7" type:"string" required:"true" sensitive:"true"`

	// Enter the content of the trust anchor certificate for the cluster. This is
	// the content of the customerCA.crt file that you created when you initialized
	// the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html).
	//
	// TrustAnchorCertificate is a required field
	TrustAnchorCertificate *string `min:"1" type:"string" required:"true"`
	// contains filtered or unexported fields
}

func (CreateCustomKeyStoreInput) GoString added in v1.15.83

func (s CreateCustomKeyStoreInput) GoString() string

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*CreateCustomKeyStoreInput) SetCloudHsmClusterId added in v1.15.83

func (s *CreateCustomKeyStoreInput) SetCloudHsmClusterId(v string) *CreateCustomKeyStoreInput

SetCloudHsmClusterId sets the CloudHsmClusterId field's value.

func (*CreateCustomKeyStoreInput) SetCustomKeyStoreName added in v1.15.83

func (s *CreateCustomKeyStoreInput) SetCustomKeyStoreName(v string) *CreateCustomKeyStoreInput

SetCustomKeyStoreName sets the CustomKeyStoreName field's value.

func (*CreateCustomKeyStoreInput) SetKeyStorePassword added in v1.15.83

func (s *CreateCustomKeyStoreInput) SetKeyStorePassword(v string) *CreateCustomKeyStoreInput

SetKeyStorePassword sets the KeyStorePassword field's value.

func (*CreateCustomKeyStoreInput) SetTrustAnchorCertificate added in v1.15.83

func (s *CreateCustomKeyStoreInput) SetTrustAnchorCertificate(v string) *CreateCustomKeyStoreInput

SetTrustAnchorCertificate sets the TrustAnchorCertificate field's value.

func (CreateCustomKeyStoreInput) String added in v1.15.83

func (s CreateCustomKeyStoreInput) String() string

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*CreateCustomKeyStoreInput) Validate added in v1.15.83

func (s *CreateCustomKeyStoreInput) Validate() error

Validate inspects the fields of the type to determine if they are valid.

type CreateCustomKeyStoreOutput added in v1.15.83

type CreateCustomKeyStoreOutput struct {

	// A unique identifier for the new custom key store.
	CustomKeyStoreId *string `min:"1" type:"string"`
	// contains filtered or unexported fields
}

func (CreateCustomKeyStoreOutput) GoString added in v1.15.83

func (s CreateCustomKeyStoreOutput) GoString() string

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*CreateCustomKeyStoreOutput) SetCustomKeyStoreId added in v1.15.83

SetCustomKeyStoreId sets the CustomKeyStoreId field's value.

func (CreateCustomKeyStoreOutput) String added in v1.15.83

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

type CreateGrantInput

type CreateGrantInput struct {

	// Specifies a grant constraint.
	//
	// KMS supports the EncryptionContextEquals and EncryptionContextSubset grant
	// constraints. Each constraint value can include up to 8 encryption context
	// pairs. The encryption context value in each constraint cannot exceed 384
	// characters.
	//
	// These grant constraints allow the permissions in the grant only when the
	// encryption context in the request matches (EncryptionContextEquals) or includes
	// (EncryptionContextSubset) the encryption context specified in this structure.
	// For information about grant constraints, see Using grant constraints (https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints)
	// in the Key Management Service Developer Guide. For more information about
	// encryption context, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context)
	// in the Key Management Service Developer Guide .
	//
	// The encryption context grant constraints are supported only on operations
	// that include an encryption context. You cannot use an encryption context
	// grant constraint for cryptographic operations with asymmetric KMS keys or
	// for management operations, such as DescribeKey or RetireGrant.
	Constraints *GrantConstraints `type:"structure"`

	// A list of grant tokens.
	//
	// Use a grant token when your permission to call this operation comes from
	// a new grant that has not yet achieved eventual consistency. For more information,
	// see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token)
	// and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token)
	// in the Key Management Service Developer Guide.
	GrantTokens []*string `type:"list"`

	// The identity that gets the permissions specified in the grant.
	//
	// To specify the principal, use the Amazon Resource Name (ARN) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
	// of an Amazon Web Services principal. Valid Amazon Web Services principals
	// include Amazon Web Services accounts (root), IAM users, IAM roles, federated
	// users, and assumed role users. For examples of the ARN syntax to use for
	// specifying a principal, see Amazon Web Services Identity and Access Management
	// (IAM) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam)
	// in the Example ARNs section of the Amazon Web Services General Reference.
	//
	// GranteePrincipal is a required field
	GranteePrincipal *string `min:"1" type:"string" required:"true"`

	// Identifies the KMS key for the grant. The grant gives principals permission
	// to use this KMS key.
	//
	// Specify the key ID or key ARN of the KMS key. To specify a KMS key in a different
	// Amazon Web Services account, you must use the key ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// A friendly name for the grant. Use this value to prevent the unintended creation
	// of duplicate grants when retrying this request.
	//
	// When this value is absent, all CreateGrant requests result in a new grant
	// with a unique GrantId even if all the supplied parameters are identical.
	// This can result in unintended duplicates when you retry the CreateGrant request.
	//
	// When this value is present, you can retry a CreateGrant request with identical
	// parameters; if the grant already exists, the original GrantId is returned
	// without creating a new grant. Note that the returned grant token is unique
	// with every CreateGrant request, even when a duplicate GrantId is returned.
	// All grant tokens for the same grant ID can be used interchangeably.
	Name *string `min:"1" type:"string"`

	// A list of operations that the grant permits.
	//
	// The operation must be supported on the KMS key. For example, you cannot create
	// a grant for a symmetric KMS key that allows the Sign operation, or a grant
	// for an asymmetric KMS key that allows the GenerateDataKey operation. If you
	// try, KMS returns a ValidationError exception. For details, see Grant operations
	// (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations)
	// in the Key Management Service Developer Guide.
	//
	// Operations is a required field
	Operations []*string `type:"list" required:"true"`

	// The principal that has permission to use the RetireGrant operation to retire
	// the grant.
	//
	// To specify the principal, use the Amazon Resource Name (ARN) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
	// of an Amazon Web Services principal. Valid Amazon Web Services principals
	// include Amazon Web Services accounts (root), IAM users, federated users,
	// and assumed role users. For examples of the ARN syntax to use for specifying
	// a principal, see Amazon Web Services Identity and Access Management (IAM)
	// (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam)
	// in the Example ARNs section of the Amazon Web Services General Reference.
	//
	// The grant determines the retiring principal. Other principals might have
	// permission to retire the grant or revoke the grant. For details, see RevokeGrant
	// and Retiring and revoking grants (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete)
	// in the Key Management Service Developer Guide.
	RetiringPrincipal *string `min:"1" type:"string"`
	// contains filtered or unexported fields
}

func (CreateGrantInput) GoString added in v0.6.5

func (s CreateGrantInput) GoString() string

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*CreateGrantInput) SetConstraints added in v1.5.0

func (s *CreateGrantInput) SetConstraints(v *GrantConstraints) *CreateGrantInput

SetConstraints sets the Constraints field's value.

func (*CreateGrantInput) SetGrantTokens added in v1.5.0

func (s *CreateGrantInput) SetGrantTokens(v []*string) *CreateGrantInput

SetGrantTokens sets the GrantTokens field's value.

func (*CreateGrantInput) SetGranteePrincipal added in v1.5.0

func (s *CreateGrantInput) SetGranteePrincipal(v string) *CreateGrantInput

SetGranteePrincipal sets the GranteePrincipal field's value.

func (*CreateGrantInput) SetKeyId added in v1.5.0

func (s *CreateGrantInput) SetKeyId(v string) *CreateGrantInput

SetKeyId sets the KeyId field's value.

func (*CreateGrantInput) SetName added in v1.5.0

func (s *CreateGrantInput) SetName(v string) *CreateGrantInput

SetName sets the Name field's value.

func (*CreateGrantInput) SetOperations added in v1.5.0

func (s *CreateGrantInput) SetOperations(v []*string) *CreateGrantInput

SetOperations sets the Operations field's value.

func (*CreateGrantInput) SetRetiringPrincipal added in v1.5.0

func (s *CreateGrantInput) SetRetiringPrincipal(v string) *CreateGrantInput

SetRetiringPrincipal sets the RetiringPrincipal field's value.

func (CreateGrantInput) String added in v0.6.5

func (s CreateGrantInput) String() string

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*CreateGrantInput) Validate added in v1.1.21

func (s *CreateGrantInput) Validate() error

Validate inspects the fields of the type to determine if they are valid.

type CreateGrantOutput

type CreateGrantOutput struct {

	// The unique identifier for the grant.
	//
	// You can use the GrantId in a ListGrants, RetireGrant, or RevokeGrant operation.
	GrantId *string `min:"1" type:"string"`

	// The grant token.
	//
	// Use a grant token when your permission to call this operation comes from
	// a new grant that has not yet achieved eventual consistency. For more information,
	// see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token)
	// and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token)
	// in the Key Management Service Developer Guide.
	GrantToken *string `min:"1" type:"string"`
	// contains filtered or unexported fields
}

func (CreateGrantOutput) GoString added in v0.6.5

func (s CreateGrantOutput) GoString() string

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*CreateGrantOutput) SetGrantId added in v1.5.0

func (s *CreateGrantOutput) SetGrantId(v string) *CreateGrantOutput

SetGrantId sets the GrantId field's value.

func (*CreateGrantOutput) SetGrantToken added in v1.5.0

func (s *CreateGrantOutput) SetGrantToken(v string) *CreateGrantOutput

SetGrantToken sets the GrantToken field's value.

func (CreateGrantOutput) String added in v0.6.5

func (s CreateGrantOutput) String() string

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

type CreateKeyInput

type CreateKeyInput struct {

	// A flag to indicate whether to bypass the key policy lockout safety check.
	//
	// Setting this value to true increases the risk that the KMS key becomes unmanageable.
	// Do not set this value to true indiscriminately.
	//
	// For more information, refer to the scenario in the Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam)
	// section in the Key Management Service Developer Guide .
	//
	// Use this parameter only when you include a policy in the request and you
	// intend to prevent the principal that is making the request from making a
	// subsequent PutKeyPolicy request on the KMS key.
	//
	// The default value is false.
	BypassPolicyLockoutSafetyCheck *bool `type:"boolean"`

	// Creates the KMS key in the specified custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
	// and the key material in its associated CloudHSM cluster. To create a KMS
	// key in a custom key store, you must also specify the Origin parameter with
	// a value of AWS_CLOUDHSM. The CloudHSM cluster that is associated with the
	// custom key store must have at least two active HSMs, each in a different
	// Availability Zone in the Region.
	//
	// This parameter is valid only for symmetric KMS keys and regional KMS keys.
	// You cannot create an asymmetric KMS key or a multi-Region key in a custom
	// key store.
	//
	// To find the ID of a custom key store, use the DescribeCustomKeyStores operation.
	//
	// The response includes the custom key store ID and the ID of the CloudHSM
	// cluster.
	//
	// This operation is part of the Custom Key Store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
	// feature in KMS, which combines the convenience and extensive integration
	// of KMS with the isolation and control of a single-tenant key store.
	CustomKeyStoreId *string `min:"1" type:"string"`

	// Instead, use the KeySpec parameter.
	//
	// The KeySpec and CustomerMasterKeySpec parameters work the same way. Only
	// the names differ. We recommend that you use KeySpec parameter in your code.
	// However, to avoid breaking changes, KMS will support both parameters.
	//
	// Deprecated: This parameter has been deprecated. Instead, use the KeySpec parameter.
	CustomerMasterKeySpec *string `deprecated:"true" type:"string" enum:"CustomerMasterKeySpec"`

	// A description of the KMS key.
	//
	// Use a description that helps you decide whether the KMS key is appropriate
	// for a task. The default value is an empty string (no description).
	//
	// To set or change the description after the key is created, use UpdateKeyDescription.
	Description *string `type:"string"`

	// Specifies the type of KMS key to create. The default value, SYMMETRIC_DEFAULT,
	// creates a KMS key with a 256-bit symmetric key for encryption and decryption.
	// For help choosing a key spec for your KMS key, see How to Choose Your KMS
	// key Configuration (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose.html)
	// in the Key Management Service Developer Guide .
	//
	// The KeySpec determines whether the KMS key contains a symmetric key or an
	// asymmetric key pair. It also determines the encryption algorithms or signing
	// algorithms that the KMS key supports. You can't change the KeySpec after
	// the KMS key is created. To further restrict the algorithms that can be used
	// with the KMS key, use a condition key in its key policy or IAM policy. For
	// more information, see kms:EncryptionAlgorithm (https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithm)
	// or kms:Signing Algorithm (https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithm)
	// in the Key Management Service Developer Guide .
	//
	// Amazon Web Services services that are integrated with KMS (http://aws.amazon.com/kms/features/#AWS_Service_Integration)
	// use symmetric KMS keys to protect your data. These services do not support
	// asymmetric KMS keys. For help determining whether a KMS key is symmetric
	// or asymmetric, see Identifying Symmetric and Asymmetric KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/find-symm-asymm.html)
	// in the Key Management Service Developer Guide.
	//
	// KMS supports the following key specs for KMS keys:
	//
	//    * Symmetric key (default) SYMMETRIC_DEFAULT (AES-256-GCM)
	//
	//    * Asymmetric RSA key pairs RSA_2048 RSA_3072 RSA_4096
	//
	//    * Asymmetric NIST-recommended elliptic curve key pairs ECC_NIST_P256 (secp256r1)
	//    ECC_NIST_P384 (secp384r1) ECC_NIST_P521 (secp521r1)
	//
	//    * Other asymmetric elliptic curve key pairs ECC_SECG_P256K1 (secp256k1),
	//    commonly used for cryptocurrencies.
	KeySpec *string `type:"string" enum:"KeySpec"`

	// Determines the cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations)
	// for which you can use the KMS key. The default value is ENCRYPT_DECRYPT.
	// This parameter is required only for asymmetric KMS keys. You can't change
	// the KeyUsage value after the KMS key is created.
	//
	// Select only one valid value.
	//
	//    * For symmetric KMS keys, omit the parameter or specify ENCRYPT_DECRYPT.
	//
	//    * For asymmetric KMS keys with RSA key material, specify ENCRYPT_DECRYPT
	//    or SIGN_VERIFY.
	//
	//    * For asymmetric KMS keys with ECC key material, specify SIGN_VERIFY.
	KeyUsage *string `type:"string" enum:"KeyUsageType"`

	// Creates a multi-Region primary key that you can replicate into other Amazon
	// Web Services Regions. You cannot change this value after you create the KMS
	// key.
	//
	// For a multi-Region key, set this parameter to True. For a single-Region KMS
	// key, omit this parameter or set it to False. The default value is False.
	//
	// This operation supports multi-Region keys, an KMS feature that lets you create
	// multiple interoperable KMS keys in different Amazon Web Services Regions.
	// Because these KMS keys have the same key ID, key material, and other metadata,
	// you can use them interchangeably to encrypt data in one Amazon Web Services
	// Region and decrypt it in a different Amazon Web Services Region without re-encrypting
	// the data or making a cross-Region call. For more information about multi-Region
	// keys, see Using multi-Region keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html)
	// in the Key Management Service Developer Guide.
	//
	// This value creates a primary key, not a replica. To create a replica key,
	// use the ReplicateKey operation.
	//
	// You can create a symmetric or asymmetric multi-Region key, and you can create
	// a multi-Region key with imported key material. However, you cannot create
	// a multi-Region key in a custom key store.
	MultiRegion *bool `type:"boolean"`

	// The source of the key material for the KMS key. You cannot change the origin
	// after you create the KMS key. The default is AWS_KMS, which means that KMS
	// creates the key material.
	//
	// To create a KMS key with no key material (for imported key material), set
	// the value to EXTERNAL. For more information about importing key material
	// into KMS, see Importing Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html)
	// in the Key Management Service Developer Guide. This value is valid only for
	// symmetric KMS keys.
	//
	// To create a KMS key in an KMS custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
	// and create its key material in the associated CloudHSM cluster, set this
	// value to AWS_CLOUDHSM. You must also use the CustomKeyStoreId parameter to
	// identify the custom key store. This value is valid only for symmetric KMS
	// keys.
	Origin *string `type:"string" enum:"OriginType"`

	// The key policy to attach to the KMS key.
	//
	// If you provide a key policy, it must meet the following criteria:
	//
	//    * If you don't set BypassPolicyLockoutSafetyCheck to true, the key policy
	//    must allow the principal that is making the CreateKey request to make
	//    a subsequent PutKeyPolicy request on the KMS key. This reduces the risk
	//    that the KMS key becomes unmanageable. For more information, refer to
	//    the scenario in the Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam)
	//    section of the Key Management Service Developer Guide .
	//
	//    * Each statement in the key policy must contain one or more principals.
	//    The principals in the key policy must exist and be visible to KMS. When
	//    you create a new Amazon Web Services principal (for example, an IAM user
	//    or role), you might need to enforce a delay before including the new principal
	//    in a key policy because the new principal might not be immediately visible
	//    to KMS. For more information, see Changes that I make are not always immediately
	//    visible (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency)
	//    in the Amazon Web Services Identity and Access Management User Guide.
	//
	// If you do not provide a key policy, KMS attaches a default key policy to
	// the KMS key. For more information, see Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default)
	// in the Key Management Service Developer Guide.
	//
	// The key policy size quota is 32 kilobytes (32768 bytes).
	//
	// For help writing and formatting a JSON policy document, see the IAM JSON
	// Policy Reference (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html)
	// in the Identity and Access Management User Guide .
	Policy *string `min:"1" type:"string"`

	// Assigns one or more tags to the KMS key. Use this parameter to tag the KMS
	// key when it is created. To tag an existing KMS key, use the TagResource operation.
	//
	// Tagging or untagging a KMS key can allow or deny permission to the KMS key.
	// For details, see Using ABAC in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html)
	// in the Key Management Service Developer Guide.
	//
	// To use this parameter, you must have kms:TagResource (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
	// permission in an IAM policy.
	//
	// Each tag consists of a tag key and a tag value. Both the tag key and the
	// tag value are required, but the tag value can be an empty (null) string.
	// You cannot have more than one tag on a KMS key with the same tag key. If
	// you specify an existing tag key with a different tag value, KMS replaces
	// the current tag value with the specified one.
	//
	// When you add tags to an Amazon Web Services resource, Amazon Web Services
	// generates a cost allocation report with usage and costs aggregated by tags.
	// Tags can also be used to control access to a KMS key. For details, see Tagging
	// Keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html).
	Tags []*Tag `type:"list"`
	// contains filtered or unexported fields
}

func (CreateKeyInput) GoString added in v0.6.5

func (s CreateKeyInput) GoString() string

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*CreateKeyInput) SetBypassPolicyLockoutSafetyCheck added in v1.5.0

func (s *CreateKeyInput) SetBypassPolicyLockoutSafetyCheck(v bool) *CreateKeyInput

SetBypassPolicyLockoutSafetyCheck sets the BypassPolicyLockoutSafetyCheck field's value.

func (*CreateKeyInput) SetCustomKeyStoreId added in v1.15.83

func (s *CreateKeyInput) SetCustomKeyStoreId(v string) *CreateKeyInput

SetCustomKeyStoreId sets the CustomKeyStoreId field's value.

func (*CreateKeyInput) SetCustomerMasterKeySpec added in v1.25.42

func (s *CreateKeyInput) SetCustomerMasterKeySpec(v string) *CreateKeyInput

SetCustomerMasterKeySpec sets the CustomerMasterKeySpec field's value.

func (*CreateKeyInput) SetDescription added in v1.5.0

func (s *CreateKeyInput) SetDescription(v string) *CreateKeyInput

SetDescription sets the Description field's value.

func (*CreateKeyInput) SetKeySpec added in v1.40.33

func (s *CreateKeyInput) SetKeySpec(v string) *CreateKeyInput

SetKeySpec sets the KeySpec field's value.

func (*CreateKeyInput) SetKeyUsage added in v1.5.0

func (s *CreateKeyInput) SetKeyUsage(v string) *CreateKeyInput

SetKeyUsage sets the KeyUsage field's value.

func (*CreateKeyInput) SetMultiRegion added in v1.38.63

func (s *CreateKeyInput) SetMultiRegion(v bool) *CreateKeyInput

SetMultiRegion sets the MultiRegion field's value.

func (*CreateKeyInput) SetOrigin added in v1.5.0

func (s *CreateKeyInput) SetOrigin(v string) *CreateKeyInput

SetOrigin sets the Origin field's value.

func (*CreateKeyInput) SetPolicy added in v1.5.0

func (s *CreateKeyInput) SetPolicy(v string) *CreateKeyInput

SetPolicy sets the Policy field's value.

func (*CreateKeyInput) SetTags added in v1.6.23

func (s *CreateKeyInput) SetTags(v []*Tag) *CreateKeyInput

SetTags sets the Tags field's value.

func (CreateKeyInput) String added in v0.6.5

func (s CreateKeyInput) String() string

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*CreateKeyInput) Validate added in v1.1.21

func (s *CreateKeyInput) Validate() error

Validate inspects the fields of the type to determine if they are valid.

type CreateKeyOutput

type CreateKeyOutput struct {

	// Metadata associated with the KMS key.
	KeyMetadata *KeyMetadata `type:"structure"`
	// contains filtered or unexported fields
}

func (CreateKeyOutput) GoString added in v0.6.5

func (s CreateKeyOutput) GoString() string

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*CreateKeyOutput) SetKeyMetadata added in v1.5.0

func (s *CreateKeyOutput) SetKeyMetadata(v *KeyMetadata) *CreateKeyOutput

SetKeyMetadata sets the KeyMetadata field's value.

func (CreateKeyOutput) String added in v0.6.5

func (s CreateKeyOutput) String() string

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

type CustomKeyStoreHasCMKsException added in v1.28.0

type CustomKeyStoreHasCMKsException struct {
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
	// contains filtered or unexported fields
}

The request was rejected because the custom key store contains KMS keys. After verifying that you do not need to use the KMS keys, use the ScheduleKeyDeletion operation to delete the KMS keys. After they are deleted, you can delete the custom key store.

func (*CustomKeyStoreHasCMKsException) Code added in v1.28.0

Code returns the exception type name.

func (*CustomKeyStoreHasCMKsException) Error added in v1.28.0

func (CustomKeyStoreHasCMKsException) GoString added in v1.28.0

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*CustomKeyStoreHasCMKsException) Message added in v1.28.0

Message returns the exception's message.

func (*CustomKeyStoreHasCMKsException) OrigErr added in v1.28.0

OrigErr always returns nil, satisfies awserr.Error interface.

func (*CustomKeyStoreHasCMKsException) RequestID added in v1.28.0

func (s *CustomKeyStoreHasCMKsException) RequestID() string

RequestID returns the service's response RequestID for request.

func (*CustomKeyStoreHasCMKsException) StatusCode added in v1.28.0

func (s *CustomKeyStoreHasCMKsException) StatusCode() int

Status code returns the HTTP status code for the request's response error.

func (CustomKeyStoreHasCMKsException) String added in v1.28.0

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

type CustomKeyStoreInvalidStateException added in v1.28.0

type CustomKeyStoreInvalidStateException struct {
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
	// contains filtered or unexported fields
}

The request was rejected because of the ConnectionState of the custom key store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores operation.

This exception is thrown under the following conditions:

* You requested the CreateKey or GenerateRandom operation in a custom
key store that is not connected. These operations are valid only when
the custom key store ConnectionState is CONNECTED.

* You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation
on a custom key store that is not disconnected. This operation is valid
only when the custom key store ConnectionState is DISCONNECTED.

* You requested the ConnectCustomKeyStore operation on a custom key store
with a ConnectionState of DISCONNECTING or FAILED. This operation is valid
for all other ConnectionState values.

func (*CustomKeyStoreInvalidStateException) Code added in v1.28.0

Code returns the exception type name.

func (*CustomKeyStoreInvalidStateException) Error added in v1.28.0

func (CustomKeyStoreInvalidStateException) GoString added in v1.28.0

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*CustomKeyStoreInvalidStateException) Message added in v1.28.0

Message returns the exception's message.

func (*CustomKeyStoreInvalidStateException) OrigErr added in v1.28.0

OrigErr always returns nil, satisfies awserr.Error interface.

func (*CustomKeyStoreInvalidStateException) RequestID added in v1.28.0

RequestID returns the service's response RequestID for request.

func (*CustomKeyStoreInvalidStateException) StatusCode added in v1.28.0

func (s *CustomKeyStoreInvalidStateException) StatusCode() int

Status code returns the HTTP status code for the request's response error.

func (CustomKeyStoreInvalidStateException) String added in v1.28.0

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

type CustomKeyStoreNameInUseException added in v1.28.0

type CustomKeyStoreNameInUseException struct {
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
	// contains filtered or unexported fields
}

The request was rejected because the specified custom key store name is already assigned to another custom key store in the account. Try again with a custom key store name that is unique in the account.

func (*CustomKeyStoreNameInUseException) Code added in v1.28.0

Code returns the exception type name.

func (*CustomKeyStoreNameInUseException) Error added in v1.28.0

func (CustomKeyStoreNameInUseException) GoString added in v1.28.0

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*CustomKeyStoreNameInUseException) Message added in v1.28.0

Message returns the exception's message.

func (*CustomKeyStoreNameInUseException) OrigErr added in v1.28.0

OrigErr always returns nil, satisfies awserr.Error interface.

func (*CustomKeyStoreNameInUseException) RequestID added in v1.28.0

RequestID returns the service's response RequestID for request.

func (*CustomKeyStoreNameInUseException) StatusCode added in v1.28.0

func (s *CustomKeyStoreNameInUseException) StatusCode() int

Status code returns the HTTP status code for the request's response error.

func (CustomKeyStoreNameInUseException) String added in v1.28.0

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

type CustomKeyStoreNotFoundException added in v1.28.0

type CustomKeyStoreNotFoundException struct {
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
	// contains filtered or unexported fields
}

The request was rejected because KMS cannot find a custom key store with the specified key store name or ID.

func (*CustomKeyStoreNotFoundException) Code added in v1.28.0

Code returns the exception type name.

func (*CustomKeyStoreNotFoundException) Error added in v1.28.0

func (CustomKeyStoreNotFoundException) GoString added in v1.28.0

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*CustomKeyStoreNotFoundException) Message added in v1.28.0

Message returns the exception's message.

func (*CustomKeyStoreNotFoundException) OrigErr added in v1.28.0

OrigErr always returns nil, satisfies awserr.Error interface.

func (*CustomKeyStoreNotFoundException) RequestID added in v1.28.0

func (s *CustomKeyStoreNotFoundException) RequestID() string

RequestID returns the service's response RequestID for request.

func (*CustomKeyStoreNotFoundException) StatusCode added in v1.28.0

func (s *CustomKeyStoreNotFoundException) StatusCode() int

Status code returns the HTTP status code for the request's response error.

func (CustomKeyStoreNotFoundException) String added in v1.28.0

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

type CustomKeyStoresListEntry added in v1.15.83

type CustomKeyStoresListEntry struct {

	// A unique identifier for the CloudHSM cluster that is associated with the
	// custom key store.
	CloudHsmClusterId *string `min:"19" type:"string"`

	// Describes the connection error. This field appears in the response only when
	// the ConnectionState is FAILED. For help resolving these errors, see How to
	// Fix a Connection Failure (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failed)
	// in Key Management Service Developer Guide.
	//
	// Valid values are:
	//
	//    * CLUSTER_NOT_FOUND - KMS cannot find the CloudHSM cluster with the specified
	//    cluster ID.
	//
	//    * INSUFFICIENT_CLOUDHSM_HSMS - The associated CloudHSM cluster does not
	//    contain any active HSMs. To connect a custom key store to its CloudHSM
	//    cluster, the cluster must contain at least one active HSM.
	//
	//    * INTERNAL_ERROR - KMS could not complete the request due to an internal
	//    error. Retry the request. For ConnectCustomKeyStore requests, disconnect
	//    the custom key store before trying to connect again.
	//
	//    * INVALID_CREDENTIALS - KMS does not have the correct password for the
	//    kmsuser crypto user in the CloudHSM cluster. Before you can connect your
	//    custom key store to its CloudHSM cluster, you must change the kmsuser
	//    account password and update the key store password value for the custom
	//    key store.
	//
	//    * NETWORK_ERRORS - Network errors are preventing KMS from connecting to
	//    the custom key store.
	//
	//    * SUBNET_NOT_FOUND - A subnet in the CloudHSM cluster configuration was
	//    deleted. If KMS cannot find all of the subnets in the cluster configuration,
	//    attempts to connect the custom key store to the CloudHSM cluster fail.
	//    To fix this error, create a cluster from a recent backup and associate
	//    it with your custom key store. (This process creates a new cluster configuration
	//    with a VPC and private subnets.) For details, see How to Fix a Connection
	//    Failure (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failed)
	//    in the Key Management Service Developer Guide.
	//
	//    * USER_LOCKED_OUT - The kmsuser CU account is locked out of the associated
	//    CloudHSM cluster due to too many failed password attempts. Before you
	//    can connect your custom key store to its CloudHSM cluster, you must change
	//    the kmsuser account password and update the key store password value for
	//    the custom key store.
	//
	//    * USER_LOGGED_IN - The kmsuser CU account is logged into the the associated
	//    CloudHSM cluster. This prevents KMS from rotating the kmsuser account
	//    password and logging into the cluster. Before you can connect your custom
	//    key store to its CloudHSM cluster, you must log the kmsuser CU out of
	//    the cluster. If you changed the kmsuser password to log into the cluster,
	//    you must also and update the key store password value for the custom key
	//    store. For help, see How to Log Out and Reconnect (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#login-kmsuser-2)
	//    in the Key Management Service Developer Guide.
	//
	//    * USER_NOT_FOUND - KMS cannot find a kmsuser CU account in the associated
	//    CloudHSM cluster. Before you can connect your custom key store to its
	//    CloudHSM cluster, you must create a kmsuser CU account in the cluster,
	//    and then update the key store password value for the custom key store.
	ConnectionErrorCode *string `type:"string" enum:"ConnectionErrorCodeType"`

	// Indicates whether the custom key store is connected to its CloudHSM cluster.
	//
	// You can create and use KMS keys in your custom key stores only when its connection
	// state is CONNECTED.
	//
	// The value is DISCONNECTED if the key store has never been connected or you
	// use the DisconnectCustomKeyStore operation to disconnect it. If the value
	// is CONNECTED but you are having trouble using the custom key store, make
	// sure that its associated CloudHSM cluster is active and contains at least
	// one active HSM.
	//
	// A value of FAILED indicates that an attempt to connect was unsuccessful.
	// The ConnectionErrorCode field in the response indicates the cause of the
	// failure. For help resolving a connection failure, see Troubleshooting a Custom
	// Key Store (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html)
	// in the Key Management Service Developer Guide.
	ConnectionState *string `type:"string" enum:"ConnectionStateType"`

	// The date and time when the custom key store was created.
	CreationDate *time.Time `type:"timestamp"`

	// A unique identifier for the custom key store.
	CustomKeyStoreId *string `min:"1" type:"string"`

	// The user-specified friendly name for the custom key store.
	CustomKeyStoreName *string `min:"1" type:"string"`

	// The trust anchor certificate of the associated CloudHSM cluster. When you
	// initialize the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr),
	// you create this certificate and save it in the customerCA.crt file.
	TrustAnchorCertificate *string `min:"1" type:"string"`
	// contains filtered or unexported fields
}

Contains information about each custom key store in the custom key store list.

func (CustomKeyStoresListEntry) GoString added in v1.15.83

func (s CustomKeyStoresListEntry) GoString() string

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*CustomKeyStoresListEntry) SetCloudHsmClusterId added in v1.15.83

func (s *CustomKeyStoresListEntry) SetCloudHsmClusterId(v string) *CustomKeyStoresListEntry

SetCloudHsmClusterId sets the CloudHsmClusterId field's value.

func (*CustomKeyStoresListEntry) SetConnectionErrorCode added in v1.15.83

func (s *CustomKeyStoresListEntry) SetConnectionErrorCode(v string) *CustomKeyStoresListEntry

SetConnectionErrorCode sets the ConnectionErrorCode field's value.

func (*CustomKeyStoresListEntry) SetConnectionState added in v1.15.83

func (s *CustomKeyStoresListEntry) SetConnectionState(v string) *CustomKeyStoresListEntry

SetConnectionState sets the ConnectionState field's value.

func (*CustomKeyStoresListEntry) SetCreationDate added in v1.15.83

SetCreationDate sets the CreationDate field's value.

func (*CustomKeyStoresListEntry) SetCustomKeyStoreId added in v1.15.83

func (s *CustomKeyStoresListEntry) SetCustomKeyStoreId(v string) *CustomKeyStoresListEntry

SetCustomKeyStoreId sets the CustomKeyStoreId field's value.

func (*CustomKeyStoresListEntry) SetCustomKeyStoreName added in v1.15.83

func (s *CustomKeyStoresListEntry) SetCustomKeyStoreName(v string) *CustomKeyStoresListEntry

SetCustomKeyStoreName sets the CustomKeyStoreName field's value.

func (*CustomKeyStoresListEntry) SetTrustAnchorCertificate added in v1.15.83

func (s *CustomKeyStoresListEntry) SetTrustAnchorCertificate(v string) *CustomKeyStoresListEntry

SetTrustAnchorCertificate sets the TrustAnchorCertificate field's value.

func (CustomKeyStoresListEntry) String added in v1.15.83

func (s CustomKeyStoresListEntry) String() string

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

type DecryptInput

type DecryptInput struct {

	// Ciphertext to be decrypted. The blob includes metadata.
	// CiphertextBlob is automatically base64 encoded/decoded by the SDK.
	//
	// CiphertextBlob is a required field
	CiphertextBlob []byte `min:"1" type:"blob" required:"true"`

	// Specifies the encryption algorithm that will be used to decrypt the ciphertext.
	// Specify the same algorithm that was used to encrypt the data. If you specify
	// a different algorithm, the Decrypt operation fails.
	//
	// This parameter is required only when the ciphertext was encrypted under an
	// asymmetric KMS key. The default value, SYMMETRIC_DEFAULT, represents the
	// only supported algorithm that is valid for symmetric KMS keys.
	EncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"`

	// Specifies the encryption context to use when decrypting the data. An encryption
	// context is valid only for cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations)
	// with a symmetric KMS key. The standard asymmetric encryption algorithms that
	// KMS uses do not support an encryption context.
	//
	// An encryption context is a collection of non-secret key-value pairs that
	// represents additional authenticated data. When you use an encryption context
	// to encrypt data, you must specify the same (an exact case-sensitive match)
	// encryption context to decrypt the data. An encryption context is optional
	// when encrypting with a symmetric KMS key, but it is highly recommended.
	//
	// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context)
	// in the Key Management Service Developer Guide.
	EncryptionContext map[string]*string `type:"map"`

	// A list of grant tokens.
	//
	// Use a grant token when your permission to call this operation comes from
	// a new grant that has not yet achieved eventual consistency. For more information,
	// see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token)
	// and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token)
	// in the Key Management Service Developer Guide.
	GrantTokens []*string `type:"list"`

	// Specifies the KMS key that KMS uses to decrypt the ciphertext. Enter a key
	// ID of the KMS key that was used to encrypt the ciphertext.
	//
	// This parameter is required only when the ciphertext was encrypted under an
	// asymmetric KMS key. If you used a symmetric KMS key, KMS can get the KMS
	// key from metadata that it adds to the symmetric ciphertext blob. However,
	// it is always recommended as a best practice. This practice ensures that you
	// use the KMS key that you intend.
	//
	// To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
	// When using an alias name, prefix it with "alias/". To specify a KMS key in
	// a different Amazon Web Services account, you must use the key ARN or alias
	// ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Alias name: alias/ExampleAlias
	//
	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.
	// To get the alias name and alias ARN, use ListAliases.
	KeyId *string `min:"1" type:"string"`
	// contains filtered or unexported fields
}

func (DecryptInput) GoString added in v0.6.5

func (s DecryptInput) GoString() string

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*DecryptInput) SetCiphertextBlob added in v1.5.0

func (s *DecryptInput) SetCiphertextBlob(v []byte) *DecryptInput

SetCiphertextBlob sets the CiphertextBlob field's value.

func (*DecryptInput) SetEncryptionAlgorithm added in v1.25.42

func (s *DecryptInput) SetEncryptionAlgorithm(v string) *DecryptInput

SetEncryptionAlgorithm sets the EncryptionAlgorithm field's value.

func (*DecryptInput) SetEncryptionContext added in v1.5.0

func (s *DecryptInput) SetEncryptionContext(v map[string]*string) *DecryptInput

SetEncryptionContext sets the EncryptionContext field's value.

func (*DecryptInput) SetGrantTokens added in v1.5.0

func (s *DecryptInput) SetGrantTokens(v []*string) *DecryptInput

SetGrantTokens sets the GrantTokens field's value.

func (*DecryptInput) SetKeyId added in v1.25.42

func (s *DecryptInput) SetKeyId(v string) *DecryptInput

SetKeyId sets the KeyId field's value.

func (DecryptInput) String added in v0.6.5

func (s DecryptInput) String() string

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*DecryptInput) Validate added in v1.1.21

func (s *DecryptInput) Validate() error

Validate inspects the fields of the type to determine if they are valid.

type DecryptOutput

type DecryptOutput struct {

	// The encryption algorithm that was used to decrypt the ciphertext.
	EncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"`

	// The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN))
	// of the KMS key that was used to decrypt the ciphertext.
	KeyId *string `min:"1" type:"string"`

	// Decrypted plaintext data. When you use the HTTP API or the Amazon Web Services
	// CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded.
	//
	// Plaintext is a sensitive parameter and its value will be
	// replaced with "sensitive" in string returned by DecryptOutput's
	// String and GoString methods.
	//
	// Plaintext is automatically base64 encoded/decoded by the SDK.
	Plaintext []byte `min:"1" type:"blob" sensitive:"true"`
	// contains filtered or unexported fields
}

func (DecryptOutput) GoString added in v0.6.5

func (s DecryptOutput) GoString() string

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*DecryptOutput) SetEncryptionAlgorithm added in v1.25.42

func (s *DecryptOutput) SetEncryptionAlgorithm(v string) *DecryptOutput

SetEncryptionAlgorithm sets the EncryptionAlgorithm field's value.

func (*DecryptOutput) SetKeyId added in v1.5.0

func (s *DecryptOutput) SetKeyId(v string) *DecryptOutput

SetKeyId sets the KeyId field's value.

func (*DecryptOutput) SetPlaintext added in v1.5.0

func (s *DecryptOutput) SetPlaintext(v []byte) *DecryptOutput

SetPlaintext sets the Plaintext field's value.

func (DecryptOutput) String added in v0.6.5

func (s DecryptOutput) String() string

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

type DeleteAliasInput

type DeleteAliasInput struct {

	// The alias to be deleted. The alias name must begin with alias/ followed by
	// the alias name, such as alias/ExampleAlias.
	//
	// AliasName is a required field
	AliasName *string `min:"1" type:"string" required:"true"`
	// contains filtered or unexported fields
}

func (DeleteAliasInput) GoString added in v0.6.5

func (s DeleteAliasInput) GoString() string

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*DeleteAliasInput) SetAliasName added in v1.5.0

func (s *DeleteAliasInput) SetAliasName(v string) *DeleteAliasInput

SetAliasName sets the AliasName field's value.

func (DeleteAliasInput) String added in v0.6.5

func (s DeleteAliasInput) String() string

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*DeleteAliasInput) Validate added in v1.1.21

func (s *DeleteAliasInput) Validate() error

Validate inspects the fields of the type to determine if they are valid.

type DeleteAliasOutput

type DeleteAliasOutput struct {
	// contains filtered or unexported fields
}

func (DeleteAliasOutput) GoString added in v0.6.5

func (s DeleteAliasOutput) GoString() string

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (DeleteAliasOutput) String added in v0.6.5

func (s DeleteAliasOutput) String() string

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

type DeleteCustomKeyStoreInput added in v1.15.83

type DeleteCustomKeyStoreInput struct {

	// Enter the ID of the custom key store you want to delete. To find the ID of
	// a custom key store, use the DescribeCustomKeyStores operation.
	//
	// CustomKeyStoreId is a required field
	CustomKeyStoreId *string `min:"1" type:"string" required:"true"`
	// contains filtered or unexported fields
}

func (DeleteCustomKeyStoreInput) GoString added in v1.15.83

func (s DeleteCustomKeyStoreInput) GoString() string

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*DeleteCustomKeyStoreInput) SetCustomKeyStoreId added in v1.15.83

func (s *DeleteCustomKeyStoreInput) SetCustomKeyStoreId(v string) *DeleteCustomKeyStoreInput

SetCustomKeyStoreId sets the CustomKeyStoreId field's value.

func (DeleteCustomKeyStoreInput) String added in v1.15.83

func (s DeleteCustomKeyStoreInput) String() string

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*DeleteCustomKeyStoreInput) Validate added in v1.15.83

func (s *DeleteCustomKeyStoreInput) Validate() error

Validate inspects the fields of the type to determine if they are valid.

type DeleteCustomKeyStoreOutput added in v1.15.83

type DeleteCustomKeyStoreOutput struct {
	// contains filtered or unexported fields
}

func (DeleteCustomKeyStoreOutput) GoString added in v1.15.83

func (s DeleteCustomKeyStoreOutput) GoString() string

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (DeleteCustomKeyStoreOutput) String added in v1.15.83

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

type DeleteImportedKeyMaterialInput added in v1.4.1

type DeleteImportedKeyMaterialInput struct {

	// Identifies the KMS key from which you are deleting imported key material.
	// The Origin of the KMS key must be EXTERNAL.
	//
	// Specify the key ID or key ARN of the KMS key.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`
	// contains filtered or unexported fields
}

func (DeleteImportedKeyMaterialInput) GoString added in v1.4.1

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*DeleteImportedKeyMaterialInput) SetKeyId added in v1.5.0

SetKeyId sets the KeyId field's value.

func (DeleteImportedKeyMaterialInput) String added in v1.4.1

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*DeleteImportedKeyMaterialInput) Validate added in v1.4.1

func (s *DeleteImportedKeyMaterialInput) Validate() error

Validate inspects the fields of the type to determine if they are valid.

type DeleteImportedKeyMaterialOutput added in v1.4.1

type DeleteImportedKeyMaterialOutput struct {
	// contains filtered or unexported fields
}

func (DeleteImportedKeyMaterialOutput) GoString added in v1.4.1

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (DeleteImportedKeyMaterialOutput) String added in v1.4.1

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

type DependencyTimeoutException added in v1.28.0

type DependencyTimeoutException struct {
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
	// contains filtered or unexported fields
}

The system timed out while trying to fulfill the request. The request can be retried.

func (*DependencyTimeoutException) Code added in v1.28.0

Code returns the exception type name.

func (*DependencyTimeoutException) Error added in v1.28.0

func (DependencyTimeoutException) GoString added in v1.28.0

func (s DependencyTimeoutException) GoString() string

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*DependencyTimeoutException) Message added in v1.28.0

func (s *DependencyTimeoutException) Message() string

Message returns the exception's message.

func (*DependencyTimeoutException) OrigErr added in v1.28.0

func (s *DependencyTimeoutException) OrigErr() error

OrigErr always returns nil, satisfies awserr.Error interface.

func (*DependencyTimeoutException) RequestID added in v1.28.0

func (s *DependencyTimeoutException) RequestID() string

RequestID returns the service's response RequestID for request.

func (*DependencyTimeoutException) StatusCode added in v1.28.0

func (s *DependencyTimeoutException) StatusCode() int

Status code returns the HTTP status code for the request's response error.

func (DependencyTimeoutException) String added in v1.28.0

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

type DescribeCustomKeyStoresInput added in v1.15.83

type DescribeCustomKeyStoresInput struct {

	// Gets only information about the specified custom key store. Enter the key
	// store ID.
	//
	// By default, this operation gets information about all custom key stores in
	// the account and Region. To limit the output to a particular custom key store,
	// you can use either the CustomKeyStoreId or CustomKeyStoreName parameter,
	// but not both.
	CustomKeyStoreId *string `min:"1" type:"string"`

	// Gets only information about the specified custom key store. Enter the friendly
	// name of the custom key store.
	//
	// By default, this operation gets information about all custom key stores in
	// the account and Region. To limit the output to a particular custom key store,
	// you can use either the CustomKeyStoreId or CustomKeyStoreName parameter,
	// but not both.
	CustomKeyStoreName *string `min:"1" type:"string"`

	// Use this parameter to specify the maximum number of items to return. When
	// this value is present, KMS does not return more than the specified number
	// of items, but it might return fewer.
	Limit *int64 `min:"1" type:"integer"`

	// Use this parameter in a subsequent request after you receive a response with
	// truncated results. Set it to the value of NextMarker from the truncated response
	// you just received.
	Marker *string `min:"1" type:"string"`
	// contains filtered or unexported fields
}

func (DescribeCustomKeyStoresInput) GoString added in v1.15.83

func (s DescribeCustomKeyStoresInput) GoString() string

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*DescribeCustomKeyStoresInput) SetCustomKeyStoreId added in v1.15.83

SetCustomKeyStoreId sets the CustomKeyStoreId field's value.

func (*DescribeCustomKeyStoresInput) SetCustomKeyStoreName added in v1.15.83

SetCustomKeyStoreName sets the CustomKeyStoreName field's value.

func (*DescribeCustomKeyStoresInput) SetLimit added in v1.15.83

SetLimit sets the Limit field's value.

func (*DescribeCustomKeyStoresInput) SetMarker added in v1.15.83

SetMarker sets the Marker field's value.

func (DescribeCustomKeyStoresInput) String added in v1.15.83

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*DescribeCustomKeyStoresInput) Validate added in v1.15.83

func (s *DescribeCustomKeyStoresInput) Validate() error

Validate inspects the fields of the type to determine if they are valid.

type DescribeCustomKeyStoresOutput added in v1.15.83

type DescribeCustomKeyStoresOutput struct {

	// Contains metadata about each custom key store.
	CustomKeyStores []*CustomKeyStoresListEntry `type:"list"`

	// When Truncated is true, this element is present and contains the value to
	// use for the Marker parameter in a subsequent request.
	NextMarker *string `min:"1" type:"string"`

	// A flag that indicates whether there are more items in the list. When this
	// value is true, the list in this response is truncated. To get more items,
	// pass the value of the NextMarker element in thisresponse to the Marker parameter
	// in a subsequent request.
	Truncated *bool `type:"boolean"`
	// contains filtered or unexported fields
}

func (DescribeCustomKeyStoresOutput) GoString added in v1.15.83

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*DescribeCustomKeyStoresOutput) SetCustomKeyStores added in v1.15.83

SetCustomKeyStores sets the CustomKeyStores field's value.

func (*DescribeCustomKeyStoresOutput) SetNextMarker added in v1.15.83

SetNextMarker sets the NextMarker field's value.

func (*DescribeCustomKeyStoresOutput) SetTruncated added in v1.15.83

SetTruncated sets the Truncated field's value.

func (DescribeCustomKeyStoresOutput) String added in v1.15.83

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

type DescribeKeyInput

type DescribeKeyInput struct {

	// A list of grant tokens.
	//
	// Use a grant token when your permission to call this operation comes from
	// a new grant that has not yet achieved eventual consistency. For more information,
	// see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token)
	// and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token)
	// in the Key Management Service Developer Guide.
	GrantTokens []*string `type:"list"`

	// Describes the specified KMS key.
	//
	// If you specify a predefined Amazon Web Services alias (an Amazon Web Services
	// alias with no key ID), KMS associates the alias with an Amazon Web Services
	// managed key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html##aws-managed-cmk)
	// and returns its KeyId and Arn in the response.
	//
	// To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
	// When using an alias name, prefix it with "alias/". To specify a KMS key in
	// a different Amazon Web Services account, you must use the key ARN or alias
	// ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Alias name: alias/ExampleAlias
	//
	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.
	// To get the alias name and alias ARN, use ListAliases.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`
	// contains filtered or unexported fields
}

func (DescribeKeyInput) GoString added in v0.6.5

func (s DescribeKeyInput) GoString() string

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*DescribeKeyInput) SetGrantTokens added in v1.5.0

func (s *DescribeKeyInput) SetGrantTokens(v []*string) *DescribeKeyInput

SetGrantTokens sets the GrantTokens field's value.

func (*DescribeKeyInput) SetKeyId added in v1.5.0

func (s *DescribeKeyInput) SetKeyId(v string) *DescribeKeyInput

SetKeyId sets the KeyId field's value.

func (DescribeKeyInput) String added in v0.6.5

func (s DescribeKeyInput) String() string

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*DescribeKeyInput) Validate added in v1.1.21

func (s *DescribeKeyInput) Validate() error

Validate inspects the fields of the type to determine if they are valid.

type DescribeKeyOutput

type DescribeKeyOutput struct {

	// Metadata associated with the key.
	KeyMetadata *KeyMetadata `type:"structure"`
	// contains filtered or unexported fields
}

func (DescribeKeyOutput) GoString added in v0.6.5

func (s DescribeKeyOutput) GoString() string

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*DescribeKeyOutput) SetKeyMetadata added in v1.5.0

func (s *DescribeKeyOutput) SetKeyMetadata(v *KeyMetadata) *DescribeKeyOutput

SetKeyMetadata sets the KeyMetadata field's value.

func (DescribeKeyOutput) String added in v0.6.5

func (s DescribeKeyOutput) String() string

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

type DisableKeyInput

type DisableKeyInput struct {

	// Identifies the KMS key to disable.
	//
	// Specify the key ID or key ARN of the KMS key.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`
	// contains filtered or unexported fields
}

func (DisableKeyInput) GoString added in v0.6.5

func (s DisableKeyInput) GoString() string

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*DisableKeyInput) SetKeyId added in v1.5.0

func (s *DisableKeyInput) SetKeyId(v string) *DisableKeyInput

SetKeyId sets the KeyId field's value.

func (DisableKeyInput) String added in v0.6.5

func (s DisableKeyInput) String() string

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*DisableKeyInput) Validate added in v1.1.21

func (s *DisableKeyInput) Validate() error

Validate inspects the fields of the type to determine if they are valid.

type DisableKeyOutput

type DisableKeyOutput struct {
	// contains filtered or unexported fields
}

func (DisableKeyOutput) GoString added in v0.6.5

func (s DisableKeyOutput) GoString() string

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (DisableKeyOutput) String added in v0.6.5

func (s DisableKeyOutput) String() string

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

type DisableKeyRotationInput

type DisableKeyRotationInput struct {

	// Identifies a symmetric KMS key. You cannot enable or disable automatic rotation
	// of asymmetric KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#asymmetric-cmks),
	// KMS keys with imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html),
	// or KMS keys in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html).
	//
	// Specify the key ID or key ARN of the KMS key.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`
	// contains filtered or unexported fields
}

func (DisableKeyRotationInput) GoString added in v0.6.5

func (s DisableKeyRotationInput) GoString() string

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*DisableKeyRotationInput) SetKeyId added in v1.5.0

SetKeyId sets the KeyId field's value.

func (DisableKeyRotationInput) String added in v0.6.5

func (s DisableKeyRotationInput) String() string

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*DisableKeyRotationInput) Validate added in v1.1.21

func (s *DisableKeyRotationInput) Validate() error

Validate inspects the fields of the type to determine if they are valid.

type DisableKeyRotationOutput

type DisableKeyRotationOutput struct {
	// contains filtered or unexported fields
}

func (DisableKeyRotationOutput) GoString added in v0.6.5

func (s DisableKeyRotationOutput) GoString() string

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (DisableKeyRotationOutput) String added in v0.6.5

func (s DisableKeyRotationOutput) String() string

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

type DisabledException added in v1.28.0

type DisabledException struct {
	RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"`

	Message_ *string `locationName:"message" type:"string"`
	// contains filtered or unexported fields
}

The request was rejected because the specified KMS key is not enabled.

func (*DisabledException) Code added in v1.28.0

func (s *DisabledException) Code() string

Code returns the exception type name.

func (*DisabledException) Error added in v1.28.0

func (s *DisabledException) Error() string

func (DisabledException) GoString added in v1.28.0

func (s DisabledException) GoString() string

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*DisabledException) Message added in v1.28.0

func (s *DisabledException) Message() string

Message returns the exception's message.

func (*DisabledException) OrigErr added in v1.28.0

func (s *DisabledException) OrigErr() error

OrigErr always returns nil, satisfies awserr.Error interface.

func (*DisabledException) RequestID added in v1.28.0

func (s *DisabledException) RequestID() string

RequestID returns the service's response RequestID for request.

func (*DisabledException) StatusCode added in v1.28.0

func (s *DisabledException) StatusCode() int

Status code returns the HTTP status code for the request's response error.

func (DisabledException) String added in v1.28.0

func (s DisabledException) String() string

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

type DisconnectCustomKeyStoreInput added in v1.15.83

type DisconnectCustomKeyStoreInput struct {

	// Enter the ID of the custom key store you want to disconnect. To find the
	// ID of a custom key store, use the DescribeCustomKeyStores operation.
	//
	// CustomKeyStoreId is a required field
	CustomKeyStoreId *string `min:"1" type:"string" required:"true"`
	// contains filtered or unexported fields
}

func (DisconnectCustomKeyStoreInput) GoString added in v1.15.83

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*DisconnectCustomKeyStoreInput) SetCustomKeyStoreId added in v1.15.83

SetCustomKeyStoreId sets the CustomKeyStoreId field's value.

func (DisconnectCustomKeyStoreInput) String added in v1.15.83

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*DisconnectCustomKeyStoreInput) Validate added in v1.15.83

func (s *DisconnectCustomKeyStoreInput) Validate() error

Validate inspects the fields of the type to determine if they are valid.

type DisconnectCustomKeyStoreOutput added in v1.15.83

type DisconnectCustomKeyStoreOutput struct {
	// contains filtered or unexported fields
}

func (DisconnectCustomKeyStoreOutput) GoString added in v1.15.83

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (DisconnectCustomKeyStoreOutput) String added in v1.15.83

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

type EnableKeyInput

type EnableKeyInput struct {

	// Identifies the KMS key to enable.
	//
	// Specify the key ID or key ARN of the KMS key.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`
	// contains filtered or unexported fields
}

func (EnableKeyInput) GoString added in v0.6.5

func (s EnableKeyInput) GoString() string

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*EnableKeyInput) SetKeyId added in v1.5.0

func (s *EnableKeyInput) SetKeyId(v string) *EnableKeyInput

SetKeyId sets the KeyId field's value.

func (EnableKeyInput) String added in v0.6.5

func (s EnableKeyInput) String() string

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*EnableKeyInput) Validate added in v1.1.21

func (s *EnableKeyInput) Validate() error

Validate inspects the fields of the type to determine if they are valid.

type EnableKeyOutput

type EnableKeyOutput struct {
	// contains filtered or unexported fields
}

func (EnableKeyOutput) GoString added in v0.6.5

func (s EnableKeyOutput) GoString() string

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (EnableKeyOutput) String added in v0.6.5

func (s EnableKeyOutput) String() string

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

type EnableKeyRotationInput

type EnableKeyRotationInput struct {

	// Identifies a symmetric KMS key. You cannot enable automatic rotation of asymmetric
	// KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks),
	// KMS keys with imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html),
	// or KMS keys in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html).
	// To enable or disable automatic rotation of a set of related multi-Region
	// keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key),
	// set the property on the primary key.
	//
	// Specify the key ID or key ARN of the KMS key.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	// To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`
	// contains filtered or unexported fields
}

func (EnableKeyRotationInput) GoString added in v0.6.5

func (s EnableKeyRotationInput) GoString() string

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*EnableKeyRotationInput) SetKeyId added in v1.5.0

SetKeyId sets the KeyId field's value.

func (EnableKeyRotationInput) String added in v0.6.5

func (s EnableKeyRotationInput) String() string

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*EnableKeyRotationInput) Validate added in v1.1.21

func (s *EnableKeyRotationInput) Validate() error

Validate inspects the fields of the type to determine if they are valid.

type EnableKeyRotationOutput

type EnableKeyRotationOutput struct {
	// contains filtered or unexported fields
}

func (EnableKeyRotationOutput) GoString added in v0.6.5

func (s EnableKeyRotationOutput) GoString() string

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (EnableKeyRotationOutput) String added in v0.6.5

func (s EnableKeyRotationOutput) String() string

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

type EncryptInput

type EncryptInput struct {

	// Specifies the encryption algorithm that KMS will use to encrypt the plaintext
	// message. The algorithm must be compatible with the KMS key that you specify.
	//
	// This parameter is required only for asymmetric KMS keys. The default value,
	// SYMMETRIC_DEFAULT, is the algorithm used for symmetric KMS keys. If you are
	// using an asymmetric KMS key, we recommend RSAES_OAEP_SHA_256.
	EncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"`

	// Specifies the encryption context that will be used to encrypt the data. An
	// encryption context is valid only for cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations)
	// with a symmetric KMS key. The standard asymmetric encryption algorithms that
	// KMS uses do not support an encryption context.
	//
	// An encryption context is a collection of non-secret key-value pairs that
	// represents additional authenticated data. When you use an encryption context
	// to encrypt data, you must specify the same (an exact case-sensitive match)
	// encryption context to decrypt the data. An encryption context is optional
	// when encrypting with a symmetric KMS key, but it is highly recommended.
	//
	// For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context)
	// in the Key Management Service Developer Guide.
	EncryptionContext map[string]*string `type:"map"`

	// A list of grant tokens.
	//
	// Use a grant token when your permission to call this operation comes from
	// a new grant that has not yet achieved eventual consistency. For more information,
	// see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token)
	// and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token)
	// in the Key Management Service Developer Guide.
	GrantTokens []*string `type:"list"`

	// Identifies the KMS key to use in the encryption operation.
	//
	// To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
	// When using an alias name, prefix it with "alias/". To specify a KMS key in
	// a different Amazon Web Services account, you must use the key ARN or alias
	// ARN.
	//
	// For example:
	//
	//    * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
	//
	//    * Alias name: alias/ExampleAlias
	//
	//    * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
	//
	// To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.
	// To get the alias name and alias ARN, use ListAliases.
	//
	// KeyId is a required field
	KeyId *string `min:"1" type:"string" required:"true"`

	// Data to be encrypted.
	//
	// Plaintext is a sensitive parameter and its value will be
	// replaced with "sensitive" in string returned by EncryptInput's
	// String and GoString methods.
	//
	// Plaintext is automatically base64 encoded/decoded by the SDK.
	//
	// Plaintext is a required field
	Plaintext []byte `min:"1" type:"blob" required:"true" sensitive:"true"`
	// contains filtered or unexported fields
}

func (EncryptInput) GoString added in v0.6.5

func (s EncryptInput) GoString() string

GoString returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive".

func (*EncryptInput) SetEncryptionAlgorithm added in v1.25.42

func (s *EncryptInput) SetEncryptionAlgorithm(v string) *EncryptInput

SetEncryptionAlgorithm sets the EncryptionAlgorithm field's value.

func (*EncryptInput) SetEncryptionContext added in v1.5.0

func (s *EncryptInput) SetEncryptionContext(v map[string]*string) *EncryptInput

SetEncryptionContext sets the EncryptionContext field's value.

func (*EncryptInput) SetGrantTokens added in v1.5.0

func (s *EncryptInput) SetGrantTokens(v []*string) *EncryptInput

SetGrantTokens sets the GrantTokens field's value.

func (*EncryptInput) SetKeyId added in v1.5.0

func (s *EncryptInput) SetKeyId(v string) *EncryptInput

SetKeyId sets the KeyId field's value.

func (*EncryptInput) SetPlaintext added in v1.5.0

func (s *EncryptInput) SetPlaintext(v []byte) *EncryptInput

SetPlaintext sets the Plaintext field's value.

func (EncryptInput) String added in v0.6.5

func (s EncryptInput) String() string

String returns the string representation.

API parameter values that are decorated as "sensitive" in the API will not be included in the string output. The member name will be present, but the value will be replaced with "sensitive"