1 /* 2 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with 5 * the License. A copy of the License is located at 6 * 7 * http://aws.amazon.com/apache2.0 8 * 9 * or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR 10 * CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions 11 * and limitations under the License. 12 */ 13 14 package software.amazon.awssdk.services.kms; 15 16 import java.util.concurrent.CompletableFuture; 17 import java.util.function.Consumer; 18 import software.amazon.awssdk.annotations.Generated; 19 import software.amazon.awssdk.annotations.SdkPublicApi; 20 import software.amazon.awssdk.annotations.ThreadSafe; 21 import software.amazon.awssdk.awscore.AwsClient; 22 import software.amazon.awssdk.services.kms.model.CancelKeyDeletionRequest; 23 import software.amazon.awssdk.services.kms.model.CancelKeyDeletionResponse; 24 import software.amazon.awssdk.services.kms.model.ConnectCustomKeyStoreRequest; 25 import software.amazon.awssdk.services.kms.model.ConnectCustomKeyStoreResponse; 26 import software.amazon.awssdk.services.kms.model.CreateAliasRequest; 27 import software.amazon.awssdk.services.kms.model.CreateAliasResponse; 28 import software.amazon.awssdk.services.kms.model.CreateCustomKeyStoreRequest; 29 import software.amazon.awssdk.services.kms.model.CreateCustomKeyStoreResponse; 30 import software.amazon.awssdk.services.kms.model.CreateGrantRequest; 31 import software.amazon.awssdk.services.kms.model.CreateGrantResponse; 32 import software.amazon.awssdk.services.kms.model.CreateKeyRequest; 33 import software.amazon.awssdk.services.kms.model.CreateKeyResponse; 34 import software.amazon.awssdk.services.kms.model.DecryptRequest; 35 import 
software.amazon.awssdk.services.kms.model.DecryptResponse; 36 import software.amazon.awssdk.services.kms.model.DeleteAliasRequest; 37 import software.amazon.awssdk.services.kms.model.DeleteAliasResponse; 38 import software.amazon.awssdk.services.kms.model.DeleteCustomKeyStoreRequest; 39 import software.amazon.awssdk.services.kms.model.DeleteCustomKeyStoreResponse; 40 import software.amazon.awssdk.services.kms.model.DeleteImportedKeyMaterialRequest; 41 import software.amazon.awssdk.services.kms.model.DeleteImportedKeyMaterialResponse; 42 import software.amazon.awssdk.services.kms.model.DescribeCustomKeyStoresRequest; 43 import software.amazon.awssdk.services.kms.model.DescribeCustomKeyStoresResponse; 44 import software.amazon.awssdk.services.kms.model.DescribeKeyRequest; 45 import software.amazon.awssdk.services.kms.model.DescribeKeyResponse; 46 import software.amazon.awssdk.services.kms.model.DisableKeyRequest; 47 import software.amazon.awssdk.services.kms.model.DisableKeyResponse; 48 import software.amazon.awssdk.services.kms.model.DisableKeyRotationRequest; 49 import software.amazon.awssdk.services.kms.model.DisableKeyRotationResponse; 50 import software.amazon.awssdk.services.kms.model.DisconnectCustomKeyStoreRequest; 51 import software.amazon.awssdk.services.kms.model.DisconnectCustomKeyStoreResponse; 52 import software.amazon.awssdk.services.kms.model.EnableKeyRequest; 53 import software.amazon.awssdk.services.kms.model.EnableKeyResponse; 54 import software.amazon.awssdk.services.kms.model.EnableKeyRotationRequest; 55 import software.amazon.awssdk.services.kms.model.EnableKeyRotationResponse; 56 import software.amazon.awssdk.services.kms.model.EncryptRequest; 57 import software.amazon.awssdk.services.kms.model.EncryptResponse; 58 import software.amazon.awssdk.services.kms.model.GenerateDataKeyPairRequest; 59 import software.amazon.awssdk.services.kms.model.GenerateDataKeyPairResponse; 60 import 
software.amazon.awssdk.services.kms.model.GenerateDataKeyPairWithoutPlaintextRequest; 61 import software.amazon.awssdk.services.kms.model.GenerateDataKeyPairWithoutPlaintextResponse; 62 import software.amazon.awssdk.services.kms.model.GenerateDataKeyRequest; 63 import software.amazon.awssdk.services.kms.model.GenerateDataKeyResponse; 64 import software.amazon.awssdk.services.kms.model.GenerateDataKeyWithoutPlaintextRequest; 65 import software.amazon.awssdk.services.kms.model.GenerateDataKeyWithoutPlaintextResponse; 66 import software.amazon.awssdk.services.kms.model.GenerateMacRequest; 67 import software.amazon.awssdk.services.kms.model.GenerateMacResponse; 68 import software.amazon.awssdk.services.kms.model.GenerateRandomRequest; 69 import software.amazon.awssdk.services.kms.model.GenerateRandomResponse; 70 import software.amazon.awssdk.services.kms.model.GetKeyPolicyRequest; 71 import software.amazon.awssdk.services.kms.model.GetKeyPolicyResponse; 72 import software.amazon.awssdk.services.kms.model.GetKeyRotationStatusRequest; 73 import software.amazon.awssdk.services.kms.model.GetKeyRotationStatusResponse; 74 import software.amazon.awssdk.services.kms.model.GetParametersForImportRequest; 75 import software.amazon.awssdk.services.kms.model.GetParametersForImportResponse; 76 import software.amazon.awssdk.services.kms.model.GetPublicKeyRequest; 77 import software.amazon.awssdk.services.kms.model.GetPublicKeyResponse; 78 import software.amazon.awssdk.services.kms.model.ImportKeyMaterialRequest; 79 import software.amazon.awssdk.services.kms.model.ImportKeyMaterialResponse; 80 import software.amazon.awssdk.services.kms.model.ListAliasesRequest; 81 import software.amazon.awssdk.services.kms.model.ListAliasesResponse; 82 import software.amazon.awssdk.services.kms.model.ListGrantsRequest; 83 import software.amazon.awssdk.services.kms.model.ListGrantsResponse; 84 import software.amazon.awssdk.services.kms.model.ListKeyPoliciesRequest; 85 import 
software.amazon.awssdk.services.kms.model.ListKeyPoliciesResponse; 86 import software.amazon.awssdk.services.kms.model.ListKeysRequest; 87 import software.amazon.awssdk.services.kms.model.ListKeysResponse; 88 import software.amazon.awssdk.services.kms.model.ListResourceTagsRequest; 89 import software.amazon.awssdk.services.kms.model.ListResourceTagsResponse; 90 import software.amazon.awssdk.services.kms.model.ListRetirableGrantsRequest; 91 import software.amazon.awssdk.services.kms.model.ListRetirableGrantsResponse; 92 import software.amazon.awssdk.services.kms.model.PutKeyPolicyRequest; 93 import software.amazon.awssdk.services.kms.model.PutKeyPolicyResponse; 94 import software.amazon.awssdk.services.kms.model.ReEncryptRequest; 95 import software.amazon.awssdk.services.kms.model.ReEncryptResponse; 96 import software.amazon.awssdk.services.kms.model.ReplicateKeyRequest; 97 import software.amazon.awssdk.services.kms.model.ReplicateKeyResponse; 98 import software.amazon.awssdk.services.kms.model.RetireGrantRequest; 99 import software.amazon.awssdk.services.kms.model.RetireGrantResponse; 100 import software.amazon.awssdk.services.kms.model.RevokeGrantRequest; 101 import software.amazon.awssdk.services.kms.model.RevokeGrantResponse; 102 import software.amazon.awssdk.services.kms.model.ScheduleKeyDeletionRequest; 103 import software.amazon.awssdk.services.kms.model.ScheduleKeyDeletionResponse; 104 import software.amazon.awssdk.services.kms.model.SignRequest; 105 import software.amazon.awssdk.services.kms.model.SignResponse; 106 import software.amazon.awssdk.services.kms.model.TagResourceRequest; 107 import software.amazon.awssdk.services.kms.model.TagResourceResponse; 108 import software.amazon.awssdk.services.kms.model.UntagResourceRequest; 109 import software.amazon.awssdk.services.kms.model.UntagResourceResponse; 110 import software.amazon.awssdk.services.kms.model.UpdateAliasRequest; 111 import software.amazon.awssdk.services.kms.model.UpdateAliasResponse; 112 
import software.amazon.awssdk.services.kms.model.UpdateCustomKeyStoreRequest; 113 import software.amazon.awssdk.services.kms.model.UpdateCustomKeyStoreResponse; 114 import software.amazon.awssdk.services.kms.model.UpdateKeyDescriptionRequest; 115 import software.amazon.awssdk.services.kms.model.UpdateKeyDescriptionResponse; 116 import software.amazon.awssdk.services.kms.model.UpdatePrimaryRegionRequest; 117 import software.amazon.awssdk.services.kms.model.UpdatePrimaryRegionResponse; 118 import software.amazon.awssdk.services.kms.model.VerifyMacRequest; 119 import software.amazon.awssdk.services.kms.model.VerifyMacResponse; 120 import software.amazon.awssdk.services.kms.model.VerifyRequest; 121 import software.amazon.awssdk.services.kms.model.VerifyResponse; 122 import software.amazon.awssdk.services.kms.paginators.DescribeCustomKeyStoresPublisher; 123 import software.amazon.awssdk.services.kms.paginators.ListAliasesPublisher; 124 import software.amazon.awssdk.services.kms.paginators.ListGrantsPublisher; 125 import software.amazon.awssdk.services.kms.paginators.ListKeyPoliciesPublisher; 126 import software.amazon.awssdk.services.kms.paginators.ListKeysPublisher; 127 import software.amazon.awssdk.services.kms.paginators.ListResourceTagsPublisher; 128 import software.amazon.awssdk.services.kms.paginators.ListRetirableGrantsPublisher; 129 130 /** 131 * Service client for accessing KMS asynchronously. This can be created using the static {@link #builder()} method. 132 * 133 * <fullname>Key Management Service</fullname> 134 * <p> 135 * Key Management Service (KMS) is an encryption and key management web service. This guide describes the KMS operations 136 * that you can call programmatically. For general information about KMS, see the <a 137 * href="https://docs.aws.amazon.com/kms/latest/developerguide/"> <i>Key Management Service Developer Guide</i> </a>. 
 * </p>
 * <note>
 * <p>
 * KMS has replaced the term <i>customer master key (CMK)</i> with <i>KMS key</i>. The concept has
 * not changed. To prevent breaking changes, KMS is keeping some variations of this term.
 * </p>
 * <p>
 * Amazon Web Services provides SDKs that consist of libraries and sample code for various programming languages and
 * platforms (Java, Ruby, .Net, macOS, Android, etc.). The SDKs provide a convenient way to create programmatic access
 * to KMS and other Amazon Web Services services. For example, the SDKs take care of tasks such as signing requests (see
 * below), managing errors, and retrying requests automatically. For more information about the Amazon Web Services
 * SDKs, including how to download and install them, see <a href="http://aws.amazon.com/tools/">Tools for Amazon Web
 * Services</a>.
 * </p>
 * </note>
 * <p>
 * We recommend that you use the Amazon Web Services SDKs to make programmatic API calls to KMS.
 * </p>
 * <p>
 * If you need to use FIPS 140-2 validated cryptographic modules when communicating with Amazon Web Services, use the
 * FIPS endpoint in your preferred Amazon Web Services Region. For more information about the available FIPS endpoints,
 * see <a href="https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region">Service endpoints</a> in the Key
 * Management Service topic of the <i>Amazon Web Services General Reference</i>.
 * </p>
 * <p>
 * All KMS API calls must be signed and transmitted using Transport Layer Security (TLS). KMS recommends that you
 * always use the latest supported TLS version. Clients must also support cipher suites with Perfect Forward Secrecy
 * (PFS) such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Ephemeral Diffie-Hellman (ECDHE). Most modern systems
 * such as Java 7 and later support these modes.
167 * </p> 168 * <p> 169 * <b>Signing Requests</b> 170 * </p> 171 * <p> 172 * Requests must be signed using an access key ID and a secret access key. We strongly recommend that you do not use 173 * your Amazon Web Services account root access key ID and secret access key for everyday work. You can use the access 174 * key ID and secret access key for an IAM user or you can use the Security Token Service (STS) to generate temporary 175 * security credentials and use those to sign requests. 176 * </p> 177 * <p> 178 * All KMS requests must be signed with <a 179 * href="https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html">Signature Version 4</a>. 180 * </p> 181 * <p> 182 * <b>Logging API Requests</b> 183 * </p> 184 * <p> 185 * KMS supports CloudTrail, a service that logs Amazon Web Services API calls and related events for your Amazon Web 186 * Services account and delivers them to an Amazon S3 bucket that you specify. By using the information collected by 187 * CloudTrail, you can determine what requests were made to KMS, who made the request, when it was made, and so on. To 188 * learn more about CloudTrail, including how to turn it on and find your log files, see the <a 189 * href="https://docs.aws.amazon.com/awscloudtrail/latest/userguide/">CloudTrail User Guide</a>. 190 * </p> 191 * <p> 192 * <b>Additional Resources</b> 193 * </p> 194 * <p> 195 * For more information about credentials and request signing, see the following: 196 * </p> 197 * <ul> 198 * <li> 199 * <p> 200 * <a href="https://docs.aws.amazon.com/general/latest/gr/aws-security-credentials.html">Amazon Web Services Security 201 * Credentials</a> - This topic provides general information about the types of credentials used to access Amazon Web 202 * Services. 
203 * </p> 204 * </li> 205 * <li> 206 * <p> 207 * <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html">Temporary Security 208 * Credentials</a> - This section of the <i>IAM User Guide</i> describes how to create and use temporary security 209 * credentials. 210 * </p> 211 * </li> 212 * <li> 213 * <p> 214 * <a href="https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html">Signature Version 4 Signing 215 * Process</a> - This set of topics walks you through the process of signing a request using an access key ID and a 216 * secret access key. 217 * </p> 218 * </li> 219 * </ul> 220 * <p> 221 * <b>Commonly Used API Operations</b> 222 * </p> 223 * <p> 224 * Of the API operations discussed in this guide, the following will prove the most useful for most applications. You 225 * will likely perform operations other than these, such as creating keys and assigning policies, by using the console. 226 * </p> 227 * <ul> 228 * <li> 229 * <p> 230 * <a>Encrypt</a> 231 * </p> 232 * </li> 233 * <li> 234 * <p> 235 * <a>Decrypt</a> 236 * </p> 237 * </li> 238 * <li> 239 * <p> 240 * <a>GenerateDataKey</a> 241 * </p> 242 * </li> 243 * <li> 244 * <p> 245 * <a>GenerateDataKeyWithoutPlaintext</a> 246 * </p> 247 * </li> 248 * </ul> 249 */ 250 @Generated("software.amazon.awssdk:codegen") 251 @SdkPublicApi 252 @ThreadSafe 253 public interface KmsAsyncClient extends AwsClient { 254 String SERVICE_NAME = "kms"; 255 256 /** 257 * Value for looking up the service's metadata from the 258 * {@link software.amazon.awssdk.regions.ServiceMetadataProvider}. 259 */ 260 String SERVICE_METADATA_ID = "kms"; 261 262 /** 263 * <p> 264 * Cancels the deletion of a KMS key. When this operation succeeds, the key state of the KMS key is 265 * <code>Disabled</code>. To enable the KMS key, use <a>EnableKey</a>. 
266 * </p> 267 * <p> 268 * For more information about scheduling and canceling deletion of a KMS key, see <a 269 * href="https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html">Deleting KMS keys</a> in the 270 * <i>Key Management Service Developer Guide</i>. 271 * </p> 272 * <p> 273 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 274 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 275 * <i>Key Management Service Developer Guide</i>. 276 * </p> 277 * <p> 278 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 279 * account. 280 * </p> 281 * <p> 282 * <b>Required permissions</b>: <a 283 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 284 * >kms:CancelKeyDeletion</a> (key policy) 285 * </p> 286 * <p> 287 * <b>Related operations</b>: <a>ScheduleKeyDeletion</a> 288 * </p> 289 * <p> 290 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 291 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 292 * consistency</a>. 293 * </p> 294 * 295 * @param cancelKeyDeletionRequest 296 * @return A Java Future containing the result of the CancelKeyDeletion operation returned by the service.<br/> 297 * The CompletableFuture returned by this method can be completed exceptionally with the following 298 * exceptions. 299 * <ul> 300 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 301 * found.</li> 302 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 303 * not valid.</li> 304 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. 
You can retry
     *         the request.</li>
     *         <li>KmsInternalException The request was rejected because an internal exception occurred. The request can
     *         be retried.</li>
     *         <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not
     *         valid for this request.
     *         <p>
     *         This exception means one of the following:
     *         </p>
     *         <ul>
     *         <li>
     *         <p>
     *         The key state of the KMS key is not compatible with the operation.
     *         </p>
     *         <p>
     *         To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states
     *         are compatible with each KMS operation, see <a
     *         href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
     *         the <i>Key Management Service Developer Guide</i>.
     *         </p>
     *         </li>
     *         <li>
     *         <p>
     *         For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     *         failure with many possible causes. To identify the cause, see the error message that accompanies the
     *         exception.
     *         </p>
     *         </li>
     *         </ul>
     *         </li>
     *         <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     *         Can be used for catch all scenarios.</li>
     *         <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     *         credentials, etc.</li>
     *         <li>KmsException Base class for all service exceptions.
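Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @throws UnsupportedOperationException
     *         if the client implementation does not override this default method
     * @sample KmsAsyncClient.CancelKeyDeletion
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CancelKeyDeletion" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<CancelKeyDeletionResponse> cancelKeyDeletion(CancelKeyDeletionRequest cancelKeyDeletionRequest) {
        // Interface default: fails synchronously (no future is returned) unless an implementation overrides it.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Cancels the deletion of a KMS key. When this operation succeeds, the key state of the KMS key is
     * <code>Disabled</code>. To enable the KMS key, use <a>EnableKey</a>.
     * </p>
     * <p>
     * For more information about scheduling and canceling deletion of a KMS key, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html">Deleting KMS keys</a> in the
     * <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * The KMS key that you use for this operation must be in a compatible key state. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the
     * <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
     * account.
     * </p>
     * <p>
     * <b>Required permissions</b>: <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html"
     * >kms:CancelKeyDeletion</a> (key policy)
     * </p>
     * <p>
     * <b>Related operations</b>: <a>ScheduleKeyDeletion</a>
     * </p>
     * <p>
     * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model.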
For more information, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual
     * consistency</a>.
     * </p>
     * <br/>
     * <p>
     * This is a convenience method that creates an instance of the {@link CancelKeyDeletionRequest.Builder}, avoiding
     * the need to create one manually via {@link CancelKeyDeletionRequest#builder()}.
     * </p>
     *
     * @param cancelKeyDeletionRequest
     *        A {@link Consumer} that will call methods on
     *        {@link software.amazon.awssdk.services.kms.model.CancelKeyDeletionRequest.Builder} to create a request.
     * @return A Java Future containing the result of the CancelKeyDeletion operation returned by the service.<br/>
     *         The CompletableFuture returned by this method can be completed exceptionally with the following
     *         exceptions.
     *         <ul>
     *         <li>NotFoundException The request was rejected because the specified entity or resource could not be
     *         found.</li>
     *         <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is
     *         not valid.</li>
     *         <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry
     *         the request.</li>
     *         <li>KmsInternalException The request was rejected because an internal exception occurred. The request can
     *         be retried.</li>
     *         <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not
     *         valid for this request.
     *         <p>
     *         This exception means one of the following:
     *         </p>
     *         <ul>
     *         <li>
     *         <p>
     *         The key state of the KMS key is not compatible with the operation.
     *         </p>
     *         <p>
     *         To find the key state, use the <a>DescribeKey</a> operation.
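For more information about which key states
     *         are compatible with each KMS operation, see <a
     *         href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
     *         the <i>Key Management Service Developer Guide</i>.
     *         </p>
     *         </li>
     *         <li>
     *         <p>
     *         For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     *         failure with many possible causes. To identify the cause, see the error message that accompanies the
     *         exception.
     *         </p>
     *         </li>
     *         </ul>
     *         </li>
     *         <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     *         Can be used for catch all scenarios.</li>
     *         <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     *         credentials, etc.</li>
     *         <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @throws UnsupportedOperationException
     *         if the {@link CancelKeyDeletionRequest} overload this method delegates to is not overridden
     * @sample KmsAsyncClient.CancelKeyDeletion
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CancelKeyDeletion" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<CancelKeyDeletionResponse> cancelKeyDeletion(
            Consumer<CancelKeyDeletionRequest.Builder> cancelKeyDeletionRequest) {
        // Apply the caller's consumer to a fresh builder, then delegate to the request-object overload.
        return cancelKeyDeletion(CancelKeyDeletionRequest.builder().applyMutation(cancelKeyDeletionRequest).build());
    }

    /**
     * <p>
     * Connects or reconnects a <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>
     * to its backing key store. For a CloudHSM key store, <code>ConnectCustomKeyStore</code> connects the key store to
     * its associated CloudHSM cluster.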
For an external key store, <code>ConnectCustomKeyStore</code> connects the key 446 * store to the external key store proxy that communicates with your external key manager. 447 * </p> 448 * <p> 449 * The custom key store must be connected before you can create KMS keys in the key store or use the KMS keys it 450 * contains. You can disconnect and reconnect a custom key store at any time. 451 * </p> 452 * <p> 453 * The connection process for a custom key store can take an extended amount of time to complete. This operation 454 * starts the connection process, but it does not wait for it to complete. When it succeeds, this operation quickly 455 * returns an HTTP 200 response and a JSON object with no properties. However, this response does not indicate that 456 * the custom key store is connected. To get the connection state of the custom key store, use the 457 * <a>DescribeCustomKeyStores</a> operation. 458 * </p> 459 * <p> 460 * This operation is part of the <a 461 * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key stores</a> 462 * feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of 463 * a key store that you own and manage. 464 * </p> 465 * <p> 466 * The <code>ConnectCustomKeyStore</code> operation might fail for various reasons. To find the reason, use the 467 * <a>DescribeCustomKeyStores</a> operation and see the <code>ConnectionErrorCode</code> in the response. For help 468 * interpreting the <code>ConnectionErrorCode</code>, see <a>CustomKeyStoresListEntry</a>. 469 * </p> 470 * <p> 471 * To fix the failure, use the <a>DisconnectCustomKeyStore</a> operation to disconnect the custom key store, correct 472 * the error, use the <a>UpdateCustomKeyStore</a> operation if necessary, and then use 473 * <code>ConnectCustomKeyStore</code> again. 
     * </p>
     * <p>
     * <b>CloudHSM key store</b>
     * </p>
     * <p>
     * During the connection process for a CloudHSM key store, KMS finds the CloudHSM cluster that is associated with
     * the custom key store, creates the connection infrastructure, connects to the cluster, logs into the CloudHSM
     * client as the <code>kmsuser</code> CU, and rotates its password.
     * </p>
     * <p>
     * To connect a CloudHSM key store, its associated CloudHSM cluster must have at least one active HSM. To get the
     * number of active HSMs in a cluster, use the <a
     * href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html">DescribeClusters</a>
     * operation. To add HSMs to the cluster, use the <a
     * href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html">CreateHsm</a> operation. Also,
     * the <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser">
     * <code>kmsuser</code> crypto user</a> (CU) must not be logged into the cluster. An existing <code>kmsuser</code>
     * session prevents KMS from using this account to log in.
     * </p>
     * <p>
     * If you are having trouble connecting or disconnecting a CloudHSM key store, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html">Troubleshooting an CloudHSM key
     * store</a> in the <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * <b>External key store</b>
     * </p>
     * <p>
     * When you connect an external key store that uses public endpoint connectivity, KMS tests its ability to
     * communicate with your external key manager by sending a request via the external key store proxy.
     * </p>
     * <p>
     * When you connect to an external key store that uses VPC endpoint service connectivity, KMS establishes the
     * networking elements that it needs to communicate with your external key manager via the external key store proxy.
508 * This includes creating an interface endpoint to the VPC endpoint service and a private hosted zone for traffic 509 * between KMS and the VPC endpoint service. 510 * </p> 511 * <p> 512 * To connect an external key store, KMS must be able to connect to the external key store proxy, the external key 513 * store proxy must be able to communicate with your external key manager, and the external key manager must be 514 * available for cryptographic operations. 515 * </p> 516 * <p> 517 * If you are having trouble connecting or disconnecting an external key store, see <a 518 * href="https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html">Troubleshooting an external 519 * key store</a> in the <i>Key Management Service Developer Guide</i>. 520 * </p> 521 * <p> 522 * <b>Cross-account use</b>: No. You cannot perform this operation on a custom key store in a different Amazon Web 523 * Services account. 524 * </p> 525 * <p> 526 * <b>Required permissions</b>: <a 527 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 528 * >kms:ConnectCustomKeyStore</a> (IAM policy) 529 * </p> 530 * <p> 531 * <b>Related operations</b> 532 * </p> 533 * <ul> 534 * <li> 535 * <p> 536 * <a>CreateCustomKeyStore</a> 537 * </p> 538 * </li> 539 * <li> 540 * <p> 541 * <a>DeleteCustomKeyStore</a> 542 * </p> 543 * </li> 544 * <li> 545 * <p> 546 * <a>DescribeCustomKeyStores</a> 547 * </p> 548 * </li> 549 * <li> 550 * <p> 551 * <a>DisconnectCustomKeyStore</a> 552 * </p> 553 * </li> 554 * <li> 555 * <p> 556 * <a>UpdateCustomKeyStore</a> 557 * </p> 558 * </li> 559 * </ul> 560 * <p> 561 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 562 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 563 * consistency</a>. 
     * </p>
     *
     * @param connectCustomKeyStoreRequest
     * @return A Java Future containing the result of the ConnectCustomKeyStore operation returned by the service.<br/>
     *         The CompletableFuture returned by this method can be completed exceptionally with the following
     *         exceptions.
     *         <ul>
     *         <li>CloudHsmClusterNotActiveException The request was rejected because the CloudHSM cluster associated
     *         with the CloudHSM key store is not active. Initialize and activate the cluster and try the command again.
     *         For detailed instructions, see <a
     *         href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html">Getting Started</a> in
     *         the <i>CloudHSM User Guide</i>.</li>
     *         <li>CustomKeyStoreInvalidStateException The request was rejected because of the
     *         <code>ConnectionState</code> of the custom key store. To get the <code>ConnectionState</code> of a custom
     *         key store, use the <a>DescribeCustomKeyStores</a> operation.
     *         <p>
     *         This exception is thrown under the following conditions:
     *         </p>
     *         <ul>
     *         <li>
     *         <p>
     *         You requested the <a>ConnectCustomKeyStore</a> operation on a custom key store with a
     *         <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>FAILED</code>. This operation is
     *         valid for all other <code>ConnectionState</code> values. To reconnect a custom key store in a
     *         <code>FAILED</code> state, disconnect it (<a>DisconnectCustomKeyStore</a>), then connect it (
     *         <code>ConnectCustomKeyStore</code>).
     *         </p>
     *         </li>
     *         <li>
     *         <p>
     *         You requested the <a>CreateKey</a> operation in a custom key store that is not connected. This operation
     *         is valid only when the custom key store <code>ConnectionState</code> is <code>CONNECTED</code>.
     *         </p>
     *         </li>
     *         <li>
     *         <p>
     *         You requested the <a>DisconnectCustomKeyStore</a> operation on a custom key store with a
     *         <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>DISCONNECTED</code>. This operation
     *         is valid for all other <code>ConnectionState</code> values.
     *         </p>
     *         </li>
     *         <li>
     *         <p>
     *         You requested the <a>UpdateCustomKeyStore</a> or <a>DeleteCustomKeyStore</a> operation on a custom key
     *         store that is not disconnected. This operation is valid only when the custom key store
     *         <code>ConnectionState</code> is <code>DISCONNECTED</code>.
     *         </p>
     *         </li>
     *         <li>
     *         <p>
     *         You requested the <a>GenerateRandom</a> operation in a CloudHSM key store that is not connected. This
     *         operation is valid only when the CloudHSM key store <code>ConnectionState</code> is
     *         <code>CONNECTED</code>.
     *         </p>
     *         </li>
     *         </ul>
     *         </li>
     *         <li>CustomKeyStoreNotFoundException The request was rejected because KMS cannot find a custom key store
     *         with the specified key store name or ID.</li>
     *         <li>KmsInternalException The request was rejected because an internal exception occurred. The request can
     *         be retried.</li>
     *         <li>CloudHsmClusterInvalidConfigurationException The request was rejected because the associated CloudHSM
     *         cluster did not meet the configuration requirements for a CloudHSM key store.
     *         <ul>
     *         <li>
     *         <p>
     *         The CloudHSM cluster must be configured with private subnets in at least two different Availability Zones
     *         in the Region.
     *         </p>
     *         </li>
     *         <li>
     *         <p>
     *         The <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">security group for
     *         the cluster</a> (cloudhsm-cluster-<i>&lt;cluster-id&gt;</i>-sg) must include inbound rules and outbound
     *         rules that allow TCP traffic on ports 2223-2225.
The <b>Source</b> in the inbound rules and the 637 * <b>Destination</b> in the outbound rules must match the security group ID. These rules are set by default 638 * when you create the CloudHSM cluster. Do not delete or change them. To get information about a particular 639 * security group, use the <a 640 * href="https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html" 641 * >DescribeSecurityGroups</a> operation. 642 * </p> 643 * </li> 644 * <li> 645 * <p> 646 * The CloudHSM cluster must contain at least as many HSMs as the operation requires. To add HSMs, use the 647 * CloudHSM <a 648 * href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html">CreateHsm</a> 649 * operation. 650 * </p> 651 * <p> 652 * For the <a>CreateCustomKeyStore</a>, <a>UpdateCustomKeyStore</a>, and <a>CreateKey</a> operations, the 653 * CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone. For the 654 * <a>ConnectCustomKeyStore</a> operation, the CloudHSM must contain at least one active HSM. 655 * </p> 656 * </li> 657 * </ul> 658 * <p> 659 * For information about the requirements for an CloudHSM cluster that is associated with an CloudHSM key 660 * store, see <a 661 * href="https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore" 662 * >Assemble the Prerequisites</a> in the <i>Key Management Service Developer Guide</i>. For information 663 * about creating a private subnet for an CloudHSM cluster, see <a 664 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html">Create a Private 665 * Subnet</a> in the <i>CloudHSM User Guide</i>. 
For information about cluster security groups, see <a
     *         href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">Configure a Default
     *         Security Group</a> in the <i> <i>CloudHSM User Guide</i> </i>.</li>
     *         <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     *         Can be used for catch all scenarios.</li>
     *         <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     *         credentials, etc.</li>
     *         <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.ConnectCustomKeyStore
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ConnectCustomKeyStore" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<ConnectCustomKeyStoreResponse> connectCustomKeyStore(
            ConnectCustomKeyStoreRequest connectCustomKeyStoreRequest) {
        // Interface default body: it sends no request and throws on the calling thread, so this
        // failure is NOT delivered through the returned CompletableFuture. Callers that only attach
        // exceptionally()/handle() stages will not see it.
        // NOTE(review): a concrete client is presumably expected to override this method; the
        // implementation is not visible in this file, so confirm.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Connects or reconnects a <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>
     * to its backing key store. For an CloudHSM key store, <code>ConnectCustomKeyStore</code> connects the key store to
     * its associated CloudHSM cluster. For an external key store, <code>ConnectCustomKeyStore</code> connects the key
     * store to the external key store proxy that communicates with your external key manager.
     * </p>
     * <p>
     * The custom key store must be connected before you can create KMS keys in the key store or use the KMS keys it
     * contains. You can disconnect and reconnect a custom key store at any time.
695 * </p> 696 * <p> 697 * The connection process for a custom key store can take an extended amount of time to complete. This operation 698 * starts the connection process, but it does not wait for it to complete. When it succeeds, this operation quickly 699 * returns an HTTP 200 response and a JSON object with no properties. However, this response does not indicate that 700 * the custom key store is connected. To get the connection state of the custom key store, use the 701 * <a>DescribeCustomKeyStores</a> operation. 702 * </p> 703 * <p> 704 * This operation is part of the <a 705 * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key stores</a> 706 * feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of 707 * a key store that you own and manage. 708 * </p> 709 * <p> 710 * The <code>ConnectCustomKeyStore</code> operation might fail for various reasons. To find the reason, use the 711 * <a>DescribeCustomKeyStores</a> operation and see the <code>ConnectionErrorCode</code> in the response. For help 712 * interpreting the <code>ConnectionErrorCode</code>, see <a>CustomKeyStoresListEntry</a>. 713 * </p> 714 * <p> 715 * To fix the failure, use the <a>DisconnectCustomKeyStore</a> operation to disconnect the custom key store, correct 716 * the error, use the <a>UpdateCustomKeyStore</a> operation if necessary, and then use 717 * <code>ConnectCustomKeyStore</code> again. 718 * </p> 719 * <p> 720 * <b>CloudHSM key store</b> 721 * </p> 722 * <p> 723 * During the connection process for an CloudHSM key store, KMS finds the CloudHSM cluster that is associated with 724 * the custom key store, creates the connection infrastructure, connects to the cluster, logs into the CloudHSM 725 * client as the <code>kmsuser</code> CU, and rotates its password. 
726 * </p> 727 * <p> 728 * To connect an CloudHSM key store, its associated CloudHSM cluster must have at least one active HSM. To get the 729 * number of active HSMs in a cluster, use the <a 730 * href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html">DescribeClusters</a> 731 * operation. To add HSMs to the cluster, use the <a 732 * href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html">CreateHsm</a> operation. Also, 733 * the <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser"> 734 * <code>kmsuser</code> crypto user</a> (CU) must not be logged into the cluster. This prevents KMS from using this 735 * account to log in. 736 * </p> 737 * <p> 738 * If you are having trouble connecting or disconnecting a CloudHSM key store, see <a 739 * href="https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html">Troubleshooting an CloudHSM key 740 * store</a> in the <i>Key Management Service Developer Guide</i>. 741 * </p> 742 * <p> 743 * <b>External key store</b> 744 * </p> 745 * <p> 746 * When you connect an external key store that uses public endpoint connectivity, KMS tests its ability to 747 * communicate with your external key manager by sending a request via the external key store proxy. 748 * </p> 749 * <p> 750 * When you connect to an external key store that uses VPC endpoint service connectivity, KMS establishes the 751 * networking elements that it needs to communicate with your external key manager via the external key store proxy. 752 * This includes creating an interface endpoint to the VPC endpoint service and a private hosted zone for traffic 753 * between KMS and the VPC endpoint service. 
754 * </p> 755 * <p> 756 * To connect an external key store, KMS must be able to connect to the external key store proxy, the external key 757 * store proxy must be able to communicate with your external key manager, and the external key manager must be 758 * available for cryptographic operations. 759 * </p> 760 * <p> 761 * If you are having trouble connecting or disconnecting an external key store, see <a 762 * href="https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html">Troubleshooting an external 763 * key store</a> in the <i>Key Management Service Developer Guide</i>. 764 * </p> 765 * <p> 766 * <b>Cross-account use</b>: No. You cannot perform this operation on a custom key store in a different Amazon Web 767 * Services account. 768 * </p> 769 * <p> 770 * <b>Required permissions</b>: <a 771 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 772 * >kms:ConnectCustomKeyStore</a> (IAM policy) 773 * </p> 774 * <p> 775 * <b>Related operations</b> 776 * </p> 777 * <ul> 778 * <li> 779 * <p> 780 * <a>CreateCustomKeyStore</a> 781 * </p> 782 * </li> 783 * <li> 784 * <p> 785 * <a>DeleteCustomKeyStore</a> 786 * </p> 787 * </li> 788 * <li> 789 * <p> 790 * <a>DescribeCustomKeyStores</a> 791 * </p> 792 * </li> 793 * <li> 794 * <p> 795 * <a>DisconnectCustomKeyStore</a> 796 * </p> 797 * </li> 798 * <li> 799 * <p> 800 * <a>UpdateCustomKeyStore</a> 801 * </p> 802 * </li> 803 * </ul> 804 * <p> 805 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 806 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 807 * consistency</a>. 
808 * </p> 809 * <br/> 810 * <p> 811 * This is a convenience which creates an instance of the {@link ConnectCustomKeyStoreRequest.Builder} avoiding the 812 * need to create one manually via {@link ConnectCustomKeyStoreRequest#builder()} 813 * </p> 814 * 815 * @param connectCustomKeyStoreRequest 816 * A {@link Consumer} that will call methods on 817 * {@link software.amazon.awssdk.services.kms.model.ConnectCustomKeyStoreRequest.Builder} to create a 818 * request. 819 * @return A Java Future containing the result of the ConnectCustomKeyStore operation returned by the service.<br/> 820 * The CompletableFuture returned by this method can be completed exceptionally with the following 821 * exceptions. 822 * <ul> 823 * <li>CloudHsmClusterNotActiveException The request was rejected because the CloudHSM cluster associated 824 * with the CloudHSM key store is not active. Initialize and activate the cluster and try the command again. 825 * For detailed instructions, see <a 826 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html">Getting Started</a> in 827 * the <i>CloudHSM User Guide</i>.</li> 828 * <li>CustomKeyStoreInvalidStateException The request was rejected because of the 829 * <code>ConnectionState</code> of the custom key store. To get the <code>ConnectionState</code> of a custom 830 * key store, use the <a>DescribeCustomKeyStores</a> operation.</p> 831 * <p> 832 * This exception is thrown under the following conditions: 833 * </p> 834 * <ul> 835 * <li> 836 * <p> 837 * You requested the <a>ConnectCustomKeyStore</a> operation on a custom key store with a 838 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>FAILED</code>. This operation is 839 * valid for all other <code>ConnectionState</code> values. To reconnect a custom key store in a 840 * <code>FAILED</code> state, disconnect it (<a>DisconnectCustomKeyStore</a>), then connect it ( 841 * <code>ConnectCustomKeyStore</code>). 
842 * </p> 843 * </li> 844 * <li> 845 * <p> 846 * You requested the <a>CreateKey</a> operation in a custom key store that is not connected. This operations 847 * is valid only when the custom key store <code>ConnectionState</code> is <code>CONNECTED</code>. 848 * </p> 849 * </li> 850 * <li> 851 * <p> 852 * You requested the <a>DisconnectCustomKeyStore</a> operation on a custom key store with a 853 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>DISCONNECTED</code>. This operation 854 * is valid for all other <code>ConnectionState</code> values. 855 * </p> 856 * </li> 857 * <li> 858 * <p> 859 * You requested the <a>UpdateCustomKeyStore</a> or <a>DeleteCustomKeyStore</a> operation on a custom key 860 * store that is not disconnected. This operation is valid only when the custom key store 861 * <code>ConnectionState</code> is <code>DISCONNECTED</code>. 862 * </p> 863 * </li> 864 * <li> 865 * <p> 866 * You requested the <a>GenerateRandom</a> operation in an CloudHSM key store that is not connected. This 867 * operation is valid only when the CloudHSM key store <code>ConnectionState</code> is 868 * <code>CONNECTED</code>. 869 * </p> 870 * </li></li> 871 * <li>CustomKeyStoreNotFoundException The request was rejected because KMS cannot find a custom key store 872 * with the specified key store name or ID.</li> 873 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 874 * be retried.</li> 875 * <li>CloudHsmClusterInvalidConfigurationException The request was rejected because the associated CloudHSM 876 * cluster did not meet the configuration requirements for an CloudHSM key store.</p> 877 * <ul> 878 * <li> 879 * <p> 880 * The CloudHSM cluster must be configured with private subnets in at least two different Availability Zones 881 * in the Region. 
882 * </p> 883 * </li> 884 * <li> 885 * <p> 886 * The <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">security group for 887 * the cluster</a> (cloudhsm-cluster-<i><cluster-id></i>-sg) must include inbound rules and outbound 888 * rules that allow TCP traffic on ports 2223-2225. The <b>Source</b> in the inbound rules and the 889 * <b>Destination</b> in the outbound rules must match the security group ID. These rules are set by default 890 * when you create the CloudHSM cluster. Do not delete or change them. To get information about a particular 891 * security group, use the <a 892 * href="https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html" 893 * >DescribeSecurityGroups</a> operation. 894 * </p> 895 * </li> 896 * <li> 897 * <p> 898 * The CloudHSM cluster must contain at least as many HSMs as the operation requires. To add HSMs, use the 899 * CloudHSM <a 900 * href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html">CreateHsm</a> 901 * operation. 902 * </p> 903 * <p> 904 * For the <a>CreateCustomKeyStore</a>, <a>UpdateCustomKeyStore</a>, and <a>CreateKey</a> operations, the 905 * CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone. For the 906 * <a>ConnectCustomKeyStore</a> operation, the CloudHSM must contain at least one active HSM. 907 * </p> 908 * </li> 909 * </ul> 910 * <p> 911 * For information about the requirements for an CloudHSM cluster that is associated with an CloudHSM key 912 * store, see <a 913 * href="https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore" 914 * >Assemble the Prerequisites</a> in the <i>Key Management Service Developer Guide</i>. For information 915 * about creating a private subnet for an CloudHSM cluster, see <a 916 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html">Create a Private 917 * Subnet</a> in the <i>CloudHSM User Guide</i>. 
For information about cluster security groups, see <a
     *         href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">Configure a Default
     *         Security Group</a> in the <i> <i>CloudHSM User Guide</i> </i>.</li>
     *         <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     *         Can be used for catch all scenarios.</li>
     *         <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     *         credentials, etc.</li>
     *         <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.ConnectCustomKeyStore
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ConnectCustomKeyStore" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<ConnectCustomKeyStoreResponse> connectCustomKeyStore(
            Consumer<ConnectCustomKeyStoreRequest.Builder> connectCustomKeyStoreRequest) {
        // Build the request from the caller-supplied mutator first, then delegate to the
        // request-object overload. Builder creation, applyMutation and build() are evaluated here,
        // before the delegate is called, so an exception from them reaches the caller directly
        // rather than through the returned future.
        // NOTE(review): applyMutation is defined outside this file; presumably it invokes the
        // consumer immediately and rejects null. Confirm.
        ConnectCustomKeyStoreRequest builtRequest =
                ConnectCustomKeyStoreRequest.builder().applyMutation(connectCustomKeyStoreRequest).build();

        // Per the operation description in the Javadoc above, a successful response only means the
        // connection process was started; check ConnectionState with DescribeCustomKeyStores before
        // relying on keys in the store.
        return connectCustomKeyStore(builtRequest);
    }

    /**
     * <p>
     * Creates a friendly name for a KMS key.
     * </p>
     * <note>
     * <p>
     * Adding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/abac.html">ABAC for KMS</a> in the <i>Key Management
     * Service Developer Guide</i>.
     * </p>
     * </note>
     * <p>
     * You can use an alias to identify a KMS key in the KMS console, in the <a>DescribeKey</a> operation and in <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations">cryptographic
     * operations</a>, such as <a>Encrypt</a> and <a>GenerateDataKey</a>.
You can also change the KMS key that's 951 * associated with the alias (<a>UpdateAlias</a>) or delete the alias (<a>DeleteAlias</a>) at any time. These 952 * operations don't affect the underlying KMS key. 953 * </p> 954 * <p> 955 * You can associate the alias with any customer managed key in the same Amazon Web Services Region. Each alias is 956 * associated with only one KMS key at a time, but a KMS key can have multiple aliases. A valid KMS key is required. 957 * You can't create an alias without a KMS key. 958 * </p> 959 * <p> 960 * The alias must be unique in the account and Region, but you can have aliases with the same name in different 961 * Regions. For detailed information about aliases, see <a 962 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html">Using aliases</a> in the <i>Key 963 * Management Service Developer Guide</i>. 964 * </p> 965 * <p> 966 * This operation does not return a response. To get the alias that you created, use the <a>ListAliases</a> 967 * operation. 968 * </p> 969 * <p> 970 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 971 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 972 * <i>Key Management Service Developer Guide</i>. 973 * </p> 974 * <p> 975 * <b>Cross-account use</b>: No. You cannot perform this operation on an alias in a different Amazon Web Services 976 * account. 977 * </p> 978 * <p> 979 * <b>Required permissions</b> 980 * </p> 981 * <ul> 982 * <li> 983 * <p> 984 * <a 985 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:CreateAlias 986 * </a> on the alias (IAM policy). 987 * </p> 988 * </li> 989 * <li> 990 * <p> 991 * <a 992 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:CreateAlias 993 * </a> on the KMS key (key policy). 
994 * </p> 995 * </li> 996 * </ul> 997 * <p> 998 * For details, see <a 999 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access">Controlling access to 1000 * aliases</a> in the <i>Key Management Service Developer Guide</i>. 1001 * </p> 1002 * <p> 1003 * <b>Related operations:</b> 1004 * </p> 1005 * <ul> 1006 * <li> 1007 * <p> 1008 * <a>DeleteAlias</a> 1009 * </p> 1010 * </li> 1011 * <li> 1012 * <p> 1013 * <a>ListAliases</a> 1014 * </p> 1015 * </li> 1016 * <li> 1017 * <p> 1018 * <a>UpdateAlias</a> 1019 * </p> 1020 * </li> 1021 * </ul> 1022 * <p> 1023 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 1024 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 1025 * consistency</a>. 1026 * </p> 1027 * 1028 * @param createAliasRequest 1029 * @return A Java Future containing the result of the CreateAlias operation returned by the service.<br/> 1030 * The CompletableFuture returned by this method can be completed exceptionally with the following 1031 * exceptions. 1032 * <ul> 1033 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 1034 * the request.</li> 1035 * <li>AlreadyExistsException The request was rejected because it attempted to create a resource that 1036 * already exists.</li> 1037 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 1038 * found.</li> 1039 * <li>InvalidAliasNameException The request was rejected because the specified alias name is not valid.</li> 1040 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 1041 * be retried.</li> 1042 * <li>LimitExceededException The request was rejected because a quota was exceeded. 
For more information, 1043 * see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the <i>Key 1044 * Management Service Developer Guide</i>.</li> 1045 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 1046 * valid for this request.</p> 1047 * <p> 1048 * This exceptions means one of the following: 1049 * </p> 1050 * <ul> 1051 * <li> 1052 * <p> 1053 * The key state of the KMS key is not compatible with the operation. 1054 * </p> 1055 * <p> 1056 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 1057 * are compatible with each KMS operation, see <a 1058 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 1059 * the <i> <i>Key Management Service Developer Guide</i> </i>. 1060 * </p> 1061 * </li> 1062 * <li> 1063 * <p> 1064 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 1065 * failure with many possible causes. To identify the cause, see the error message that accompanies the 1066 * exception. 1067 * </p> 1068 * </li></li> 1069 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 1070 * Can be used for catch all scenarios.</li> 1071 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 1072 * credentials, etc.</li> 1073 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.CreateAlias
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateAlias" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<CreateAliasResponse> createAlias(CreateAliasRequest createAliasRequest) {
        // Interface default body: it sends no request and throws on the calling thread, so this
        // failure is NOT delivered through the returned CompletableFuture.
        // NOTE(review): a concrete client is presumably expected to override this method; the
        // implementation is not visible in this file, so confirm.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Creates a friendly name for a KMS key.
     * </p>
     * <note>
     * <p>
     * Adding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/abac.html">ABAC for KMS</a> in the <i>Key Management
     * Service Developer Guide</i>.
     * </p>
     * </note>
     * <p>
     * You can use an alias to identify a KMS key in the KMS console, in the <a>DescribeKey</a> operation and in <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations">cryptographic
     * operations</a>, such as <a>Encrypt</a> and <a>GenerateDataKey</a>. You can also change the KMS key that's
     * associated with the alias (<a>UpdateAlias</a>) or delete the alias (<a>DeleteAlias</a>) at any time. These
     * operations don't affect the underlying KMS key.
     * </p>
     * <p>
     * You can associate the alias with any customer managed key in the same Amazon Web Services Region. Each alias is
     * associated with only one KMS key at a time, but a KMS key can have multiple aliases. A valid KMS key is required.
     * You can't create an alias without a KMS key.
     * </p>
     * <p>
     * The alias must be unique in the account and Region, but you can have aliases with the same name in different
     * Regions.
For detailed information about aliases, see <a 1110 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html">Using aliases</a> in the <i>Key 1111 * Management Service Developer Guide</i>. 1112 * </p> 1113 * <p> 1114 * This operation does not return a response. To get the alias that you created, use the <a>ListAliases</a> 1115 * operation. 1116 * </p> 1117 * <p> 1118 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 1119 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 1120 * <i>Key Management Service Developer Guide</i>. 1121 * </p> 1122 * <p> 1123 * <b>Cross-account use</b>: No. You cannot perform this operation on an alias in a different Amazon Web Services 1124 * account. 1125 * </p> 1126 * <p> 1127 * <b>Required permissions</b> 1128 * </p> 1129 * <ul> 1130 * <li> 1131 * <p> 1132 * <a 1133 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:CreateAlias 1134 * </a> on the alias (IAM policy). 1135 * </p> 1136 * </li> 1137 * <li> 1138 * <p> 1139 * <a 1140 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:CreateAlias 1141 * </a> on the KMS key (key policy). 1142 * </p> 1143 * </li> 1144 * </ul> 1145 * <p> 1146 * For details, see <a 1147 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access">Controlling access to 1148 * aliases</a> in the <i>Key Management Service Developer Guide</i>. 1149 * </p> 1150 * <p> 1151 * <b>Related operations:</b> 1152 * </p> 1153 * <ul> 1154 * <li> 1155 * <p> 1156 * <a>DeleteAlias</a> 1157 * </p> 1158 * </li> 1159 * <li> 1160 * <p> 1161 * <a>ListAliases</a> 1162 * </p> 1163 * </li> 1164 * <li> 1165 * <p> 1166 * <a>UpdateAlias</a> 1167 * </p> 1168 * </li> 1169 * </ul> 1170 * <p> 1171 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. 
For more information, see <a 1172 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 1173 * consistency</a>. 1174 * </p> 1175 * <br/> 1176 * <p> 1177 * This is a convenience which creates an instance of the {@link CreateAliasRequest.Builder} avoiding the need to 1178 * create one manually via {@link CreateAliasRequest#builder()} 1179 * </p> 1180 * 1181 * @param createAliasRequest 1182 * A {@link Consumer} that will call methods on 1183 * {@link software.amazon.awssdk.services.kms.model.CreateAliasRequest.Builder} to create a request. 1184 * @return A Java Future containing the result of the CreateAlias operation returned by the service.<br/> 1185 * The CompletableFuture returned by this method can be completed exceptionally with the following 1186 * exceptions. 1187 * <ul> 1188 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 1189 * the request.</li> 1190 * <li>AlreadyExistsException The request was rejected because it attempted to create a resource that 1191 * already exists.</li> 1192 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 1193 * found.</li> 1194 * <li>InvalidAliasNameException The request was rejected because the specified alias name is not valid.</li> 1195 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 1196 * be retried.</li> 1197 * <li>LimitExceededException The request was rejected because a quota was exceeded. 
For more information, 1198 * see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the <i>Key 1199 * Management Service Developer Guide</i>.</li> 1200 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 1201 * valid for this request.</p> 1202 * <p> 1203 * This exceptions means one of the following: 1204 * </p> 1205 * <ul> 1206 * <li> 1207 * <p> 1208 * The key state of the KMS key is not compatible with the operation. 1209 * </p> 1210 * <p> 1211 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 1212 * are compatible with each KMS operation, see <a 1213 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 1214 * the <i> <i>Key Management Service Developer Guide</i> </i>. 1215 * </p> 1216 * </li> 1217 * <li> 1218 * <p> 1219 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 1220 * failure with many possible causes. To identify the cause, see the error message that accompanies the 1221 * exception. 1222 * </p> 1223 * </li></li> 1224 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 1225 * Can be used for catch all scenarios.</li> 1226 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 1227 * credentials, etc.</li> 1228 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.CreateAlias
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateAlias" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<CreateAliasResponse> createAlias(Consumer<CreateAliasRequest.Builder> createAliasRequest) {
        // Build the request from the caller-supplied mutator first, then delegate to the
        // request-object overload. Builder creation, applyMutation and build() are evaluated here,
        // before the delegate is called, so an exception from them reaches the caller directly
        // rather than through the returned future.
        // NOTE(review): applyMutation is defined outside this file; presumably it invokes the
        // consumer immediately and rejects null. Confirm.
        CreateAliasRequest builtRequest = CreateAliasRequest.builder().applyMutation(createAliasRequest).build();

        // The Javadoc above notes that adding, deleting, or updating an alias can allow or deny
        // permission to the KMS key (ABAC), so the alias set in the mutator is access-control
        // relevant, not just a display name.
        return createAlias(builtRequest);
    }

    /**
     * <p>
     * Creates a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom
     * key store</a> backed by a key store that you own and manage. When you use a KMS key in a custom key store for a
     * cryptographic operation, the cryptographic operation is actually performed in your key store using your keys. KMS
     * supports <a href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html">CloudHSM key
     * stores</a> backed by an <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/clusters.html">CloudHSM
     * cluster</a> and <a href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html">external
     * key stores</a> backed by an external key store proxy and external key manager outside of Amazon Web Services.
     * </p>
     * <p>
     * This operation is part of the <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key stores</a>
     * feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of
     * a key store that you own and manage.
     * </p>
     * <p>
     * Before you create the custom key store, the required elements must be in place and operational.
We recommend that 1257 * you use the test tools that KMS provides to verify the configuration your external key store proxy. For details 1258 * about the required elements and verification tests, see <a 1259 * href="https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore">Assemble the 1260 * prerequisites (for CloudHSM key stores)</a> or <a 1261 * href="https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keystore.html#xks-requirements">Assemble 1262 * the prerequisites (for external key stores)</a> in the <i>Key Management Service Developer Guide</i>. 1263 * </p> 1264 * <p> 1265 * To create a custom key store, use the following parameters. 1266 * </p> 1267 * <ul> 1268 * <li> 1269 * <p> 1270 * To create an CloudHSM key store, specify the <code>CustomKeyStoreName</code>, <code>CloudHsmClusterId</code>, 1271 * <code>KeyStorePassword</code>, and <code>TrustAnchorCertificate</code>. The <code>CustomKeyStoreType</code> 1272 * parameter is optional for CloudHSM key stores. If you include it, set it to the default value, 1273 * <code>AWS_CLOUDHSM</code>. For help with failures, see <a 1274 * href="https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html">Troubleshooting an CloudHSM key 1275 * store</a> in the <i>Key Management Service Developer Guide</i>. 1276 * </p> 1277 * </li> 1278 * <li> 1279 * <p> 1280 * To create an external key store, specify the <code>CustomKeyStoreName</code> and a 1281 * <code>CustomKeyStoreType</code> of <code>EXTERNAL_KEY_STORE</code>. Also, specify values for 1282 * <code>XksProxyConnectivity</code>, <code>XksProxyAuthenticationCredential</code>, 1283 * <code>XksProxyUriEndpoint</code>, and <code>XksProxyUriPath</code>. If your <code>XksProxyConnectivity</code> 1284 * value is <code>VPC_ENDPOINT_SERVICE</code>, specify the <code>XksProxyVpcEndpointServiceName</code> parameter. 
1285 * For help with failures, see <a 1286 * href="https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html">Troubleshooting an external 1287 * key store</a> in the <i>Key Management Service Developer Guide</i>. 1288 * </p> 1289 * </li> 1290 * </ul> 1291 * <note> 1292 * <p> 1293 * For external key stores: 1294 * </p> 1295 * <p> 1296 * Some external key managers provide a simpler method for creating an external key store. For details, see your 1297 * external key manager documentation. 1298 * </p> 1299 * <p> 1300 * When creating an external key store in the KMS console, you can upload a JSON-based proxy configuration file with 1301 * the desired values. You cannot use a proxy configuration with the <code>CreateCustomKeyStore</code> operation. 1302 * However, you can use the values in the file to help you determine the correct values for the 1303 * <code>CreateCustomKeyStore</code> parameters. 1304 * </p> 1305 * </note> 1306 * <p> 1307 * When the operation completes successfully, it returns the ID of the new custom key store. Before you can use your 1308 * new custom key store, you need to use the <a>ConnectCustomKeyStore</a> operation to connect a new CloudHSM key 1309 * store to its CloudHSM cluster, or to connect a new external key store to the external key store proxy for your 1310 * external key manager. Even if you are not going to use your custom key store immediately, you might want to 1311 * connect it to verify that all settings are correct and then disconnect it until you are ready to use it. 1312 * </p> 1313 * <p> 1314 * For help with failures, see <a 1315 * href="https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html">Troubleshooting a custom key 1316 * store</a> in the <i>Key Management Service Developer Guide</i>. 1317 * </p> 1318 * <p> 1319 * <b>Cross-account use</b>: No. You cannot perform this operation on a custom key store in a different Amazon Web 1320 * Services account. 
1321 * </p> 1322 * <p> 1323 * <b>Required permissions</b>: <a 1324 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 1325 * >kms:CreateCustomKeyStore</a> (IAM policy). 1326 * </p> 1327 * <p> 1328 * <b>Related operations:</b> 1329 * </p> 1330 * <ul> 1331 * <li> 1332 * <p> 1333 * <a>ConnectCustomKeyStore</a> 1334 * </p> 1335 * </li> 1336 * <li> 1337 * <p> 1338 * <a>DeleteCustomKeyStore</a> 1339 * </p> 1340 * </li> 1341 * <li> 1342 * <p> 1343 * <a>DescribeCustomKeyStores</a> 1344 * </p> 1345 * </li> 1346 * <li> 1347 * <p> 1348 * <a>DisconnectCustomKeyStore</a> 1349 * </p> 1350 * </li> 1351 * <li> 1352 * <p> 1353 * <a>UpdateCustomKeyStore</a> 1354 * </p> 1355 * </li> 1356 * </ul> 1357 * <p> 1358 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 1359 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 1360 * consistency</a>. 1361 * </p> 1362 * 1363 * @param createCustomKeyStoreRequest 1364 * @return A Java Future containing the result of the CreateCustomKeyStore operation returned by the service.<br/> 1365 * The CompletableFuture returned by this method can be completed exceptionally with the following 1366 * exceptions. 1367 * <ul> 1368 * <li>CloudHsmClusterInUseException The request was rejected because the specified CloudHSM cluster is 1369 * already associated with an CloudHSM key store in the account, or it shares a backup history with an 1370 * CloudHSM key store in the account. Each CloudHSM key store in the account must be associated with a 1371 * different CloudHSM cluster.</p> 1372 * <p> 1373 * CloudHSM clusters that share a backup history have the same cluster certificate. 
To view the cluster 1374 * certificate of an CloudHSM cluster, use the <a 1375 * href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html" 1376 * >DescribeClusters</a> operation.</li> 1377 * <li>CustomKeyStoreNameInUseException The request was rejected because the specified custom key store name 1378 * is already assigned to another custom key store in the account. Try again with a custom key store name 1379 * that is unique in the account.</li> 1380 * <li>CloudHsmClusterNotFoundException The request was rejected because KMS cannot find the CloudHSM 1381 * cluster with the specified cluster ID. Retry the request with a different cluster ID.</li> 1382 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 1383 * be retried.</li> 1384 * <li>CloudHsmClusterNotActiveException The request was rejected because the CloudHSM cluster associated 1385 * with the CloudHSM key store is not active. Initialize and activate the cluster and try the command again. 
1386 * For detailed instructions, see <a 1387 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html">Getting Started</a> in 1388 * the <i>CloudHSM User Guide</i>.</li> 1389 * <li>IncorrectTrustAnchorException The request was rejected because the trust anchor certificate in the 1390 * request to create an CloudHSM key store is not the trust anchor certificate for the specified CloudHSM 1391 * cluster.</p> 1392 * <p> 1393 * When you <a 1394 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr">initialize 1395 * the CloudHSM cluster</a>, you create the trust anchor certificate and save it in the 1396 * <code>customerCA.crt</code> file.</li> 1397 * <li>CloudHsmClusterInvalidConfigurationException The request was rejected because the associated CloudHSM 1398 * cluster did not meet the configuration requirements for an CloudHSM key store.</p> 1399 * <ul> 1400 * <li> 1401 * <p> 1402 * The CloudHSM cluster must be configured with private subnets in at least two different Availability Zones 1403 * in the Region. 1404 * </p> 1405 * </li> 1406 * <li> 1407 * <p> 1408 * The <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">security group for 1409 * the cluster</a> (cloudhsm-cluster-<i><cluster-id></i>-sg) must include inbound rules and outbound 1410 * rules that allow TCP traffic on ports 2223-2225. The <b>Source</b> in the inbound rules and the 1411 * <b>Destination</b> in the outbound rules must match the security group ID. These rules are set by default 1412 * when you create the CloudHSM cluster. Do not delete or change them. To get information about a particular 1413 * security group, use the <a 1414 * href="https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html" 1415 * >DescribeSecurityGroups</a> operation. 
1416 * </p> 1417 * </li> 1418 * <li> 1419 * <p> 1420 * The CloudHSM cluster must contain at least as many HSMs as the operation requires. To add HSMs, use the 1421 * CloudHSM <a 1422 * href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html">CreateHsm</a> 1423 * operation. 1424 * </p> 1425 * <p> 1426 * For the <a>CreateCustomKeyStore</a>, <a>UpdateCustomKeyStore</a>, and <a>CreateKey</a> operations, the 1427 * CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone. For the 1428 * <a>ConnectCustomKeyStore</a> operation, the CloudHSM must contain at least one active HSM. 1429 * </p> 1430 * </li> 1431 * </ul> 1432 * <p> 1433 * For information about the requirements for an CloudHSM cluster that is associated with an CloudHSM key 1434 * store, see <a 1435 * href="https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore" 1436 * >Assemble the Prerequisites</a> in the <i>Key Management Service Developer Guide</i>. For information 1437 * about creating a private subnet for an CloudHSM cluster, see <a 1438 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html">Create a Private 1439 * Subnet</a> in the <i>CloudHSM User Guide</i>. For information about cluster security groups, see <a 1440 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">Configure a Default 1441 * Security Group</a> in the <i> <i>CloudHSM User Guide</i> </i>.</li> 1442 * <li>LimitExceededException The request was rejected because a quota was exceeded. 
For more information, 1443 * see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the <i>Key 1444 * Management Service Developer Guide</i>.</li> 1445 * <li>XksProxyUriInUseException The request was rejected because the concatenation of the 1446 * <code>XksProxyUriEndpoint</code> and <code>XksProxyUriPath</code> is already associated with another 1447 * external key store in this Amazon Web Services Region. Each external key store in a Region must use a 1448 * unique external key store proxy API address.</li> 1449 * <li>XksProxyUriEndpointInUseException The request was rejected because the 1450 * <code>XksProxyUriEndpoint</code> is already associated with another external key store in this Amazon Web 1451 * Services Region. To identify the cause, see the error message that accompanies the exception.</li> 1452 * <li>XksProxyUriUnreachableException KMS was unable to reach the specified <code>XksProxyUriPath</code>. 1453 * The path must be reachable before you create the external key store or update its settings.</p> 1454 * <p> 1455 * This exception is also thrown when the external key store proxy response to a 1456 * <code>GetHealthStatus</code> request indicates that all external key manager instances are unavailable.</li> 1457 * <li>XksProxyIncorrectAuthenticationCredentialException The request was rejected because the proxy 1458 * credentials failed to authenticate to the specified external key store proxy. The specified external key 1459 * store proxy rejected a status request from KMS due to invalid credentials. This can indicate an error in 1460 * the credentials or in the identification of the external key store proxy.</li> 1461 * <li>XksProxyVpcEndpointServiceInUseException The request was rejected because the specified Amazon VPC 1462 * endpoint service is already associated with another external key store in this Amazon Web Services 1463 * Region. 
Each external key store in a Region must use a different Amazon VPC endpoint service.</li> 1464 * <li>XksProxyVpcEndpointServiceNotFoundException The request was rejected because KMS could not find the 1465 * specified VPC endpoint service. Use <a>DescribeCustomKeyStores</a> to verify the VPC endpoint service 1466 * name for the external key store. Also, confirm that the <code>Allow principals</code> list for the VPC 1467 * endpoint service includes the KMS service principal for the Region, such as 1468 * <code>cks.kms.us-east-1.amazonaws.com</code>.</li> 1469 * <li>XksProxyVpcEndpointServiceInvalidConfigurationException The request was rejected because the Amazon 1470 * VPC endpoint service configuration does not fulfill the requirements for an external key store. To 1471 * identify the cause, see the error message that accompanies the exception and <a 1472 * href="https://docs.aws.amazon.com/kms/latest/developerguide/vpc-connectivity.html#xks-vpc-requirements" 1473 * >review the requirements</a> for Amazon VPC endpoint service connectivity for an external key store.</li> 1474 * <li>XksProxyInvalidResponseException 1475 * <p> 1476 * KMS cannot interpret the response it received from the external key store proxy. The problem might be a 1477 * poorly constructed response, but it could also be a transient network issue. If you see this error 1478 * repeatedly, report it to the proxy vendor.</li> 1479 * <li>XksProxyInvalidConfigurationException The request was rejected because the external key store proxy 1480 * is not configured correctly. To identify the cause, see the error message that accompanies the exception. 1481 * </li> 1482 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 
* Can be used for catch all scenarios.</li>
     * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     * credentials, etc.</li>
     * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.CreateCustomKeyStore
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateCustomKeyStore" target="_top">AWS API
     * Documentation</a>
     */
    default CompletableFuture<CreateCustomKeyStoreResponse> createCustomKeyStore(CreateCustomKeyStoreRequest createCustomKeyStoreRequest) {
        // Interface default: nothing is sent to the service. The exception is raised on the calling thread
        // instead of being delivered through the returned CompletableFuture, so a caller that only attaches
        // exceptionally()/handle() to the result will not see it. Presumably the concrete client overrides
        // this method; that implementation is not part of this listing.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Creates a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom
     * key store</a> backed by a key store that you own and manage. When you use a KMS key in a custom key store for a
     * cryptographic operation, the cryptographic operation is actually performed in your key store using your keys. KMS
     * supports <a href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html">CloudHSM key
     * stores</a> backed by an <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/clusters.html">CloudHSM
     * cluster</a> and <a href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html">external
     * key stores</a> backed by an external key store proxy and external key manager outside of Amazon Web Services.
     * </p>
     * <p>
     * This operation is part of the <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key stores</a>
     * feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of
     * a key store that you own and manage.
     * </p>
     * <p>
     * Before you create the custom key store, the required elements must be in place and operational. We recommend that
     * you use the test tools that KMS provides to verify the configuration of your external key store proxy. For details
     * about the required elements and verification tests, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore">Assemble the
     * prerequisites (for CloudHSM key stores)</a> or <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keystore.html#xks-requirements">Assemble
     * the prerequisites (for external key stores)</a> in the <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * To create a custom key store, use the following parameters.
     * </p>
     * <ul>
     * <li>
     * <p>
     * To create an CloudHSM key store, specify the <code>CustomKeyStoreName</code>, <code>CloudHsmClusterId</code>,
     * <code>KeyStorePassword</code>, and <code>TrustAnchorCertificate</code>. The <code>CustomKeyStoreType</code>
     * parameter is optional for CloudHSM key stores. If you include it, set it to the default value,
     * <code>AWS_CLOUDHSM</code>. For help with failures, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html">Troubleshooting an CloudHSM key
     * store</a> in the <i>Key Management Service Developer Guide</i>.
1535 * </p> 1536 * </li> 1537 * <li> 1538 * <p> 1539 * To create an external key store, specify the <code>CustomKeyStoreName</code> and a 1540 * <code>CustomKeyStoreType</code> of <code>EXTERNAL_KEY_STORE</code>. Also, specify values for 1541 * <code>XksProxyConnectivity</code>, <code>XksProxyAuthenticationCredential</code>, 1542 * <code>XksProxyUriEndpoint</code>, and <code>XksProxyUriPath</code>. If your <code>XksProxyConnectivity</code> 1543 * value is <code>VPC_ENDPOINT_SERVICE</code>, specify the <code>XksProxyVpcEndpointServiceName</code> parameter. 1544 * For help with failures, see <a 1545 * href="https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html">Troubleshooting an external 1546 * key store</a> in the <i>Key Management Service Developer Guide</i>. 1547 * </p> 1548 * </li> 1549 * </ul> 1550 * <note> 1551 * <p> 1552 * For external key stores: 1553 * </p> 1554 * <p> 1555 * Some external key managers provide a simpler method for creating an external key store. For details, see your 1556 * external key manager documentation. 1557 * </p> 1558 * <p> 1559 * When creating an external key store in the KMS console, you can upload a JSON-based proxy configuration file with 1560 * the desired values. You cannot use a proxy configuration with the <code>CreateCustomKeyStore</code> operation. 1561 * However, you can use the values in the file to help you determine the correct values for the 1562 * <code>CreateCustomKeyStore</code> parameters. 1563 * </p> 1564 * </note> 1565 * <p> 1566 * When the operation completes successfully, it returns the ID of the new custom key store. Before you can use your 1567 * new custom key store, you need to use the <a>ConnectCustomKeyStore</a> operation to connect a new CloudHSM key 1568 * store to its CloudHSM cluster, or to connect a new external key store to the external key store proxy for your 1569 * external key manager. 
Even if you are not going to use your custom key store immediately, you might want to 1570 * connect it to verify that all settings are correct and then disconnect it until you are ready to use it. 1571 * </p> 1572 * <p> 1573 * For help with failures, see <a 1574 * href="https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html">Troubleshooting a custom key 1575 * store</a> in the <i>Key Management Service Developer Guide</i>. 1576 * </p> 1577 * <p> 1578 * <b>Cross-account use</b>: No. You cannot perform this operation on a custom key store in a different Amazon Web 1579 * Services account. 1580 * </p> 1581 * <p> 1582 * <b>Required permissions</b>: <a 1583 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 1584 * >kms:CreateCustomKeyStore</a> (IAM policy). 1585 * </p> 1586 * <p> 1587 * <b>Related operations:</b> 1588 * </p> 1589 * <ul> 1590 * <li> 1591 * <p> 1592 * <a>ConnectCustomKeyStore</a> 1593 * </p> 1594 * </li> 1595 * <li> 1596 * <p> 1597 * <a>DeleteCustomKeyStore</a> 1598 * </p> 1599 * </li> 1600 * <li> 1601 * <p> 1602 * <a>DescribeCustomKeyStores</a> 1603 * </p> 1604 * </li> 1605 * <li> 1606 * <p> 1607 * <a>DisconnectCustomKeyStore</a> 1608 * </p> 1609 * </li> 1610 * <li> 1611 * <p> 1612 * <a>UpdateCustomKeyStore</a> 1613 * </p> 1614 * </li> 1615 * </ul> 1616 * <p> 1617 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 1618 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 1619 * consistency</a>. 
1620 * </p> 1621 * <br/> 1622 * <p> 1623 * This is a convenience which creates an instance of the {@link CreateCustomKeyStoreRequest.Builder} avoiding the 1624 * need to create one manually via {@link CreateCustomKeyStoreRequest#builder()} 1625 * </p> 1626 * 1627 * @param createCustomKeyStoreRequest 1628 * A {@link Consumer} that will call methods on 1629 * {@link software.amazon.awssdk.services.kms.model.CreateCustomKeyStoreRequest.Builder} to create a request. 1630 * @return A Java Future containing the result of the CreateCustomKeyStore operation returned by the service.<br/> 1631 * The CompletableFuture returned by this method can be completed exceptionally with the following 1632 * exceptions. 1633 * <ul> 1634 * <li>CloudHsmClusterInUseException The request was rejected because the specified CloudHSM cluster is 1635 * already associated with an CloudHSM key store in the account, or it shares a backup history with an 1636 * CloudHSM key store in the account. Each CloudHSM key store in the account must be associated with a 1637 * different CloudHSM cluster.</p> 1638 * <p> 1639 * CloudHSM clusters that share a backup history have the same cluster certificate. To view the cluster 1640 * certificate of an CloudHSM cluster, use the <a 1641 * href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html" 1642 * >DescribeClusters</a> operation.</li> 1643 * <li>CustomKeyStoreNameInUseException The request was rejected because the specified custom key store name 1644 * is already assigned to another custom key store in the account. Try again with a custom key store name 1645 * that is unique in the account.</li> 1646 * <li>CloudHsmClusterNotFoundException The request was rejected because KMS cannot find the CloudHSM 1647 * cluster with the specified cluster ID. Retry the request with a different cluster ID.</li> 1648 * <li>KmsInternalException The request was rejected because an internal exception occurred. 
The request can 1649 * be retried.</li> 1650 * <li>CloudHsmClusterNotActiveException The request was rejected because the CloudHSM cluster associated 1651 * with the CloudHSM key store is not active. Initialize and activate the cluster and try the command again. 1652 * For detailed instructions, see <a 1653 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html">Getting Started</a> in 1654 * the <i>CloudHSM User Guide</i>.</li> 1655 * <li>IncorrectTrustAnchorException The request was rejected because the trust anchor certificate in the 1656 * request to create an CloudHSM key store is not the trust anchor certificate for the specified CloudHSM 1657 * cluster.</p> 1658 * <p> 1659 * When you <a 1660 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr">initialize 1661 * the CloudHSM cluster</a>, you create the trust anchor certificate and save it in the 1662 * <code>customerCA.crt</code> file.</li> 1663 * <li>CloudHsmClusterInvalidConfigurationException The request was rejected because the associated CloudHSM 1664 * cluster did not meet the configuration requirements for an CloudHSM key store.</p> 1665 * <ul> 1666 * <li> 1667 * <p> 1668 * The CloudHSM cluster must be configured with private subnets in at least two different Availability Zones 1669 * in the Region. 1670 * </p> 1671 * </li> 1672 * <li> 1673 * <p> 1674 * The <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">security group for 1675 * the cluster</a> (cloudhsm-cluster-<i><cluster-id></i>-sg) must include inbound rules and outbound 1676 * rules that allow TCP traffic on ports 2223-2225. The <b>Source</b> in the inbound rules and the 1677 * <b>Destination</b> in the outbound rules must match the security group ID. These rules are set by default 1678 * when you create the CloudHSM cluster. Do not delete or change them. 
To get information about a particular 1679 * security group, use the <a 1680 * href="https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html" 1681 * >DescribeSecurityGroups</a> operation. 1682 * </p> 1683 * </li> 1684 * <li> 1685 * <p> 1686 * The CloudHSM cluster must contain at least as many HSMs as the operation requires. To add HSMs, use the 1687 * CloudHSM <a 1688 * href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html">CreateHsm</a> 1689 * operation. 1690 * </p> 1691 * <p> 1692 * For the <a>CreateCustomKeyStore</a>, <a>UpdateCustomKeyStore</a>, and <a>CreateKey</a> operations, the 1693 * CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone. For the 1694 * <a>ConnectCustomKeyStore</a> operation, the CloudHSM must contain at least one active HSM. 1695 * </p> 1696 * </li> 1697 * </ul> 1698 * <p> 1699 * For information about the requirements for an CloudHSM cluster that is associated with an CloudHSM key 1700 * store, see <a 1701 * href="https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore" 1702 * >Assemble the Prerequisites</a> in the <i>Key Management Service Developer Guide</i>. For information 1703 * about creating a private subnet for an CloudHSM cluster, see <a 1704 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html">Create a Private 1705 * Subnet</a> in the <i>CloudHSM User Guide</i>. For information about cluster security groups, see <a 1706 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">Configure a Default 1707 * Security Group</a> in the <i> <i>CloudHSM User Guide</i> </i>.</li> 1708 * <li>LimitExceededException The request was rejected because a quota was exceeded. 
For more information, 1709 * see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the <i>Key 1710 * Management Service Developer Guide</i>.</li> 1711 * <li>XksProxyUriInUseException The request was rejected because the concatenation of the 1712 * <code>XksProxyUriEndpoint</code> and <code>XksProxyUriPath</code> is already associated with another 1713 * external key store in this Amazon Web Services Region. Each external key store in a Region must use a 1714 * unique external key store proxy API address.</li> 1715 * <li>XksProxyUriEndpointInUseException The request was rejected because the 1716 * <code>XksProxyUriEndpoint</code> is already associated with another external key store in this Amazon Web 1717 * Services Region. To identify the cause, see the error message that accompanies the exception.</li> 1718 * <li>XksProxyUriUnreachableException KMS was unable to reach the specified <code>XksProxyUriPath</code>. 1719 * The path must be reachable before you create the external key store or update its settings.</p> 1720 * <p> 1721 * This exception is also thrown when the external key store proxy response to a 1722 * <code>GetHealthStatus</code> request indicates that all external key manager instances are unavailable.</li> 1723 * <li>XksProxyIncorrectAuthenticationCredentialException The request was rejected because the proxy 1724 * credentials failed to authenticate to the specified external key store proxy. The specified external key 1725 * store proxy rejected a status request from KMS due to invalid credentials. This can indicate an error in 1726 * the credentials or in the identification of the external key store proxy.</li> 1727 * <li>XksProxyVpcEndpointServiceInUseException The request was rejected because the specified Amazon VPC 1728 * endpoint service is already associated with another external key store in this Amazon Web Services 1729 * Region. 
Each external key store in a Region must use a different Amazon VPC endpoint service.</li> 1730 * <li>XksProxyVpcEndpointServiceNotFoundException The request was rejected because KMS could not find the 1731 * specified VPC endpoint service. Use <a>DescribeCustomKeyStores</a> to verify the VPC endpoint service 1732 * name for the external key store. Also, confirm that the <code>Allow principals</code> list for the VPC 1733 * endpoint service includes the KMS service principal for the Region, such as 1734 * <code>cks.kms.us-east-1.amazonaws.com</code>.</li> 1735 * <li>XksProxyVpcEndpointServiceInvalidConfigurationException The request was rejected because the Amazon 1736 * VPC endpoint service configuration does not fulfill the requirements for an external key store. To 1737 * identify the cause, see the error message that accompanies the exception and <a 1738 * href="https://docs.aws.amazon.com/kms/latest/developerguide/vpc-connectivity.html#xks-vpc-requirements" 1739 * >review the requirements</a> for Amazon VPC endpoint service connectivity for an external key store.</li> 1740 * <li>XksProxyInvalidResponseException 1741 * <p> 1742 * KMS cannot interpret the response it received from the external key store proxy. The problem might be a 1743 * poorly constructed response, but it could also be a transient network issue. If you see this error 1744 * repeatedly, report it to the proxy vendor.</li> 1745 * <li>XksProxyInvalidConfigurationException The request was rejected because the external key store proxy 1746 * is not configured correctly. To identify the cause, see the error message that accompanies the exception. 1747 * </li> 1748 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 
* Can be used for catch all scenarios.</li>
     * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     * credentials, etc.</li>
     * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.CreateCustomKeyStore
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateCustomKeyStore" target="_top">AWS API
     * Documentation</a>
     */
    default CompletableFuture<CreateCustomKeyStoreResponse> createCustomKeyStore(
            Consumer<CreateCustomKeyStoreRequest.Builder> createCustomKeyStoreRequest) {
        // Build the request from the caller's builder mutator first, then hand it to the overload that takes a
        // CreateCustomKeyStoreRequest. The built request can carry KeyStorePassword or
        // XksProxyAuthenticationCredential values (both are listed as parameters in this method's Javadoc),
        // so keep it out of application logs and traces.
        CreateCustomKeyStoreRequest request =
                CreateCustomKeyStoreRequest.builder().applyMutation(createCustomKeyStoreRequest).build();
        return createCustomKeyStore(request);
    }

    /**
     * <p>
     * Adds a grant to a KMS key.
     * </p>
     * <p>
     * A <i>grant</i> is a policy instrument that allows Amazon Web Services principals to use KMS keys in cryptographic
     * operations. It also can allow them to view a KMS key (<a>DescribeKey</a>) and create and manage grants. When
     * authorizing access to a KMS key, grants are considered along with key policies and IAM policies. Grants are often
     * used for temporary permissions because you can create one, use its permissions, and delete it without changing
     * your key policies or IAM policies.
     * </p>
     * <p>
     * For detailed information about grants, including grant terminology, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html">Grants in KMS</a> in the <i> <i>Key
     * Management Service Developer Guide</i> </i>.
For examples of working with grants in several programming 1779 * languages, see <a 1780 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html">Programming grants</a>. 1781 * </p> 1782 * <p> 1783 * The <code>CreateGrant</code> operation returns a <code>GrantToken</code> and a <code>GrantId</code>. 1784 * </p> 1785 * <ul> 1786 * <li> 1787 * <p> 1788 * When you create, retire, or revoke a grant, there might be a brief delay, usually less than five minutes, until 1789 * the grant is available throughout KMS. This state is known as <i>eventual consistency</i>. Once the grant has 1790 * achieved eventual consistency, the grantee principal can use the permissions in the grant without identifying the 1791 * grant. 1792 * </p> 1793 * <p> 1794 * However, to use the permissions in the grant immediately, use the <code>GrantToken</code> that 1795 * <code>CreateGrant</code> returns. For details, see <a 1796 * href="https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token">Using a grant 1797 * token</a> in the <i> <i>Key Management Service Developer Guide</i> </i>. 1798 * </p> 1799 * </li> 1800 * <li> 1801 * <p> 1802 * The <code>CreateGrant</code> operation also returns a <code>GrantId</code>. You can use the <code>GrantId</code> 1803 * and a key identifier to identify the grant in the <a>RetireGrant</a> and <a>RevokeGrant</a> operations. To find 1804 * the grant ID, use the <a>ListGrants</a> or <a>ListRetirableGrants</a> operations. 1805 * </p> 1806 * </li> 1807 * </ul> 1808 * <p> 1809 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 1810 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 1811 * <i>Key Management Service Developer Guide</i>. 1812 * </p> 1813 * <p> 1814 * <b>Cross-account use</b>: Yes. 
To perform this operation on a KMS key in a different Amazon Web Services account, 1815 * specify the key ARN in the value of the <code>KeyId</code> parameter. 1816 * </p> 1817 * <p> 1818 * <b>Required permissions</b>: <a 1819 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 1820 * >kms:CreateGrant</a> (key policy) 1821 * </p> 1822 * <p> 1823 * <b>Related operations:</b> 1824 * </p> 1825 * <ul> 1826 * <li> 1827 * <p> 1828 * <a>ListGrants</a> 1829 * </p> 1830 * </li> 1831 * <li> 1832 * <p> 1833 * <a>ListRetirableGrants</a> 1834 * </p> 1835 * </li> 1836 * <li> 1837 * <p> 1838 * <a>RetireGrant</a> 1839 * </p> 1840 * </li> 1841 * <li> 1842 * <p> 1843 * <a>RevokeGrant</a> 1844 * </p> 1845 * </li> 1846 * </ul> 1847 * <p> 1848 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 1849 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 1850 * consistency</a>. 1851 * </p> 1852 * 1853 * @param createGrantRequest 1854 * @return A Java Future containing the result of the CreateGrant operation returned by the service.<br/> 1855 * The CompletableFuture returned by this method can be completed exceptionally with the following 1856 * exceptions. 1857 * <ul> 1858 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 1859 * found.</li> 1860 * <li>DisabledException The request was rejected because the specified KMS key is not enabled.</li> 1861 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 1862 * the request.</li> 1863 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 1864 * not valid.</li> 1865 * <li>KmsInternalException The request was rejected because an internal exception occurred. 
The request can 1866 * be retried.</li> 1867 * <li>InvalidGrantTokenException The request was rejected because the specified grant token is not valid.</li> 1868 * <li>LimitExceededException The request was rejected because a quota was exceeded. For more information, 1869 * see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the <i>Key 1870 * Management Service Developer Guide</i>.</li> 1871 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 1872 * valid for this request.</p> 1873 * <p> 1874 * This exception means one of the following: 1875 * </p> 1876 * <ul> 1877 * <li> 1878 * <p> 1879 * The key state of the KMS key is not compatible with the operation. 1880 * </p> 1881 * <p> 1882 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 1883 * are compatible with each KMS operation, see <a 1884 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 1885 * the <i> <i>Key Management Service Developer Guide</i> </i>. 1886 * </p> 1887 * </li> 1888 * <li> 1889 * <p> 1890 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 1891 * failure with many possible causes. To identify the cause, see the error message that accompanies the 1892 * exception. 1893 * </p> 1894 * </li></ul></li> 1895 * <li>DryRunOperationException The request was rejected because the DryRun parameter was specified.</li> 1896 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 1897 * Can be used for catch all scenarios.</li> 1898 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 1899 * credentials, etc.</li> 1900 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.CreateGrant
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateGrant" target="_top">AWS API
     * Documentation</a>
     */
    default CompletableFuture<CreateGrantResponse> createGrant(CreateGrantRequest createGrantRequest) {
        // Default stub: the exception is thrown on the calling thread, not delivered through the
        // returned CompletableFuture, so handlers attached to the future never see it.
        // Presumably the generated client implementation overrides this method -- confirm.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Adds a grant to a KMS key.
     * </p>
     * <p>
     * A <i>grant</i> is a policy instrument that allows Amazon Web Services principals to use KMS keys in cryptographic
     * operations. It also can allow them to view a KMS key (<a>DescribeKey</a>) and create and manage grants. When
     * authorizing access to a KMS key, grants are considered along with key policies and IAM policies. Grants are often
     * used for temporary permissions because you can create one, use its permissions, and delete it without changing
     * your key policies or IAM policies.
     * </p>
     * <p>
     * For detailed information about grants, including grant terminology, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html">Grants in KMS</a> in the <i> <i>Key
     * Management Service Developer Guide</i> </i>. For examples of working with grants in several programming
     * languages, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html">Programming grants</a>.
     * </p>
     * <p>
     * The <code>CreateGrant</code> operation returns a <code>GrantToken</code> and a <code>GrantId</code>.
     * </p>
     * <ul>
     * <li>
     * <p>
     * When you create, retire, or revoke a grant, there might be a brief delay, usually less than five minutes, until
     * the grant is available throughout KMS. This state is known as <i>eventual consistency</i>.
Once the grant has 1937 * achieved eventual consistency, the grantee principal can use the permissions in the grant without identifying the 1938 * grant. 1939 * </p> 1940 * <p> 1941 * However, to use the permissions in the grant immediately, use the <code>GrantToken</code> that 1942 * <code>CreateGrant</code> returns. For details, see <a 1943 * href="https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token">Using a grant 1944 * token</a> in the <i> <i>Key Management Service Developer Guide</i> </i>. 1945 * </p> 1946 * </li> 1947 * <li> 1948 * <p> 1949 * The <code>CreateGrant</code> operation also returns a <code>GrantId</code>. You can use the <code>GrantId</code> 1950 * and a key identifier to identify the grant in the <a>RetireGrant</a> and <a>RevokeGrant</a> operations. To find 1951 * the grant ID, use the <a>ListGrants</a> or <a>ListRetirableGrants</a> operations. 1952 * </p> 1953 * </li> 1954 * </ul> 1955 * <p> 1956 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 1957 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 1958 * <i>Key Management Service Developer Guide</i>. 1959 * </p> 1960 * <p> 1961 * <b>Cross-account use</b>: Yes. To perform this operation on a KMS key in a different Amazon Web Services account, 1962 * specify the key ARN in the value of the <code>KeyId</code> parameter. 
1963 * </p> 1964 * <p> 1965 * <b>Required permissions</b>: <a 1966 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 1967 * >kms:CreateGrant</a> (key policy) 1968 * </p> 1969 * <p> 1970 * <b>Related operations:</b> 1971 * </p> 1972 * <ul> 1973 * <li> 1974 * <p> 1975 * <a>ListGrants</a> 1976 * </p> 1977 * </li> 1978 * <li> 1979 * <p> 1980 * <a>ListRetirableGrants</a> 1981 * </p> 1982 * </li> 1983 * <li> 1984 * <p> 1985 * <a>RetireGrant</a> 1986 * </p> 1987 * </li> 1988 * <li> 1989 * <p> 1990 * <a>RevokeGrant</a> 1991 * </p> 1992 * </li> 1993 * </ul> 1994 * <p> 1995 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 1996 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 1997 * consistency</a>. 1998 * </p> 1999 * <br/> 2000 * <p> 2001 * This is a convenience which creates an instance of the {@link CreateGrantRequest.Builder} avoiding the need to 2002 * create one manually via {@link CreateGrantRequest#builder()} 2003 * </p> 2004 * 2005 * @param createGrantRequest 2006 * A {@link Consumer} that will call methods on 2007 * {@link software.amazon.awssdk.services.kms.model.CreateGrantRequest.Builder} to create a request. 2008 * @return A Java Future containing the result of the CreateGrant operation returned by the service.<br/> 2009 * The CompletableFuture returned by this method can be completed exceptionally with the following 2010 * exceptions. 2011 * <ul> 2012 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 2013 * found.</li> 2014 * <li>DisabledException The request was rejected because the specified KMS key is not enabled.</li> 2015 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. 
You can retry 2016 * the request.</li> 2017 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 2018 * not valid.</li> 2019 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 2020 * be retried.</li> 2021 * <li>InvalidGrantTokenException The request was rejected because the specified grant token is not valid.</li> 2022 * <li>LimitExceededException The request was rejected because a quota was exceeded. For more information, 2023 * see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the <i>Key 2024 * Management Service Developer Guide</i>.</li> 2025 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 2026 * valid for this request.</p> 2027 * <p> 2028 * This exception means one of the following: 2029 * </p> 2030 * <ul> 2031 * <li> 2032 * <p> 2033 * The key state of the KMS key is not compatible with the operation. 2034 * </p> 2035 * <p> 2036 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 2037 * are compatible with each KMS operation, see <a 2038 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 2039 * the <i> <i>Key Management Service Developer Guide</i> </i>. 2040 * </p> 2041 * </li> 2042 * <li> 2043 * <p> 2044 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 2045 * failure with many possible causes. To identify the cause, see the error message that accompanies the 2046 * exception. 2047 * </p> 2048 * </li></ul></li> 2049 * <li>DryRunOperationException The request was rejected because the DryRun parameter was specified.</li> 2050 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 
* Can be used for catch all scenarios.</li>
     * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     * credentials, etc.</li>
     * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.CreateGrant
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateGrant" target="_top">AWS API
     * Documentation</a>
     */
    default CompletableFuture<CreateGrantResponse> createGrant(Consumer<CreateGrantRequest.Builder> createGrantRequest) {
        // Run the caller's mutator against a fresh builder, then pass the finished request to the
        // overload that accepts a built CreateGrantRequest.
        // NOTE(review): a grant lets the grantee use the key until the grant is retired or revoked, so
        // the mutator should name only the operations the grantee needs and the intended grantee
        // principal; nothing in this method inspects or narrows what the mutator sets.
        CreateGrantRequest builtRequest = CreateGrantRequest.builder().applyMutation(createGrantRequest).build();
        return createGrant(builtRequest);
    }

    /**
     * <p>
     * Creates a unique customer managed <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms-keys">KMS key</a> in your Amazon
     * Web Services account and Region. You can use a KMS key in cryptographic operations, such as encryption and
     * signing. Some Amazon Web Services services let you use KMS keys that you create and manage to protect your
     * service resources.
     * </p>
     * <p>
     * A KMS key is a logical representation of a cryptographic key. In addition to the key material used in
     * cryptographic operations, a KMS key includes metadata, such as the key ID, key policy, creation date,
     * description, and key state. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/getting-started.html">Managing keys</a> in the <i>Key
     * Management Service Developer Guide</i>
     * </p>
     * <p>
     * Use the parameters of <code>CreateKey</code> to specify the type of KMS key, the source of its key material, its
     * key policy, description, tags, and other properties.
2083 * </p> 2084 * <note> 2085 * <p> 2086 * KMS has replaced the term <i>customer master key (CMK)</i> with <i>KMS key</i>. The concept 2087 * has not changed. To prevent breaking changes, KMS is keeping some variations of this term. 2088 * </p> 2089 * </note> 2090 * <p> 2091 * To create different types of KMS keys, use the following guidance: 2092 * </p> 2093 * <dl> 2094 * <dt>Symmetric encryption KMS key</dt> 2095 * <dd> 2096 * <p> 2097 * By default, <code>CreateKey</code> creates a symmetric encryption KMS key with key material that KMS generates. 2098 * This is the basic and most widely used type of KMS key, and provides the best performance. 2099 * </p> 2100 * <p> 2101 * To create a symmetric encryption KMS key, you don't need to specify any parameters. The default value for 2102 * <code>KeySpec</code>, <code>SYMMETRIC_DEFAULT</code>, the default value for <code>KeyUsage</code>, 2103 * <code>ENCRYPT_DECRYPT</code>, and the default value for <code>Origin</code>, <code>AWS_KMS</code>, create a 2104 * symmetric encryption KMS key with KMS key material. 2105 * </p> 2106 * <p> 2107 * If you need a key for basic encryption and decryption or you are creating a KMS key to protect your resources in 2108 * an Amazon Web Services service, create a symmetric encryption KMS key. The key material in a symmetric encryption 2109 * key never leaves KMS unencrypted. You can use a symmetric encryption KMS key to encrypt and decrypt data up to 2110 * 4,096 bytes, but these keys are typically used to generate data keys and data key pairs. For details, see 2111 * <a>GenerateDataKey</a> and <a>GenerateDataKeyPair</a>. 2112 * </p> 2113 * <p> 2114 * </p></dd> 2115 * <dt>Asymmetric KMS keys</dt> 2116 * <dd> 2117 * <p> 2118 * To create an asymmetric KMS key, use the <code>KeySpec</code> parameter to specify the type of key material in 2119 * the KMS key. 
Then, use the <code>KeyUsage</code> parameter to determine whether the KMS key will be used to 2120 * encrypt and decrypt or sign and verify. You can't change these properties after the KMS key is created. 2121 * </p> 2122 * <p> 2123 * Asymmetric KMS keys contain an RSA key pair, Elliptic Curve (ECC) key pair, or an SM2 key pair (China Regions 2124 * only). The private key in an asymmetric KMS key never leaves KMS unencrypted. However, you can use the 2125 * <a>GetPublicKey</a> operation to download the public key so it can be used outside of KMS. KMS keys with RSA or 2126 * SM2 key pairs can be used to encrypt or decrypt data or sign and verify messages (but not both). KMS keys with 2127 * ECC key pairs can be used only to sign and verify messages. For information about asymmetric KMS keys, see <a 2128 * href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in 2129 * the <i>Key Management Service Developer Guide</i>. 2130 * </p> 2131 * <p> 2132 * </p></dd> 2133 * <dt>HMAC KMS key</dt> 2134 * <dd> 2135 * <p> 2136 * To create an HMAC KMS key, set the <code>KeySpec</code> parameter to a key spec value for HMAC KMS keys. Then set 2137 * the <code>KeyUsage</code> parameter to <code>GENERATE_VERIFY_MAC</code>. You must set the key usage even though 2138 * <code>GENERATE_VERIFY_MAC</code> is the only valid key usage value for HMAC KMS keys. You can't change these 2139 * properties after the KMS key is created. 2140 * </p> 2141 * <p> 2142 * HMAC KMS keys are symmetric keys that never leave KMS unencrypted. You can use HMAC keys to generate 2143 * (<a>GenerateMac</a>) and verify (<a>VerifyMac</a>) HMAC codes for messages up to 4096 bytes. 
2144 * </p> 2145 * <p> 2146 * </p></dd> 2147 * <dt>Multi-Region primary keys</dt> 2148 * <dt>Imported key material</dt> 2149 * <dd> 2150 * <p> 2151 * To create a multi-Region <i>primary key</i> in the local Amazon Web Services Region, use the 2152 * <code>MultiRegion</code> parameter with a value of <code>True</code>. To create a multi-Region <i>replica 2153 * key</i>, that is, a KMS key with the same key ID and key material as a primary key, but in a different Amazon Web 2154 * Services Region, use the <a>ReplicateKey</a> operation. To change a replica key to a primary key, and its primary 2155 * key to a replica key, use the <a>UpdatePrimaryRegion</a> operation. 2156 * </p> 2157 * <p> 2158 * You can create multi-Region KMS keys for all supported KMS key types: symmetric encryption KMS keys, HMAC KMS 2159 * keys, asymmetric encryption KMS keys, and asymmetric signing KMS keys. You can also create multi-Region keys with 2160 * imported key material. However, you can't create multi-Region keys in a custom key store. 2161 * </p> 2162 * <p> 2163 * This operation supports <i>multi-Region keys</i>, an KMS feature that lets you create multiple interoperable KMS 2164 * keys in different Amazon Web Services Regions. Because these KMS keys have the same key ID, key material, and 2165 * other metadata, you can use them interchangeably to encrypt data in one Amazon Web Services Region and decrypt it 2166 * in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more 2167 * information about multi-Region keys, see <a 2168 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html">Multi-Region keys in 2169 * KMS</a> in the <i>Key Management Service Developer Guide</i>. 2170 * </p> 2171 * <p> 2172 * </p></dd> 2173 * <dd> 2174 * <p> 2175 * To import your own key material into a KMS key, begin by creating a KMS key with no key material. 
To do this, use 2176 * the <code>Origin</code> parameter of <code>CreateKey</code> with a value of <code>EXTERNAL</code>. Next, use 2177 * <a>GetParametersForImport</a> operation to get a public key and import token. Use the wrapping public key to 2178 * encrypt your key material. Then, use <a>ImportKeyMaterial</a> with your import token to import the key material. 2179 * For step-by-step instructions, see <a 2180 * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing Key Material</a> in 2181 * the <i> <i>Key Management Service Developer Guide</i> </i>. 2182 * </p> 2183 * <p> 2184 * You can import key material into KMS keys of all supported KMS key types: symmetric encryption KMS keys, HMAC KMS 2185 * keys, asymmetric encryption KMS keys, and asymmetric signing KMS keys. You can also create multi-Region keys with 2186 * imported key material. However, you can't import key material into a KMS key in a custom key store. 2187 * </p> 2188 * <p> 2189 * To create a multi-Region primary key with imported key material, use the <code>Origin</code> parameter of 2190 * <code>CreateKey</code> with a value of <code>EXTERNAL</code> and the <code>MultiRegion</code> parameter with a 2191 * value of <code>True</code>. To create replicas of the multi-Region primary key, use the <a>ReplicateKey</a> 2192 * operation. For instructions, see <a 2193 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-import.html ">Importing key 2194 * material into multi-Region keys</a>. For more information about multi-Region keys, see <a 2195 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html">Multi-Region keys in 2196 * KMS</a> in the <i>Key Management Service Developer Guide</i>. 
2197 * </p> 2198 * <p> 2199 * </p></dd> 2200 * <dt>Custom key store</dt> 2201 * <dd> 2202 * <p> 2203 * A <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key 2204 * store</a> lets you protect your Amazon Web Services resources using keys in a backing key store that you own and 2205 * manage. When you request a cryptographic operation with a KMS key in a custom key store, the operation is 2206 * performed in the backing key store using its cryptographic keys. 2207 * </p> 2208 * <p> 2209 * KMS supports <a href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html">CloudHSM key 2210 * stores</a> backed by an CloudHSM cluster and <a 2211 * href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html">external key stores</a> 2212 * backed by an external key manager outside of Amazon Web Services. When you create a KMS key in an CloudHSM key 2213 * store, KMS generates an encryption key in the CloudHSM cluster and associates it with the KMS key. When you 2214 * create a KMS key in an external key store, you specify an existing encryption key in the external key manager. 2215 * </p> 2216 * <note> 2217 * <p> 2218 * Some external key managers provide a simpler method for creating a KMS key in an external key store. For details, 2219 * see your external key manager documentation. 2220 * </p> 2221 * </note> 2222 * <p> 2223 * Before you create a KMS key in a custom key store, the <code>ConnectionState</code> of the key store must be 2224 * <code>CONNECTED</code>. To connect the custom key store, use the <a>ConnectCustomKeyStore</a> operation. To find 2225 * the <code>ConnectionState</code>, use the <a>DescribeCustomKeyStores</a> operation. 2226 * </p> 2227 * <p> 2228 * To create a KMS key in a custom key store, use the <code>CustomKeyStoreId</code>. 
Use the default 2229 * <code>KeySpec</code> value, <code>SYMMETRIC_DEFAULT</code>, and the default <code>KeyUsage</code> value, 2230 * <code>ENCRYPT_DECRYPT</code> to create a symmetric encryption key. No other key type is supported in a custom key 2231 * store. 2232 * </p> 2233 * <p> 2234 * To create a KMS key in an <a 2235 * href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html">CloudHSM key store</a>, use 2236 * the <code>Origin</code> parameter with a value of <code>AWS_CLOUDHSM</code>. The CloudHSM cluster that is 2237 * associated with the custom key store must have at least two active HSMs in different Availability Zones in the 2238 * Amazon Web Services Region. 2239 * </p> 2240 * <p> 2241 * To create a KMS key in an <a 2242 * href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html">external key store</a>, use 2243 * the <code>Origin</code> parameter with a value of <code>EXTERNAL_KEY_STORE</code> and an <code>XksKeyId</code> 2244 * parameter that identifies an existing external key. 2245 * </p> 2246 * <note> 2247 * <p> 2248 * Some external key managers provide a simpler method for creating a KMS key in an external key store. For details, 2249 * see your external key manager documentation. 2250 * </p> 2251 * </note></dd> 2252 * </dl> 2253 * <p> 2254 * <b>Cross-account use</b>: No. You cannot use this operation to create a KMS key in a different Amazon Web 2255 * Services account. 2256 * </p> 2257 * <p> 2258 * <b>Required permissions</b>: <a 2259 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:CreateKey</a> 2260 * (IAM policy). To use the <code>Tags</code> parameter, <a 2261 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 2262 * >kms:TagResource</a> (IAM policy). 
For examples and information about related permissions, see <a 2263 * href="https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-create-key" 2264 * >Allow a user to create KMS keys</a> in the <i>Key Management Service Developer Guide</i>. 2265 * </p> 2266 * <p> 2267 * <b>Related operations:</b> 2268 * </p> 2269 * <ul> 2270 * <li> 2271 * <p> 2272 * <a>DescribeKey</a> 2273 * </p> 2274 * </li> 2275 * <li> 2276 * <p> 2277 * <a>ListKeys</a> 2278 * </p> 2279 * </li> 2280 * <li> 2281 * <p> 2282 * <a>ScheduleKeyDeletion</a> 2283 * </p> 2284 * </li> 2285 * </ul> 2286 * <p> 2287 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 2288 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 2289 * consistency</a>. 2290 * </p> 2291 * 2292 * @param createKeyRequest 2293 * @return A Java Future containing the result of the CreateKey operation returned by the service.<br/> 2294 * The CompletableFuture returned by this method can be completed exceptionally with the following 2295 * exceptions. 2296 * <ul> 2297 * <li>MalformedPolicyDocumentException The request was rejected because the specified policy is not 2298 * syntactically or semantically correct.</li> 2299 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 2300 * the request.</li> 2301 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 2302 * not valid.</li> 2303 * <li>UnsupportedOperationException The request was rejected because a specified parameter is not supported 2304 * or a specified resource is not valid for this operation.</li> 2305 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 2306 * be retried.</li> 2307 * <li>LimitExceededException The request was rejected because a quota was exceeded. 
For more information, 2308 * see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the <i>Key 2309 * Management Service Developer Guide</i>.</li> 2310 * <li>TagException The request was rejected because one or more tags are not valid.</li> 2311 * <li>CustomKeyStoreNotFoundException The request was rejected because KMS cannot find a custom key store 2312 * with the specified key store name or ID.</li> 2313 * <li>CustomKeyStoreInvalidStateException The request was rejected because of the 2314 * <code>ConnectionState</code> of the custom key store. To get the <code>ConnectionState</code> of a custom 2315 * key store, use the <a>DescribeCustomKeyStores</a> operation.</p> 2316 * <p> 2317 * This exception is thrown under the following conditions: 2318 * </p> 2319 * <ul> 2320 * <li> 2321 * <p> 2322 * You requested the <a>ConnectCustomKeyStore</a> operation on a custom key store with a 2323 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>FAILED</code>. This operation is 2324 * valid for all other <code>ConnectionState</code> values. To reconnect a custom key store in a 2325 * <code>FAILED</code> state, disconnect it (<a>DisconnectCustomKeyStore</a>), then connect it ( 2326 * <code>ConnectCustomKeyStore</code>). 2327 * </p> 2328 * </li> 2329 * <li> 2330 * <p> 2331 * You requested the <a>CreateKey</a> operation in a custom key store that is not connected. This operation 2332 * is valid only when the custom key store <code>ConnectionState</code> is <code>CONNECTED</code>. 2333 * </p> 2334 * </li> 2335 * <li> 2336 * <p> 2337 * You requested the <a>DisconnectCustomKeyStore</a> operation on a custom key store with a 2338 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>DISCONNECTED</code>. This operation 2339 * is valid for all other <code>ConnectionState</code> values. 
2340 * </p> 2341 * </li> 2342 * <li> 2343 * <p> 2344 * You requested the <a>UpdateCustomKeyStore</a> or <a>DeleteCustomKeyStore</a> operation on a custom key 2345 * store that is not disconnected. This operation is valid only when the custom key store 2346 * <code>ConnectionState</code> is <code>DISCONNECTED</code>. 2347 * </p> 2348 * </li> 2349 * <li> 2350 * <p> 2351 * You requested the <a>GenerateRandom</a> operation in an CloudHSM key store that is not connected. This 2352 * operation is valid only when the CloudHSM key store <code>ConnectionState</code> is 2353 * <code>CONNECTED</code>. 2354 * </p> 2355 * </li></li> 2356 * <li>CloudHsmClusterInvalidConfigurationException The request was rejected because the associated CloudHSM 2357 * cluster did not meet the configuration requirements for an CloudHSM key store.</p> 2358 * <ul> 2359 * <li> 2360 * <p> 2361 * The CloudHSM cluster must be configured with private subnets in at least two different Availability Zones 2362 * in the Region. 2363 * </p> 2364 * </li> 2365 * <li> 2366 * <p> 2367 * The <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">security group for 2368 * the cluster</a> (cloudhsm-cluster-<i><cluster-id></i>-sg) must include inbound rules and outbound 2369 * rules that allow TCP traffic on ports 2223-2225. The <b>Source</b> in the inbound rules and the 2370 * <b>Destination</b> in the outbound rules must match the security group ID. These rules are set by default 2371 * when you create the CloudHSM cluster. Do not delete or change them. To get information about a particular 2372 * security group, use the <a 2373 * href="https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html" 2374 * >DescribeSecurityGroups</a> operation. 2375 * </p> 2376 * </li> 2377 * <li> 2378 * <p> 2379 * The CloudHSM cluster must contain at least as many HSMs as the operation requires. 
To add HSMs, use the 2380 * CloudHSM <a 2381 * href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html">CreateHsm</a> 2382 * operation. 2383 * </p> 2384 * <p> 2385 * For the <a>CreateCustomKeyStore</a>, <a>UpdateCustomKeyStore</a>, and <a>CreateKey</a> operations, the 2386 * CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone. For the 2387 * <a>ConnectCustomKeyStore</a> operation, the CloudHSM must contain at least one active HSM. 2388 * </p> 2389 * </li> 2390 * </ul> 2391 * <p> 2392 * For information about the requirements for an CloudHSM cluster that is associated with an CloudHSM key 2393 * store, see <a 2394 * href="https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore" 2395 * >Assemble the Prerequisites</a> in the <i>Key Management Service Developer Guide</i>. For information 2396 * about creating a private subnet for an CloudHSM cluster, see <a 2397 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html">Create a Private 2398 * Subnet</a> in the <i>CloudHSM User Guide</i>. For information about cluster security groups, see <a 2399 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">Configure a Default 2400 * Security Group</a> in the <i> <i>CloudHSM User Guide</i> </i>.</li> 2401 * <li>XksKeyInvalidConfigurationException The request was rejected because the external key specified by 2402 * the <code>XksKeyId</code> parameter did not meet the configuration requirements for an external key 2403 * store.</p> 2404 * <p> 2405 * The external key must be an AES-256 symmetric key that is enabled and performs encryption and decryption. 2406 * </li> 2407 * <li>XksKeyAlreadyInUseException The request was rejected because the (<code>XksKeyId</code>) is already 2408 * associated with another KMS key in this external key store. 
Each KMS key in an external key store must be
     * associated with a different external key.</li>
     * <li>XksKeyNotFoundException The request was rejected because the external key store proxy could not find
     * the external key. This exception is thrown when the value of the <code>XksKeyId</code> parameter doesn't
     * identify a key in the external key manager associated with the external key proxy.</p>
     * <p>
     * Verify that the <code>XksKeyId</code> represents an existing key in the external key manager. Use the key
     * identifier that the external key store proxy uses to identify the key. For details, see the documentation
     * provided with your external key store proxy or key manager.</li>
     * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     * Can be used for catch all scenarios.</li>
     * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     * credentials, etc.</li>
     * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.CreateKey
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKey" target="_top">AWS API
     * Documentation</a>
     */
    default CompletableFuture<CreateKeyResponse> createKey(CreateKeyRequest createKeyRequest) {
        // Default stub: the exception is thrown on the calling thread, not delivered through the
        // returned CompletableFuture.
        // NOTE(review): the Javadoc above also lists an UnsupportedOperationException as a service-side
        // rejection. This statement presumably raises java.lang's exception of the same name (no KMS
        // model import for it is visible here -- confirm), so a catch block should check which of the
        // two it is handling before treating it as a rejected CreateKey parameter.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Creates a unique customer managed <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms-keys">KMS key</a> in your Amazon
     * Web Services account and Region. You can use a KMS key in cryptographic operations, such as encryption and
     * signing. Some Amazon Web Services services let you use KMS keys that you create and manage to protect your
     * service resources.
2439 * </p> 2440 * <p> 2441 * A KMS key is a logical representation of a cryptographic key. In addition to the key material used in 2442 * cryptographic operations, a KMS key includes metadata, such as the key ID, key policy, creation date, 2443 * description, and key state. For details, see <a 2444 * href="https://docs.aws.amazon.com/kms/latest/developerguide/getting-started.html">Managing keys</a> in the <i>Key 2445 * Management Service Developer Guide</i>. 2446 * </p> 2447 * <p> 2448 * Use the parameters of <code>CreateKey</code> to specify the type of KMS key, the source of its key material, its 2449 * key policy, description, tags, and other properties. 2450 * </p> 2451 * <note> 2452 * <p> 2453 * KMS has replaced the term <i>customer master key (CMK)</i> with <i>KMS key</i>. The concept 2454 * has not changed. To prevent breaking changes, KMS is keeping some variations of this term. 2455 * </p> 2456 * </note> 2457 * <p> 2458 * To create different types of KMS keys, use the following guidance: 2459 * </p> 2460 * <dl> 2461 * <dt>Symmetric encryption KMS key</dt> 2462 * <dd> 2463 * <p> 2464 * By default, <code>CreateKey</code> creates a symmetric encryption KMS key with key material that KMS generates. 2465 * This is the basic and most widely used type of KMS key, and provides the best performance. 2466 * </p> 2467 * <p> 2468 * To create a symmetric encryption KMS key, you don't need to specify any parameters. The default value for 2469 * <code>KeySpec</code>, <code>SYMMETRIC_DEFAULT</code>, the default value for <code>KeyUsage</code>, 2470 * <code>ENCRYPT_DECRYPT</code>, and the default value for <code>Origin</code>, <code>AWS_KMS</code>, create a 2471 * symmetric encryption KMS key with KMS key material. 2472 * </p> 2473 * <p> 2474 * If you need a key for basic encryption and decryption or you are creating a KMS key to protect your resources in 2475 * an Amazon Web Services service, create a symmetric encryption KMS key. 
The key material in a symmetric encryption 2476 * key never leaves KMS unencrypted. You can use a symmetric encryption KMS key to encrypt and decrypt data up to 2477 * 4,096 bytes, but they are typically used to generate data keys and data key pairs. For details, see 2478 * <a>GenerateDataKey</a> and <a>GenerateDataKeyPair</a>. 2479 * </p> 2480 * <p> 2481 * </p></dd> 2482 * <dt>Asymmetric KMS keys</dt> 2483 * <dd> 2484 * <p> 2485 * To create an asymmetric KMS key, use the <code>KeySpec</code> parameter to specify the type of key material in 2486 * the KMS key. Then, use the <code>KeyUsage</code> parameter to determine whether the KMS key will be used to 2487 * encrypt and decrypt or sign and verify. You can't change these properties after the KMS key is created. 2488 * </p> 2489 * <p> 2490 * Asymmetric KMS keys contain an RSA key pair, Elliptic Curve (ECC) key pair, or an SM2 key pair (China Regions 2491 * only). The private key in an asymmetric KMS key never leaves KMS unencrypted. However, you can use the 2492 * <a>GetPublicKey</a> operation to download the public key so it can be used outside of KMS. KMS keys with RSA or 2493 * SM2 key pairs can be used to encrypt or decrypt data or sign and verify messages (but not both). KMS keys with 2494 * ECC key pairs can be used only to sign and verify messages. For information about asymmetric KMS keys, see <a 2495 * href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in 2496 * the <i>Key Management Service Developer Guide</i>. 2497 * </p> 2498 * <p> 2499 * </p></dd> 2500 * <dt>HMAC KMS key</dt> 2501 * <dd> 2502 * <p> 2503 * To create an HMAC KMS key, set the <code>KeySpec</code> parameter to a key spec value for HMAC KMS keys. Then set 2504 * the <code>KeyUsage</code> parameter to <code>GENERATE_VERIFY_MAC</code>. You must set the key usage even though 2505 * <code>GENERATE_VERIFY_MAC</code> is the only valid key usage value for HMAC KMS keys. 
You can't change these 2506 * properties after the KMS key is created. 2507 * </p> 2508 * <p> 2509 * HMAC KMS keys are symmetric keys that never leave KMS unencrypted. You can use HMAC keys to generate 2510 * (<a>GenerateMac</a>) and verify (<a>VerifyMac</a>) HMAC codes for messages up to 4096 bytes. 2511 * </p> 2512 * <p> 2513 * </p></dd> 2514 * <dt>Multi-Region primary keys</dt> 2515 * <dt>Imported key material</dt> 2516 * <dd> 2517 * <p> 2518 * To create a multi-Region <i>primary key</i> in the local Amazon Web Services Region, use the 2519 * <code>MultiRegion</code> parameter with a value of <code>True</code>. To create a multi-Region <i>replica 2520 * key</i>, that is, a KMS key with the same key ID and key material as a primary key, but in a different Amazon Web 2521 * Services Region, use the <a>ReplicateKey</a> operation. To change a replica key to a primary key, and its primary 2522 * key to a replica key, use the <a>UpdatePrimaryRegion</a> operation. 2523 * </p> 2524 * <p> 2525 * You can create multi-Region KMS keys for all supported KMS key types: symmetric encryption KMS keys, HMAC KMS 2526 * keys, asymmetric encryption KMS keys, and asymmetric signing KMS keys. You can also create multi-Region keys with 2527 * imported key material. However, you can't create multi-Region keys in a custom key store. 2528 * </p> 2529 * <p> 2530 * This operation supports <i>multi-Region keys</i>, an KMS feature that lets you create multiple interoperable KMS 2531 * keys in different Amazon Web Services Regions. Because these KMS keys have the same key ID, key material, and 2532 * other metadata, you can use them interchangeably to encrypt data in one Amazon Web Services Region and decrypt it 2533 * in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. 
For more 2534 * information about multi-Region keys, see <a 2535 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html">Multi-Region keys in 2536 * KMS</a> in the <i>Key Management Service Developer Guide</i>. 2537 * </p> 2538 * <p> 2539 * </p></dd> 2540 * <dd> 2541 * <p> 2542 * To import your own key material into a KMS key, begin by creating a KMS key with no key material. To do this, use 2543 * the <code>Origin</code> parameter of <code>CreateKey</code> with a value of <code>EXTERNAL</code>. Next, use 2544 * <a>GetParametersForImport</a> operation to get a public key and import token. Use the wrapping public key to 2545 * encrypt your key material. Then, use <a>ImportKeyMaterial</a> with your import token to import the key material. 2546 * For step-by-step instructions, see <a 2547 * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing Key Material</a> in 2548 * the <i> <i>Key Management Service Developer Guide</i> </i>. 2549 * </p> 2550 * <p> 2551 * You can import key material into KMS keys of all supported KMS key types: symmetric encryption KMS keys, HMAC KMS 2552 * keys, asymmetric encryption KMS keys, and asymmetric signing KMS keys. You can also create multi-Region keys with 2553 * imported key material. However, you can't import key material into a KMS key in a custom key store. 2554 * </p> 2555 * <p> 2556 * To create a multi-Region primary key with imported key material, use the <code>Origin</code> parameter of 2557 * <code>CreateKey</code> with a value of <code>EXTERNAL</code> and the <code>MultiRegion</code> parameter with a 2558 * value of <code>True</code>. To create replicas of the multi-Region primary key, use the <a>ReplicateKey</a> 2559 * operation. For instructions, see <a 2560 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-import.html ">Importing key 2561 * material into multi-Region keys</a>. 
For more information about multi-Region keys, see <a 2562 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html">Multi-Region keys in 2563 * KMS</a> in the <i>Key Management Service Developer Guide</i>. 2564 * </p> 2565 * <p> 2566 * </p></dd> 2567 * <dt>Custom key store</dt> 2568 * <dd> 2569 * <p> 2570 * A <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key 2571 * store</a> lets you protect your Amazon Web Services resources using keys in a backing key store that you own and 2572 * manage. When you request a cryptographic operation with a KMS key in a custom key store, the operation is 2573 * performed in the backing key store using its cryptographic keys. 2574 * </p> 2575 * <p> 2576 * KMS supports <a href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html">CloudHSM key 2577 * stores</a> backed by an CloudHSM cluster and <a 2578 * href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html">external key stores</a> 2579 * backed by an external key manager outside of Amazon Web Services. When you create a KMS key in an CloudHSM key 2580 * store, KMS generates an encryption key in the CloudHSM cluster and associates it with the KMS key. When you 2581 * create a KMS key in an external key store, you specify an existing encryption key in the external key manager. 2582 * </p> 2583 * <note> 2584 * <p> 2585 * Some external key managers provide a simpler method for creating a KMS key in an external key store. For details, 2586 * see your external key manager documentation. 2587 * </p> 2588 * </note> 2589 * <p> 2590 * Before you create a KMS key in a custom key store, the <code>ConnectionState</code> of the key store must be 2591 * <code>CONNECTED</code>. To connect the custom key store, use the <a>ConnectCustomKeyStore</a> operation. To find 2592 * the <code>ConnectionState</code>, use the <a>DescribeCustomKeyStores</a> operation. 
2593 * </p> 2594 * <p> 2595 * To create a KMS key in a custom key store, use the <code>CustomKeyStoreId</code>. Use the default 2596 * <code>KeySpec</code> value, <code>SYMMETRIC_DEFAULT</code>, and the default <code>KeyUsage</code> value, 2597 * <code>ENCRYPT_DECRYPT</code> to create a symmetric encryption key. No other key type is supported in a custom key 2598 * store. 2599 * </p> 2600 * <p> 2601 * To create a KMS key in an <a 2602 * href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html">CloudHSM key store</a>, use 2603 * the <code>Origin</code> parameter with a value of <code>AWS_CLOUDHSM</code>. The CloudHSM cluster that is 2604 * associated with the custom key store must have at least two active HSMs in different Availability Zones in the 2605 * Amazon Web Services Region. 2606 * </p> 2607 * <p> 2608 * To create a KMS key in an <a 2609 * href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html">external key store</a>, use 2610 * the <code>Origin</code> parameter with a value of <code>EXTERNAL_KEY_STORE</code> and an <code>XksKeyId</code> 2611 * parameter that identifies an existing external key. 2612 * </p> 2613 * <note> 2614 * <p> 2615 * Some external key managers provide a simpler method for creating a KMS key in an external key store. For details, 2616 * see your external key manager documentation. 2617 * </p> 2618 * </note></dd> 2619 * </dl> 2620 * <p> 2621 * <b>Cross-account use</b>: No. You cannot use this operation to create a KMS key in a different Amazon Web 2622 * Services account. 2623 * </p> 2624 * <p> 2625 * <b>Required permissions</b>: <a 2626 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:CreateKey</a> 2627 * (IAM policy). To use the <code>Tags</code> parameter, <a 2628 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 2629 * >kms:TagResource</a> (IAM policy). 
For examples and information about related permissions, see <a 2630 * href="https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-create-key" 2631 * >Allow a user to create KMS keys</a> in the <i>Key Management Service Developer Guide</i>. 2632 * </p> 2633 * <p> 2634 * <b>Related operations:</b> 2635 * </p> 2636 * <ul> 2637 * <li> 2638 * <p> 2639 * <a>DescribeKey</a> 2640 * </p> 2641 * </li> 2642 * <li> 2643 * <p> 2644 * <a>ListKeys</a> 2645 * </p> 2646 * </li> 2647 * <li> 2648 * <p> 2649 * <a>ScheduleKeyDeletion</a> 2650 * </p> 2651 * </li> 2652 * </ul> 2653 * <p> 2654 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 2655 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 2656 * consistency</a>. 2657 * </p> 2658 * <br/> 2659 * <p> 2660 * This is a convenience which creates an instance of the {@link CreateKeyRequest.Builder} avoiding the need to 2661 * create one manually via {@link CreateKeyRequest#builder()} 2662 * </p> 2663 * 2664 * @param createKeyRequest 2665 * A {@link Consumer} that will call methods on 2666 * {@link software.amazon.awssdk.services.kms.model.CreateKeyRequest.Builder} to create a request. 2667 * @return A Java Future containing the result of the CreateKey operation returned by the service.<br/> 2668 * The CompletableFuture returned by this method can be completed exceptionally with the following 2669 * exceptions. 2670 * <ul> 2671 * <li>MalformedPolicyDocumentException The request was rejected because the specified policy is not 2672 * syntactically or semantically correct.</li> 2673 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. 
You can retry 2674 * the request.</li> 2675 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 2676 * not valid.</li> 2677 * <li>UnsupportedOperationException The request was rejected because a specified parameter is not supported 2678 * or a specified resource is not valid for this operation.</li> 2679 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 2680 * be retried.</li> 2681 * <li>LimitExceededException The request was rejected because a quota was exceeded. For more information, 2682 * see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the <i>Key 2683 * Management Service Developer Guide</i>.</li> 2684 * <li>TagException The request was rejected because one or more tags are not valid.</li> 2685 * <li>CustomKeyStoreNotFoundException The request was rejected because KMS cannot find a custom key store 2686 * with the specified key store name or ID.</li> 2687 * <li>CustomKeyStoreInvalidStateException The request was rejected because of the 2688 * <code>ConnectionState</code> of the custom key store. To get the <code>ConnectionState</code> of a custom 2689 * key store, use the <a>DescribeCustomKeyStores</a> operation.</p> 2690 * <p> 2691 * This exception is thrown under the following conditions: 2692 * </p> 2693 * <ul> 2694 * <li> 2695 * <p> 2696 * You requested the <a>ConnectCustomKeyStore</a> operation on a custom key store with a 2697 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>FAILED</code>. This operation is 2698 * valid for all other <code>ConnectionState</code> values. To reconnect a custom key store in a 2699 * <code>FAILED</code> state, disconnect it (<a>DisconnectCustomKeyStore</a>), then connect it ( 2700 * <code>ConnectCustomKeyStore</code>). 
2701 * </p> 2702 * </li> 2703 * <li> 2704 * <p> 2705 * You requested the <a>CreateKey</a> operation in a custom key store that is not connected. This operation 2706 * is valid only when the custom key store <code>ConnectionState</code> is <code>CONNECTED</code>. 2707 * </p> 2708 * </li> 2709 * <li> 2710 * <p> 2711 * You requested the <a>DisconnectCustomKeyStore</a> operation on a custom key store with a 2712 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>DISCONNECTED</code>. This operation 2713 * is valid for all other <code>ConnectionState</code> values. 2714 * </p> 2715 * </li> 2716 * <li> 2717 * <p> 2718 * You requested the <a>UpdateCustomKeyStore</a> or <a>DeleteCustomKeyStore</a> operation on a custom key 2719 * store that is not disconnected. This operation is valid only when the custom key store 2720 * <code>ConnectionState</code> is <code>DISCONNECTED</code>. 2721 * </p> 2722 * </li> 2723 * <li> 2724 * <p> 2725 * You requested the <a>GenerateRandom</a> operation in an CloudHSM key store that is not connected. This 2726 * operation is valid only when the CloudHSM key store <code>ConnectionState</code> is 2727 * <code>CONNECTED</code>. 2728 * </p> 2729 * </li></ul></li> 2730 * <li>CloudHsmClusterInvalidConfigurationException The request was rejected because the associated CloudHSM 2731 * cluster did not meet the configuration requirements for an CloudHSM key store.</p> 2732 * <ul> 2733 * <li> 2734 * <p> 2735 * The CloudHSM cluster must be configured with private subnets in at least two different Availability Zones 2736 * in the Region. 2737 * </p> 2738 * </li> 2739 * <li> 2740 * <p> 2741 * The <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">security group for 2742 * the cluster</a> (cloudhsm-cluster-<i>&lt;cluster-id&gt;</i>-sg) must include inbound rules and outbound 2743 * rules that allow TCP traffic on ports 2223-2225. 
The <b>Source</b> in the inbound rules and the 2744 * <b>Destination</b> in the outbound rules must match the security group ID. These rules are set by default 2745 * when you create the CloudHSM cluster. Do not delete or change them. To get information about a particular 2746 * security group, use the <a 2747 * href="https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html" 2748 * >DescribeSecurityGroups</a> operation. 2749 * </p> 2750 * </li> 2751 * <li> 2752 * <p> 2753 * The CloudHSM cluster must contain at least as many HSMs as the operation requires. To add HSMs, use the 2754 * CloudHSM <a 2755 * href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html">CreateHsm</a> 2756 * operation. 2757 * </p> 2758 * <p> 2759 * For the <a>CreateCustomKeyStore</a>, <a>UpdateCustomKeyStore</a>, and <a>CreateKey</a> operations, the 2760 * CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone. For the 2761 * <a>ConnectCustomKeyStore</a> operation, the CloudHSM must contain at least one active HSM. 2762 * </p> 2763 * </li> 2764 * </ul> 2765 * <p> 2766 * For information about the requirements for an CloudHSM cluster that is associated with an CloudHSM key 2767 * store, see <a 2768 * href="https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore" 2769 * >Assemble the Prerequisites</a> in the <i>Key Management Service Developer Guide</i>. For information 2770 * about creating a private subnet for an CloudHSM cluster, see <a 2771 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html">Create a Private 2772 * Subnet</a> in the <i>CloudHSM User Guide</i>. 
For information about cluster security groups, see <a 2773 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">Configure a Default 2774 * Security Group</a> in the <i> <i>CloudHSM User Guide</i> </i>.</li> 2775 * <li>XksKeyInvalidConfigurationException The request was rejected because the external key specified by 2776 * the <code>XksKeyId</code> parameter did not meet the configuration requirements for an external key 2777 * store.</p> 2778 * <p> 2779 * The external key must be an AES-256 symmetric key that is enabled and performs encryption and decryption. 2780 * </li> 2781 * <li>XksKeyAlreadyInUseException The request was rejected because the (<code>XksKeyId</code>) is already 2782 * associated with another KMS key in this external key store. Each KMS key in an external key store must be 2783 * associated with a different external key.</li> 2784 * <li>XksKeyNotFoundException The request was rejected because the external key store proxy could not find 2785 * the external key. This exception is thrown when the value of the <code>XksKeyId</code> parameter doesn't 2786 * identify a key in the external key manager associated with the external key proxy.</p> 2787 * <p> 2788 * Verify that the <code>XksKeyId</code> represents an existing key in the external key manager. Use the key 2789 * identifier that the external key store proxy uses to identify the key. For details, see the documentation 2790 * provided with your external key store proxy or key manager.</li> 2791 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 2792 * Can be used for catch all scenarios.</li> 2793 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 2794 * credentials, etc.</li> 2795 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance 2796 * of this type.</li> 2797 * </ul> 2798 * @sample KmsAsyncClient.CreateKey 2799 * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKey" target="_top">AWS API 2800 * Documentation</a> 2801 */ createKey(Consumer<CreateKeyRequest.Builder> createKeyRequest)2802 default CompletableFuture<CreateKeyResponse> createKey(Consumer<CreateKeyRequest.Builder> createKeyRequest) { 2803 /* Convenience overload: applies the caller's Consumer to a fresh CreateKeyRequest.Builder, builds the request, and delegates to createKey(CreateKeyRequest). Nothing is caught here, so an exception raised by the consumer or by build() surfaces from this call rather than through the returned future. */ return createKey(CreateKeyRequest.builder().applyMutation(createKeyRequest).build()); 2804 } 2805 2806 /** 2807 * <p> 2808 * Creates a unique customer managed <a 2809 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms-keys">KMS key</a> in your Amazon 2810 * Web Services account and Region. You can use a KMS key in cryptographic operations, such as encryption and 2811 * signing. Some Amazon Web Services services let you use KMS keys that you create and manage to protect your 2812 * service resources. 2813 * </p> 2814 * <p> 2815 * A KMS key is a logical representation of a cryptographic key. In addition to the key material used in 2816 * cryptographic operations, a KMS key includes metadata, such as the key ID, key policy, creation date, 2817 * description, and key state. For details, see <a 2818 * href="https://docs.aws.amazon.com/kms/latest/developerguide/getting-started.html">Managing keys</a> in the <i>Key 2819 * Management Service Developer Guide</i>. 2820 * </p> 2821 * <p> 2822 * Use the parameters of <code>CreateKey</code> to specify the type of KMS key, the source of its key material, its 2823 * key policy, description, tags, and other properties. 2824 * </p> 2825 * <note> 2826 * <p> 2827 * KMS has replaced the term <i>customer master key (CMK)</i> with <i>KMS key</i>. The concept 2828 * has not changed. To prevent breaking changes, KMS is keeping some variations of this term. 
2829 * </p> 2830 * </note> 2831 * <p> 2832 * To create different types of KMS keys, use the following guidance: 2833 * </p> 2834 * <dl> 2835 * <dt>Symmetric encryption KMS key</dt> 2836 * <dd> 2837 * <p> 2838 * By default, <code>CreateKey</code> creates a symmetric encryption KMS key with key material that KMS generates. 2839 * This is the basic and most widely used type of KMS key, and provides the best performance. 2840 * </p> 2841 * <p> 2842 * To create a symmetric encryption KMS key, you don't need to specify any parameters. The default value for 2843 * <code>KeySpec</code>, <code>SYMMETRIC_DEFAULT</code>, the default value for <code>KeyUsage</code>, 2844 * <code>ENCRYPT_DECRYPT</code>, and the default value for <code>Origin</code>, <code>AWS_KMS</code>, create a 2845 * symmetric encryption KMS key with KMS key material. 2846 * </p> 2847 * <p> 2848 * If you need a key for basic encryption and decryption or you are creating a KMS key to protect your resources in 2849 * an Amazon Web Services service, create a symmetric encryption KMS key. The key material in a symmetric encryption 2850 * key never leaves KMS unencrypted. You can use a symmetric encryption KMS key to encrypt and decrypt data up to 2851 * 4,096 bytes, but they are typically used to generate data keys and data key pairs. For details, see 2852 * <a>GenerateDataKey</a> and <a>GenerateDataKeyPair</a>. 2853 * </p> 2854 * <p> 2855 * </p></dd> 2856 * <dt>Asymmetric KMS keys</dt> 2857 * <dd> 2858 * <p> 2859 * To create an asymmetric KMS key, use the <code>KeySpec</code> parameter to specify the type of key material in 2860 * the KMS key. Then, use the <code>KeyUsage</code> parameter to determine whether the KMS key will be used to 2861 * encrypt and decrypt or sign and verify. You can't change these properties after the KMS key is created. 2862 * </p> 2863 * <p> 2864 * Asymmetric KMS keys contain an RSA key pair, Elliptic Curve (ECC) key pair, or an SM2 key pair (China Regions 2865 * only). 
The private key in an asymmetric KMS key never leaves KMS unencrypted. However, you can use the 2866 * <a>GetPublicKey</a> operation to download the public key so it can be used outside of KMS. KMS keys with RSA or 2867 * SM2 key pairs can be used to encrypt or decrypt data or sign and verify messages (but not both). KMS keys with 2868 * ECC key pairs can be used only to sign and verify messages. For information about asymmetric KMS keys, see <a 2869 * href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in 2870 * the <i>Key Management Service Developer Guide</i>. 2871 * </p> 2872 * <p> 2873 * </p></dd> 2874 * <dt>HMAC KMS key</dt> 2875 * <dd> 2876 * <p> 2877 * To create an HMAC KMS key, set the <code>KeySpec</code> parameter to a key spec value for HMAC KMS keys. Then set 2878 * the <code>KeyUsage</code> parameter to <code>GENERATE_VERIFY_MAC</code>. You must set the key usage even though 2879 * <code>GENERATE_VERIFY_MAC</code> is the only valid key usage value for HMAC KMS keys. You can't change these 2880 * properties after the KMS key is created. 2881 * </p> 2882 * <p> 2883 * HMAC KMS keys are symmetric keys that never leave KMS unencrypted. You can use HMAC keys to generate 2884 * (<a>GenerateMac</a>) and verify (<a>VerifyMac</a>) HMAC codes for messages up to 4096 bytes. 2885 * </p> 2886 * <p> 2887 * </p></dd> 2888 * <dt>Multi-Region primary keys</dt> 2889 * <dt>Imported key material</dt> 2890 * <dd> 2891 * <p> 2892 * To create a multi-Region <i>primary key</i> in the local Amazon Web Services Region, use the 2893 * <code>MultiRegion</code> parameter with a value of <code>True</code>. To create a multi-Region <i>replica 2894 * key</i>, that is, a KMS key with the same key ID and key material as a primary key, but in a different Amazon Web 2895 * Services Region, use the <a>ReplicateKey</a> operation. 
To change a replica key to a primary key, and its primary 2896 * key to a replica key, use the <a>UpdatePrimaryRegion</a> operation. 2897 * </p> 2898 * <p> 2899 * You can create multi-Region KMS keys for all supported KMS key types: symmetric encryption KMS keys, HMAC KMS 2900 * keys, asymmetric encryption KMS keys, and asymmetric signing KMS keys. You can also create multi-Region keys with 2901 * imported key material. However, you can't create multi-Region keys in a custom key store. 2902 * </p> 2903 * <p> 2904 * This operation supports <i>multi-Region keys</i>, an KMS feature that lets you create multiple interoperable KMS 2905 * keys in different Amazon Web Services Regions. Because these KMS keys have the same key ID, key material, and 2906 * other metadata, you can use them interchangeably to encrypt data in one Amazon Web Services Region and decrypt it 2907 * in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more 2908 * information about multi-Region keys, see <a 2909 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html">Multi-Region keys in 2910 * KMS</a> in the <i>Key Management Service Developer Guide</i>. 2911 * </p> 2912 * <p> 2913 * </p></dd> 2914 * <dd> 2915 * <p> 2916 * To import your own key material into a KMS key, begin by creating a KMS key with no key material. To do this, use 2917 * the <code>Origin</code> parameter of <code>CreateKey</code> with a value of <code>EXTERNAL</code>. Next, use 2918 * <a>GetParametersForImport</a> operation to get a public key and import token. Use the wrapping public key to 2919 * encrypt your key material. Then, use <a>ImportKeyMaterial</a> with your import token to import the key material. 2920 * For step-by-step instructions, see <a 2921 * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing Key Material</a> in 2922 * the <i> <i>Key Management Service Developer Guide</i> </i>. 
2923 * </p> 2924 * <p> 2925 * You can import key material into KMS keys of all supported KMS key types: symmetric encryption KMS keys, HMAC KMS 2926 * keys, asymmetric encryption KMS keys, and asymmetric signing KMS keys. You can also create multi-Region keys with 2927 * imported key material. However, you can't import key material into a KMS key in a custom key store. 2928 * </p> 2929 * <p> 2930 * To create a multi-Region primary key with imported key material, use the <code>Origin</code> parameter of 2931 * <code>CreateKey</code> with a value of <code>EXTERNAL</code> and the <code>MultiRegion</code> parameter with a 2932 * value of <code>True</code>. To create replicas of the multi-Region primary key, use the <a>ReplicateKey</a> 2933 * operation. For instructions, see <a 2934 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-import.html ">Importing key 2935 * material into multi-Region keys</a>. For more information about multi-Region keys, see <a 2936 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html">Multi-Region keys in 2937 * KMS</a> in the <i>Key Management Service Developer Guide</i>. 2938 * </p> 2939 * <p> 2940 * </p></dd> 2941 * <dt>Custom key store</dt> 2942 * <dd> 2943 * <p> 2944 * A <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key 2945 * store</a> lets you protect your Amazon Web Services resources using keys in a backing key store that you own and 2946 * manage. When you request a cryptographic operation with a KMS key in a custom key store, the operation is 2947 * performed in the backing key store using its cryptographic keys. 
2948 * </p> 2949 * <p> 2950 * KMS supports <a href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html">CloudHSM key 2951 * stores</a> backed by an CloudHSM cluster and <a 2952 * href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html">external key stores</a> 2953 * backed by an external key manager outside of Amazon Web Services. When you create a KMS key in an CloudHSM key 2954 * store, KMS generates an encryption key in the CloudHSM cluster and associates it with the KMS key. When you 2955 * create a KMS key in an external key store, you specify an existing encryption key in the external key manager. 2956 * </p> 2957 * <note> 2958 * <p> 2959 * Some external key managers provide a simpler method for creating a KMS key in an external key store. For details, 2960 * see your external key manager documentation. 2961 * </p> 2962 * </note> 2963 * <p> 2964 * Before you create a KMS key in a custom key store, the <code>ConnectionState</code> of the key store must be 2965 * <code>CONNECTED</code>. To connect the custom key store, use the <a>ConnectCustomKeyStore</a> operation. To find 2966 * the <code>ConnectionState</code>, use the <a>DescribeCustomKeyStores</a> operation. 2967 * </p> 2968 * <p> 2969 * To create a KMS key in a custom key store, use the <code>CustomKeyStoreId</code>. Use the default 2970 * <code>KeySpec</code> value, <code>SYMMETRIC_DEFAULT</code>, and the default <code>KeyUsage</code> value, 2971 * <code>ENCRYPT_DECRYPT</code> to create a symmetric encryption key. No other key type is supported in a custom key 2972 * store. 2973 * </p> 2974 * <p> 2975 * To create a KMS key in an <a 2976 * href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html">CloudHSM key store</a>, use 2977 * the <code>Origin</code> parameter with a value of <code>AWS_CLOUDHSM</code>. 
The CloudHSM cluster that is 2978 * associated with the custom key store must have at least two active HSMs in different Availability Zones in the 2979 * Amazon Web Services Region. 2980 * </p> 2981 * <p> 2982 * To create a KMS key in an <a 2983 * href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html">external key store</a>, use 2984 * the <code>Origin</code> parameter with a value of <code>EXTERNAL_KEY_STORE</code> and an <code>XksKeyId</code> 2985 * parameter that identifies an existing external key. 2986 * </p> 2987 * <note> 2988 * <p> 2989 * Some external key managers provide a simpler method for creating a KMS key in an external key store. For details, 2990 * see your external key manager documentation. 2991 * </p> 2992 * </note></dd> 2993 * </dl> 2994 * <p> 2995 * <b>Cross-account use</b>: No. You cannot use this operation to create a KMS key in a different Amazon Web 2996 * Services account. 2997 * </p> 2998 * <p> 2999 * <b>Required permissions</b>: <a 3000 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:CreateKey</a> 3001 * (IAM policy). To use the <code>Tags</code> parameter, <a 3002 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 3003 * >kms:TagResource</a> (IAM policy). For examples and information about related permissions, see <a 3004 * href="https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-create-key" 3005 * >Allow a user to create KMS keys</a> in the <i>Key Management Service Developer Guide</i>. 
3006 * </p> 3007 * <p> 3008 * <b>Related operations:</b> 3009 * </p> 3010 * <ul> 3011 * <li> 3012 * <p> 3013 * <a>DescribeKey</a> 3014 * </p> 3015 * </li> 3016 * <li> 3017 * <p> 3018 * <a>ListKeys</a> 3019 * </p> 3020 * </li> 3021 * <li> 3022 * <p> 3023 * <a>ScheduleKeyDeletion</a> 3024 * </p> 3025 * </li> 3026 * </ul> 3027 * <p> 3028 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 3029 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 3030 * consistency</a>. 3031 * </p> 3032 * 3033 * @return A Java Future containing the result of the CreateKey operation returned by the service.<br/> 3034 * The CompletableFuture returned by this method can be completed exceptionally with the following 3035 * exceptions. 3036 * <ul> 3037 * <li>MalformedPolicyDocumentException The request was rejected because the specified policy is not 3038 * syntactically or semantically correct.</li> 3039 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 3040 * the request.</li> 3041 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 3042 * not valid.</li> 3043 * <li>UnsupportedOperationException The request was rejected because a specified parameter is not supported 3044 * or a specified resource is not valid for this operation.</li> 3045 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 3046 * be retried.</li> 3047 * <li>LimitExceededException The request was rejected because a quota was exceeded. 
For more information, 3048 * see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the <i>Key 3049 * Management Service Developer Guide</i>.</li> 3050 * <li>TagException The request was rejected because one or more tags are not valid.</li> 3051 * <li>CustomKeyStoreNotFoundException The request was rejected because KMS cannot find a custom key store 3052 * with the specified key store name or ID.</li> 3053 * <li>CustomKeyStoreInvalidStateException The request was rejected because of the 3054 * <code>ConnectionState</code> of the custom key store. To get the <code>ConnectionState</code> of a custom 3055 * key store, use the <a>DescribeCustomKeyStores</a> operation.</p> 3056 * <p> 3057 * This exception is thrown under the following conditions: 3058 * </p> 3059 * <ul> 3060 * <li> 3061 * <p> 3062 * You requested the <a>ConnectCustomKeyStore</a> operation on a custom key store with a 3063 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>FAILED</code>. This operation is 3064 * valid for all other <code>ConnectionState</code> values. To reconnect a custom key store in a 3065 * <code>FAILED</code> state, disconnect it (<a>DisconnectCustomKeyStore</a>), then connect it ( 3066 * <code>ConnectCustomKeyStore</code>). 3067 * </p> 3068 * </li> 3069 * <li> 3070 * <p> 3071 * You requested the <a>CreateKey</a> operation in a custom key store that is not connected. This operation 3072 * is valid only when the custom key store <code>ConnectionState</code> is <code>CONNECTED</code>. 3073 * </p> 3074 * </li> 3075 * <li> 3076 * <p> 3077 * You requested the <a>DisconnectCustomKeyStore</a> operation on a custom key store with a 3078 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>DISCONNECTED</code>. This operation 3079 * is valid for all other <code>ConnectionState</code> values.
3080 * </p> 3081 * </li> 3082 * <li> 3083 * <p> 3084 * You requested the <a>UpdateCustomKeyStore</a> or <a>DeleteCustomKeyStore</a> operation on a custom key 3085 * store that is not disconnected. This operation is valid only when the custom key store 3086 * <code>ConnectionState</code> is <code>DISCONNECTED</code>. 3087 * </p> 3088 * </li> 3089 * <li> 3090 * <p> 3091 * You requested the <a>GenerateRandom</a> operation in a CloudHSM key store that is not connected. This 3092 * operation is valid only when the CloudHSM key store <code>ConnectionState</code> is 3093 * <code>CONNECTED</code>. 3094 * </p> 3095 * </li></li> 3096 * <li>CloudHsmClusterInvalidConfigurationException The request was rejected because the associated CloudHSM 3097 * cluster did not meet the configuration requirements for a CloudHSM key store.</p> 3098 * <ul> 3099 * <li> 3100 * <p> 3101 * The CloudHSM cluster must be configured with private subnets in at least two different Availability Zones 3102 * in the Region. 3103 * </p> 3104 * </li> 3105 * <li> 3106 * <p> 3107 * The <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">security group for 3108 * the cluster</a> (cloudhsm-cluster-<i>&lt;cluster-id&gt;</i>-sg) must include inbound rules and outbound 3109 * rules that allow TCP traffic on ports 2223-2225. The <b>Source</b> in the inbound rules and the 3110 * <b>Destination</b> in the outbound rules must match the security group ID. These rules are set by default 3111 * when you create the CloudHSM cluster. Do not delete or change them. To get information about a particular 3112 * security group, use the <a 3113 * href="https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html" 3114 * >DescribeSecurityGroups</a> operation. 3115 * </p> 3116 * </li> 3117 * <li> 3118 * <p> 3119 * The CloudHSM cluster must contain at least as many HSMs as the operation requires.
To add HSMs, use the 3120 * CloudHSM <a 3121 * href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html">CreateHsm</a> 3122 * operation. 3123 * </p> 3124 * <p> 3125 * For the <a>CreateCustomKeyStore</a>, <a>UpdateCustomKeyStore</a>, and <a>CreateKey</a> operations, the 3126 * CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone. For the 3127 * <a>ConnectCustomKeyStore</a> operation, the CloudHSM must contain at least one active HSM. 3128 * </p> 3129 * </li> 3130 * </ul> 3131 * <p> 3132 * For information about the requirements for an CloudHSM cluster that is associated with an CloudHSM key 3133 * store, see <a 3134 * href="https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore" 3135 * >Assemble the Prerequisites</a> in the <i>Key Management Service Developer Guide</i>. For information 3136 * about creating a private subnet for an CloudHSM cluster, see <a 3137 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html">Create a Private 3138 * Subnet</a> in the <i>CloudHSM User Guide</i>. For information about cluster security groups, see <a 3139 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">Configure a Default 3140 * Security Group</a> in the <i> <i>CloudHSM User Guide</i> </i>.</li> 3141 * <li>XksKeyInvalidConfigurationException The request was rejected because the external key specified by 3142 * the <code>XksKeyId</code> parameter did not meet the configuration requirements for an external key 3143 * store.</p> 3144 * <p> 3145 * The external key must be an AES-256 symmetric key that is enabled and performs encryption and decryption. 3146 * </li> 3147 * <li>XksKeyAlreadyInUseException The request was rejected because the (<code>XksKeyId</code>) is already 3148 * associated with another KMS key in this external key store. 
Each KMS key in an external key store must be 3149 * associated with a different external key.</li> 3150 * <li>XksKeyNotFoundException The request was rejected because the external key store proxy could not find 3151 * the external key. This exception is thrown when the value of the <code>XksKeyId</code> parameter doesn't 3152 * identify a key in the external key manager associated with the external key proxy.</p> 3153 * <p> 3154 * Verify that the <code>XksKeyId</code> represents an existing key in the external key manager. Use the key 3155 * identifier that the external key store proxy uses to identify the key. For details, see the documentation 3156 * provided with your external key store proxy or key manager.</li> 3157 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 3158 * Can be used for catch all scenarios.</li> 3159 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 3160 * credentials, etc.</li> 3161 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.CreateKey
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKey" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<CreateKeyResponse> createKey() {
        // No request fields are set here: the builder is finished as-is and the result is passed
        // to the overload that takes a CreateKeyRequest.
        // NOTE(review): with nothing set, the key policy, key spec, key usage and tags are left to
        // whatever the service applies by default -- confirm those defaults suit the account
        // before relying on this no-argument form.
        CreateKeyRequest emptyRequest = CreateKeyRequest.builder().build();
        return createKey(emptyRequest);
    }

    /**
     * <p>
     * Decrypts ciphertext that was encrypted by a KMS key using any of the following operations:
     * </p>
     * <ul>
     * <li>
     * <p>
     * <a>Encrypt</a>
     * </p>
     * </li>
     * <li>
     * <p>
     * <a>GenerateDataKey</a>
     * </p>
     * </li>
     * <li>
     * <p>
     * <a>GenerateDataKeyPair</a>
     * </p>
     * </li>
     * <li>
     * <p>
     * <a>GenerateDataKeyWithoutPlaintext</a>
     * </p>
     * </li>
     * <li>
     * <p>
     * <a>GenerateDataKeyPairWithoutPlaintext</a>
     * </p>
     * </li>
     * </ul>
     * <p>
     * You can use this operation to decrypt ciphertext that was encrypted under a symmetric encryption KMS key or an
     * asymmetric encryption KMS key. When the KMS key is asymmetric, you must specify the KMS key and the encryption
     * algorithm that was used to encrypt the ciphertext. For information about asymmetric KMS keys, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in
     * the <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * The <code>Decrypt</code> operation also decrypts ciphertext that was encrypted outside of KMS by the public key
     * in an asymmetric KMS key.
However, it cannot decrypt symmetric ciphertext produced by other libraries, such 3213 * as the <a href="https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/">Amazon Web Services 3214 * Encryption SDK</a> or <a 3215 * href="https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html">Amazon S3 client-side 3216 * encryption</a>. These libraries return a ciphertext format that is incompatible with KMS. 3217 * </p> 3218 * <p> 3219 * If the ciphertext was encrypted under a symmetric encryption KMS key, the <code>KeyId</code> parameter is 3220 * optional. KMS can get this information from metadata that it adds to the symmetric ciphertext blob. This feature 3221 * adds durability to your implementation by ensuring that authorized users can decrypt ciphertext decades after it 3222 * was encrypted, even if they've lost track of the key ID. However, specifying the KMS key is always recommended as 3223 * a best practice. When you use the <code>KeyId</code> parameter to specify a KMS key, KMS only uses the KMS key 3224 * you specify. If the ciphertext was encrypted under a different KMS key, the <code>Decrypt</code> operation fails. 3225 * This practice ensures that you use the KMS key that you intend. 3226 * </p> 3227 * <p> 3228 * Whenever possible, use key policies to give users permission to call the <code>Decrypt</code> operation on a 3229 * particular KMS key, instead of using IAM policies. Otherwise, you might create an IAM policy that 3230 * gives the user <code>Decrypt</code> permission on all KMS keys. This user could decrypt ciphertext that was 3231 * encrypted by KMS keys in other accounts if the key policy for the cross-account KMS key permits it. If you must 3232 * use an IAM policy for <code>Decrypt</code> permissions, limit the user to particular KMS keys or particular 3233 * trusted accounts.
For details, see <a 3234 * href="https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policies-best-practices">Best 3235 * practices for IAM policies</a> in the <i>Key Management Service Developer Guide</i>. 3236 * </p> 3237 * <p> 3238 * <code>Decrypt</code> also supports <a 3239 * href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html">Amazon Web Services Nitro 3240 * Enclaves</a>, which provide an isolated compute environment in Amazon EC2. To call <code>Decrypt</code> for a 3241 * Nitro enclave, use the <a 3242 * href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services 3243 * Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the <code>Recipient</code> parameter to provide the 3244 * attestation document for the enclave. Instead of the plaintext data, the response includes the plaintext data 3245 * encrypted with the public key from the attestation document (<code>CiphertextForRecipient</code>). For 3246 * information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a 3247 * href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services 3248 * Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>. 3249 * </p> 3250 * <p> 3251 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 3252 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 3253 * <i>Key Management Service Developer Guide</i>. 3254 * </p> 3255 * <p> 3256 * <b>Cross-account use</b>: Yes. If you use the <code>KeyId</code> parameter to identify a KMS key in a different 3257 * Amazon Web Services account, specify the key ARN or the alias ARN of the KMS key. 
3258 * </p> 3259 * <p> 3260 * <b>Required permissions</b>: <a 3261 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:Decrypt</a> 3262 * (key policy) 3263 * </p> 3264 * <p> 3265 * <b>Related operations:</b> 3266 * </p> 3267 * <ul> 3268 * <li> 3269 * <p> 3270 * <a>Encrypt</a> 3271 * </p> 3272 * </li> 3273 * <li> 3274 * <p> 3275 * <a>GenerateDataKey</a> 3276 * </p> 3277 * </li> 3278 * <li> 3279 * <p> 3280 * <a>GenerateDataKeyPair</a> 3281 * </p> 3282 * </li> 3283 * <li> 3284 * <p> 3285 * <a>ReEncrypt</a> 3286 * </p> 3287 * </li> 3288 * </ul> 3289 * <p> 3290 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 3291 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 3292 * consistency</a>. 3293 * </p> 3294 * 3295 * @param decryptRequest 3296 * @return A Java Future containing the result of the Decrypt operation returned by the service.<br/> 3297 * The CompletableFuture returned by this method can be completed exceptionally with the following 3298 * exceptions. 3299 * <ul> 3300 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 3301 * found.</li> 3302 * <li>DisabledException The request was rejected because the specified KMS key is not enabled.</li> 3303 * <li>InvalidCiphertextException From the <a>Decrypt</a> or <a>ReEncrypt</a> operation, the request was 3304 * rejected because the specified ciphertext, or additional authenticated data incorporated into the 3305 * ciphertext, such as the encryption context, is corrupted, missing, or otherwise invalid.</p> 3306 * <p> 3307 * From the <a>ImportKeyMaterial</a> operation, the request was rejected because KMS could not decrypt the 3308 * encrypted (wrapped) key material.</li> 3309 * <li>KeyUnavailableException The request was rejected because the specified KMS key was not available. 
You 3310 * can retry the request.</li> 3311 * <li>IncorrectKeyException The request was rejected because the specified KMS key cannot decrypt the data. 3312 * The <code>KeyId</code> in a <a>Decrypt</a> request and the <code>SourceKeyId</code> in a <a>ReEncrypt</a> 3313 * request must identify the same KMS key that was used to encrypt the ciphertext.</li> 3314 * <li>InvalidKeyUsageException The request was rejected for one of the following reasons: </p> 3315 * <ul> 3316 * <li> 3317 * <p> 3318 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 3319 * </p> 3320 * </li> 3321 * <li> 3322 * <p> 3323 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 3324 * of key material in the KMS key <code>(KeySpec</code>). 3325 * </p> 3326 * </li> 3327 * </ul> 3328 * <p> 3329 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 3330 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 3331 * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the 3332 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 3333 * KMS key, use the <a>DescribeKey</a> operation. 3334 * </p> 3335 * <p> 3336 * To find the encryption or signing algorithms supported for a particular KMS key, use the 3337 * <a>DescribeKey</a> operation.</li> 3338 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 3339 * the request.</li> 3340 * <li>InvalidGrantTokenException The request was rejected because the specified grant token is not valid.</li> 3341 * <li>KmsInternalException The request was rejected because an internal exception occurred. 
The request can 3342 * be retried.</li> 3343 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 3344 * valid for this request.</p> 3345 * <p> 3346 * This exception means one of the following: 3347 * </p> 3348 * <ul> 3349 * <li> 3350 * <p> 3351 * The key state of the KMS key is not compatible with the operation. 3352 * </p> 3353 * <p> 3354 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 3355 * are compatible with each KMS operation, see <a 3356 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 3357 * the <i>Key Management Service Developer Guide</i>. 3358 * </p> 3359 * </li> 3360 * <li> 3361 * <p> 3362 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 3363 * failure with many possible causes. To identify the cause, see the error message that accompanies the 3364 * exception. 3365 * </p> 3366 * </li></li> 3367 * <li>DryRunOperationException The request was rejected because the DryRun parameter was specified.</li> 3368 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 3369 * Can be used for catch all scenarios.</li> 3370 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 3371 * credentials, etc.</li> 3372 * <li>KmsException Base class for all service exceptions.
Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.Decrypt
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Decrypt" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<DecryptResponse> decrypt(DecryptRequest decryptRequest) {
        // This interface default sends nothing and always throws.
        // NOTE(review): presumably a concrete client overrides it -- not visible from here.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Decrypts ciphertext that was encrypted by a KMS key using any of the following operations:
     * </p>
     * <ul>
     * <li>
     * <p>
     * <a>Encrypt</a>
     * </p>
     * </li>
     * <li>
     * <p>
     * <a>GenerateDataKey</a>
     * </p>
     * </li>
     * <li>
     * <p>
     * <a>GenerateDataKeyPair</a>
     * </p>
     * </li>
     * <li>
     * <p>
     * <a>GenerateDataKeyWithoutPlaintext</a>
     * </p>
     * </li>
     * <li>
     * <p>
     * <a>GenerateDataKeyPairWithoutPlaintext</a>
     * </p>
     * </li>
     * </ul>
     * <p>
     * You can use this operation to decrypt ciphertext that was encrypted under a symmetric encryption KMS key or an
     * asymmetric encryption KMS key. When the KMS key is asymmetric, you must specify the KMS key and the encryption
     * algorithm that was used to encrypt the ciphertext. For information about asymmetric KMS keys, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in
     * the <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * The <code>Decrypt</code> operation also decrypts ciphertext that was encrypted outside of KMS by the public key
     * in an asymmetric KMS key.
However, it cannot decrypt symmetric ciphertext produced by other libraries, such 3424 * as the <a href="https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/">Amazon Web Services 3425 * Encryption SDK</a> or <a 3426 * href="https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html">Amazon S3 client-side 3427 * encryption</a>. These libraries return a ciphertext format that is incompatible with KMS. 3428 * </p> 3429 * <p> 3430 * If the ciphertext was encrypted under a symmetric encryption KMS key, the <code>KeyId</code> parameter is 3431 * optional. KMS can get this information from metadata that it adds to the symmetric ciphertext blob. This feature 3432 * adds durability to your implementation by ensuring that authorized users can decrypt ciphertext decades after it 3433 * was encrypted, even if they've lost track of the key ID. However, specifying the KMS key is always recommended as 3434 * a best practice. When you use the <code>KeyId</code> parameter to specify a KMS key, KMS only uses the KMS key 3435 * you specify. If the ciphertext was encrypted under a different KMS key, the <code>Decrypt</code> operation fails. 3436 * This practice ensures that you use the KMS key that you intend. 3437 * </p> 3438 * <p> 3439 * Whenever possible, use key policies to give users permission to call the <code>Decrypt</code> operation on a 3440 * particular KMS key, instead of using IAM policies. Otherwise, you might create an IAM policy that 3441 * gives the user <code>Decrypt</code> permission on all KMS keys. This user could decrypt ciphertext that was 3442 * encrypted by KMS keys in other accounts if the key policy for the cross-account KMS key permits it. If you must 3443 * use an IAM policy for <code>Decrypt</code> permissions, limit the user to particular KMS keys or particular 3444 * trusted accounts.
For details, see <a 3445 * href="https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policies-best-practices">Best 3446 * practices for IAM policies</a> in the <i>Key Management Service Developer Guide</i>. 3447 * </p> 3448 * <p> 3449 * <code>Decrypt</code> also supports <a 3450 * href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html">Amazon Web Services Nitro 3451 * Enclaves</a>, which provide an isolated compute environment in Amazon EC2. To call <code>Decrypt</code> for a 3452 * Nitro enclave, use the <a 3453 * href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services 3454 * Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the <code>Recipient</code> parameter to provide the 3455 * attestation document for the enclave. Instead of the plaintext data, the response includes the plaintext data 3456 * encrypted with the public key from the attestation document (<code>CiphertextForRecipient</code>). For 3457 * information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a 3458 * href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services 3459 * Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>. 3460 * </p> 3461 * <p> 3462 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 3463 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 3464 * <i>Key Management Service Developer Guide</i>. 3465 * </p> 3466 * <p> 3467 * <b>Cross-account use</b>: Yes. If you use the <code>KeyId</code> parameter to identify a KMS key in a different 3468 * Amazon Web Services account, specify the key ARN or the alias ARN of the KMS key. 
3469 * </p> 3470 * <p> 3471 * <b>Required permissions</b>: <a 3472 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:Decrypt</a> 3473 * (key policy) 3474 * </p> 3475 * <p> 3476 * <b>Related operations:</b> 3477 * </p> 3478 * <ul> 3479 * <li> 3480 * <p> 3481 * <a>Encrypt</a> 3482 * </p> 3483 * </li> 3484 * <li> 3485 * <p> 3486 * <a>GenerateDataKey</a> 3487 * </p> 3488 * </li> 3489 * <li> 3490 * <p> 3491 * <a>GenerateDataKeyPair</a> 3492 * </p> 3493 * </li> 3494 * <li> 3495 * <p> 3496 * <a>ReEncrypt</a> 3497 * </p> 3498 * </li> 3499 * </ul> 3500 * <p> 3501 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 3502 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 3503 * consistency</a>. 3504 * </p> 3505 * <br/> 3506 * <p> 3507 * This is a convenience which creates an instance of the {@link DecryptRequest.Builder} avoiding the need to create 3508 * one manually via {@link DecryptRequest#builder()} 3509 * </p> 3510 * 3511 * @param decryptRequest 3512 * A {@link Consumer} that will call methods on 3513 * {@link software.amazon.awssdk.services.kms.model.DecryptRequest.Builder} to create a request. 3514 * @return A Java Future containing the result of the Decrypt operation returned by the service.<br/> 3515 * The CompletableFuture returned by this method can be completed exceptionally with the following 3516 * exceptions. 
3517 * <ul> 3518 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 3519 * found.</li> 3520 * <li>DisabledException The request was rejected because the specified KMS key is not enabled.</li> 3521 * <li>InvalidCiphertextException From the <a>Decrypt</a> or <a>ReEncrypt</a> operation, the request was 3522 * rejected because the specified ciphertext, or additional authenticated data incorporated into the 3523 * ciphertext, such as the encryption context, is corrupted, missing, or otherwise invalid.</p> 3524 * <p> 3525 * From the <a>ImportKeyMaterial</a> operation, the request was rejected because KMS could not decrypt the 3526 * encrypted (wrapped) key material.</li> 3527 * <li>KeyUnavailableException The request was rejected because the specified KMS key was not available. You 3528 * can retry the request.</li> 3529 * <li>IncorrectKeyException The request was rejected because the specified KMS key cannot decrypt the data. 3530 * The <code>KeyId</code> in a <a>Decrypt</a> request and the <code>SourceKeyId</code> in a <a>ReEncrypt</a> 3531 * request must identify the same KMS key that was used to encrypt the ciphertext.</li> 3532 * <li>InvalidKeyUsageException The request was rejected for one of the following reasons: </p> 3533 * <ul> 3534 * <li> 3535 * <p> 3536 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 3537 * </p> 3538 * </li> 3539 * <li> 3540 * <p> 3541 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 3542 * of key material in the KMS key <code>(KeySpec</code>). 3543 * </p> 3544 * </li> 3545 * </ul> 3546 * <p> 3547 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 3548 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 3549 * <code>SIGN_VERIFY</code>. 
For generating and verifying message authentication codes (MACs), the 3550 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 3551 * KMS key, use the <a>DescribeKey</a> operation. 3552 * </p> 3553 * <p> 3554 * To find the encryption or signing algorithms supported for a particular KMS key, use the 3555 * <a>DescribeKey</a> operation.</li> 3556 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 3557 * the request.</li> 3558 * <li>InvalidGrantTokenException The request was rejected because the specified grant token is not valid.</li> 3559 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 3560 * be retried.</li> 3561 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 3562 * valid for this request.</p> 3563 * <p> 3564 * This exception means one of the following: 3565 * </p> 3566 * <ul> 3567 * <li> 3568 * <p> 3569 * The key state of the KMS key is not compatible with the operation. 3570 * </p> 3571 * <p> 3572 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 3573 * are compatible with each KMS operation, see <a 3574 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 3575 * the <i>Key Management Service Developer Guide</i>. 3576 * </p> 3577 * </li> 3578 * <li> 3579 * <p> 3580 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 3581 * failure with many possible causes. To identify the cause, see the error message that accompanies the 3582 * exception.
* </p>
     * </li></li>
     * <li>DryRunOperationException The request was rejected because the DryRun parameter was specified.</li>
     * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     * Can be used for catch all scenarios.</li>
     * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     * credentials, etc.</li>
     * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.Decrypt
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Decrypt" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<DecryptResponse> decrypt(Consumer<DecryptRequest.Builder> decryptRequest) {
        // Apply the caller's consumer to a new builder, finish the request, then delegate to the
        // overload that takes a DecryptRequest.
        // NOTE(review): nothing here inspects which fields the consumer set. The Javadoc above
        // recommends always specifying KeyId so that only the intended KMS key is used.
        DecryptRequest builtRequest = DecryptRequest.builder().applyMutation(decryptRequest).build();
        return decrypt(builtRequest);
    }

    /**
     * <p>
     * Deletes the specified alias.
     * </p>
     * <note>
     * <p>
     * Adding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/abac.html">ABAC for KMS</a> in the <i>Key Management
     * Service Developer Guide</i>.
     * </p>
     * </note>
     * <p>
     * Because an alias is not a property of a KMS key, you can delete and change the aliases of a KMS key without
     * affecting the KMS key. Also, aliases do not appear in the response from the <a>DescribeKey</a> operation. To get
     * the aliases of all KMS keys, use the <a>ListAliases</a> operation.
     * </p>
     * <p>
     * Each KMS key can have multiple aliases. To change the alias of a KMS key, use <a>DeleteAlias</a> to delete the
     * current alias and <a>CreateAlias</a> to create a new alias.
To associate an existing alias with a different KMS 3620 * key, call <a>UpdateAlias</a>. 3621 * </p> 3622 * <p> 3623 * <b>Cross-account use</b>: No. You cannot perform this operation on an alias in a different Amazon Web Services 3624 * account. 3625 * </p> 3626 * <p> 3627 * <b>Required permissions</b> 3628 * </p> 3629 * <ul> 3630 * <li> 3631 * <p> 3632 * <a 3633 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:DeleteAlias 3634 * </a> on the alias (IAM policy). 3635 * </p> 3636 * </li> 3637 * <li> 3638 * <p> 3639 * <a 3640 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:DeleteAlias 3641 * </a> on the KMS key (key policy). 3642 * </p> 3643 * </li> 3644 * </ul> 3645 * <p> 3646 * For details, see <a 3647 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access">Controlling access to 3648 * aliases</a> in the <i>Key Management Service Developer Guide</i>. 3649 * </p> 3650 * <p> 3651 * <b>Related operations:</b> 3652 * </p> 3653 * <ul> 3654 * <li> 3655 * <p> 3656 * <a>CreateAlias</a> 3657 * </p> 3658 * </li> 3659 * <li> 3660 * <p> 3661 * <a>ListAliases</a> 3662 * </p> 3663 * </li> 3664 * <li> 3665 * <p> 3666 * <a>UpdateAlias</a> 3667 * </p> 3668 * </li> 3669 * </ul> 3670 * <p> 3671 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 3672 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 3673 * consistency</a>. 3674 * </p> 3675 * 3676 * @param deleteAliasRequest 3677 * @return A Java Future containing the result of the DeleteAlias operation returned by the service.<br/> 3678 * The CompletableFuture returned by this method can be completed exceptionally with the following 3679 * exceptions. 3680 * <ul> 3681 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. 
You can retry 3682 * the request.</li> 3683 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 3684 * found.</li> 3685 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 3686 * be retried.</li> 3687 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 3688 * valid for this request.</p> 3689 * <p> 3690 * This exception means one of the following: 3691 * </p> 3692 * <ul> 3693 * <li> 3694 * <p> 3695 * The key state of the KMS key is not compatible with the operation. 3696 * </p> 3697 * <p> 3698 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 3699 * are compatible with each KMS operation, see <a 3700 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 3701 * the <i> <i>Key Management Service Developer Guide</i> </i>. 3702 * </p> 3703 * </li> 3704 * <li> 3705 * <p> 3706 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 3707 * failure with many possible causes. To identify the cause, see the error message that accompanies the 3708 * exception. 3709 * </p> 3710 * </li></ul></li> 3711 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 3712 * Can be used for catch all scenarios.</li> 3713 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 3714 * credentials, etc.</li> 3715 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.DeleteAlias
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteAlias" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<DeleteAliasResponse> deleteAlias(DeleteAliasRequest deleteAliasRequest) {
        // Default stub: no request is sent. The exception is thrown at call time, not delivered through
        // the returned CompletableFuture, so a handler attached to the future will never see it.
        // NOTE(review): presumably a concrete client overrides this method; confirm before relying on it.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Deletes the specified alias.
     * </p>
     * <note>
     * <p>
     * Adding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/abac.html">ABAC for KMS</a> in the <i>Key Management
     * Service Developer Guide</i>.
     * </p>
     * </note>
     * <p>
     * Because an alias is not a property of a KMS key, you can delete and change the aliases of a KMS key without
     * affecting the KMS key. Also, aliases do not appear in the response from the <a>DescribeKey</a> operation. To get
     * the aliases of all KMS keys, use the <a>ListAliases</a> operation.
     * </p>
     * <p>
     * Each KMS key can have multiple aliases. To change the alias of a KMS key, use <a>DeleteAlias</a> to delete the
     * current alias and <a>CreateAlias</a> to create a new alias. To associate an existing alias with a different KMS
     * key, call <a>UpdateAlias</a>.
     * </p>
     * <p>
     * <b>Cross-account use</b>: No. You cannot perform this operation on an alias in a different Amazon Web Services
     * account.
     * </p>
     * <p>
     * <b>Required permissions</b>
     * </p>
     * <ul>
     * <li>
     * <p>
     * <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:DeleteAlias
     * </a> on the alias (IAM policy).
3760 * </p> 3761 * </li> 3762 * <li> 3763 * <p> 3764 * <a 3765 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:DeleteAlias 3766 * </a> on the KMS key (key policy). 3767 * </p> 3768 * </li> 3769 * </ul> 3770 * <p> 3771 * For details, see <a 3772 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access">Controlling access to 3773 * aliases</a> in the <i>Key Management Service Developer Guide</i>. 3774 * </p> 3775 * <p> 3776 * <b>Related operations:</b> 3777 * </p> 3778 * <ul> 3779 * <li> 3780 * <p> 3781 * <a>CreateAlias</a> 3782 * </p> 3783 * </li> 3784 * <li> 3785 * <p> 3786 * <a>ListAliases</a> 3787 * </p> 3788 * </li> 3789 * <li> 3790 * <p> 3791 * <a>UpdateAlias</a> 3792 * </p> 3793 * </li> 3794 * </ul> 3795 * <p> 3796 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 3797 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 3798 * consistency</a>. 3799 * </p> 3800 * <br/> 3801 * <p> 3802 * This is a convenience which creates an instance of the {@link DeleteAliasRequest.Builder} avoiding the need to 3803 * create one manually via {@link DeleteAliasRequest#builder()} 3804 * </p> 3805 * 3806 * @param deleteAliasRequest 3807 * A {@link Consumer} that will call methods on 3808 * {@link software.amazon.awssdk.services.kms.model.DeleteAliasRequest.Builder} to create a request. 3809 * @return A Java Future containing the result of the DeleteAlias operation returned by the service.<br/> 3810 * The CompletableFuture returned by this method can be completed exceptionally with the following 3811 * exceptions. 3812 * <ul> 3813 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. 
You can retry 3814 * the request.</li> 3815 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 3816 * found.</li> 3817 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 3818 * be retried.</li> 3819 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 3820 * valid for this request.</p> 3821 * <p> 3822 * This exception means one of the following: 3823 * </p> 3824 * <ul> 3825 * <li> 3826 * <p> 3827 * The key state of the KMS key is not compatible with the operation. 3828 * </p> 3829 * <p> 3830 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 3831 * are compatible with each KMS operation, see <a 3832 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 3833 * the <i> <i>Key Management Service Developer Guide</i> </i>. 3834 * </p> 3835 * </li> 3836 * <li> 3837 * <p> 3838 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 3839 * failure with many possible causes. To identify the cause, see the error message that accompanies the 3840 * exception. 3841 * </p> 3842 * </li></ul></li> 3843 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 3844 * Can be used for catch all scenarios.</li> 3845 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 3846 * credentials, etc.</li> 3847 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.DeleteAlias
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteAlias" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<DeleteAliasResponse> deleteAlias(Consumer<DeleteAliasRequest.Builder> deleteAliasRequest) {
        // The caller's consumer configures a fresh builder; the built request then goes to the
        // deleteAlias(DeleteAliasRequest) overload. This overload adds no checks of its own.
        DeleteAliasRequest builtRequest = DeleteAliasRequest.builder().applyMutation(deleteAliasRequest).build();
        return deleteAlias(builtRequest);
    }

    /**
     * <p>
     * Deletes a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom
     * key store</a>. This operation does not affect any backing elements of the custom key store. It does not delete
     * the CloudHSM cluster that is associated with a CloudHSM key store, or affect any users or keys in the cluster.
     * For an external key store, it does not affect the external key store proxy, external key manager, or any external
     * keys.
     * </p>
     * <p>
     * This operation is part of the <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key stores</a>
     * feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of
     * a key store that you own and manage.
     * </p>
     * <p>
     * The custom key store that you delete cannot contain any <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys">KMS keys</a>. Before deleting
     * the key store, verify that you will never need to use any of the KMS keys in the key store for any <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations">cryptographic
     * operations</a>. Then, use <a>ScheduleKeyDeletion</a> to delete the KMS keys from the key store.
After the 3878 * required waiting period expires and all KMS keys are deleted from the custom key store, use 3879 * <a>DisconnectCustomKeyStore</a> to disconnect the key store from KMS. Then, you can delete the custom key store. 3880 * </p> 3881 * <p> 3882 * For keys in an CloudHSM key store, the <code>ScheduleKeyDeletion</code> operation makes a best effort to delete 3883 * the key material from the associated cluster. However, you might need to manually <a 3884 * href="https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key">delete 3885 * the orphaned key material</a> from the cluster and its backups. KMS never creates, manages, or deletes 3886 * cryptographic keys in the external key manager associated with an external key store. You must manage them using 3887 * your external key manager tools. 3888 * </p> 3889 * <p> 3890 * Instead of deleting the custom key store, consider using the <a>DisconnectCustomKeyStore</a> operation to 3891 * disconnect the custom key store from its backing key store. While the key store is disconnected, you cannot 3892 * create or use the KMS keys in the key store. But, you do not need to delete KMS keys and you can reconnect a 3893 * disconnected custom key store at any time. 3894 * </p> 3895 * <p> 3896 * If the operation succeeds, it returns a JSON object with no properties. 3897 * </p> 3898 * <p> 3899 * <b>Cross-account use</b>: No. You cannot perform this operation on a custom key store in a different Amazon Web 3900 * Services account. 
3901 * </p> 3902 * <p> 3903 * <b>Required permissions</b>: <a 3904 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 3905 * >kms:DeleteCustomKeyStore</a> (IAM policy) 3906 * </p> 3907 * <p> 3908 * <b>Related operations:</b> 3909 * </p> 3910 * <ul> 3911 * <li> 3912 * <p> 3913 * <a>ConnectCustomKeyStore</a> 3914 * </p> 3915 * </li> 3916 * <li> 3917 * <p> 3918 * <a>CreateCustomKeyStore</a> 3919 * </p> 3920 * </li> 3921 * <li> 3922 * <p> 3923 * <a>DescribeCustomKeyStores</a> 3924 * </p> 3925 * </li> 3926 * <li> 3927 * <p> 3928 * <a>DisconnectCustomKeyStore</a> 3929 * </p> 3930 * </li> 3931 * <li> 3932 * <p> 3933 * <a>UpdateCustomKeyStore</a> 3934 * </p> 3935 * </li> 3936 * </ul> 3937 * <p> 3938 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 3939 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 3940 * consistency</a>. 3941 * </p> 3942 * 3943 * @param deleteCustomKeyStoreRequest 3944 * @return A Java Future containing the result of the DeleteCustomKeyStore operation returned by the service.<br/> 3945 * The CompletableFuture returned by this method can be completed exceptionally with the following 3946 * exceptions. 3947 * <ul> 3948 * <li>CustomKeyStoreHasCmKsException The request was rejected because the custom key store contains KMS 3949 * keys. After verifying that you do not need to use the KMS keys, use the <a>ScheduleKeyDeletion</a> 3950 * operation to delete the KMS keys. After they are deleted, you can delete the custom key store.</li> 3951 * <li>CustomKeyStoreInvalidStateException The request was rejected because of the 3952 * <code>ConnectionState</code> of the custom key store. 
To get the <code>ConnectionState</code> of a custom 3953 * key store, use the <a>DescribeCustomKeyStores</a> operation.</p> 3954 * <p> 3955 * This exception is thrown under the following conditions: 3956 * </p> 3957 * <ul> 3958 * <li> 3959 * <p> 3960 * You requested the <a>ConnectCustomKeyStore</a> operation on a custom key store with a 3961 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>FAILED</code>. This operation is 3962 * valid for all other <code>ConnectionState</code> values. To reconnect a custom key store in a 3963 * <code>FAILED</code> state, disconnect it (<a>DisconnectCustomKeyStore</a>), then connect it ( 3964 * <code>ConnectCustomKeyStore</code>). 3965 * </p> 3966 * </li> 3967 * <li> 3968 * <p> 3969 * You requested the <a>CreateKey</a> operation in a custom key store that is not connected. This operation 3970 * is valid only when the custom key store <code>ConnectionState</code> is <code>CONNECTED</code>. 3971 * </p> 3972 * </li> 3973 * <li> 3974 * <p> 3975 * You requested the <a>DisconnectCustomKeyStore</a> operation on a custom key store with a 3976 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>DISCONNECTED</code>. This operation 3977 * is valid for all other <code>ConnectionState</code> values. 3978 * </p> 3979 * </li> 3980 * <li> 3981 * <p> 3982 * You requested the <a>UpdateCustomKeyStore</a> or <a>DeleteCustomKeyStore</a> operation on a custom key 3983 * store that is not disconnected. This operation is valid only when the custom key store 3984 * <code>ConnectionState</code> is <code>DISCONNECTED</code>. 3985 * </p> 3986 * </li> 3987 * <li> 3988 * <p> 3989 * You requested the <a>GenerateRandom</a> operation in a CloudHSM key store that is not connected. This 3990 * operation is valid only when the CloudHSM key store <code>ConnectionState</code> is 3991 * <code>CONNECTED</code>. 
*         </p>
     *         </li>
     *         </ul>
     *         </li>
     *         <li>CustomKeyStoreNotFoundException The request was rejected because KMS cannot find a custom key store
     *         with the specified key store name or ID.</li>
     *         <li>KmsInternalException The request was rejected because an internal exception occurred. The request can
     *         be retried.</li>
     *         <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     *         Can be used for catch all scenarios.</li>
     *         <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     *         credentials, etc.</li>
     *         <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.DeleteCustomKeyStore
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteCustomKeyStore" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<DeleteCustomKeyStoreResponse> deleteCustomKeyStore(
            DeleteCustomKeyStoreRequest deleteCustomKeyStoreRequest) {
        // Default stub: no request is sent. The exception is thrown at call time, not delivered through
        // the returned CompletableFuture, so a handler attached to the future will never see it.
        // NOTE(review): presumably a concrete client overrides this method; confirm before relying on it.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Deletes a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom
     * key store</a>. This operation does not affect any backing elements of the custom key store. It does not delete
     * the CloudHSM cluster that is associated with a CloudHSM key store, or affect any users or keys in the cluster.
     * For an external key store, it does not affect the external key store proxy, external key manager, or any external
     * keys.
4021 * </p> 4022 * <p> 4023 * This operation is part of the <a 4024 * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key stores</a> 4025 * feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of 4026 * a key store that you own and manage. 4027 * </p> 4028 * <p> 4029 * The custom key store that you delete cannot contain any <a 4030 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys">KMS keys</a>. Before deleting 4031 * the key store, verify that you will never need to use any of the KMS keys in the key store for any <a 4032 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations">cryptographic 4033 * operations</a>. Then, use <a>ScheduleKeyDeletion</a> to delete the KMS keys from the key store. After the 4034 * required waiting period expires and all KMS keys are deleted from the custom key store, use 4035 * <a>DisconnectCustomKeyStore</a> to disconnect the key store from KMS. Then, you can delete the custom key store. 4036 * </p> 4037 * <p> 4038 * For keys in an CloudHSM key store, the <code>ScheduleKeyDeletion</code> operation makes a best effort to delete 4039 * the key material from the associated cluster. However, you might need to manually <a 4040 * href="https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key">delete 4041 * the orphaned key material</a> from the cluster and its backups. KMS never creates, manages, or deletes 4042 * cryptographic keys in the external key manager associated with an external key store. You must manage them using 4043 * your external key manager tools. 4044 * </p> 4045 * <p> 4046 * Instead of deleting the custom key store, consider using the <a>DisconnectCustomKeyStore</a> operation to 4047 * disconnect the custom key store from its backing key store. 
While the key store is disconnected, you cannot 4048 * create or use the KMS keys in the key store. But, you do not need to delete KMS keys and you can reconnect a 4049 * disconnected custom key store at any time. 4050 * </p> 4051 * <p> 4052 * If the operation succeeds, it returns a JSON object with no properties. 4053 * </p> 4054 * <p> 4055 * <b>Cross-account use</b>: No. You cannot perform this operation on a custom key store in a different Amazon Web 4056 * Services account. 4057 * </p> 4058 * <p> 4059 * <b>Required permissions</b>: <a 4060 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 4061 * >kms:DeleteCustomKeyStore</a> (IAM policy) 4062 * </p> 4063 * <p> 4064 * <b>Related operations:</b> 4065 * </p> 4066 * <ul> 4067 * <li> 4068 * <p> 4069 * <a>ConnectCustomKeyStore</a> 4070 * </p> 4071 * </li> 4072 * <li> 4073 * <p> 4074 * <a>CreateCustomKeyStore</a> 4075 * </p> 4076 * </li> 4077 * <li> 4078 * <p> 4079 * <a>DescribeCustomKeyStores</a> 4080 * </p> 4081 * </li> 4082 * <li> 4083 * <p> 4084 * <a>DisconnectCustomKeyStore</a> 4085 * </p> 4086 * </li> 4087 * <li> 4088 * <p> 4089 * <a>UpdateCustomKeyStore</a> 4090 * </p> 4091 * </li> 4092 * </ul> 4093 * <p> 4094 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 4095 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 4096 * consistency</a>. 4097 * </p> 4098 * <br/> 4099 * <p> 4100 * This is a convenience which creates an instance of the {@link DeleteCustomKeyStoreRequest.Builder} avoiding the 4101 * need to create one manually via {@link DeleteCustomKeyStoreRequest#builder()} 4102 * </p> 4103 * 4104 * @param deleteCustomKeyStoreRequest 4105 * A {@link Consumer} that will call methods on 4106 * {@link software.amazon.awssdk.services.kms.model.DeleteCustomKeyStoreRequest.Builder} to create a request. 
4107 * @return A Java Future containing the result of the DeleteCustomKeyStore operation returned by the service.<br/> 4108 * The CompletableFuture returned by this method can be completed exceptionally with the following 4109 * exceptions. 4110 * <ul> 4111 * <li>CustomKeyStoreHasCmKsException The request was rejected because the custom key store contains KMS 4112 * keys. After verifying that you do not need to use the KMS keys, use the <a>ScheduleKeyDeletion</a> 4113 * operation to delete the KMS keys. After they are deleted, you can delete the custom key store.</li> 4114 * <li>CustomKeyStoreInvalidStateException The request was rejected because of the 4115 * <code>ConnectionState</code> of the custom key store. To get the <code>ConnectionState</code> of a custom 4116 * key store, use the <a>DescribeCustomKeyStores</a> operation.</p> 4117 * <p> 4118 * This exception is thrown under the following conditions: 4119 * </p> 4120 * <ul> 4121 * <li> 4122 * <p> 4123 * You requested the <a>ConnectCustomKeyStore</a> operation on a custom key store with a 4124 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>FAILED</code>. This operation is 4125 * valid for all other <code>ConnectionState</code> values. To reconnect a custom key store in a 4126 * <code>FAILED</code> state, disconnect it (<a>DisconnectCustomKeyStore</a>), then connect it ( 4127 * <code>ConnectCustomKeyStore</code>). 4128 * </p> 4129 * </li> 4130 * <li> 4131 * <p> 4132 * You requested the <a>CreateKey</a> operation in a custom key store that is not connected. This operation 4133 * is valid only when the custom key store <code>ConnectionState</code> is <code>CONNECTED</code>. 4134 * </p> 4135 * </li> 4136 * <li> 4137 * <p> 4138 * You requested the <a>DisconnectCustomKeyStore</a> operation on a custom key store with a 4139 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>DISCONNECTED</code>. 
This operation 4140 * is valid for all other <code>ConnectionState</code> values. 4141 * </p> 4142 * </li> 4143 * <li> 4144 * <p> 4145 * You requested the <a>UpdateCustomKeyStore</a> or <a>DeleteCustomKeyStore</a> operation on a custom key 4146 * store that is not disconnected. This operation is valid only when the custom key store 4147 * <code>ConnectionState</code> is <code>DISCONNECTED</code>. 4148 * </p> 4149 * </li> 4150 * <li> 4151 * <p> 4152 * You requested the <a>GenerateRandom</a> operation in an CloudHSM key store that is not connected. This 4153 * operation is valid only when the CloudHSM key store <code>ConnectionState</code> is 4154 * <code>CONNECTED</code>. 4155 * </p> 4156 * </li></li> 4157 * <li>CustomKeyStoreNotFoundException The request was rejected because KMS cannot find a custom key store 4158 * with the specified key store name or ID.</li> 4159 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 4160 * be retried.</li> 4161 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 4162 * Can be used for catch all scenarios.</li> 4163 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 4164 * credentials, etc.</li> 4165 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.DeleteCustomKeyStore
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteCustomKeyStore" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<DeleteCustomKeyStoreResponse> deleteCustomKeyStore(
            Consumer<DeleteCustomKeyStoreRequest.Builder> deleteCustomKeyStoreRequest) {
        // The caller's consumer configures a fresh builder; the built request then goes to the
        // deleteCustomKeyStore(DeleteCustomKeyStoreRequest) overload. This overload adds no checks of
        // its own.
        DeleteCustomKeyStoreRequest builtRequest =
                DeleteCustomKeyStoreRequest.builder().applyMutation(deleteCustomKeyStoreRequest).build();
        return deleteCustomKeyStore(builtRequest);
    }

    /**
     * <p>
     * Deletes key material that was previously imported. This operation makes the specified KMS key temporarily
     * unusable. To restore the usability of the KMS key, reimport the same key material. For more information about
     * importing key material into KMS, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing Key Material</a> in
     * the <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * When the specified KMS key is in the <code>PendingDeletion</code> state, this operation does not change the KMS
     * key's state. Otherwise, it changes the KMS key's state to <code>PendingImport</code>.
     * </p>
     * <p>
     * The KMS key that you use for this operation must be in a compatible key state. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the
     * <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
     * account.
4197 * </p> 4198 * <p> 4199 * <b>Required permissions</b>: <a 4200 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 4201 * >kms:DeleteImportedKeyMaterial</a> (key policy) 4202 * </p> 4203 * <p> 4204 * <b>Related operations:</b> 4205 * </p> 4206 * <ul> 4207 * <li> 4208 * <p> 4209 * <a>GetParametersForImport</a> 4210 * </p> 4211 * </li> 4212 * <li> 4213 * <p> 4214 * <a>ImportKeyMaterial</a> 4215 * </p> 4216 * </li> 4217 * </ul> 4218 * <p> 4219 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 4220 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 4221 * consistency</a>. 4222 * </p> 4223 * 4224 * @param deleteImportedKeyMaterialRequest 4225 * @return A Java Future containing the result of the DeleteImportedKeyMaterial operation returned by the service.<br/> 4226 * The CompletableFuture returned by this method can be completed exceptionally with the following 4227 * exceptions. 4228 * <ul> 4229 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 4230 * not valid.</li> 4231 * <li>UnsupportedOperationException The request was rejected because a specified parameter is not supported 4232 * or a specified resource is not valid for this operation.</li> 4233 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 4234 * the request.</li> 4235 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 4236 * found.</li> 4237 * <li>KmsInternalException The request was rejected because an internal exception occurred. 
The request can 4238 * be retried.</li> 4239 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 4240 * valid for this request.</p> 4241 * <p> 4242 * This exception means one of the following: 4243 * </p> 4244 * <ul> 4245 * <li> 4246 * <p> 4247 * The key state of the KMS key is not compatible with the operation. 4248 * </p> 4249 * <p> 4250 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 4251 * are compatible with each KMS operation, see <a 4252 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 4253 * the <i> <i>Key Management Service Developer Guide</i> </i>. 4254 * </p> 4255 * </li> 4256 * <li> 4257 * <p> 4258 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 4259 * failure with many possible causes. To identify the cause, see the error message that accompanies the 4260 * exception. 4261 * </p> 4262 * </li></ul></li> 4263 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 4264 * Can be used for catch all scenarios.</li> 4265 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 4266 * credentials, etc.</li> 4267 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.DeleteImportedKeyMaterial
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteImportedKeyMaterial" target="_top">AWS
     *      API Documentation</a>
     */
    default CompletableFuture<DeleteImportedKeyMaterialResponse> deleteImportedKeyMaterial(
            DeleteImportedKeyMaterialRequest deleteImportedKeyMaterialRequest) {
        // Default stub: no request is sent. The exception is thrown at call time, not delivered through
        // the returned CompletableFuture, so a handler attached to the future will never see it.
        // NOTE(review): the Javadoc for this operation also lists an UnsupportedOperationException as a
        // service error. Unless this file imports a KMS model class of that name, the type thrown here
        // resolves to java.lang.UnsupportedOperationException, which is a different class; confirm, and
        // match on the fully qualified type when telling the two apart.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Deletes key material that was previously imported. This operation makes the specified KMS key temporarily
     * unusable. To restore the usability of the KMS key, reimport the same key material. For more information about
     * importing key material into KMS, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing Key Material</a> in
     * the <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * When the specified KMS key is in the <code>PendingDeletion</code> state, this operation does not change the KMS
     * key's state. Otherwise, it changes the KMS key's state to <code>PendingImport</code>.
     * </p>
     * <p>
     * The KMS key that you use for this operation must be in a compatible key state. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the
     * <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
     * account.
4299 * </p> 4300 * <p> 4301 * <b>Required permissions</b>: <a 4302 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 4303 * >kms:DeleteImportedKeyMaterial</a> (key policy) 4304 * </p> 4305 * <p> 4306 * <b>Related operations:</b> 4307 * </p> 4308 * <ul> 4309 * <li> 4310 * <p> 4311 * <a>GetParametersForImport</a> 4312 * </p> 4313 * </li> 4314 * <li> 4315 * <p> 4316 * <a>ImportKeyMaterial</a> 4317 * </p> 4318 * </li> 4319 * </ul> 4320 * <p> 4321 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 4322 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 4323 * consistency</a>. 4324 * </p> 4325 * <br/> 4326 * <p> 4327 * This is a convenience which creates an instance of the {@link DeleteImportedKeyMaterialRequest.Builder} avoiding 4328 * the need to create one manually via {@link DeleteImportedKeyMaterialRequest#builder()} 4329 * </p> 4330 * 4331 * @param deleteImportedKeyMaterialRequest 4332 * A {@link Consumer} that will call methods on 4333 * {@link software.amazon.awssdk.services.kms.model.DeleteImportedKeyMaterialRequest.Builder} to create a 4334 * request. 4335 * @return A Java Future containing the result of the DeleteImportedKeyMaterial operation returned by the service.<br/> 4336 * The CompletableFuture returned by this method can be completed exceptionally with the following 4337 * exceptions. 4338 * <ul> 4339 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 4340 * not valid.</li> 4341 * <li>UnsupportedOperationException The request was rejected because a specified parameter is not supported 4342 * or a specified resource is not valid for this operation.</li> 4343 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. 
You can retry 4344 * the request.</li> 4345 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 4346 * found.</li> 4347 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 4348 * be retried.</li> 4349 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 4350 * valid for this request. 4351 * <p> 4352 * This exception means one of the following: 4353 * </p> 4354 * <ul> 4355 * <li> 4356 * <p> 4357 * The key state of the KMS key is not compatible with the operation. 4358 * </p> 4359 * <p> 4360 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 4361 * are compatible with each KMS operation, see <a 4362 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 4363 * the <i>Key Management Service Developer Guide</i>. 4364 * </p> 4365 * </li> 4366 * <li> 4367 * <p> 4368 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 4369 * failure with many possible causes. To identify the cause, see the error message that accompanies the 4370 * exception. 4371 * </p> 4372 * </li></ul></li> 4373 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 4374 * Can be used for catch all scenarios.</li> 4375 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 4376 * credentials, etc.</li> 4377 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.DeleteImportedKeyMaterial
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteImportedKeyMaterial" target="_top">AWS
     *      API Documentation</a>
     */
    default CompletableFuture<DeleteImportedKeyMaterialResponse> deleteImportedKeyMaterial(
            Consumer<DeleteImportedKeyMaterialRequest.Builder> deleteImportedKeyMaterialRequest) {
        // Let the caller's consumer configure a fresh builder, then hand the built request to the
        // request-object overload.
        DeleteImportedKeyMaterialRequest builtRequest = DeleteImportedKeyMaterialRequest.builder()
                .applyMutation(deleteImportedKeyMaterialRequest)
                .build();
        return deleteImportedKeyMaterial(builtRequest);
    }

    /**
     * <p>
     * Gets information about <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key stores</a>
     * in the account and Region.
     * </p>
     * <p>
     * This operation is part of the <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key stores</a>
     * feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of
     * a key store that you own and manage.
     * </p>
     * <p>
     * By default, this operation returns information about all custom key stores in the account and Region. To get only
     * information about a particular custom key store, use either the <code>CustomKeyStoreName</code> or
     * <code>CustomKeyStoreId</code> parameter (but not both).
     * </p>
     * <p>
     * To determine whether the custom key store is connected to its CloudHSM cluster or external key store proxy, use
     * the <code>ConnectionState</code> element in the response.
If an attempt to connect the custom key store failed, 4410 * the <code>ConnectionState</code> value is <code>FAILED</code> and the <code>ConnectionErrorCode</code> element in 4411 * the response indicates the cause of the failure. For help interpreting the <code>ConnectionErrorCode</code>, see 4412 * <a>CustomKeyStoresListEntry</a>. 4413 * </p> 4414 * <p> 4415 * Custom key stores have a <code>DISCONNECTED</code> connection state if the key store has never been connected or 4416 * you used the <a>DisconnectCustomKeyStore</a> operation to disconnect it. Otherwise, the connection state is 4417 * CONNECTED. If your custom key store connection state is <code>CONNECTED</code> but you are having trouble using 4418 * it, verify that the backing store is active and available. For an CloudHSM key store, verify that the associated 4419 * CloudHSM cluster is active and contains the minimum number of HSMs required for the operation, if any. For an 4420 * external key store, verify that the external key store proxy and its associated external key manager are 4421 * reachable and enabled. 4422 * </p> 4423 * <p> 4424 * For help repairing your CloudHSM key store, see the <a 4425 * href="https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html">Troubleshooting CloudHSM key 4426 * stores</a>. For help repairing your external key store, see the <a 4427 * href="https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html">Troubleshooting external 4428 * key stores</a>. Both topics are in the <i>Key Management Service Developer Guide</i>. 4429 * </p> 4430 * <p> 4431 * <b>Cross-account use</b>: No. You cannot perform this operation on a custom key store in a different Amazon Web 4432 * Services account. 
4433 * </p> 4434 * <p> 4435 * <b>Required permissions</b>: <a 4436 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 4437 * >kms:DescribeCustomKeyStores</a> (IAM policy) 4438 * </p> 4439 * <p> 4440 * <b>Related operations:</b> 4441 * </p> 4442 * <ul> 4443 * <li> 4444 * <p> 4445 * <a>ConnectCustomKeyStore</a> 4446 * </p> 4447 * </li> 4448 * <li> 4449 * <p> 4450 * <a>CreateCustomKeyStore</a> 4451 * </p> 4452 * </li> 4453 * <li> 4454 * <p> 4455 * <a>DeleteCustomKeyStore</a> 4456 * </p> 4457 * </li> 4458 * <li> 4459 * <p> 4460 * <a>DisconnectCustomKeyStore</a> 4461 * </p> 4462 * </li> 4463 * <li> 4464 * <p> 4465 * <a>UpdateCustomKeyStore</a> 4466 * </p> 4467 * </li> 4468 * </ul> 4469 * <p> 4470 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 4471 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 4472 * consistency</a>. 4473 * </p> 4474 * 4475 * @param describeCustomKeyStoresRequest 4476 * @return A Java Future containing the result of the DescribeCustomKeyStores operation returned by the service.<br/> 4477 * The CompletableFuture returned by this method can be completed exceptionally with the following 4478 * exceptions. 4479 * <ul> 4480 * <li>CustomKeyStoreNotFoundException The request was rejected because KMS cannot find a custom key store 4481 * with the specified key store name or ID.</li> 4482 * <li>InvalidMarkerException The request was rejected because the marker that specifies where pagination 4483 * should next begin is not valid.</li> 4484 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 4485 * be retried.</li> 4486 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 
* Can be used for catch all scenarios.</li>
     *         <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     *         credentials, etc.</li>
     *         <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.DescribeCustomKeyStores
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeCustomKeyStores" target="_top">AWS
     *      API Documentation</a>
     */
    default CompletableFuture<DescribeCustomKeyStoresResponse> describeCustomKeyStores(
            DescribeCustomKeyStoresRequest describeCustomKeyStoresRequest) {
        // This default body sends nothing: it throws synchronously instead of returning a failed future.
        // NOTE(review): presumably the concrete client overrides it - confirm against the implementation class.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Gets information about <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key stores</a>
     * in the account and Region.
     * </p>
     * <p>
     * This operation is part of the <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key stores</a>
     * feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of
     * a key store that you own and manage.
     * </p>
     * <p>
     * By default, this operation returns information about all custom key stores in the account and Region. To get only
     * information about a particular custom key store, use either the <code>CustomKeyStoreName</code> or
     * <code>CustomKeyStoreId</code> parameter (but not both).
     * </p>
     * <p>
     * To determine whether the custom key store is connected to its CloudHSM cluster or external key store proxy, use
     * the <code>ConnectionState</code> element in the response.
If an attempt to connect the custom key store failed, 4522 * the <code>ConnectionState</code> value is <code>FAILED</code> and the <code>ConnectionErrorCode</code> element in 4523 * the response indicates the cause of the failure. For help interpreting the <code>ConnectionErrorCode</code>, see 4524 * <a>CustomKeyStoresListEntry</a>. 4525 * </p> 4526 * <p> 4527 * Custom key stores have a <code>DISCONNECTED</code> connection state if the key store has never been connected or 4528 * you used the <a>DisconnectCustomKeyStore</a> operation to disconnect it. Otherwise, the connection state is 4529 * CONNECTED. If your custom key store connection state is <code>CONNECTED</code> but you are having trouble using 4530 * it, verify that the backing store is active and available. For an CloudHSM key store, verify that the associated 4531 * CloudHSM cluster is active and contains the minimum number of HSMs required for the operation, if any. For an 4532 * external key store, verify that the external key store proxy and its associated external key manager are 4533 * reachable and enabled. 4534 * </p> 4535 * <p> 4536 * For help repairing your CloudHSM key store, see the <a 4537 * href="https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html">Troubleshooting CloudHSM key 4538 * stores</a>. For help repairing your external key store, see the <a 4539 * href="https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html">Troubleshooting external 4540 * key stores</a>. Both topics are in the <i>Key Management Service Developer Guide</i>. 4541 * </p> 4542 * <p> 4543 * <b>Cross-account use</b>: No. You cannot perform this operation on a custom key store in a different Amazon Web 4544 * Services account. 
4545 * </p> 4546 * <p> 4547 * <b>Required permissions</b>: <a 4548 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 4549 * >kms:DescribeCustomKeyStores</a> (IAM policy) 4550 * </p> 4551 * <p> 4552 * <b>Related operations:</b> 4553 * </p> 4554 * <ul> 4555 * <li> 4556 * <p> 4557 * <a>ConnectCustomKeyStore</a> 4558 * </p> 4559 * </li> 4560 * <li> 4561 * <p> 4562 * <a>CreateCustomKeyStore</a> 4563 * </p> 4564 * </li> 4565 * <li> 4566 * <p> 4567 * <a>DeleteCustomKeyStore</a> 4568 * </p> 4569 * </li> 4570 * <li> 4571 * <p> 4572 * <a>DisconnectCustomKeyStore</a> 4573 * </p> 4574 * </li> 4575 * <li> 4576 * <p> 4577 * <a>UpdateCustomKeyStore</a> 4578 * </p> 4579 * </li> 4580 * </ul> 4581 * <p> 4582 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 4583 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 4584 * consistency</a>. 4585 * </p> 4586 * <br/> 4587 * <p> 4588 * This is a convenience which creates an instance of the {@link DescribeCustomKeyStoresRequest.Builder} avoiding 4589 * the need to create one manually via {@link DescribeCustomKeyStoresRequest#builder()} 4590 * </p> 4591 * 4592 * @param describeCustomKeyStoresRequest 4593 * A {@link Consumer} that will call methods on 4594 * {@link software.amazon.awssdk.services.kms.model.DescribeCustomKeyStoresRequest.Builder} to create a 4595 * request. 4596 * @return A Java Future containing the result of the DescribeCustomKeyStores operation returned by the service.<br/> 4597 * The CompletableFuture returned by this method can be completed exceptionally with the following 4598 * exceptions. 
* <ul>
     *         <li>CustomKeyStoreNotFoundException The request was rejected because KMS cannot find a custom key store
     *         with the specified key store name or ID.</li>
     *         <li>InvalidMarkerException The request was rejected because the marker that specifies where pagination
     *         should next begin is not valid.</li>
     *         <li>KmsInternalException The request was rejected because an internal exception occurred. The request can
     *         be retried.</li>
     *         <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     *         Can be used for catch all scenarios.</li>
     *         <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     *         credentials, etc.</li>
     *         <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.DescribeCustomKeyStores
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeCustomKeyStores" target="_top">AWS
     *      API Documentation</a>
     */
    default CompletableFuture<DescribeCustomKeyStoresResponse> describeCustomKeyStores(
            Consumer<DescribeCustomKeyStoresRequest.Builder> describeCustomKeyStoresRequest) {
        // Let the caller's consumer configure a fresh builder, then hand the built request to the
        // request-object overload.
        DescribeCustomKeyStoresRequest builtRequest = DescribeCustomKeyStoresRequest.builder()
                .applyMutation(describeCustomKeyStoresRequest)
                .build();
        return describeCustomKeyStores(builtRequest);
    }

    /**
     * <p>
     * Gets information about <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key stores</a>
     * in the account and Region.
4628 * </p> 4629 * <p> 4630 * This operation is part of the <a 4631 * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key stores</a> 4632 * feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of 4633 * a key store that you own and manage. 4634 * </p> 4635 * <p> 4636 * By default, this operation returns information about all custom key stores in the account and Region. To get only 4637 * information about a particular custom key store, use either the <code>CustomKeyStoreName</code> or 4638 * <code>CustomKeyStoreId</code> parameter (but not both). 4639 * </p> 4640 * <p> 4641 * To determine whether the custom key store is connected to its CloudHSM cluster or external key store proxy, use 4642 * the <code>ConnectionState</code> element in the response. If an attempt to connect the custom key store failed, 4643 * the <code>ConnectionState</code> value is <code>FAILED</code> and the <code>ConnectionErrorCode</code> element in 4644 * the response indicates the cause of the failure. For help interpreting the <code>ConnectionErrorCode</code>, see 4645 * <a>CustomKeyStoresListEntry</a>. 4646 * </p> 4647 * <p> 4648 * Custom key stores have a <code>DISCONNECTED</code> connection state if the key store has never been connected or 4649 * you used the <a>DisconnectCustomKeyStore</a> operation to disconnect it. Otherwise, the connection state is 4650 * CONNECTED. If your custom key store connection state is <code>CONNECTED</code> but you are having trouble using 4651 * it, verify that the backing store is active and available. For an CloudHSM key store, verify that the associated 4652 * CloudHSM cluster is active and contains the minimum number of HSMs required for the operation, if any. For an 4653 * external key store, verify that the external key store proxy and its associated external key manager are 4654 * reachable and enabled. 
4655 * </p> 4656 * <p> 4657 * For help repairing your CloudHSM key store, see the <a 4658 * href="https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html">Troubleshooting CloudHSM key 4659 * stores</a>. For help repairing your external key store, see the <a 4660 * href="https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html">Troubleshooting external 4661 * key stores</a>. Both topics are in the <i>Key Management Service Developer Guide</i>. 4662 * </p> 4663 * <p> 4664 * <b>Cross-account use</b>: No. You cannot perform this operation on a custom key store in a different Amazon Web 4665 * Services account. 4666 * </p> 4667 * <p> 4668 * <b>Required permissions</b>: <a 4669 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 4670 * >kms:DescribeCustomKeyStores</a> (IAM policy) 4671 * </p> 4672 * <p> 4673 * <b>Related operations:</b> 4674 * </p> 4675 * <ul> 4676 * <li> 4677 * <p> 4678 * <a>ConnectCustomKeyStore</a> 4679 * </p> 4680 * </li> 4681 * <li> 4682 * <p> 4683 * <a>CreateCustomKeyStore</a> 4684 * </p> 4685 * </li> 4686 * <li> 4687 * <p> 4688 * <a>DeleteCustomKeyStore</a> 4689 * </p> 4690 * </li> 4691 * <li> 4692 * <p> 4693 * <a>DisconnectCustomKeyStore</a> 4694 * </p> 4695 * </li> 4696 * <li> 4697 * <p> 4698 * <a>UpdateCustomKeyStore</a> 4699 * </p> 4700 * </li> 4701 * </ul> 4702 * <p> 4703 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 4704 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 4705 * consistency</a>. 4706 * </p> 4707 * 4708 * @return A Java Future containing the result of the DescribeCustomKeyStores operation returned by the service.<br/> 4709 * The CompletableFuture returned by this method can be completed exceptionally with the following 4710 * exceptions. 
* <ul>
     *         <li>CustomKeyStoreNotFoundException The request was rejected because KMS cannot find a custom key store
     *         with the specified key store name or ID.</li>
     *         <li>InvalidMarkerException The request was rejected because the marker that specifies where pagination
     *         should next begin is not valid.</li>
     *         <li>KmsInternalException The request was rejected because an internal exception occurred. The request can
     *         be retried.</li>
     *         <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     *         Can be used for catch all scenarios.</li>
     *         <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     *         credentials, etc.</li>
     *         <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.DescribeCustomKeyStores
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeCustomKeyStores" target="_top">AWS
     *      API Documentation</a>
     */
    default CompletableFuture<DescribeCustomKeyStoresResponse> describeCustomKeyStores() {
        // A builder with nothing set stands in for "no request parameters"; the request-object overload does the rest.
        DescribeCustomKeyStoresRequest emptyRequest = DescribeCustomKeyStoresRequest.builder().build();
        return describeCustomKeyStores(emptyRequest);
    }

    /**
     * <p>
     * This is a variant of
     * {@link #describeCustomKeyStores(software.amazon.awssdk.services.kms.model.DescribeCustomKeyStoresRequest)}
     * operation. The return type is a custom publisher that can be subscribed to request a stream of response pages.
     * SDK will internally handle making service calls for you.
     * </p>
     * <p>
     * When the operation is called, an instance of this class is returned. At this point, no service calls are made yet
     * and so there is no guarantee that the request is valid.
If there are errors in your request, you will see the 4743 * failures only after you start streaming the data. The subscribe method should be called as a request to start 4744 * streaming data. For more info, see 4745 * {@link org.reactivestreams.Publisher#subscribe(org.reactivestreams.Subscriber)}. Each call to the subscribe 4746 * method will result in a new {@link org.reactivestreams.Subscription} i.e., a new contract to stream data from the 4747 * starting request. 4748 * </p> 4749 * 4750 * <p> 4751 * The following are a few ways to use the response class: 4752 * </p> 4753 * 1) Using the subscribe helper method 4754 * 4755 * <pre> 4756 * {@code 4757 * software.amazon.awssdk.services.kms.paginators.DescribeCustomKeyStoresPublisher publisher = client.describeCustomKeyStoresPaginator(request); 4758 * CompletableFuture<Void> future = publisher.subscribe(res -> { // Do something with the response }); 4759 * future.get(); 4760 * } 4761 * </pre> 4762 * 4763 * 2) Using a custom subscriber 4764 * 4765 * <pre> 4766 * {@code 4767 * software.amazon.awssdk.services.kms.paginators.DescribeCustomKeyStoresPublisher publisher = client.describeCustomKeyStoresPaginator(request); 4768 * publisher.subscribe(new Subscriber<software.amazon.awssdk.services.kms.model.DescribeCustomKeyStoresResponse>() { 4769 * 4770 * public void onSubscribe(org.reactivestreams.Subscription subscription) { //... }; 4771 * 4772 * 4773 * public void onNext(software.amazon.awssdk.services.kms.model.DescribeCustomKeyStoresResponse response) { //... }; 4774 * });} 4775 * </pre> 4776 * 4777 * As the response is a publisher, it can work well with third party reactive streams implementations like RxJava2. 4778 * <p> 4779 * <b>Please notice that the configuration of Limit won't limit the number of results you get with the paginator. 
It 4780 * only limits the number of results in each page.</b> 4781 * </p> 4782 * <p> 4783 * <b>Note: If you prefer to have control on service calls, use the 4784 * {@link #describeCustomKeyStores(software.amazon.awssdk.services.kms.model.DescribeCustomKeyStoresRequest)} 4785 * operation.</b> 4786 * </p> 4787 * 4788 * @return A custom publisher that can be subscribed to request a stream of response pages.<br/> 4789 * The CompletableFuture returned by this method can be completed exceptionally with the following 4790 * exceptions. 4791 * <ul> 4792 * <li>CustomKeyStoreNotFoundException The request was rejected because KMS cannot find a custom key store 4793 * with the specified key store name or ID.</li> 4794 * <li>InvalidMarkerException The request was rejected because the marker that specifies where pagination 4795 * should next begin is not valid.</li> 4796 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 4797 * be retried.</li> 4798 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 4799 * Can be used for catch all scenarios.</li> 4800 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 4801 * credentials, etc.</li> 4802 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.DescribeCustomKeyStores
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeCustomKeyStores" target="_top">AWS
     *      API Documentation</a>
     */
    default DescribeCustomKeyStoresPublisher describeCustomKeyStoresPaginator() {
        // A builder with nothing set stands in for "no request parameters"; the request-object overload does the rest.
        DescribeCustomKeyStoresRequest emptyRequest = DescribeCustomKeyStoresRequest.builder().build();
        return describeCustomKeyStoresPaginator(emptyRequest);
    }

    /**
     * <p>
     * This is a variant of
     * {@link #describeCustomKeyStores(software.amazon.awssdk.services.kms.model.DescribeCustomKeyStoresRequest)}
     * operation. The return type is a custom publisher that can be subscribed to request a stream of response pages.
     * SDK will internally handle making service calls for you.
     * </p>
     * <p>
     * When the operation is called, an instance of this class is returned. At this point, no service calls are made yet
     * and so there is no guarantee that the request is valid. If there are errors in your request, you will see the
     * failures only after you start streaming the data. The subscribe method should be called as a request to start
     * streaming data. For more info, see
     * {@link org.reactivestreams.Publisher#subscribe(org.reactivestreams.Subscriber)}. Each call to the subscribe
     * method will result in a new {@link org.reactivestreams.Subscription} i.e., a new contract to stream data from the
     * starting request.
4828 * </p> 4829 * 4830 * <p> 4831 * The following are a few ways to use the response class: 4832 * </p> 4833 * 1) Using the subscribe helper method 4834 * 4835 * <pre> 4836 * {@code 4837 * software.amazon.awssdk.services.kms.paginators.DescribeCustomKeyStoresPublisher publisher = client.describeCustomKeyStoresPaginator(request); 4838 * CompletableFuture<Void> future = publisher.subscribe(res -> { // Do something with the response }); 4839 * future.get(); 4840 * } 4841 * </pre> 4842 * 4843 * 2) Using a custom subscriber 4844 * 4845 * <pre> 4846 * {@code 4847 * software.amazon.awssdk.services.kms.paginators.DescribeCustomKeyStoresPublisher publisher = client.describeCustomKeyStoresPaginator(request); 4848 * publisher.subscribe(new Subscriber<software.amazon.awssdk.services.kms.model.DescribeCustomKeyStoresResponse>() { 4849 * 4850 * public void onSubscribe(org.reactivestreams.Subscription subscription) { //... }; 4851 * 4852 * 4853 * public void onNext(software.amazon.awssdk.services.kms.model.DescribeCustomKeyStoresResponse response) { //... }; 4854 * });} 4855 * </pre> 4856 * 4857 * As the response is a publisher, it can work well with third party reactive streams implementations like RxJava2. 4858 * <p> 4859 * <b>Please notice that the configuration of Limit won't limit the number of results you get with the paginator. It 4860 * only limits the number of results in each page.</b> 4861 * </p> 4862 * <p> 4863 * <b>Note: If you prefer to have control on service calls, use the 4864 * {@link #describeCustomKeyStores(software.amazon.awssdk.services.kms.model.DescribeCustomKeyStoresRequest)} 4865 * operation.</b> 4866 * </p> 4867 * 4868 * @param describeCustomKeyStoresRequest 4869 * @return A custom publisher that can be subscribed to request a stream of response pages.<br/> 4870 * The CompletableFuture returned by this method can be completed exceptionally with the following 4871 * exceptions. 
* <ul>
     *         <li>CustomKeyStoreNotFoundException The request was rejected because KMS cannot find a custom key store
     *         with the specified key store name or ID.</li>
     *         <li>InvalidMarkerException The request was rejected because the marker that specifies where pagination
     *         should next begin is not valid.</li>
     *         <li>KmsInternalException The request was rejected because an internal exception occurred. The request can
     *         be retried.</li>
     *         <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     *         Can be used for catch all scenarios.</li>
     *         <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     *         credentials, etc.</li>
     *         <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.DescribeCustomKeyStores
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeCustomKeyStores" target="_top">AWS
     *      API Documentation</a>
     */
    default DescribeCustomKeyStoresPublisher describeCustomKeyStoresPaginator(
            DescribeCustomKeyStoresRequest describeCustomKeyStoresRequest) {
        // Only wraps this client and the starting request in a publisher; per the Javadoc above, no service
        // call is made until a subscriber subscribes, so request errors surface only then.
        DescribeCustomKeyStoresPublisher pages =
                new DescribeCustomKeyStoresPublisher(this, describeCustomKeyStoresRequest);
        return pages;
    }

    /**
     * <p>
     * This is a variant of
     * {@link #describeCustomKeyStores(software.amazon.awssdk.services.kms.model.DescribeCustomKeyStoresRequest)}
     * operation. The return type is a custom publisher that can be subscribed to request a stream of response pages.
     * SDK will internally handle making service calls for you.
     * </p>
     * <p>
     * When the operation is called, an instance of this class is returned.
At this point, no service calls are made yet 4904 * and so there is no guarantee that the request is valid. If there are errors in your request, you will see the 4905 * failures only after you start streaming the data. The subscribe method should be called as a request to start 4906 * streaming data. For more info, see 4907 * {@link org.reactivestreams.Publisher#subscribe(org.reactivestreams.Subscriber)}. Each call to the subscribe 4908 * method will result in a new {@link org.reactivestreams.Subscription} i.e., a new contract to stream data from the 4909 * starting request. 4910 * </p> 4911 * 4912 * <p> 4913 * The following are a few ways to use the response class: 4914 * </p> 4915 * 1) Using the subscribe helper method 4916 * 4917 * <pre> 4918 * {@code 4919 * software.amazon.awssdk.services.kms.paginators.DescribeCustomKeyStoresPublisher publisher = client.describeCustomKeyStoresPaginator(request); 4920 * CompletableFuture<Void> future = publisher.subscribe(res -> { // Do something with the response }); 4921 * future.get(); 4922 * } 4923 * </pre> 4924 * 4925 * 2) Using a custom subscriber 4926 * 4927 * <pre> 4928 * {@code 4929 * software.amazon.awssdk.services.kms.paginators.DescribeCustomKeyStoresPublisher publisher = client.describeCustomKeyStoresPaginator(request); 4930 * publisher.subscribe(new Subscriber<software.amazon.awssdk.services.kms.model.DescribeCustomKeyStoresResponse>() { 4931 * 4932 * public void onSubscribe(org.reactivestreams.Subscription subscription) { //... }; 4933 * 4934 * 4935 * public void onNext(software.amazon.awssdk.services.kms.model.DescribeCustomKeyStoresResponse response) { //... }; 4936 * });} 4937 * </pre> 4938 * 4939 * As the response is a publisher, it can work well with third party reactive streams implementations like RxJava2. 4940 * <p> 4941 * <b>Please notice that the configuration of Limit won't limit the number of results you get with the paginator. 
It 4942 * only limits the number of results in each page.</b> 4943 * </p> 4944 * <p> 4945 * <b>Note: If you prefer to have control on service calls, use the 4946 * {@link #describeCustomKeyStores(software.amazon.awssdk.services.kms.model.DescribeCustomKeyStoresRequest)} 4947 * operation.</b> 4948 * </p> 4949 * <br/> 4950 * <p> 4951 * This is a convenience which creates an instance of the {@link DescribeCustomKeyStoresRequest.Builder} avoiding 4952 * the need to create one manually via {@link DescribeCustomKeyStoresRequest#builder()} 4953 * </p> 4954 * 4955 * @param describeCustomKeyStoresRequest 4956 * A {@link Consumer} that will call methods on 4957 * {@link software.amazon.awssdk.services.kms.model.DescribeCustomKeyStoresRequest.Builder} to create a 4958 * request. 4959 * @return A custom publisher that can be subscribed to request a stream of response pages.<br/> 4960 * The CompletableFuture returned by this method can be completed exceptionally with the following 4961 * exceptions. 4962 * <ul> 4963 * <li>CustomKeyStoreNotFoundException The request was rejected because KMS cannot find a custom key store 4964 * with the specified key store name or ID.</li> 4965 * <li>InvalidMarkerException The request was rejected because the marker that specifies where pagination 4966 * should next begin is not valid.</li> 4967 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 4968 * be retried.</li> 4969 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 4970 * Can be used for catch all scenarios.</li> 4971 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 4972 * credentials, etc.</li> 4973 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.DescribeCustomKeyStores
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeCustomKeyStores" target="_top">AWS
     * API Documentation</a>
     */
    default DescribeCustomKeyStoresPublisher describeCustomKeyStoresPaginator(
            Consumer<DescribeCustomKeyStoresRequest.Builder> describeCustomKeyStoresRequest) {
        // Run the caller's mutator against a new builder, then hand the built request to the
        // request-object overload of this method.
        DescribeCustomKeyStoresRequest builtRequest = DescribeCustomKeyStoresRequest.builder()
                .applyMutation(describeCustomKeyStoresRequest)
                .build();
        return describeCustomKeyStoresPaginator(builtRequest);
    }

    /**
     * <p>
     * Provides detailed information about a KMS key. You can run <code>DescribeKey</code> on a <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed key</a>
     * or an <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web
     * Services managed key</a>.
     * </p>
     * <p>
     * This detailed information includes the key ARN, creation date (and deletion date, if applicable), the key state,
     * and the origin and expiration date (if any) of the key material. It includes fields, like <code>KeySpec</code>,
     * that help you distinguish different types of KMS keys. It also displays the key usage (encryption, signing, or
     * generating and verifying MACs) and the algorithms that the KMS key supports.
     * </p>
     * <p>
     * For <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html">multi-Region
     * keys</a>, <code>DescribeKey</code> displays the primary key and all related replica keys.
For KMS keys in <a 5002 * href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html">CloudHSM key stores</a>, it 5003 * includes information about the key store, such as the key store ID and the CloudHSM cluster ID. For KMS keys in 5004 * <a href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html">external key stores</a>, 5005 * it includes the custom key store ID and the ID of the external key. 5006 * </p> 5007 * <p> 5008 * <code>DescribeKey</code> does not return the following information: 5009 * </p> 5010 * <ul> 5011 * <li> 5012 * <p> 5013 * Aliases associated with the KMS key. To get this information, use <a>ListAliases</a>. 5014 * </p> 5015 * </li> 5016 * <li> 5017 * <p> 5018 * Whether automatic key rotation is enabled on the KMS key. To get this information, use 5019 * <a>GetKeyRotationStatus</a>. Also, some key states prevent a KMS key from being automatically rotated. For 5020 * details, see <a 5021 * href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-how-it-works">How 5022 * Automatic Key Rotation Works</a> in the <i>Key Management Service Developer Guide</i>. 5023 * </p> 5024 * </li> 5025 * <li> 5026 * <p> 5027 * Tags on the KMS key. To get this information, use <a>ListResourceTags</a>. 5028 * </p> 5029 * </li> 5030 * <li> 5031 * <p> 5032 * Key policies and grants on the KMS key. To get this information, use <a>GetKeyPolicy</a> and <a>ListGrants</a>. 5033 * </p> 5034 * </li> 5035 * </ul> 5036 * <p> 5037 * In general, <code>DescribeKey</code> is a non-mutating operation. It returns data about KMS keys, but doesn't 5038 * change them. However, Amazon Web Services services use <code>DescribeKey</code> to create <a 5039 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web Services 5040 * managed keys</a> from a <i>predefined Amazon Web Services alias</i> with no key ID. 
5041 * </p> 5042 * <p> 5043 * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services 5044 * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. 5045 * </p> 5046 * <p> 5047 * <b>Required permissions</b>: <a 5048 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 5049 * >kms:DescribeKey</a> (key policy) 5050 * </p> 5051 * <p> 5052 * <b>Related operations:</b> 5053 * </p> 5054 * <ul> 5055 * <li> 5056 * <p> 5057 * <a>GetKeyPolicy</a> 5058 * </p> 5059 * </li> 5060 * <li> 5061 * <p> 5062 * <a>GetKeyRotationStatus</a> 5063 * </p> 5064 * </li> 5065 * <li> 5066 * <p> 5067 * <a>ListAliases</a> 5068 * </p> 5069 * </li> 5070 * <li> 5071 * <p> 5072 * <a>ListGrants</a> 5073 * </p> 5074 * </li> 5075 * <li> 5076 * <p> 5077 * <a>ListKeys</a> 5078 * </p> 5079 * </li> 5080 * <li> 5081 * <p> 5082 * <a>ListResourceTags</a> 5083 * </p> 5084 * </li> 5085 * <li> 5086 * <p> 5087 * <a>ListRetirableGrants</a> 5088 * </p> 5089 * </li> 5090 * </ul> 5091 * <p> 5092 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 5093 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 5094 * consistency</a>. 5095 * </p> 5096 * 5097 * @param describeKeyRequest 5098 * @return A Java Future containing the result of the DescribeKey operation returned by the service.<br/> 5099 * The CompletableFuture returned by this method can be completed exceptionally with the following 5100 * exceptions. 5101 * <ul> 5102 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 5103 * found.</li> 5104 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 5105 * not valid.</li> 5106 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. 
You can retry
     * the request.</li>
     * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can
     * be retried.</li>
     * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     * Can be used for catch all scenarios.</li>
     * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     * credentials, etc.</li>
     * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @throws UnsupportedOperationException
     *         thrown directly by this default implementation, not through the returned future, when the
     *         implementing class does not override this method
     * @sample KmsAsyncClient.DescribeKey
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeKey" target="_top">AWS API
     * Documentation</a>
     */
    default CompletableFuture<DescribeKeyResponse> describeKey(DescribeKeyRequest describeKeyRequest) {
        // Default body: nothing is sent to KMS. The exception is thrown on the calling thread rather than
        // reported through a CompletableFuture, so a caller that only inspects the future will not see it.
        // Presumably concrete clients override this method - confirm in the implementing class.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Provides detailed information about a KMS key. You can run <code>DescribeKey</code> on a <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed key</a>
     * or an <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web
     * Services managed key</a>.
     * </p>
     * <p>
     * This detailed information includes the key ARN, creation date (and deletion date, if applicable), the key state,
     * and the origin and expiration date (if any) of the key material. It includes fields, like <code>KeySpec</code>,
     * that help you distinguish different types of KMS keys. It also displays the key usage (encryption, signing, or
     * generating and verifying MACs) and the algorithms that the KMS key supports.
5137 * </p> 5138 * <p> 5139 * For <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html">multi-Region 5140 * keys</a>, <code>DescribeKey</code> displays the primary key and all related replica keys. For KMS keys in <a 5141 * href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html">CloudHSM key stores</a>, it 5142 * includes information about the key store, such as the key store ID and the CloudHSM cluster ID. For KMS keys in 5143 * <a href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html">external key stores</a>, 5144 * it includes the custom key store ID and the ID of the external key. 5145 * </p> 5146 * <p> 5147 * <code>DescribeKey</code> does not return the following information: 5148 * </p> 5149 * <ul> 5150 * <li> 5151 * <p> 5152 * Aliases associated with the KMS key. To get this information, use <a>ListAliases</a>. 5153 * </p> 5154 * </li> 5155 * <li> 5156 * <p> 5157 * Whether automatic key rotation is enabled on the KMS key. To get this information, use 5158 * <a>GetKeyRotationStatus</a>. Also, some key states prevent a KMS key from being automatically rotated. For 5159 * details, see <a 5160 * href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-how-it-works">How 5161 * Automatic Key Rotation Works</a> in the <i>Key Management Service Developer Guide</i>. 5162 * </p> 5163 * </li> 5164 * <li> 5165 * <p> 5166 * Tags on the KMS key. To get this information, use <a>ListResourceTags</a>. 5167 * </p> 5168 * </li> 5169 * <li> 5170 * <p> 5171 * Key policies and grants on the KMS key. To get this information, use <a>GetKeyPolicy</a> and <a>ListGrants</a>. 5172 * </p> 5173 * </li> 5174 * </ul> 5175 * <p> 5176 * In general, <code>DescribeKey</code> is a non-mutating operation. It returns data about KMS keys, but doesn't 5177 * change them. 
However, Amazon Web Services services use <code>DescribeKey</code> to create <a 5178 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web Services 5179 * managed keys</a> from a <i>predefined Amazon Web Services alias</i> with no key ID. 5180 * </p> 5181 * <p> 5182 * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services 5183 * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. 5184 * </p> 5185 * <p> 5186 * <b>Required permissions</b>: <a 5187 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 5188 * >kms:DescribeKey</a> (key policy) 5189 * </p> 5190 * <p> 5191 * <b>Related operations:</b> 5192 * </p> 5193 * <ul> 5194 * <li> 5195 * <p> 5196 * <a>GetKeyPolicy</a> 5197 * </p> 5198 * </li> 5199 * <li> 5200 * <p> 5201 * <a>GetKeyRotationStatus</a> 5202 * </p> 5203 * </li> 5204 * <li> 5205 * <p> 5206 * <a>ListAliases</a> 5207 * </p> 5208 * </li> 5209 * <li> 5210 * <p> 5211 * <a>ListGrants</a> 5212 * </p> 5213 * </li> 5214 * <li> 5215 * <p> 5216 * <a>ListKeys</a> 5217 * </p> 5218 * </li> 5219 * <li> 5220 * <p> 5221 * <a>ListResourceTags</a> 5222 * </p> 5223 * </li> 5224 * <li> 5225 * <p> 5226 * <a>ListRetirableGrants</a> 5227 * </p> 5228 * </li> 5229 * </ul> 5230 * <p> 5231 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 5232 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 5233 * consistency</a>. 
5234 * </p> 5235 * <br/> 5236 * <p> 5237 * This is a convenience which creates an instance of the {@link DescribeKeyRequest.Builder} avoiding the need to 5238 * create one manually via {@link DescribeKeyRequest#builder()} 5239 * </p> 5240 * 5241 * @param describeKeyRequest 5242 * A {@link Consumer} that will call methods on 5243 * {@link software.amazon.awssdk.services.kms.model.DescribeKeyRequest.Builder} to create a request. 5244 * @return A Java Future containing the result of the DescribeKey operation returned by the service.<br/> 5245 * The CompletableFuture returned by this method can be completed exceptionally with the following 5246 * exceptions. 5247 * <ul> 5248 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 5249 * found.</li> 5250 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 5251 * not valid.</li> 5252 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 5253 * the request.</li> 5254 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 5255 * be retried.</li> 5256 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 5257 * Can be used for catch all scenarios.</li> 5258 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 5259 * credentials, etc.</li> 5260 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.DescribeKey
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeKey" target="_top">AWS API
     * Documentation</a>
     */
    default CompletableFuture<DescribeKeyResponse> describeKey(Consumer<DescribeKeyRequest.Builder> describeKeyRequest) {
        // Run the caller's mutator against a new builder, then hand the built request to the
        // request-object overload of this method.
        DescribeKeyRequest builtRequest = DescribeKeyRequest.builder()
                .applyMutation(describeKeyRequest)
                .build();
        return describeKey(builtRequest);
    }

    /**
     * <p>
     * Sets the state of a KMS key to disabled. This change temporarily prevents use of the KMS key for <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations">cryptographic
     * operations</a>.
     * </p>
     * <p>
     * For more information about how key state affects the use of a KMS key, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the
     * <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * The KMS key that you use for this operation must be in a compatible key state. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the
     * <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
     * account.
     * </p>
     * <p>
     * <b>Required permissions</b>: <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html"
     * >kms:DisableKey</a> (key policy)
     * </p>
     * <p>
     * <b>Related operations</b>: <a>EnableKey</a>
     * </p>
     * <p>
     * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model.
For more information, see <a 5301 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 5302 * consistency</a>. 5303 * </p> 5304 * 5305 * @param disableKeyRequest 5306 * @return A Java Future containing the result of the DisableKey operation returned by the service.<br/> 5307 * The CompletableFuture returned by this method can be completed exceptionally with the following 5308 * exceptions. 5309 * <ul> 5310 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 5311 * found.</li> 5312 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 5313 * not valid.</li> 5314 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 5315 * the request.</li> 5316 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 5317 * be retried.</li> 5318 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 5319 * valid for this request. 5320 * <p> 5321 * This exception means one of the following: 5322 * </p> 5323 * <ul> 5324 * <li> 5325 * <p> 5326 * The key state of the KMS key is not compatible with the operation. 5327 * </p> 5328 * <p> 5329 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 5330 * are compatible with each KMS operation, see <a 5331 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 5332 * the <i>Key Management Service Developer Guide</i>. 5333 * </p> 5334 * </li> 5335 * <li> 5336 * <p> 5337 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 5338 * failure with many possible causes. To identify the cause, see the error message that accompanies the 5339 * exception.
* </p>
     * </li>
     * </ul>
     * </li>
     * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     * Can be used for catch all scenarios.</li>
     * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     * credentials, etc.</li>
     * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @throws UnsupportedOperationException
     *         thrown directly by this default implementation, not through the returned future, when the
     *         implementing class does not override this method
     * @sample KmsAsyncClient.DisableKey
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKey" target="_top">AWS API
     * Documentation</a>
     */
    default CompletableFuture<DisableKeyResponse> disableKey(DisableKeyRequest disableKeyRequest) {
        // Default body: nothing is sent to KMS and no key state changes. The exception is thrown on the
        // calling thread rather than reported through a CompletableFuture, so a caller that only inspects
        // the future will not see it. Presumably concrete clients override this method - confirm in the
        // implementing class.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Sets the state of a KMS key to disabled. This change temporarily prevents use of the KMS key for <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations">cryptographic
     * operations</a>.
     * </p>
     * <p>
     * For more information about how key state affects the use of a KMS key, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the
     * <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * The KMS key that you use for this operation must be in a compatible key state. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the
     * <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
     * account.
5376 * </p> 5377 * <p> 5378 * <b>Required permissions</b>: <a 5379 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 5380 * >kms:DisableKey</a> (key policy) 5381 * </p> 5382 * <p> 5383 * <b>Related operations</b>: <a>EnableKey</a> 5384 * </p> 5385 * <p> 5386 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 5387 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 5388 * consistency</a>. 5389 * </p> 5390 * <br/> 5391 * <p> 5392 * This is a convenience which creates an instance of the {@link DisableKeyRequest.Builder} avoiding the need to 5393 * create one manually via {@link DisableKeyRequest#builder()} 5394 * </p> 5395 * 5396 * @param disableKeyRequest 5397 * A {@link Consumer} that will call methods on 5398 * {@link software.amazon.awssdk.services.kms.model.DisableKeyRequest.Builder} to create a request. 5399 * @return A Java Future containing the result of the DisableKey operation returned by the service.<br/> 5400 * The CompletableFuture returned by this method can be completed exceptionally with the following 5401 * exceptions. 5402 * <ul> 5403 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 5404 * found.</li> 5405 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 5406 * not valid.</li> 5407 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 5408 * the request.</li> 5409 * <li>KmsInternalException The request was rejected because an internal exception occurred. 
The request can 5410 * be retried.</li> 5411 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 5412 * valid for this request. 5413 * <p> 5414 * This exception means one of the following: 5415 * </p> 5416 * <ul> 5417 * <li> 5418 * <p> 5419 * The key state of the KMS key is not compatible with the operation. 5420 * </p> 5421 * <p> 5422 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 5423 * are compatible with each KMS operation, see <a 5424 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 5425 * the <i>Key Management Service Developer Guide</i>. 5426 * </p> 5427 * </li> 5428 * <li> 5429 * <p> 5430 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 5431 * failure with many possible causes. To identify the cause, see the error message that accompanies the 5432 * exception. 5433 * </p> 5434 * </li></ul></li> 5435 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 5436 * Can be used for catch all scenarios.</li> 5437 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 5438 * credentials, etc.</li> 5439 * <li>KmsException Base class for all service exceptions.
Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.DisableKey
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKey" target="_top">AWS API
     * Documentation</a>
     */
    default CompletableFuture<DisableKeyResponse> disableKey(Consumer<DisableKeyRequest.Builder> disableKeyRequest) {
        // Run the caller's mutator against a new builder, then hand the built request to the
        // request-object overload of this method.
        DisableKeyRequest builtRequest = DisableKeyRequest.builder()
                .applyMutation(disableKeyRequest)
                .build();
        return disableKey(builtRequest);
    }

    /**
     * <p>
     * Disables <a href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html">automatic rotation of
     * the key material</a> of the specified symmetric encryption KMS key.
     * </p>
     * <p>
     * Automatic key rotation is supported only on symmetric encryption KMS keys. You cannot enable automatic rotation
     * of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS
     * keys</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys
     * with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key
     * material</a>, or KMS keys in a <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>.
     * To enable or disable automatic rotation of a set of related <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate"
     * >multi-Region keys</a>, set the property on the primary key.
     * </p>
     * <p>
     * You can enable (<a>EnableKeyRotation</a>) and disable automatic rotation of the key material in <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed KMS
     * keys</a>.
Key material rotation of <a 5470 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web Services 5471 * managed KMS keys</a> is not configurable. KMS always rotates the key material for every year. Rotation of <a 5472 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk">Amazon Web Services 5473 * owned KMS keys</a> varies. 5474 * </p> 5475 * <note> 5476 * <p> 5477 * In May 2022, KMS changed the rotation schedule for Amazon Web Services managed keys from every three years to 5478 * every year. For details, see <a>EnableKeyRotation</a>. 5479 * </p> 5480 * </note> 5481 * <p> 5482 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 5483 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 5484 * <i>Key Management Service Developer Guide</i>. 5485 * </p> 5486 * <p> 5487 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 5488 * account. 5489 * </p> 5490 * <p> 5491 * <b>Required permissions</b>: <a 5492 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 5493 * >kms:DisableKeyRotation</a> (key policy) 5494 * </p> 5495 * <p> 5496 * <b>Related operations:</b> 5497 * </p> 5498 * <ul> 5499 * <li> 5500 * <p> 5501 * <a>EnableKeyRotation</a> 5502 * </p> 5503 * </li> 5504 * <li> 5505 * <p> 5506 * <a>GetKeyRotationStatus</a> 5507 * </p> 5508 * </li> 5509 * </ul> 5510 * <p> 5511 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 5512 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 5513 * consistency</a>. 
5514 * </p> 5515 * 5516 * @param disableKeyRotationRequest 5517 * @return A Java Future containing the result of the DisableKeyRotation operation returned by the service.<br/> 5518 * The CompletableFuture returned by this method can be completed exceptionally with the following 5519 * exceptions. 5520 * <ul> 5521 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 5522 * found.</li> 5523 * <li>DisabledException The request was rejected because the specified KMS key is not enabled.</li> 5524 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 5525 * not valid.</li> 5526 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 5527 * the request.</li> 5528 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 5529 * be retried.</li> 5530 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 5531 * valid for this request. 5532 * <p> 5533 * This exception means one of the following: 5534 * </p> 5535 * <ul> 5536 * <li> 5537 * <p> 5538 * The key state of the KMS key is not compatible with the operation. 5539 * </p> 5540 * <p> 5541 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 5542 * are compatible with each KMS operation, see <a 5543 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 5544 * the <i>Key Management Service Developer Guide</i>. 5545 * </p> 5546 * </li> 5547 * <li> 5548 * <p> 5549 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 5550 * failure with many possible causes. To identify the cause, see the error message that accompanies the 5551 * exception.
* </p>
     * </li>
     * </ul>
     * </li>
     * <li>UnsupportedOperationException The request was rejected because a specified parameter is not supported
     * or a specified resource is not valid for this operation.</li>
     * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     * Can be used for catch all scenarios.</li>
     * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     * credentials, etc.</li>
     * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @throws UnsupportedOperationException
     *         thrown directly by this default implementation, not through the returned future, when the
     *         implementing class does not override this method
     * @sample KmsAsyncClient.DisableKeyRotation
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKeyRotation" target="_top">AWS API
     * Documentation</a>
     */
    default CompletableFuture<DisableKeyRotationResponse> disableKeyRotation(DisableKeyRotationRequest disableKeyRotationRequest) {
        // Default body: nothing is sent to KMS and the rotation setting is left as it was. The exception is
        // thrown on the calling thread rather than reported through a CompletableFuture. Presumably concrete
        // clients override this method - confirm in the implementing class.
        // NOTE(review): the Javadoc above lists a service-side error with the same simple name. The
        // unqualified name here is presumably java.lang.UnsupportedOperationException - confirm against the
        // import block, because error handling written for one of the two types may not cover the other.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Disables <a href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html">automatic rotation of
     * the key material</a> of the specified symmetric encryption KMS key.
     * </p>
     * <p>
     * Automatic key rotation is supported only on symmetric encryption KMS keys. You cannot enable automatic rotation
     * of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS
     * keys</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys
     * with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key
     * material</a>, or KMS keys in a <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>.
5583 * To enable or disable automatic rotation of a set of related <a 5584 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate" 5585 * >multi-Region keys</a>, set the property on the primary key. 5586 * </p> 5587 * <p> 5588 * You can enable (<a>EnableKeyRotation</a>) and disable automatic rotation of the key material in <a 5589 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed KMS 5590 * keys</a>. Key material rotation of <a 5591 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web Services 5592 * managed KMS keys</a> is not configurable. KMS always rotates the key material for every year. Rotation of <a 5593 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk">Amazon Web Services 5594 * owned KMS keys</a> varies. 5595 * </p> 5596 * <note> 5597 * <p> 5598 * In May 2022, KMS changed the rotation schedule for Amazon Web Services managed keys from every three years to 5599 * every year. For details, see <a>EnableKeyRotation</a>. 5600 * </p> 5601 * </note> 5602 * <p> 5603 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 5604 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 5605 * <i>Key Management Service Developer Guide</i>. 5606 * </p> 5607 * <p> 5608 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 5609 * account. 
5610 * </p> 5611 * <p> 5612 * <b>Required permissions</b>: <a 5613 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 5614 * >kms:DisableKeyRotation</a> (key policy) 5615 * </p> 5616 * <p> 5617 * <b>Related operations:</b> 5618 * </p> 5619 * <ul> 5620 * <li> 5621 * <p> 5622 * <a>EnableKeyRotation</a> 5623 * </p> 5624 * </li> 5625 * <li> 5626 * <p> 5627 * <a>GetKeyRotationStatus</a> 5628 * </p> 5629 * </li> 5630 * </ul> 5631 * <p> 5632 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 5633 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 5634 * consistency</a>. 5635 * </p> 5636 * <br/> 5637 * <p> 5638 * This is a convenience which creates an instance of the {@link DisableKeyRotationRequest.Builder} avoiding the 5639 * need to create one manually via {@link DisableKeyRotationRequest#builder()} 5640 * </p> 5641 * 5642 * @param disableKeyRotationRequest 5643 * A {@link Consumer} that will call methods on 5644 * {@link software.amazon.awssdk.services.kms.model.DisableKeyRotationRequest.Builder} to create a request. 5645 * @return A Java Future containing the result of the DisableKeyRotation operation returned by the service.<br/> 5646 * The CompletableFuture returned by this method can be completed exceptionally with the following 5647 * exceptions. 5648 * <ul> 5649 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 5650 * found.</li> 5651 * <li>DisabledException The request was rejected because the specified KMS key is not enabled.</li> 5652 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 5653 * not valid.</li> 5654 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. 
You can retry 5655 * the request.</li> 5656 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 5657 * be retried.</li> 5658 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 5659 * valid for this request. 5660 * <p> 5661 * This exception means one of the following: 5662 * </p> 5663 * <ul> 5664 * <li> 5665 * <p> 5666 * The key state of the KMS key is not compatible with the operation. 5667 * </p> 5668 * <p> 5669 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 5670 * are compatible with each KMS operation, see <a 5671 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 5672 * the <i>Key Management Service Developer Guide</i>. 5673 * </p> 5674 * </li> 5675 * <li> 5676 * <p> 5677 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 5678 * failure with many possible causes. To identify the cause, see the error message that accompanies the 5679 * exception. 5680 * </p> 5681 * </li></ul></li> 5682 * <li>UnsupportedOperationException The request was rejected because a specified parameter is not supported 5683 * or a specified resource is not valid for this operation.</li> 5684 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 5685 * Can be used for catch all scenarios.</li> 5686 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 5687 * credentials, etc.</li> 5688 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.DisableKeyRotation
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKeyRotation" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<DisableKeyRotationResponse> disableKeyRotation(
            Consumer<DisableKeyRotationRequest.Builder> disableKeyRotationRequest) {
        // Build the request from the caller's mutator, then hand it to the request-object overload.
        // This method adds no validation of its own: whatever the Consumer sets on the builder is what
        // gets passed on.
        DisableKeyRotationRequest builtRequest =
                DisableKeyRotationRequest.builder().applyMutation(disableKeyRotationRequest).build();
        return disableKeyRotation(builtRequest);
    }

    /**
     * <p>
     * Disconnects the <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>
     * from its backing key store. This operation disconnects a CloudHSM key store from its associated CloudHSM cluster
     * or disconnects an external key store from the external key store proxy that communicates with your external key
     * manager.
     * </p>
     * <p>
     * This operation is part of the <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key stores</a>
     * feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of
     * a key store that you own and manage.
     * </p>
     * <p>
     * While a custom key store is disconnected, you can manage the custom key store and its KMS keys, but you cannot
     * create or use its KMS keys. You can reconnect the custom key store at any time.
5717 * </p> 5718 * <note> 5719 * <p> 5720 * While a custom key store is disconnected, all attempts to create KMS keys in the custom key store or to use 5721 * existing KMS keys in <a 5722 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations">cryptographic 5723 * operations</a> will fail. This action can prevent users from storing and accessing sensitive data. 5724 * </p> 5725 * </note> 5726 * <p> 5727 * When you disconnect a custom key store, its <code>ConnectionState</code> changes to <code>Disconnected</code>. To 5728 * find the connection state of a custom key store, use the <a>DescribeCustomKeyStores</a> operation. To reconnect a 5729 * custom key store, use the <a>ConnectCustomKeyStore</a> operation. 5730 * </p> 5731 * <p> 5732 * If the operation succeeds, it returns a JSON object with no properties. 5733 * </p> 5734 * <p> 5735 * <b>Cross-account use</b>: No. You cannot perform this operation on a custom key store in a different Amazon Web 5736 * Services account. 5737 * </p> 5738 * <p> 5739 * <b>Required permissions</b>: <a 5740 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 5741 * >kms:DisconnectCustomKeyStore</a> (IAM policy) 5742 * </p> 5743 * <p> 5744 * <b>Related operations:</b> 5745 * </p> 5746 * <ul> 5747 * <li> 5748 * <p> 5749 * <a>ConnectCustomKeyStore</a> 5750 * </p> 5751 * </li> 5752 * <li> 5753 * <p> 5754 * <a>CreateCustomKeyStore</a> 5755 * </p> 5756 * </li> 5757 * <li> 5758 * <p> 5759 * <a>DeleteCustomKeyStore</a> 5760 * </p> 5761 * </li> 5762 * <li> 5763 * <p> 5764 * <a>DescribeCustomKeyStores</a> 5765 * </p> 5766 * </li> 5767 * <li> 5768 * <p> 5769 * <a>UpdateCustomKeyStore</a> 5770 * </p> 5771 * </li> 5772 * </ul> 5773 * <p> 5774 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. 
For more information, see <a 5775 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 5776 * consistency</a>. 5777 * </p> 5778 * 5779 * @param disconnectCustomKeyStoreRequest 5780 * @return A Java Future containing the result of the DisconnectCustomKeyStore operation returned by the service.<br/> 5781 * The CompletableFuture returned by this method can be completed exceptionally with the following 5782 * exceptions. 5783 * <ul> 5784 * <li>CustomKeyStoreInvalidStateException The request was rejected because of the 5785 * <code>ConnectionState</code> of the custom key store. To get the <code>ConnectionState</code> of a custom 5786 * key store, use the <a>DescribeCustomKeyStores</a> operation. 5787 * <p> 5788 * This exception is thrown under the following conditions: 5789 * </p> 5790 * <ul> 5791 * <li> 5792 * <p> 5793 * You requested the <a>ConnectCustomKeyStore</a> operation on a custom key store with a 5794 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>FAILED</code>. This operation is 5795 * valid for all other <code>ConnectionState</code> values. To reconnect a custom key store in a 5796 * <code>FAILED</code> state, disconnect it (<a>DisconnectCustomKeyStore</a>), then connect it ( 5797 * <code>ConnectCustomKeyStore</code>). 5798 * </p> 5799 * </li> 5800 * <li> 5801 * <p> 5802 * You requested the <a>CreateKey</a> operation in a custom key store that is not connected. This operation 5803 * is valid only when the custom key store <code>ConnectionState</code> is <code>CONNECTED</code>. 5804 * </p> 5805 * </li> 5806 * <li> 5807 * <p> 5808 * You requested the <a>DisconnectCustomKeyStore</a> operation on a custom key store with a 5809 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>DISCONNECTED</code>. This operation 5810 * is valid for all other <code>ConnectionState</code> values. 
5811 * </p> 5812 * </li> 5813 * <li> 5814 * <p> 5815 * You requested the <a>UpdateCustomKeyStore</a> or <a>DeleteCustomKeyStore</a> operation on a custom key 5816 * store that is not disconnected. This operation is valid only when the custom key store 5817 * <code>ConnectionState</code> is <code>DISCONNECTED</code>. 5818 * </p> 5819 * </li> 5820 * <li> 5821 * <p> 5822 * You requested the <a>GenerateRandom</a> operation in an CloudHSM key store that is not connected. This 5823 * operation is valid only when the CloudHSM key store <code>ConnectionState</code> is 5824 * <code>CONNECTED</code>. 5825 * </p> 5826 * </li></li> 5827 * <li>CustomKeyStoreNotFoundException The request was rejected because KMS cannot find a custom key store 5828 * with the specified key store name or ID.</li> 5829 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 5830 * be retried.</li> 5831 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 5832 * Can be used for catch all scenarios.</li> 5833 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 5834 * credentials, etc.</li> 5835 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.DisconnectCustomKeyStore
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisconnectCustomKeyStore" target="_top">AWS
     *      API Documentation</a>
     */
    default CompletableFuture<DisconnectCustomKeyStoreResponse> disconnectCustomKeyStore(
            DisconnectCustomKeyStoreRequest disconnectCustomKeyStoreRequest) {
        // Interface default: no request is sent and no future is returned. The exception is thrown
        // synchronously at the call site and is not one of the exceptions the Javadoc lists for the
        // returned CompletableFuture, so callers need a try/catch (or an implementation that overrides
        // this method) rather than future-only error handling.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Disconnects the <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>
     * from its backing key store. This operation disconnects a CloudHSM key store from its associated CloudHSM cluster
     * or disconnects an external key store from the external key store proxy that communicates with your external key
     * manager.
     * </p>
     * <p>
     * This operation is part of the <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key stores</a>
     * feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of
     * a key store that you own and manage.
     * </p>
     * <p>
     * While a custom key store is disconnected, you can manage the custom key store and its KMS keys, but you cannot
     * create or use its KMS keys. You can reconnect the custom key store at any time.
     * </p>
     * <note>
     * <p>
     * While a custom key store is disconnected, all attempts to create KMS keys in the custom key store or to use
     * existing KMS keys in <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations">cryptographic
     * operations</a> will fail.
This action can prevent users from storing and accessing sensitive data. 5871 * </p> 5872 * </note> 5873 * <p> 5874 * When you disconnect a custom key store, its <code>ConnectionState</code> changes to <code>Disconnected</code>. To 5875 * find the connection state of a custom key store, use the <a>DescribeCustomKeyStores</a> operation. To reconnect a 5876 * custom key store, use the <a>ConnectCustomKeyStore</a> operation. 5877 * </p> 5878 * <p> 5879 * If the operation succeeds, it returns a JSON object with no properties. 5880 * </p> 5881 * <p> 5882 * <b>Cross-account use</b>: No. You cannot perform this operation on a custom key store in a different Amazon Web 5883 * Services account. 5884 * </p> 5885 * <p> 5886 * <b>Required permissions</b>: <a 5887 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 5888 * >kms:DisconnectCustomKeyStore</a> (IAM policy) 5889 * </p> 5890 * <p> 5891 * <b>Related operations:</b> 5892 * </p> 5893 * <ul> 5894 * <li> 5895 * <p> 5896 * <a>ConnectCustomKeyStore</a> 5897 * </p> 5898 * </li> 5899 * <li> 5900 * <p> 5901 * <a>CreateCustomKeyStore</a> 5902 * </p> 5903 * </li> 5904 * <li> 5905 * <p> 5906 * <a>DeleteCustomKeyStore</a> 5907 * </p> 5908 * </li> 5909 * <li> 5910 * <p> 5911 * <a>DescribeCustomKeyStores</a> 5912 * </p> 5913 * </li> 5914 * <li> 5915 * <p> 5916 * <a>UpdateCustomKeyStore</a> 5917 * </p> 5918 * </li> 5919 * </ul> 5920 * <p> 5921 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 5922 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 5923 * consistency</a>. 
5924 * </p> 5925 * <br/> 5926 * <p> 5927 * This is a convenience which creates an instance of the {@link DisconnectCustomKeyStoreRequest.Builder} avoiding 5928 * the need to create one manually via {@link DisconnectCustomKeyStoreRequest#builder()} 5929 * </p> 5930 * 5931 * @param disconnectCustomKeyStoreRequest 5932 * A {@link Consumer} that will call methods on 5933 * {@link software.amazon.awssdk.services.kms.model.DisconnectCustomKeyStoreRequest.Builder} to create a 5934 * request. 5935 * @return A Java Future containing the result of the DisconnectCustomKeyStore operation returned by the service.<br/> 5936 * The CompletableFuture returned by this method can be completed exceptionally with the following 5937 * exceptions. 5938 * <ul> 5939 * <li>CustomKeyStoreInvalidStateException The request was rejected because of the 5940 * <code>ConnectionState</code> of the custom key store. To get the <code>ConnectionState</code> of a custom 5941 * key store, use the <a>DescribeCustomKeyStores</a> operation.</p> 5942 * <p> 5943 * This exception is thrown under the following conditions: 5944 * </p> 5945 * <ul> 5946 * <li> 5947 * <p> 5948 * You requested the <a>ConnectCustomKeyStore</a> operation on a custom key store with a 5949 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>FAILED</code>. This operation is 5950 * valid for all other <code>ConnectionState</code> values. To reconnect a custom key store in a 5951 * <code>FAILED</code> state, disconnect it (<a>DisconnectCustomKeyStore</a>), then connect it ( 5952 * <code>ConnectCustomKeyStore</code>). 5953 * </p> 5954 * </li> 5955 * <li> 5956 * <p> 5957 * You requested the <a>CreateKey</a> operation in a custom key store that is not connected. This operations 5958 * is valid only when the custom key store <code>ConnectionState</code> is <code>CONNECTED</code>. 
5959 * </p> 5960 * </li> 5961 * <li> 5962 * <p> 5963 * You requested the <a>DisconnectCustomKeyStore</a> operation on a custom key store with a 5964 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>DISCONNECTED</code>. This operation 5965 * is valid for all other <code>ConnectionState</code> values. 5966 * </p> 5967 * </li> 5968 * <li> 5969 * <p> 5970 * You requested the <a>UpdateCustomKeyStore</a> or <a>DeleteCustomKeyStore</a> operation on a custom key 5971 * store that is not disconnected. This operation is valid only when the custom key store 5972 * <code>ConnectionState</code> is <code>DISCONNECTED</code>. 5973 * </p> 5974 * </li> 5975 * <li> 5976 * <p> 5977 * You requested the <a>GenerateRandom</a> operation in an CloudHSM key store that is not connected. This 5978 * operation is valid only when the CloudHSM key store <code>ConnectionState</code> is 5979 * <code>CONNECTED</code>. 5980 * </p> 5981 * </li></li> 5982 * <li>CustomKeyStoreNotFoundException The request was rejected because KMS cannot find a custom key store 5983 * with the specified key store name or ID.</li> 5984 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 5985 * be retried.</li> 5986 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 5987 * Can be used for catch all scenarios.</li> 5988 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 5989 * credentials, etc.</li> 5990 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.DisconnectCustomKeyStore
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisconnectCustomKeyStore" target="_top">AWS
     *      API Documentation</a>
     */
    default CompletableFuture<DisconnectCustomKeyStoreResponse> disconnectCustomKeyStore(
            Consumer<DisconnectCustomKeyStoreRequest.Builder> disconnectCustomKeyStoreRequest) {
        // Pure delegation: the builder is populated by the caller's Consumer and passed on unchanged.
        // Per the Javadoc, a disconnected store fails every attempt to create or use its KMS keys until
        // it is reconnected, so this is an availability-affecting call gated by
        // kms:DisconnectCustomKeyStore.
        DisconnectCustomKeyStoreRequest builtRequest =
                DisconnectCustomKeyStoreRequest.builder().applyMutation(disconnectCustomKeyStoreRequest).build();
        return disconnectCustomKeyStore(builtRequest);
    }

    /**
     * <p>
     * Sets the key state of a KMS key to enabled. This allows you to use the KMS key for <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations">cryptographic
     * operations</a>.
     * </p>
     * <p>
     * The KMS key that you use for this operation must be in a compatible key state. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the
     * <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
     * account.
     * </p>
     * <p>
     * <b>Required permissions</b>: <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:EnableKey</a>
     * (key policy)
     * </p>
     * <p>
     * <b>Related operations</b>: <a>DisableKey</a>
     * </p>
     * <p>
     * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model.
For more information, see <a 6028 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 6029 * consistency</a>. 6030 * </p> 6031 * 6032 * @param enableKeyRequest 6033 * @return A Java Future containing the result of the EnableKey operation returned by the service.<br/> 6034 * The CompletableFuture returned by this method can be completed exceptionally with the following 6035 * exceptions. 6036 * <ul> 6037 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 6038 * found.</li> 6039 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 6040 * not valid.</li> 6041 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 6042 * the request.</li> 6043 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 6044 * be retried.</li> 6045 * <li>LimitExceededException The request was rejected because a quota was exceeded. For more information, 6046 * see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the <i>Key 6047 * Management Service Developer Guide</i>.</li> 6048 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 6049 * valid for this request.</p> 6050 * <p> 6051 * This exceptions means one of the following: 6052 * </p> 6053 * <ul> 6054 * <li> 6055 * <p> 6056 * The key state of the KMS key is not compatible with the operation. 6057 * </p> 6058 * <p> 6059 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 6060 * are compatible with each KMS operation, see <a 6061 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 6062 * the <i> <i>Key Management Service Developer Guide</i> </i>. 
* </p>
     * </li>
     * <li>
     * <p>
     * For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     * failure with many possible causes. To identify the cause, see the error message that accompanies the
     * exception.
     * </p>
     * </li></li>
     * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     * Can be used for catch all scenarios.</li>
     * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     * credentials, etc.</li>
     * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.EnableKey
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKey" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<EnableKeyResponse> enableKey(EnableKeyRequest enableKeyRequest) {
        // Interface default: no request is sent. The exception is thrown synchronously at the call site
        // instead of completing the returned CompletableFuture exceptionally, and it is not among the
        // exceptions the Javadoc lists for the future.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Sets the key state of a KMS key to enabled. This allows you to use the KMS key for <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations">cryptographic
     * operations</a>.
     * </p>
     * <p>
     * The KMS key that you use for this operation must be in a compatible key state. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the
     * <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
     * account.
6101 * </p> 6102 * <p> 6103 * <b>Required permissions</b>: <a 6104 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:EnableKey</a> 6105 * (key policy) 6106 * </p> 6107 * <p> 6108 * <b>Related operations</b>: <a>DisableKey</a> 6109 * </p> 6110 * <p> 6111 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 6112 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 6113 * consistency</a>. 6114 * </p> 6115 * <br/> 6116 * <p> 6117 * This is a convenience which creates an instance of the {@link EnableKeyRequest.Builder} avoiding the need to 6118 * create one manually via {@link EnableKeyRequest#builder()} 6119 * </p> 6120 * 6121 * @param enableKeyRequest 6122 * A {@link Consumer} that will call methods on 6123 * {@link software.amazon.awssdk.services.kms.model.EnableKeyRequest.Builder} to create a request. 6124 * @return A Java Future containing the result of the EnableKey operation returned by the service.<br/> 6125 * The CompletableFuture returned by this method can be completed exceptionally with the following 6126 * exceptions. 6127 * <ul> 6128 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 6129 * found.</li> 6130 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 6131 * not valid.</li> 6132 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 6133 * the request.</li> 6134 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 6135 * be retried.</li> 6136 * <li>LimitExceededException The request was rejected because a quota was exceeded. 
For more information, 6137 * see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the <i>Key 6138 * Management Service Developer Guide</i>.</li> 6139 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 6140 * valid for this request.</p> 6141 * <p> 6142 * This exceptions means one of the following: 6143 * </p> 6144 * <ul> 6145 * <li> 6146 * <p> 6147 * The key state of the KMS key is not compatible with the operation. 6148 * </p> 6149 * <p> 6150 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 6151 * are compatible with each KMS operation, see <a 6152 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 6153 * the <i> <i>Key Management Service Developer Guide</i> </i>. 6154 * </p> 6155 * </li> 6156 * <li> 6157 * <p> 6158 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 6159 * failure with many possible causes. To identify the cause, see the error message that accompanies the 6160 * exception. 6161 * </p> 6162 * </li></li> 6163 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 6164 * Can be used for catch all scenarios.</li> 6165 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 6166 * credentials, etc.</li> 6167 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.EnableKey
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKey" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<EnableKeyResponse> enableKey(Consumer<EnableKeyRequest.Builder> enableKeyRequest) {
        // Build the request from the caller's mutator, then delegate to the request-object overload.
        // Nothing is validated here; the built request is passed on unchanged.
        EnableKeyRequest builtRequest = EnableKeyRequest.builder().applyMutation(enableKeyRequest).build();
        return enableKey(builtRequest);
    }

    /**
     * <p>
     * Enables <a href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html">automatic rotation of
     * the key material</a> of the specified symmetric encryption KMS key.
     * </p>
     * <p>
     * When you enable automatic rotation of a <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed KMS
     * key</a>, KMS rotates the key material of the KMS key one year (approximately 365 days) from the enable date and
     * every year thereafter. You can monitor rotation of the key material for your KMS keys in CloudTrail and Amazon
     * CloudWatch. To disable rotation of the key material in a customer managed KMS key, use the
     * <a>DisableKeyRotation</a> operation.
     * </p>
     * <p>
     * Automatic key rotation is supported only on <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks">symmetric encryption
     * KMS keys</a>.
You cannot enable automatic rotation of <a 6195 * href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, 6196 * <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys with <a 6197 * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or 6198 * KMS keys in a <a 6199 * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. 6200 * To enable or disable automatic rotation of a set of related <a 6201 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate" 6202 * >multi-Region keys</a>, set the property on the primary key. 6203 * </p> 6204 * <p> 6205 * You cannot enable or disable automatic rotation of <a 6206 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web Services 6207 * managed KMS keys</a>. KMS always rotates the key material of Amazon Web Services managed keys every year. 6208 * Rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk">Amazon 6209 * Web Services owned KMS keys</a> varies. 6210 * </p> 6211 * <note> 6212 * <p> 6213 * In May 2022, KMS changed the rotation schedule for Amazon Web Services managed keys from every three years 6214 * (approximately 1,095 days) to every year (approximately 365 days). 6215 * </p> 6216 * <p> 6217 * New Amazon Web Services managed keys are automatically rotated one year after they are created, and approximately 6218 * every year thereafter. 6219 * </p> 6220 * <p> 6221 * Existing Amazon Web Services managed keys are automatically rotated one year after their most recent rotation, 6222 * and every year thereafter. 6223 * </p> 6224 * </note> 6225 * <p> 6226 * The KMS key that you use for this operation must be in a compatible key state. 
For details, see <a 6227 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 6228 * <i>Key Management Service Developer Guide</i>. 6229 * </p> 6230 * <p> 6231 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 6232 * account. 6233 * </p> 6234 * <p> 6235 * <b>Required permissions</b>: <a 6236 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 6237 * >kms:EnableKeyRotation</a> (key policy) 6238 * </p> 6239 * <p> 6240 * <b>Related operations:</b> 6241 * </p> 6242 * <ul> 6243 * <li> 6244 * <p> 6245 * <a>DisableKeyRotation</a> 6246 * </p> 6247 * </li> 6248 * <li> 6249 * <p> 6250 * <a>GetKeyRotationStatus</a> 6251 * </p> 6252 * </li> 6253 * </ul> 6254 * <p> 6255 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 6256 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 6257 * consistency</a>. 6258 * </p> 6259 * 6260 * @param enableKeyRotationRequest 6261 * @return A Java Future containing the result of the EnableKeyRotation operation returned by the service.<br/> 6262 * The CompletableFuture returned by this method can be completed exceptionally with the following 6263 * exceptions. 6264 * <ul> 6265 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 6266 * found.</li> 6267 * <li>DisabledException The request was rejected because the specified KMS key is not enabled.</li> 6268 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 6269 * not valid.</li> 6270 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 6271 * the request.</li> 6272 * <li>KmsInternalException The request was rejected because an internal exception occurred. 
The request can 6273 * be retried.</li> 6274 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 6275 * valid for this request.</p> 6276 * <p> 6277 * This exception means one of the following: 6278 * </p> 6279 * <ul> 6280 * <li> 6281 * <p> 6282 * The key state of the KMS key is not compatible with the operation. 6283 * </p> 6284 * <p> 6285 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 6286 * are compatible with each KMS operation, see <a 6287 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 6288 * the <i>Key Management Service Developer Guide</i>. 6289 * </p> 6290 * </li> 6291 * <li> 6292 * <p> 6293 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 6294 * failure with many possible causes. To identify the cause, see the error message that accompanies the 6295 * exception. 6296 * </p> 6297 * </li></li> 6298 * <li>UnsupportedOperationException The request was rejected because a specified parameter is not supported 6299 * or a specified resource is not valid for this operation.</li> 6300 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 6301 * Can be used for catch all scenarios.</li> 6302 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 6303 * credentials, etc.</li> 6304 * <li>KmsException Base class for all service exceptions.
Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.EnableKeyRotation
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotation" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<EnableKeyRotationResponse> enableKeyRotation(EnableKeyRotationRequest enableKeyRotationRequest) {
        // Default body of this interface method: it builds and sends nothing and always throws.
        // The throw happens synchronously at the call site, so it is not delivered through the
        // returned CompletableFuture and exceptionally()/handle() callbacks never see it.
        // NOTE(review): the Javadoc above also lists an UnsupportedOperationException as a
        // service-side rejection; the one raised here is local. Confirm that error handling
        // keyed on that name distinguishes the two cases.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Enables <a href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html">automatic rotation of
     * the key material</a> of the specified symmetric encryption KMS key.
     * </p>
     * <p>
     * When you enable automatic rotation of a <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed KMS
     * key</a>, KMS rotates the key material of the KMS key one year (approximately 365 days) from the enable date and
     * every year thereafter. You can monitor rotation of the key material for your KMS keys in CloudTrail and Amazon
     * CloudWatch. To disable rotation of the key material in a customer managed KMS key, use the
     * <a>DisableKeyRotation</a> operation.
     * </p>
     * <p>
     * Automatic key rotation is supported only on <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks">symmetric encryption
     * KMS keys</a>.
You cannot enable automatic rotation of <a 6332 * href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, 6333 * <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys with <a 6334 * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or 6335 * KMS keys in a <a 6336 * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. 6337 * To enable or disable automatic rotation of a set of related <a 6338 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate" 6339 * >multi-Region keys</a>, set the property on the primary key. 6340 * </p> 6341 * <p> 6342 * You cannot enable or disable automatic rotation of <a 6343 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web Services 6344 * managed KMS keys</a>. KMS always rotates the key material of Amazon Web Services managed keys every year. 6345 * Rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk">Amazon 6346 * Web Services owned KMS keys</a> varies. 6347 * </p> 6348 * <note> 6349 * <p> 6350 * In May 2022, KMS changed the rotation schedule for Amazon Web Services managed keys from every three years 6351 * (approximately 1,095 days) to every year (approximately 365 days). 6352 * </p> 6353 * <p> 6354 * New Amazon Web Services managed keys are automatically rotated one year after they are created, and approximately 6355 * every year thereafter. 6356 * </p> 6357 * <p> 6358 * Existing Amazon Web Services managed keys are automatically rotated one year after their most recent rotation, 6359 * and every year thereafter. 6360 * </p> 6361 * </note> 6362 * <p> 6363 * The KMS key that you use for this operation must be in a compatible key state.
For details, see <a 6364 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 6365 * <i>Key Management Service Developer Guide</i>. 6366 * </p> 6367 * <p> 6368 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 6369 * account. 6370 * </p> 6371 * <p> 6372 * <b>Required permissions</b>: <a 6373 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 6374 * >kms:EnableKeyRotation</a> (key policy) 6375 * </p> 6376 * <p> 6377 * <b>Related operations:</b> 6378 * </p> 6379 * <ul> 6380 * <li> 6381 * <p> 6382 * <a>DisableKeyRotation</a> 6383 * </p> 6384 * </li> 6385 * <li> 6386 * <p> 6387 * <a>GetKeyRotationStatus</a> 6388 * </p> 6389 * </li> 6390 * </ul> 6391 * <p> 6392 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 6393 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 6394 * consistency</a>. 6395 * </p> 6396 * <br/> 6397 * <p> 6398 * This is a convenience which creates an instance of the {@link EnableKeyRotationRequest.Builder} avoiding the need 6399 * to create one manually via {@link EnableKeyRotationRequest#builder()} 6400 * </p> 6401 * 6402 * @param enableKeyRotationRequest 6403 * A {@link Consumer} that will call methods on 6404 * {@link software.amazon.awssdk.services.kms.model.EnableKeyRotationRequest.Builder} to create a request. 6405 * @return A Java Future containing the result of the EnableKeyRotation operation returned by the service.<br/> 6406 * The CompletableFuture returned by this method can be completed exceptionally with the following 6407 * exceptions. 
6408 * <ul> 6409 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 6410 * found.</li> 6411 * <li>DisabledException The request was rejected because the specified KMS key is not enabled.</li> 6412 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 6413 * not valid.</li> 6414 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 6415 * the request.</li> 6416 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 6417 * be retried.</li> 6418 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 6419 * valid for this request.</p> 6420 * <p> 6421 * This exception means one of the following: 6422 * </p> 6423 * <ul> 6424 * <li> 6425 * <p> 6426 * The key state of the KMS key is not compatible with the operation. 6427 * </p> 6428 * <p> 6429 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 6430 * are compatible with each KMS operation, see <a 6431 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 6432 * the <i>Key Management Service Developer Guide</i>. 6433 * </p> 6434 * </li> 6435 * <li> 6436 * <p> 6437 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 6438 * failure with many possible causes. To identify the cause, see the error message that accompanies the 6439 * exception. 6440 * </p> 6441 * </li></li> 6442 * <li>UnsupportedOperationException The request was rejected because a specified parameter is not supported 6443 * or a specified resource is not valid for this operation.</li> 6444 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
*         Can be used for catch all scenarios.</li>
     *         <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     *         credentials, etc.</li>
     *         <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.EnableKeyRotation
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotation" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<EnableKeyRotationResponse> enableKeyRotation(
            Consumer<EnableKeyRotationRequest.Builder> enableKeyRotationRequest) {
        // Materialise the request before delegating: anything thrown by applyMutation(...) or
        // build() surfaces here, synchronously, rather than through the returned future.
        // This wrapper sets no request fields itself; the request carries only what the builder
        // and the caller's consumer put there.
        final EnableKeyRotationRequest builtRequest =
                EnableKeyRotationRequest.builder().applyMutation(enableKeyRotationRequest).build();
        return enableKeyRotation(builtRequest);
    }

    /**
     * <p>
     * Encrypts plaintext of up to 4,096 bytes using a KMS key. You can use a symmetric or asymmetric KMS key with a
     * <code>KeyUsage</code> of <code>ENCRYPT_DECRYPT</code>.
     * </p>
     * <p>
     * You can use this operation to encrypt small amounts of arbitrary data, such as a personal identifier or database
     * password, or other sensitive information. You don't need to use the <code>Encrypt</code> operation to encrypt a
     * data key. The <a>GenerateDataKey</a> and <a>GenerateDataKeyPair</a> operations return a plaintext data key and an
     * encrypted copy of that data key.
     * </p>
     * <p>
     * If you use a symmetric encryption KMS key, you can use an encryption context to add additional security to your
     * encryption operation. If you specify an <code>EncryptionContext</code> when encrypting data, you must specify the
     * same encryption context (a case-sensitive exact match) when decrypting the data. Otherwise, the request to
     * decrypt fails with an <code>InvalidCiphertextException</code>.
For more information, see <a 6476 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">Encryption Context</a> 6477 * in the <i>Key Management Service Developer Guide</i>. 6478 * </p> 6479 * <p> 6480 * If you specify an asymmetric KMS key, you must also specify the encryption algorithm. The algorithm must be 6481 * compatible with the KMS key spec. 6482 * </p> 6483 * <important> 6484 * <p> 6485 * When you use an asymmetric KMS key to encrypt or reencrypt data, be sure to record the KMS key and encryption 6486 * algorithm that you choose. You will be required to provide the same KMS key and encryption algorithm when you 6487 * decrypt the data. If the KMS key and algorithm do not match the values used to encrypt the data, the decrypt 6488 * operation fails. 6489 * </p> 6490 * <p> 6491 * You are not required to supply the key ID and encryption algorithm when you decrypt with symmetric encryption KMS 6492 * keys because KMS stores this information in the ciphertext blob. KMS cannot store metadata in ciphertext 6493 * generated with asymmetric keys. The standard format for asymmetric key ciphertext does not include configurable 6494 * fields. 6495 * </p> 6496 * </important> 6497 * <p> 6498 * The maximum size of the data that you can encrypt varies with the type of KMS key and the encryption algorithm 6499 * that you choose. 
6500 * </p> 6501 * <ul> 6502 * <li> 6503 * <p> 6504 * Symmetric encryption KMS keys 6505 * </p> 6506 * <ul> 6507 * <li> 6508 * <p> 6509 * <code>SYMMETRIC_DEFAULT</code>: 4096 bytes 6510 * </p> 6511 * </li> 6512 * </ul> 6513 * </li> 6514 * <li> 6515 * <p> 6516 * <code>RSA_2048</code> 6517 * </p> 6518 * <ul> 6519 * <li> 6520 * <p> 6521 * <code>RSAES_OAEP_SHA_1</code>: 214 bytes 6522 * </p> 6523 * </li> 6524 * <li> 6525 * <p> 6526 * <code>RSAES_OAEP_SHA_256</code>: 190 bytes 6527 * </p> 6528 * </li> 6529 * </ul> 6530 * </li> 6531 * <li> 6532 * <p> 6533 * <code>RSA_3072</code> 6534 * </p> 6535 * <ul> 6536 * <li> 6537 * <p> 6538 * <code>RSAES_OAEP_SHA_1</code>: 342 bytes 6539 * </p> 6540 * </li> 6541 * <li> 6542 * <p> 6543 * <code>RSAES_OAEP_SHA_256</code>: 318 bytes 6544 * </p> 6545 * </li> 6546 * </ul> 6547 * </li> 6548 * <li> 6549 * <p> 6550 * <code>RSA_4096</code> 6551 * </p> 6552 * <ul> 6553 * <li> 6554 * <p> 6555 * <code>RSAES_OAEP_SHA_1</code>: 470 bytes 6556 * </p> 6557 * </li> 6558 * <li> 6559 * <p> 6560 * <code>RSAES_OAEP_SHA_256</code>: 446 bytes 6561 * </p> 6562 * </li> 6563 * </ul> 6564 * </li> 6565 * <li> 6566 * <p> 6567 * <code>SM2PKE</code>: 1024 bytes (China Regions only) 6568 * </p> 6569 * </li> 6570 * </ul> 6571 * <p> 6572 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 6573 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 6574 * <i>Key Management Service Developer Guide</i>. 6575 * </p> 6576 * <p> 6577 * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services 6578 * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. 
6579 * </p> 6580 * <p> 6581 * <b>Required permissions</b>: <a 6582 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:Encrypt</a> 6583 * (key policy) 6584 * </p> 6585 * <p> 6586 * <b>Related operations:</b> 6587 * </p> 6588 * <ul> 6589 * <li> 6590 * <p> 6591 * <a>Decrypt</a> 6592 * </p> 6593 * </li> 6594 * <li> 6595 * <p> 6596 * <a>GenerateDataKey</a> 6597 * </p> 6598 * </li> 6599 * <li> 6600 * <p> 6601 * <a>GenerateDataKeyPair</a> 6602 * </p> 6603 * </li> 6604 * </ul> 6605 * <p> 6606 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 6607 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 6608 * consistency</a>. 6609 * </p> 6610 * 6611 * @param encryptRequest 6612 * @return A Java Future containing the result of the Encrypt operation returned by the service.<br/> 6613 * The CompletableFuture returned by this method can be completed exceptionally with the following 6614 * exceptions. 6615 * <ul> 6616 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 6617 * found.</li> 6618 * <li>DisabledException The request was rejected because the specified KMS key is not enabled.</li> 6619 * <li>KeyUnavailableException The request was rejected because the specified KMS key was not available. You 6620 * can retry the request.</li> 6621 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 6622 * the request.</li> 6623 * <li>InvalidKeyUsageException The request was rejected for one of the following reasons: </p> 6624 * <ul> 6625 * <li> 6626 * <p> 6627 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 
6628 * </p> 6629 * </li> 6630 * <li> 6631 * <p> 6632 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 6633 * of key material in the KMS key (<code>KeySpec</code>). 6634 * </p> 6635 * </li> 6636 * </ul> 6637 * <p> 6638 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 6639 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 6640 * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the 6641 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 6642 * KMS key, use the <a>DescribeKey</a> operation. 6643 * </p> 6644 * <p> 6645 * To find the encryption or signing algorithms supported for a particular KMS key, use the 6646 * <a>DescribeKey</a> operation.</li> 6647 * <li>InvalidGrantTokenException The request was rejected because the specified grant token is not valid.</li> 6648 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 6649 * be retried.</li> 6650 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 6651 * valid for this request.</p> 6652 * <p> 6653 * This exception means one of the following: 6654 * </p> 6655 * <ul> 6656 * <li> 6657 * <p> 6658 * The key state of the KMS key is not compatible with the operation. 6659 * </p> 6660 * <p> 6661 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 6662 * are compatible with each KMS operation, see <a 6663 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 6664 * the <i>Key Management Service Developer Guide</i>.
* </p>
     *         </li>
     *         <li>
     *         <p>
     *         For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     *         failure with many possible causes. To identify the cause, see the error message that accompanies the
     *         exception.
     *         </p>
     *         </li></li>
     *         <li>DryRunOperationException The request was rejected because the DryRun parameter was specified.</li>
     *         <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     *         Can be used for catch all scenarios.</li>
     *         <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     *         credentials, etc.</li>
     *         <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.Encrypt
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Encrypt" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<EncryptResponse> encrypt(EncryptRequest encryptRequest) {
        // Default body of this interface method: the request is not read and nothing is sent;
        // the call always throws. The throw is synchronous at the call site rather than an
        // exceptionally completed CompletableFuture, so callbacks attached to the future
        // (exceptionally()/handle()) do not observe it.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Encrypts plaintext of up to 4,096 bytes using a KMS key. You can use a symmetric or asymmetric KMS key with a
     * <code>KeyUsage</code> of <code>ENCRYPT_DECRYPT</code>.
     * </p>
     * <p>
     * You can use this operation to encrypt small amounts of arbitrary data, such as a personal identifier or database
     * password, or other sensitive information. You don't need to use the <code>Encrypt</code> operation to encrypt a
     * data key. The <a>GenerateDataKey</a> and <a>GenerateDataKeyPair</a> operations return a plaintext data key and an
     * encrypted copy of that data key.
6700 * </p> 6701 * <p> 6702 * If you use a symmetric encryption KMS key, you can use an encryption context to add additional security to your 6703 * encryption operation. If you specify an <code>EncryptionContext</code> when encrypting data, you must specify the 6704 * same encryption context (a case-sensitive exact match) when decrypting the data. Otherwise, the request to 6705 * decrypt fails with an <code>InvalidCiphertextException</code>. For more information, see <a 6706 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">Encryption Context</a> 6707 * in the <i>Key Management Service Developer Guide</i>. 6708 * </p> 6709 * <p> 6710 * If you specify an asymmetric KMS key, you must also specify the encryption algorithm. The algorithm must be 6711 * compatible with the KMS key spec. 6712 * </p> 6713 * <important> 6714 * <p> 6715 * When you use an asymmetric KMS key to encrypt or reencrypt data, be sure to record the KMS key and encryption 6716 * algorithm that you choose. You will be required to provide the same KMS key and encryption algorithm when you 6717 * decrypt the data. If the KMS key and algorithm do not match the values used to encrypt the data, the decrypt 6718 * operation fails. 6719 * </p> 6720 * <p> 6721 * You are not required to supply the key ID and encryption algorithm when you decrypt with symmetric encryption KMS 6722 * keys because KMS stores this information in the ciphertext blob. KMS cannot store metadata in ciphertext 6723 * generated with asymmetric keys. The standard format for asymmetric key ciphertext does not include configurable 6724 * fields. 6725 * </p> 6726 * </important> 6727 * <p> 6728 * The maximum size of the data that you can encrypt varies with the type of KMS key and the encryption algorithm 6729 * that you choose. 
6730 * </p> 6731 * <ul> 6732 * <li> 6733 * <p> 6734 * Symmetric encryption KMS keys 6735 * </p> 6736 * <ul> 6737 * <li> 6738 * <p> 6739 * <code>SYMMETRIC_DEFAULT</code>: 4096 bytes 6740 * </p> 6741 * </li> 6742 * </ul> 6743 * </li> 6744 * <li> 6745 * <p> 6746 * <code>RSA_2048</code> 6747 * </p> 6748 * <ul> 6749 * <li> 6750 * <p> 6751 * <code>RSAES_OAEP_SHA_1</code>: 214 bytes 6752 * </p> 6753 * </li> 6754 * <li> 6755 * <p> 6756 * <code>RSAES_OAEP_SHA_256</code>: 190 bytes 6757 * </p> 6758 * </li> 6759 * </ul> 6760 * </li> 6761 * <li> 6762 * <p> 6763 * <code>RSA_3072</code> 6764 * </p> 6765 * <ul> 6766 * <li> 6767 * <p> 6768 * <code>RSAES_OAEP_SHA_1</code>: 342 bytes 6769 * </p> 6770 * </li> 6771 * <li> 6772 * <p> 6773 * <code>RSAES_OAEP_SHA_256</code>: 318 bytes 6774 * </p> 6775 * </li> 6776 * </ul> 6777 * </li> 6778 * <li> 6779 * <p> 6780 * <code>RSA_4096</code> 6781 * </p> 6782 * <ul> 6783 * <li> 6784 * <p> 6785 * <code>RSAES_OAEP_SHA_1</code>: 470 bytes 6786 * </p> 6787 * </li> 6788 * <li> 6789 * <p> 6790 * <code>RSAES_OAEP_SHA_256</code>: 446 bytes 6791 * </p> 6792 * </li> 6793 * </ul> 6794 * </li> 6795 * <li> 6796 * <p> 6797 * <code>SM2PKE</code>: 1024 bytes (China Regions only) 6798 * </p> 6799 * </li> 6800 * </ul> 6801 * <p> 6802 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 6803 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 6804 * <i>Key Management Service Developer Guide</i>. 6805 * </p> 6806 * <p> 6807 * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services 6808 * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. 
6809 * </p> 6810 * <p> 6811 * <b>Required permissions</b>: <a 6812 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:Encrypt</a> 6813 * (key policy) 6814 * </p> 6815 * <p> 6816 * <b>Related operations:</b> 6817 * </p> 6818 * <ul> 6819 * <li> 6820 * <p> 6821 * <a>Decrypt</a> 6822 * </p> 6823 * </li> 6824 * <li> 6825 * <p> 6826 * <a>GenerateDataKey</a> 6827 * </p> 6828 * </li> 6829 * <li> 6830 * <p> 6831 * <a>GenerateDataKeyPair</a> 6832 * </p> 6833 * </li> 6834 * </ul> 6835 * <p> 6836 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 6837 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 6838 * consistency</a>. 6839 * </p> 6840 * <br/> 6841 * <p> 6842 * This is a convenience which creates an instance of the {@link EncryptRequest.Builder} avoiding the need to create 6843 * one manually via {@link EncryptRequest#builder()} 6844 * </p> 6845 * 6846 * @param encryptRequest 6847 * A {@link Consumer} that will call methods on 6848 * {@link software.amazon.awssdk.services.kms.model.EncryptRequest.Builder} to create a request. 6849 * @return A Java Future containing the result of the Encrypt operation returned by the service.<br/> 6850 * The CompletableFuture returned by this method can be completed exceptionally with the following 6851 * exceptions. 6852 * <ul> 6853 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 6854 * found.</li> 6855 * <li>DisabledException The request was rejected because the specified KMS key is not enabled.</li> 6856 * <li>KeyUnavailableException The request was rejected because the specified KMS key was not available. You 6857 * can retry the request.</li> 6858 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. 
You can retry 6859 * the request.</li> 6860 * <li>InvalidKeyUsageException The request was rejected for one of the following reasons: </p> 6861 * <ul> 6862 * <li> 6863 * <p> 6864 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 6865 * </p> 6866 * </li> 6867 * <li> 6868 * <p> 6869 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 6870 * of key material in the KMS key (<code>KeySpec</code>). 6871 * </p> 6872 * </li> 6873 * </ul> 6874 * <p> 6875 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 6876 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 6877 * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the 6878 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 6879 * KMS key, use the <a>DescribeKey</a> operation. 6880 * </p> 6881 * <p> 6882 * To find the encryption or signing algorithms supported for a particular KMS key, use the 6883 * <a>DescribeKey</a> operation.</li> 6884 * <li>InvalidGrantTokenException The request was rejected because the specified grant token is not valid.</li> 6885 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 6886 * be retried.</li> 6887 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 6888 * valid for this request.</p> 6889 * <p> 6890 * This exception means one of the following: 6891 * </p> 6892 * <ul> 6893 * <li> 6894 * <p> 6895 * The key state of the KMS key is not compatible with the operation. 6896 * </p> 6897 * <p> 6898 * To find the key state, use the <a>DescribeKey</a> operation.
For more information about which key states
     *         are compatible with each KMS operation, see <a
     *         href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
     *         the <i>Key Management Service Developer Guide</i>.
     *         </p>
     *         </li>
     *         <li>
     *         <p>
     *         For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     *         failure with many possible causes. To identify the cause, see the error message that accompanies the
     *         exception.
     *         </p>
     *         </li></li>
     *         <li>DryRunOperationException The request was rejected because the DryRun parameter was specified.</li>
     *         <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     *         Can be used for catch all scenarios.</li>
     *         <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     *         credentials, etc.</li>
     *         <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.Encrypt
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Encrypt" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<EncryptResponse> encrypt(Consumer<EncryptRequest.Builder> encryptRequest) {
        // Materialise the request before delegating: anything thrown by applyMutation(...) or
        // build() surfaces here, synchronously, rather than through the returned future.
        // This wrapper adds nothing to the request itself: an EncryptionContext or an encryption
        // algorithm is present only if the caller's consumer supplies it (builder API not
        // visible in this section).
        final EncryptRequest builtRequest = EncryptRequest.builder().applyMutation(encryptRequest).build();
        return encrypt(builtRequest);
    }

    /**
     * <p>
     * Returns a unique symmetric data key for use outside of KMS. This operation returns a plaintext copy of the data
     * key and a copy that is encrypted under a symmetric encryption KMS key that you specify. The bytes in the
     * plaintext key are random; they are not related to the caller or the KMS key.
You can use the plaintext key to 6932 * encrypt your data outside of KMS and store the encrypted data key with the encrypted data. 6933 * </p> 6934 * <p> 6935 * To generate a data key, specify the symmetric encryption KMS key that will be used to encrypt the data key. You 6936 * cannot use an asymmetric KMS key to encrypt data keys. To get the type of your KMS key, use the 6937 * <a>DescribeKey</a> operation. 6938 * </p> 6939 * <p> 6940 * You must also specify the length of the data key. Use either the <code>KeySpec</code> or 6941 * <code>NumberOfBytes</code> parameters (but not both). For 128-bit and 256-bit data keys, use the 6942 * <code>KeySpec</code> parameter. 6943 * </p> 6944 * <p> 6945 * To generate a 128-bit SM4 data key (China Regions only), specify a <code>KeySpec</code> value of 6946 * <code>AES_128</code> or a <code>NumberOfBytes</code> value of <code>16</code>. The symmetric encryption key used 6947 * in China Regions to encrypt your data key is an SM4 encryption key. 6948 * </p> 6949 * <p> 6950 * To get only an encrypted copy of the data key, use <a>GenerateDataKeyWithoutPlaintext</a>. To generate an 6951 * asymmetric data key pair, use the <a>GenerateDataKeyPair</a> or <a>GenerateDataKeyPairWithoutPlaintext</a> 6952 * operation. To get a cryptographically secure random byte string, use <a>GenerateRandom</a>. 6953 * </p> 6954 * <p> 6955 * You can use an optional encryption context to add additional security to the encryption operation. If you specify 6956 * an <code>EncryptionContext</code>, you must specify the same encryption context (a case-sensitive exact match) 6957 * when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an 6958 * <code>InvalidCiphertextException</code>. For more information, see <a 6959 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">Encryption Context</a> 6960 * in the <i>Key Management Service Developer Guide</i>. 
6961 * </p> 6962 * <p> 6963 * <code>GenerateDataKey</code> also supports <a 6964 * href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html">Amazon Web Services Nitro 6965 * Enclaves</a>, which provide an isolated compute environment in Amazon EC2. To call <code>GenerateDataKey</code> 6966 * for an Amazon Web Services Nitro enclave, use the <a 6967 * href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services 6968 * Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the <code>Recipient</code> parameter to provide the 6969 * attestation document for the enclave. <code>GenerateDataKey</code> returns a copy of the data key encrypted under 6970 * the specified KMS key, as usual. But instead of a plaintext copy of the data key, the response includes a copy of 6971 * the data key encrypted under the public key from the attestation document (<code>CiphertextForRecipient</code>). 6972 * For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a 6973 * href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services 6974 * Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>. 6975 * </p> 6976 * <p> 6977 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 6978 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 6979 * <i>Key Management Service Developer Guide</i>. 6980 * </p> 6981 * <p> 6982 * <b>How to use your data key</b> 6983 * </p> 6984 * <p> 6985 * We recommend that you use the following pattern to encrypt data locally in your application.
You can write your 6986 * own code or use a client-side encryption library, such as the <a 6987 * href="https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/">Amazon Web Services Encryption SDK</a>, 6988 * the <a href="https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/">Amazon DynamoDB Encryption 6989 * Client</a>, or <a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html">Amazon S3 6990 * client-side encryption</a> to do these tasks for you. 6991 * </p> 6992 * <p> 6993 * To encrypt data outside of KMS: 6994 * </p> 6995 * <ol> 6996 * <li> 6997 * <p> 6998 * Use the <code>GenerateDataKey</code> operation to get a data key. 6999 * </p> 7000 * </li> 7001 * <li> 7002 * <p> 7003 * Use the plaintext data key (in the <code>Plaintext</code> field of the response) to encrypt your data outside of 7004 * KMS. Then erase the plaintext data key from memory. 7005 * </p> 7006 * </li> 7007 * <li> 7008 * <p> 7009 * Store the encrypted data key (in the <code>CiphertextBlob</code> field of the response) with the encrypted data. 7010 * </p> 7011 * </li> 7012 * </ol> 7013 * <p> 7014 * To decrypt data outside of KMS: 7015 * </p> 7016 * <ol> 7017 * <li> 7018 * <p> 7019 * Use the <a>Decrypt</a> operation to decrypt the encrypted data key. The operation returns a plaintext copy of the 7020 * data key. 7021 * </p> 7022 * </li> 7023 * <li> 7024 * <p> 7025 * Use the plaintext data key to decrypt data outside of KMS, then erase the plaintext data key from memory. 7026 * </p> 7027 * </li> 7028 * </ol> 7029 * <p> 7030 * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services 7031 * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. 
7032 * </p> 7033 * <p> 7034 * <b>Required permissions</b>: <a 7035 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 7036 * >kms:GenerateDataKey</a> (key policy) 7037 * </p> 7038 * <p> 7039 * <b>Related operations:</b> 7040 * </p> 7041 * <ul> 7042 * <li> 7043 * <p> 7044 * <a>Decrypt</a> 7045 * </p> 7046 * </li> 7047 * <li> 7048 * <p> 7049 * <a>Encrypt</a> 7050 * </p> 7051 * </li> 7052 * <li> 7053 * <p> 7054 * <a>GenerateDataKeyPair</a> 7055 * </p> 7056 * </li> 7057 * <li> 7058 * <p> 7059 * <a>GenerateDataKeyPairWithoutPlaintext</a> 7060 * </p> 7061 * </li> 7062 * <li> 7063 * <p> 7064 * <a>GenerateDataKeyWithoutPlaintext</a> 7065 * </p> 7066 * </li> 7067 * </ul> 7068 * <p> 7069 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 7070 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 7071 * consistency</a>. 7072 * </p> 7073 * 7074 * @param generateDataKeyRequest 7075 * @return A Java Future containing the result of the GenerateDataKey operation returned by the service.<br/> 7076 * The CompletableFuture returned by this method can be completed exceptionally with the following 7077 * exceptions. 7078 * <ul> 7079 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 7080 * found.</li> 7081 * <li>DisabledException The request was rejected because the specified KMS key is not enabled.</li> 7082 * <li>KeyUnavailableException The request was rejected because the specified KMS key was not available. You 7083 * can retry the request.</li> 7084 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. 
You can retry 7085 * the request.</li> 7086 * <li>InvalidKeyUsageException The request was rejected for one of the following reasons: 7087 * <ul> 7088 * <li> 7089 * <p> 7090 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 7091 * </p> 7092 * </li> 7093 * <li> 7094 * <p> 7095 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 7096 * of key material in the KMS key (<code>KeySpec</code>). 7097 * </p> 7098 * </li> 7099 * </ul> 7100 * <p> 7101 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 7102 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 7103 * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the 7104 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 7105 * KMS key, use the <a>DescribeKey</a> operation. 7106 * </p> 7107 * <p> 7108 * To find the encryption or signing algorithms supported for a particular KMS key, use the 7109 * <a>DescribeKey</a> operation.</li> 7110 * <li>InvalidGrantTokenException The request was rejected because the specified grant token is not valid.</li> 7111 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 7112 * be retried.</li> 7113 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 7114 * valid for this request. 7115 * <p> 7116 * This exception means one of the following: 7117 * </p> 7118 * <ul> 7119 * <li> 7120 * <p> 7121 * The key state of the KMS key is not compatible with the operation. 7122 * </p> 7123 * <p> 7124 * To find the key state, use the <a>DescribeKey</a> operation. 
For more information about which key states
     * are compatible with each KMS operation, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
     * the <i>Key Management Service Developer Guide</i>.
     * </p>
     * </li>
     * <li>
     * <p>
     * For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     * failure with many possible causes. To identify the cause, see the error message that accompanies the
     * exception.
     * </p>
     * </li></ul></li>
     * <li>DryRunOperationException The request was rejected because the DryRun parameter was specified.</li>
     * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     * Can be used for catch all scenarios.</li>
     * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     * credentials, etc.</li>
     * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.GenerateDataKey
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKey" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<GenerateDataKeyResponse> generateDataKey(GenerateDataKeyRequest generateDataKeyRequest) {
        // Interface default: this body throws on the calling thread instead of completing the
        // returned future exceptionally, so handlers attached with exceptionally()/handle()
        // never observe it. Callers that rely on future-based error handling should also
        // guard the call itself.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Returns a unique symmetric data key for use outside of KMS. This operation returns a plaintext copy of the data
     * key and a copy that is encrypted under a symmetric encryption KMS key that you specify. The bytes in the
     * plaintext key are random; they are not related to the caller or the KMS key.
You can use the plaintext key to 7158 * encrypt your data outside of KMS and store the encrypted data key with the encrypted data. 7159 * </p> 7160 * <p> 7161 * To generate a data key, specify the symmetric encryption KMS key that will be used to encrypt the data key. You 7162 * cannot use an asymmetric KMS key to encrypt data keys. To get the type of your KMS key, use the 7163 * <a>DescribeKey</a> operation. 7164 * </p> 7165 * <p> 7166 * You must also specify the length of the data key. Use either the <code>KeySpec</code> or 7167 * <code>NumberOfBytes</code> parameters (but not both). For 128-bit and 256-bit data keys, use the 7168 * <code>KeySpec</code> parameter. 7169 * </p> 7170 * <p> 7171 * To generate a 128-bit SM4 data key (China Regions only), specify a <code>KeySpec</code> value of 7172 * <code>AES_128</code> or a <code>NumberOfBytes</code> value of <code>16</code>. The symmetric encryption key used 7173 * in China Regions to encrypt your data key is an SM4 encryption key. 7174 * </p> 7175 * <p> 7176 * To get only an encrypted copy of the data key, use <a>GenerateDataKeyWithoutPlaintext</a>. To generate an 7177 * asymmetric data key pair, use the <a>GenerateDataKeyPair</a> or <a>GenerateDataKeyPairWithoutPlaintext</a> 7178 * operation. To get a cryptographically secure random byte string, use <a>GenerateRandom</a>. 7179 * </p> 7180 * <p> 7181 * You can use an optional encryption context to add additional security to the encryption operation. If you specify 7182 * an <code>EncryptionContext</code>, you must specify the same encryption context (a case-sensitive exact match) 7183 * when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an 7184 * <code>InvalidCiphertextException</code>. For more information, see <a 7185 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">Encryption Context</a> 7186 * in the <i>Key Management Service Developer Guide</i>. 
7187 * </p> 7188 * <p> 7189 * <code>GenerateDataKey</code> also supports <a 7190 * href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html">Amazon Web Services Nitro 7191 * Enclaves</a>, which provide an isolated compute environment in Amazon EC2. To call <code>GenerateDataKey</code> 7192 * for an Amazon Web Services Nitro enclave, use the <a 7193 * href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services 7194 * Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the <code>Recipient</code> parameter to provide the 7195 * attestation document for the enclave. <code>GenerateDataKey</code> returns a copy of the data key encrypted under 7196 * the specified KMS key, as usual. But instead of a plaintext copy of the data key, the response includes a copy of 7197 * the data key encrypted under the public key from the attestation document (<code>CiphertextForRecipient</code>). 7198 * For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a 7199 * href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services 7200 * Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>.. 7201 * </p> 7202 * <p> 7203 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 7204 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 7205 * <i>Key Management Service Developer Guide</i>. 7206 * </p> 7207 * <p> 7208 * <b>How to use your data key</b> 7209 * </p> 7210 * <p> 7211 * We recommend that you use the following pattern to encrypt data locally in your application. 
You can write your 7212 * own code or use a client-side encryption library, such as the <a 7213 * href="https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/">Amazon Web Services Encryption SDK</a>, 7214 * the <a href="https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/">Amazon DynamoDB Encryption 7215 * Client</a>, or <a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html">Amazon S3 7216 * client-side encryption</a> to do these tasks for you. 7217 * </p> 7218 * <p> 7219 * To encrypt data outside of KMS: 7220 * </p> 7221 * <ol> 7222 * <li> 7223 * <p> 7224 * Use the <code>GenerateDataKey</code> operation to get a data key. 7225 * </p> 7226 * </li> 7227 * <li> 7228 * <p> 7229 * Use the plaintext data key (in the <code>Plaintext</code> field of the response) to encrypt your data outside of 7230 * KMS. Then erase the plaintext data key from memory. 7231 * </p> 7232 * </li> 7233 * <li> 7234 * <p> 7235 * Store the encrypted data key (in the <code>CiphertextBlob</code> field of the response) with the encrypted data. 7236 * </p> 7237 * </li> 7238 * </ol> 7239 * <p> 7240 * To decrypt data outside of KMS: 7241 * </p> 7242 * <ol> 7243 * <li> 7244 * <p> 7245 * Use the <a>Decrypt</a> operation to decrypt the encrypted data key. The operation returns a plaintext copy of the 7246 * data key. 7247 * </p> 7248 * </li> 7249 * <li> 7250 * <p> 7251 * Use the plaintext data key to decrypt data outside of KMS, then erase the plaintext data key from memory. 7252 * </p> 7253 * </li> 7254 * </ol> 7255 * <p> 7256 * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services 7257 * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. 
7258 * </p> 7259 * <p> 7260 * <b>Required permissions</b>: <a 7261 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 7262 * >kms:GenerateDataKey</a> (key policy) 7263 * </p> 7264 * <p> 7265 * <b>Related operations:</b> 7266 * </p> 7267 * <ul> 7268 * <li> 7269 * <p> 7270 * <a>Decrypt</a> 7271 * </p> 7272 * </li> 7273 * <li> 7274 * <p> 7275 * <a>Encrypt</a> 7276 * </p> 7277 * </li> 7278 * <li> 7279 * <p> 7280 * <a>GenerateDataKeyPair</a> 7281 * </p> 7282 * </li> 7283 * <li> 7284 * <p> 7285 * <a>GenerateDataKeyPairWithoutPlaintext</a> 7286 * </p> 7287 * </li> 7288 * <li> 7289 * <p> 7290 * <a>GenerateDataKeyWithoutPlaintext</a> 7291 * </p> 7292 * </li> 7293 * </ul> 7294 * <p> 7295 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 7296 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 7297 * consistency</a>. 7298 * </p> 7299 * <br/> 7300 * <p> 7301 * This is a convenience which creates an instance of the {@link GenerateDataKeyRequest.Builder} avoiding the need 7302 * to create one manually via {@link GenerateDataKeyRequest#builder()} 7303 * </p> 7304 * 7305 * @param generateDataKeyRequest 7306 * A {@link Consumer} that will call methods on 7307 * {@link software.amazon.awssdk.services.kms.model.GenerateDataKeyRequest.Builder} to create a request. 7308 * @return A Java Future containing the result of the GenerateDataKey operation returned by the service.<br/> 7309 * The CompletableFuture returned by this method can be completed exceptionally with the following 7310 * exceptions. 
7311 * <ul> 7312 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 7313 * found.</li> 7314 * <li>DisabledException The request was rejected because the specified KMS key is not enabled.</li> 7315 * <li>KeyUnavailableException The request was rejected because the specified KMS key was not available. You 7316 * can retry the request.</li> 7317 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 7318 * the request.</li> 7319 * <li>InvalidKeyUsageException The request was rejected for one of the following reasons: </p> 7320 * <ul> 7321 * <li> 7322 * <p> 7323 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 7324 * </p> 7325 * </li> 7326 * <li> 7327 * <p> 7328 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 7329 * of key material in the KMS key <code>(KeySpec</code>). 7330 * </p> 7331 * </li> 7332 * </ul> 7333 * <p> 7334 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 7335 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 7336 * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the 7337 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 7338 * KMS key, use the <a>DescribeKey</a> operation. 7339 * </p> 7340 * <p> 7341 * To find the encryption or signing algorithms supported for a particular KMS key, use the 7342 * <a>DescribeKey</a> operation.</li> 7343 * <li>InvalidGrantTokenException The request was rejected because the specified grant token is not valid.</li> 7344 * <li>KmsInternalException The request was rejected because an internal exception occurred. 
The request can 7345 * be retried.</li> 7346 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 7347 * valid for this request.</p> 7348 * <p> 7349 * This exceptions means one of the following: 7350 * </p> 7351 * <ul> 7352 * <li> 7353 * <p> 7354 * The key state of the KMS key is not compatible with the operation. 7355 * </p> 7356 * <p> 7357 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 7358 * are compatible with each KMS operation, see <a 7359 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 7360 * the <i> <i>Key Management Service Developer Guide</i> </i>. 7361 * </p> 7362 * </li> 7363 * <li> 7364 * <p> 7365 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 7366 * failure with many possible causes. To identify the cause, see the error message that accompanies the 7367 * exception. 7368 * </p> 7369 * </li></li> 7370 * <li>DryRunOperationException The request was rejected because the DryRun parameter was specified.</li> 7371 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 7372 * Can be used for catch all scenarios.</li> 7373 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 7374 * credentials, etc.</li> 7375 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.GenerateDataKey
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKey" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<GenerateDataKeyResponse> generateDataKey(
            Consumer<GenerateDataKeyRequest.Builder> generateDataKeyRequest) {
        // Let the caller's consumer populate a fresh builder, then delegate to the
        // request-object overload of generateDataKey.
        GenerateDataKeyRequest builtRequest =
                GenerateDataKeyRequest.builder().applyMutation(generateDataKeyRequest).build();
        // The future is returned untouched: nothing on this convenience path inspects or clears
        // the Plaintext field of the response, so erasing the plaintext data key after use (as
        // the Javadoc above advises) is left entirely to the caller.
        return generateDataKey(builtRequest);
    }

    /**
     * <p>
     * Returns a unique asymmetric data key pair for use outside of KMS. This operation returns a plaintext public key,
     * a plaintext private key, and a copy of the private key that is encrypted under the symmetric encryption KMS key
     * you specify. You can use the data key pair to perform asymmetric cryptography and implement digital signatures
     * outside of KMS. The bytes in the keys are random; they are not related to the caller or to the KMS key that is
     * used to encrypt the private key.
     * </p>
     * <p>
     * You can use the public key that <code>GenerateDataKeyPair</code> returns to encrypt data or verify a signature
     * outside of KMS. Then, store the encrypted private key with the data. When you are ready to decrypt data or sign a
     * message, you can use the <a>Decrypt</a> operation to decrypt the encrypted private key.
     * </p>
     * <p>
     * To generate a data key pair, you must specify a symmetric encryption KMS key to encrypt the private key in a data
     * key pair. You cannot use an asymmetric KMS key or a KMS key in a custom key store. To get the type and origin of
     * your KMS key, use the <a>DescribeKey</a> operation.
     * </p>
     * <p>
     * Use the <code>KeyPairSpec</code> parameter to choose an RSA or Elliptic Curve (ECC) data key pair.
In China 7407 * Regions, you can also choose an SM2 data key pair. KMS recommends that you use ECC key pairs for signing, and use 7408 * RSA and SM2 key pairs for either encryption or signing, but not both. However, KMS cannot enforce any 7409 * restrictions on the use of data key pairs outside of KMS. 7410 * </p> 7411 * <p> 7412 * If you are using the data key pair to encrypt data, or for any operation where you don't immediately need a 7413 * private key, consider using the <a>GenerateDataKeyPairWithoutPlaintext</a> operation. 7414 * <code>GenerateDataKeyPairWithoutPlaintext</code> returns a plaintext public key and an encrypted private key, but 7415 * omits the plaintext private key that you need only to decrypt ciphertext or sign a message. Later, when you need 7416 * to decrypt the data or sign a message, use the <a>Decrypt</a> operation to decrypt the encrypted private key in 7417 * the data key pair. 7418 * </p> 7419 * <p> 7420 * <code>GenerateDataKeyPair</code> returns a unique data key pair for each request. The bytes in the keys are 7421 * random; they are not related to the caller or the KMS key that is used to encrypt the private key. The public key 7422 * is a DER-encoded X.509 SubjectPublicKeyInfo, as specified in <a href="https://tools.ietf.org/html/rfc5280">RFC 7423 * 5280</a>. The private key is a DER-encoded PKCS8 PrivateKeyInfo, as specified in <a 7424 * href="https://tools.ietf.org/html/rfc5958">RFC 5958</a>. 7425 * </p> 7426 * <p> 7427 * <code>GenerateDataKeyPair</code> also supports <a 7428 * href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html">Amazon Web Services Nitro 7429 * Enclaves</a>, which provide an isolated compute environment in Amazon EC2. 
To call 7430 * <code>GenerateDataKeyPair</code> for an Amazon Web Services Nitro enclave, use the <a 7431 * href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services 7432 * Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the <code>Recipient</code> parameter to provide the 7433 * attestation document for the enclave. <code>GenerateDataKeyPair</code> returns the public data key and a copy of 7434 * the private data key encrypted under the specified KMS key, as usual. But instead of a plaintext copy of the 7435 * private data key (<code>PrivateKeyPlaintext</code>), the response includes a copy of the private data key 7436 * encrypted under the public key from the attestation document (<code>CiphertextForRecipient</code>). For 7437 * information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a 7438 * href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services 7439 * Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>.. 7440 * </p> 7441 * <p> 7442 * You can use an optional encryption context to add additional security to the encryption operation. If you specify 7443 * an <code>EncryptionContext</code>, you must specify the same encryption context (a case-sensitive exact match) 7444 * when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an 7445 * <code>InvalidCiphertextException</code>. For more information, see <a 7446 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">Encryption Context</a> 7447 * in the <i>Key Management Service Developer Guide</i>. 7448 * </p> 7449 * <p> 7450 * The KMS key that you use for this operation must be in a compatible key state. 
For details, see <a 7451 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 7452 * <i>Key Management Service Developer Guide</i>. 7453 * </p> 7454 * <p> 7455 * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services 7456 * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. 7457 * </p> 7458 * <p> 7459 * <b>Required permissions</b>: <a 7460 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 7461 * >kms:GenerateDataKeyPair</a> (key policy) 7462 * </p> 7463 * <p> 7464 * <b>Related operations:</b> 7465 * </p> 7466 * <ul> 7467 * <li> 7468 * <p> 7469 * <a>Decrypt</a> 7470 * </p> 7471 * </li> 7472 * <li> 7473 * <p> 7474 * <a>Encrypt</a> 7475 * </p> 7476 * </li> 7477 * <li> 7478 * <p> 7479 * <a>GenerateDataKey</a> 7480 * </p> 7481 * </li> 7482 * <li> 7483 * <p> 7484 * <a>GenerateDataKeyPairWithoutPlaintext</a> 7485 * </p> 7486 * </li> 7487 * <li> 7488 * <p> 7489 * <a>GenerateDataKeyWithoutPlaintext</a> 7490 * </p> 7491 * </li> 7492 * </ul> 7493 * <p> 7494 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 7495 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 7496 * consistency</a>. 7497 * </p> 7498 * 7499 * @param generateDataKeyPairRequest 7500 * @return A Java Future containing the result of the GenerateDataKeyPair operation returned by the service.<br/> 7501 * The CompletableFuture returned by this method can be completed exceptionally with the following 7502 * exceptions. 
7503 * <ul> 7504 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 7505 * found.</li> 7506 * <li>DisabledException The request was rejected because the specified KMS key is not enabled.</li> 7507 * <li>KeyUnavailableException The request was rejected because the specified KMS key was not available. You 7508 * can retry the request.</li> 7509 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 7510 * the request.</li> 7511 * <li>InvalidKeyUsageException The request was rejected for one of the following reasons: </p> 7512 * <ul> 7513 * <li> 7514 * <p> 7515 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 7516 * </p> 7517 * </li> 7518 * <li> 7519 * <p> 7520 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 7521 * of key material in the KMS key <code>(KeySpec</code>). 7522 * </p> 7523 * </li> 7524 * </ul> 7525 * <p> 7526 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 7527 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 7528 * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the 7529 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 7530 * KMS key, use the <a>DescribeKey</a> operation. 7531 * </p> 7532 * <p> 7533 * To find the encryption or signing algorithms supported for a particular KMS key, use the 7534 * <a>DescribeKey</a> operation.</li> 7535 * <li>InvalidGrantTokenException The request was rejected because the specified grant token is not valid.</li> 7536 * <li>KmsInternalException The request was rejected because an internal exception occurred. 
The request can 7537 * be retried.</li> 7538 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 7539 * valid for this request.</p> 7540 * <p> 7541 * This exceptions means one of the following: 7542 * </p> 7543 * <ul> 7544 * <li> 7545 * <p> 7546 * The key state of the KMS key is not compatible with the operation. 7547 * </p> 7548 * <p> 7549 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 7550 * are compatible with each KMS operation, see <a 7551 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 7552 * the <i> <i>Key Management Service Developer Guide</i> </i>. 7553 * </p> 7554 * </li> 7555 * <li> 7556 * <p> 7557 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 7558 * failure with many possible causes. To identify the cause, see the error message that accompanies the 7559 * exception. 7560 * </p> 7561 * </li></li> 7562 * <li>UnsupportedOperationException The request was rejected because a specified parameter is not supported 7563 * or a specified resource is not valid for this operation.</li> 7564 * <li>DryRunOperationException The request was rejected because the DryRun parameter was specified.</li> 7565 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 7566 * Can be used for catch all scenarios.</li> 7567 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 7568 * credentials, etc.</li> 7569 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.GenerateDataKeyPair
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPair" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<GenerateDataKeyPairResponse> generateDataKeyPair(
            GenerateDataKeyPairRequest generateDataKeyPairRequest) {
        // Interface default: thrown on the calling thread, not delivered through the returned
        // future, so exceptionally()/handle() callbacks never see it.
        // NOTE(review): the Javadoc above also lists a service-side error named
        // UnsupportedOperationException; the unqualified name here presumably resolves to
        // java.lang.UnsupportedOperationException. Confirm against the file's imports before
        // writing catch blocks that are meant to tell the two apart.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Returns a unique asymmetric data key pair for use outside of KMS. This operation returns a plaintext public key,
     * a plaintext private key, and a copy of the private key that is encrypted under the symmetric encryption KMS key
     * you specify. You can use the data key pair to perform asymmetric cryptography and implement digital signatures
     * outside of KMS. The bytes in the keys are random; they are not related to the caller or to the KMS key that is
     * used to encrypt the private key.
     * </p>
     * <p>
     * You can use the public key that <code>GenerateDataKeyPair</code> returns to encrypt data or verify a signature
     * outside of KMS. Then, store the encrypted private key with the data. When you are ready to decrypt data or sign a
     * message, you can use the <a>Decrypt</a> operation to decrypt the encrypted private key.
     * </p>
     * <p>
     * To generate a data key pair, you must specify a symmetric encryption KMS key to encrypt the private key in a data
     * key pair. You cannot use an asymmetric KMS key or a KMS key in a custom key store. To get the type and origin of
     * your KMS key, use the <a>DescribeKey</a> operation.
     * </p>
     * <p>
     * Use the <code>KeyPairSpec</code> parameter to choose an RSA or Elliptic Curve (ECC) data key pair. In China
     * Regions, you can also choose an SM2 data key pair.
KMS recommends that you use ECC key pairs for signing, and use 7602 * RSA and SM2 key pairs for either encryption or signing, but not both. However, KMS cannot enforce any 7603 * restrictions on the use of data key pairs outside of KMS. 7604 * </p> 7605 * <p> 7606 * If you are using the data key pair to encrypt data, or for any operation where you don't immediately need a 7607 * private key, consider using the <a>GenerateDataKeyPairWithoutPlaintext</a> operation. 7608 * <code>GenerateDataKeyPairWithoutPlaintext</code> returns a plaintext public key and an encrypted private key, but 7609 * omits the plaintext private key that you need only to decrypt ciphertext or sign a message. Later, when you need 7610 * to decrypt the data or sign a message, use the <a>Decrypt</a> operation to decrypt the encrypted private key in 7611 * the data key pair. 7612 * </p> 7613 * <p> 7614 * <code>GenerateDataKeyPair</code> returns a unique data key pair for each request. The bytes in the keys are 7615 * random; they are not related to the caller or the KMS key that is used to encrypt the private key. The public key 7616 * is a DER-encoded X.509 SubjectPublicKeyInfo, as specified in <a href="https://tools.ietf.org/html/rfc5280">RFC 7617 * 5280</a>. The private key is a DER-encoded PKCS8 PrivateKeyInfo, as specified in <a 7618 * href="https://tools.ietf.org/html/rfc5958">RFC 5958</a>. 7619 * </p> 7620 * <p> 7621 * <code>GenerateDataKeyPair</code> also supports <a 7622 * href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html">Amazon Web Services Nitro 7623 * Enclaves</a>, which provide an isolated compute environment in Amazon EC2. To call 7624 * <code>GenerateDataKeyPair</code> for an Amazon Web Services Nitro enclave, use the <a 7625 * href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services 7626 * Nitro Enclaves SDK</a> or any Amazon Web Services SDK. 
Use the <code>Recipient</code> parameter to provide the 7627 * attestation document for the enclave. <code>GenerateDataKeyPair</code> returns the public data key and a copy of 7628 * the private data key encrypted under the specified KMS key, as usual. But instead of a plaintext copy of the 7629 * private data key (<code>PrivateKeyPlaintext</code>), the response includes a copy of the private data key 7630 * encrypted under the public key from the attestation document (<code>CiphertextForRecipient</code>). For 7631 * information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a 7632 * href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services 7633 * Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>. 7634 * </p> 7635 * <p> 7636 * You can use an optional encryption context to add additional security to the encryption operation. If you specify 7637 * an <code>EncryptionContext</code>, you must specify the same encryption context (a case-sensitive exact match) 7638 * when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an 7639 * <code>InvalidCiphertextException</code>. For more information, see <a 7640 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">Encryption Context</a> 7641 * in the <i>Key Management Service Developer Guide</i>. 7642 * </p> 7643 * <p> 7644 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 7645 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 7646 * <i>Key Management Service Developer Guide</i>. 7647 * </p> 7648 * <p> 7649 * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services 7650 * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter.
7651 * </p> 7652 * <p> 7653 * <b>Required permissions</b>: <a 7654 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 7655 * >kms:GenerateDataKeyPair</a> (key policy) 7656 * </p> 7657 * <p> 7658 * <b>Related operations:</b> 7659 * </p> 7660 * <ul> 7661 * <li> 7662 * <p> 7663 * <a>Decrypt</a> 7664 * </p> 7665 * </li> 7666 * <li> 7667 * <p> 7668 * <a>Encrypt</a> 7669 * </p> 7670 * </li> 7671 * <li> 7672 * <p> 7673 * <a>GenerateDataKey</a> 7674 * </p> 7675 * </li> 7676 * <li> 7677 * <p> 7678 * <a>GenerateDataKeyPairWithoutPlaintext</a> 7679 * </p> 7680 * </li> 7681 * <li> 7682 * <p> 7683 * <a>GenerateDataKeyWithoutPlaintext</a> 7684 * </p> 7685 * </li> 7686 * </ul> 7687 * <p> 7688 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 7689 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 7690 * consistency</a>. 7691 * </p> 7692 * <br/> 7693 * <p> 7694 * This is a convenience which creates an instance of the {@link GenerateDataKeyPairRequest.Builder} avoiding the 7695 * need to create one manually via {@link GenerateDataKeyPairRequest#builder()} 7696 * </p> 7697 * 7698 * @param generateDataKeyPairRequest 7699 * A {@link Consumer} that will call methods on 7700 * {@link software.amazon.awssdk.services.kms.model.GenerateDataKeyPairRequest.Builder} to create a request. 7701 * @return A Java Future containing the result of the GenerateDataKeyPair operation returned by the service.<br/> 7702 * The CompletableFuture returned by this method can be completed exceptionally with the following 7703 * exceptions. 
7704 * <ul> 7705 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 7706 * found.</li> 7707 * <li>DisabledException The request was rejected because the specified KMS key is not enabled.</li> 7708 * <li>KeyUnavailableException The request was rejected because the specified KMS key was not available. You 7709 * can retry the request.</li> 7710 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 7711 * the request.</li> 7712 * <li>InvalidKeyUsageException The request was rejected for one of the following reasons: </p> 7713 * <ul> 7714 * <li> 7715 * <p> 7716 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 7717 * </p> 7718 * </li> 7719 * <li> 7720 * <p> 7721 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 7722 * of key material in the KMS key <code>(KeySpec</code>). 7723 * </p> 7724 * </li> 7725 * </ul> 7726 * <p> 7727 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 7728 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 7729 * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the 7730 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 7731 * KMS key, use the <a>DescribeKey</a> operation. 7732 * </p> 7733 * <p> 7734 * To find the encryption or signing algorithms supported for a particular KMS key, use the 7735 * <a>DescribeKey</a> operation.</li> 7736 * <li>InvalidGrantTokenException The request was rejected because the specified grant token is not valid.</li> 7737 * <li>KmsInternalException The request was rejected because an internal exception occurred. 
The request can 7738 * be retried.</li> 7739 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 7740 * valid for this request. 7741 * <p> 7742 * This exception means one of the following: 7743 * </p> 7744 * <ul> 7745 * <li> 7746 * <p> 7747 * The key state of the KMS key is not compatible with the operation. 7748 * </p> 7749 * <p> 7750 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 7751 * are compatible with each KMS operation, see <a 7752 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 7753 * the <i>Key Management Service Developer Guide</i>. 7754 * </p> 7755 * </li> 7756 * <li> 7757 * <p> 7758 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 7759 * failure with many possible causes. To identify the cause, see the error message that accompanies the 7760 * exception. 7761 * </p> 7762 * </li></ul></li> 7763 * <li>UnsupportedOperationException The request was rejected because a specified parameter is not supported 7764 * or a specified resource is not valid for this operation.</li> 7765 * <li>DryRunOperationException The request was rejected because the DryRun parameter was specified.</li> 7766 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 7767 * Can be used for catch all scenarios.</li> 7768 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 7769 * credentials, etc.</li> 7770 * <li>KmsException Base class for all service exceptions.
Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.GenerateDataKeyPair
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPair" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<GenerateDataKeyPairResponse> generateDataKeyPair(
            Consumer<GenerateDataKeyPairRequest.Builder> generateDataKeyPairRequest) {
        // The caller's consumer populates a fresh builder; the built request is then handed to the
        // request-object overload, which does the actual work.
        GenerateDataKeyPairRequest builtRequest =
                GenerateDataKeyPairRequest.builder().applyMutation(generateDataKeyPairRequest).build();
        // Per the operation description above, the response includes the plaintext private key; callers
        // that do not need it immediately can use generateDataKeyPairWithoutPlaintext instead.
        return generateDataKeyPair(builtRequest);
    }

    /**
     * <p>
     * Returns a unique asymmetric data key pair for use outside of KMS. This operation returns a plaintext public key
     * and a copy of the private key that is encrypted under the symmetric encryption KMS key you specify. Unlike
     * <a>GenerateDataKeyPair</a>, this operation does not return a plaintext private key. The bytes in the keys are
     * random; they are not related to the caller or to the KMS key that is used to encrypt the private key.
     * </p>
     * <p>
     * You can use the public key that <code>GenerateDataKeyPairWithoutPlaintext</code> returns to encrypt data or
     * verify a signature outside of KMS. Then, store the encrypted private key with the data. When you are ready to
     * decrypt data or sign a message, you can use the <a>Decrypt</a> operation to decrypt the encrypted private key.
     * </p>
     * <p>
     * To generate a data key pair, you must specify a symmetric encryption KMS key to encrypt the private key in a data
     * key pair. You cannot use an asymmetric KMS key or a KMS key in a custom key store. To get the type and origin of
     * your KMS key, use the <a>DescribeKey</a> operation.
     * </p>
     * <p>
     * Use the <code>KeyPairSpec</code> parameter to choose an RSA or Elliptic Curve (ECC) data key pair.
In China 7801 * Regions, you can also choose an SM2 data key pair. KMS recommends that you use ECC key pairs for signing, and use 7802 * RSA and SM2 key pairs for either encryption or signing, but not both. However, KMS cannot enforce any 7803 * restrictions on the use of data key pairs outside of KMS. 7804 * </p> 7805 * <p> 7806 * <code>GenerateDataKeyPairWithoutPlaintext</code> returns a unique data key pair for each request. The bytes in 7807 * the key are not related to the caller or KMS key that is used to encrypt the private key. The public key is a 7808 * DER-encoded X.509 SubjectPublicKeyInfo, as specified in <a href="https://tools.ietf.org/html/rfc5280">RFC 7809 * 5280</a>. 7810 * </p> 7811 * <p> 7812 * You can use an optional encryption context to add additional security to the encryption operation. If you specify 7813 * an <code>EncryptionContext</code>, you must specify the same encryption context (a case-sensitive exact match) 7814 * when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an 7815 * <code>InvalidCiphertextException</code>. For more information, see <a 7816 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">Encryption Context</a> 7817 * in the <i>Key Management Service Developer Guide</i>. 7818 * </p> 7819 * <p> 7820 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 7821 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 7822 * <i>Key Management Service Developer Guide</i>. 7823 * </p> 7824 * <p> 7825 * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services 7826 * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. 
7827 * </p> 7828 * <p> 7829 * <b>Required permissions</b>: <a 7830 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 7831 * >kms:GenerateDataKeyPairWithoutPlaintext</a> (key policy) 7832 * </p> 7833 * <p> 7834 * <b>Related operations:</b> 7835 * </p> 7836 * <ul> 7837 * <li> 7838 * <p> 7839 * <a>Decrypt</a> 7840 * </p> 7841 * </li> 7842 * <li> 7843 * <p> 7844 * <a>Encrypt</a> 7845 * </p> 7846 * </li> 7847 * <li> 7848 * <p> 7849 * <a>GenerateDataKey</a> 7850 * </p> 7851 * </li> 7852 * <li> 7853 * <p> 7854 * <a>GenerateDataKeyPair</a> 7855 * </p> 7856 * </li> 7857 * <li> 7858 * <p> 7859 * <a>GenerateDataKeyWithoutPlaintext</a> 7860 * </p> 7861 * </li> 7862 * </ul> 7863 * <p> 7864 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 7865 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 7866 * consistency</a>. 7867 * </p> 7868 * 7869 * @param generateDataKeyPairWithoutPlaintextRequest 7870 * @return A Java Future containing the result of the GenerateDataKeyPairWithoutPlaintext operation returned by the 7871 * service.<br/> 7872 * The CompletableFuture returned by this method can be completed exceptionally with the following 7873 * exceptions. 7874 * <ul> 7875 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 7876 * found.</li> 7877 * <li>DisabledException The request was rejected because the specified KMS key is not enabled.</li> 7878 * <li>KeyUnavailableException The request was rejected because the specified KMS key was not available. You 7879 * can retry the request.</li> 7880 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. 
You can retry 7881 * the request.</li> 7882 * <li>InvalidKeyUsageException The request was rejected for one of the following reasons: 7883 * <ul> 7884 * <li> 7885 * <p> 7886 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 7887 * </p> 7888 * </li> 7889 * <li> 7890 * <p> 7891 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 7892 * of key material in the KMS key (<code>KeySpec</code>). 7893 * </p> 7894 * </li> 7895 * </ul> 7896 * <p> 7897 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 7898 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 7899 * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the 7900 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 7901 * KMS key, use the <a>DescribeKey</a> operation. 7902 * </p> 7903 * <p> 7904 * To find the encryption or signing algorithms supported for a particular KMS key, use the 7905 * <a>DescribeKey</a> operation.</p></li> 7906 * <li>InvalidGrantTokenException The request was rejected because the specified grant token is not valid.</li> 7907 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 7908 * be retried.</li> 7909 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 7910 * valid for this request. 7911 * <p> 7912 * This exception means one of the following: 7913 * </p> 7914 * <ul> 7915 * <li> 7916 * <p> 7917 * The key state of the KMS key is not compatible with the operation. 7918 * </p> 7919 * <p> 7920 * To find the key state, use the <a>DescribeKey</a> operation.
For more information about which key states 7921 * are compatible with each KMS operation, see <a 7922 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 7923 * the <i> <i>Key Management Service Developer Guide</i> </i>. 7924 * </p> 7925 * </li> 7926 * <li> 7927 * <p> 7928 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 7929 * failure with many possible causes. To identify the cause, see the error message that accompanies the 7930 * exception. 7931 * </p> 7932 * </li></li> 7933 * <li>UnsupportedOperationException The request was rejected because a specified parameter is not supported 7934 * or a specified resource is not valid for this operation.</li> 7935 * <li>DryRunOperationException The request was rejected because the DryRun parameter was specified.</li> 7936 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 7937 * Can be used for catch all scenarios.</li> 7938 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 7939 * credentials, etc.</li> 7940 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.GenerateDataKeyPairWithoutPlaintext
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintext"
     *      target="_top">AWS API Documentation</a>
     */
    default CompletableFuture<GenerateDataKeyPairWithoutPlaintextResponse> generateDataKeyPairWithoutPlaintext(
            GenerateDataKeyPairWithoutPlaintextRequest generateDataKeyPairWithoutPlaintextRequest) {
        // Interface default: no request is built or sent here, the call always fails with
        // UnsupportedOperationException until an implementation overrides this method.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Returns a unique asymmetric data key pair for use outside of KMS. This operation returns a plaintext public key
     * and a copy of the private key that is encrypted under the symmetric encryption KMS key you specify. Unlike
     * <a>GenerateDataKeyPair</a>, this operation does not return a plaintext private key. The bytes in the keys are
     * random; they are not related to the caller or to the KMS key that is used to encrypt the private key.
     * </p>
     * <p>
     * You can use the public key that <code>GenerateDataKeyPairWithoutPlaintext</code> returns to encrypt data or
     * verify a signature outside of KMS. Then, store the encrypted private key with the data. When you are ready to
     * decrypt data or sign a message, you can use the <a>Decrypt</a> operation to decrypt the encrypted private key.
     * </p>
     * <p>
     * To generate a data key pair, you must specify a symmetric encryption KMS key to encrypt the private key in a data
     * key pair. You cannot use an asymmetric KMS key or a KMS key in a custom key store. To get the type and origin of
     * your KMS key, use the <a>DescribeKey</a> operation.
7968 * </p> 7969 * <p> 7970 * Use the <code>KeyPairSpec</code> parameter to choose an RSA or Elliptic Curve (ECC) data key pair. In China 7971 * Regions, you can also choose an SM2 data key pair. KMS recommends that you use ECC key pairs for signing, and use 7972 * RSA and SM2 key pairs for either encryption or signing, but not both. However, KMS cannot enforce any 7973 * restrictions on the use of data key pairs outside of KMS. 7974 * </p> 7975 * <p> 7976 * <code>GenerateDataKeyPairWithoutPlaintext</code> returns a unique data key pair for each request. The bytes in 7977 * the key are not related to the caller or KMS key that is used to encrypt the private key. The public key is a 7978 * DER-encoded X.509 SubjectPublicKeyInfo, as specified in <a href="https://tools.ietf.org/html/rfc5280">RFC 7979 * 5280</a>. 7980 * </p> 7981 * <p> 7982 * You can use an optional encryption context to add additional security to the encryption operation. If you specify 7983 * an <code>EncryptionContext</code>, you must specify the same encryption context (a case-sensitive exact match) 7984 * when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an 7985 * <code>InvalidCiphertextException</code>. For more information, see <a 7986 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">Encryption Context</a> 7987 * in the <i>Key Management Service Developer Guide</i>. 7988 * </p> 7989 * <p> 7990 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 7991 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 7992 * <i>Key Management Service Developer Guide</i>. 7993 * </p> 7994 * <p> 7995 * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services 7996 * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. 
7997 * </p> 7998 * <p> 7999 * <b>Required permissions</b>: <a 8000 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 8001 * >kms:GenerateDataKeyPairWithoutPlaintext</a> (key policy) 8002 * </p> 8003 * <p> 8004 * <b>Related operations:</b> 8005 * </p> 8006 * <ul> 8007 * <li> 8008 * <p> 8009 * <a>Decrypt</a> 8010 * </p> 8011 * </li> 8012 * <li> 8013 * <p> 8014 * <a>Encrypt</a> 8015 * </p> 8016 * </li> 8017 * <li> 8018 * <p> 8019 * <a>GenerateDataKey</a> 8020 * </p> 8021 * </li> 8022 * <li> 8023 * <p> 8024 * <a>GenerateDataKeyPair</a> 8025 * </p> 8026 * </li> 8027 * <li> 8028 * <p> 8029 * <a>GenerateDataKeyWithoutPlaintext</a> 8030 * </p> 8031 * </li> 8032 * </ul> 8033 * <p> 8034 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 8035 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 8036 * consistency</a>. 8037 * </p> 8038 * <br/> 8039 * <p> 8040 * This is a convenience which creates an instance of the {@link GenerateDataKeyPairWithoutPlaintextRequest.Builder} 8041 * avoiding the need to create one manually via {@link GenerateDataKeyPairWithoutPlaintextRequest#builder()} 8042 * </p> 8043 * 8044 * @param generateDataKeyPairWithoutPlaintextRequest 8045 * A {@link Consumer} that will call methods on 8046 * {@link software.amazon.awssdk.services.kms.model.GenerateDataKeyPairWithoutPlaintextRequest.Builder} to 8047 * create a request. 8048 * @return A Java Future containing the result of the GenerateDataKeyPairWithoutPlaintext operation returned by the 8049 * service.<br/> 8050 * The CompletableFuture returned by this method can be completed exceptionally with the following 8051 * exceptions. 
8052 * <ul> 8053 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 8054 * found.</li> 8055 * <li>DisabledException The request was rejected because the specified KMS key is not enabled.</li> 8056 * <li>KeyUnavailableException The request was rejected because the specified KMS key was not available. You 8057 * can retry the request.</li> 8058 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 8059 * the request.</li> 8060 * <li>InvalidKeyUsageException The request was rejected for one of the following reasons: </p> 8061 * <ul> 8062 * <li> 8063 * <p> 8064 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 8065 * </p> 8066 * </li> 8067 * <li> 8068 * <p> 8069 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 8070 * of key material in the KMS key <code>(KeySpec</code>). 8071 * </p> 8072 * </li> 8073 * </ul> 8074 * <p> 8075 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 8076 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 8077 * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the 8078 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 8079 * KMS key, use the <a>DescribeKey</a> operation. 8080 * </p> 8081 * <p> 8082 * To find the encryption or signing algorithms supported for a particular KMS key, use the 8083 * <a>DescribeKey</a> operation.</li> 8084 * <li>InvalidGrantTokenException The request was rejected because the specified grant token is not valid.</li> 8085 * <li>KmsInternalException The request was rejected because an internal exception occurred. 
The request can 8086 * be retried.</li> 8087 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 8088 * valid for this request. 8089 * <p> 8090 * This exception means one of the following: 8091 * </p> 8092 * <ul> 8093 * <li> 8094 * <p> 8095 * The key state of the KMS key is not compatible with the operation. 8096 * </p> 8097 * <p> 8098 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 8099 * are compatible with each KMS operation, see <a 8100 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 8101 * the <i>Key Management Service Developer Guide</i>. 8102 * </p> 8103 * </li> 8104 * <li> 8105 * <p> 8106 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 8107 * failure with many possible causes. To identify the cause, see the error message that accompanies the 8108 * exception. 8109 * </p> 8110 * </li></ul></li> 8111 * <li>UnsupportedOperationException The request was rejected because a specified parameter is not supported 8112 * or a specified resource is not valid for this operation.</li> 8113 * <li>DryRunOperationException The request was rejected because the DryRun parameter was specified.</li> 8114 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 8115 * Can be used for catch all scenarios.</li> 8116 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 8117 * credentials, etc.</li> 8118 * <li>KmsException Base class for all service exceptions.
Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.GenerateDataKeyPairWithoutPlaintext
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintext"
     *      target="_top">AWS API Documentation</a>
     */
    default CompletableFuture<GenerateDataKeyPairWithoutPlaintextResponse> generateDataKeyPairWithoutPlaintext(
            Consumer<GenerateDataKeyPairWithoutPlaintextRequest.Builder> generateDataKeyPairWithoutPlaintextRequest) {
        // The caller's consumer populates a fresh builder; the built request is then handed to the
        // request-object overload. Per the operation description above, the response carries the public
        // key and the KMS-encrypted private key, never the plaintext private key.
        GenerateDataKeyPairWithoutPlaintextRequest builtRequest = GenerateDataKeyPairWithoutPlaintextRequest.builder()
                .applyMutation(generateDataKeyPairWithoutPlaintextRequest).build();
        return generateDataKeyPairWithoutPlaintext(builtRequest);
    }

    /**
     * <p>
     * Returns a unique symmetric data key for use outside of KMS. This operation returns a data key that is encrypted
     * under a symmetric encryption KMS key that you specify. The bytes in the key are random; they are not related to
     * the caller or to the KMS key.
     * </p>
     * <p>
     * <code>GenerateDataKeyWithoutPlaintext</code> is identical to the <a>GenerateDataKey</a> operation except that it
     * does not return a plaintext copy of the data key.
     * </p>
     * <p>
     * This operation is useful for systems that need to encrypt data at some point, but not immediately. When you need
     * to encrypt the data, you call the <a>Decrypt</a> operation on the encrypted copy of the key.
     * </p>
     * <p>
     * It's also useful in distributed systems with different levels of trust. For example, you might store encrypted
     * data in containers. One component of your system creates new containers and stores an encrypted data key with
     * each container. Then, a different component puts the data into the containers.
That component first decrypts the 8149 * data key, uses the plaintext data key to encrypt data, puts the encrypted data into the container, and then 8150 * destroys the plaintext data key. In this system, the component that creates the containers never sees the 8151 * plaintext data key. 8152 * </p> 8153 * <p> 8154 * To request an asymmetric data key pair, use the <a>GenerateDataKeyPair</a> or 8155 * <a>GenerateDataKeyPairWithoutPlaintext</a> operations. 8156 * </p> 8157 * <p> 8158 * To generate a data key, you must specify the symmetric encryption KMS key that is used to encrypt the data key. 8159 * You cannot use an asymmetric KMS key or a key in a custom key store to generate a data key. To get the type of 8160 * your KMS key, use the <a>DescribeKey</a> operation. 8161 * </p> 8162 * <p> 8163 * You must also specify the length of the data key. Use either the <code>KeySpec</code> or 8164 * <code>NumberOfBytes</code> parameters (but not both). For 128-bit and 256-bit data keys, use the 8165 * <code>KeySpec</code> parameter. 8166 * </p> 8167 * <p> 8168 * To generate an SM4 data key (China Regions only), specify a <code>KeySpec</code> value of <code>AES_128</code> or 8169 * <code>NumberOfBytes</code> value of <code>16</code>. The symmetric encryption key used in China Regions to 8170 * encrypt your data key is an SM4 encryption key. 8171 * </p> 8172 * <p> 8173 * If the operation succeeds, you will find the encrypted copy of the data key in the <code>CiphertextBlob</code> 8174 * field. 8175 * </p> 8176 * <p> 8177 * You can use an optional encryption context to add additional security to the encryption operation. If you specify 8178 * an <code>EncryptionContext</code>, you must specify the same encryption context (a case-sensitive exact match) 8179 * when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an 8180 * <code>InvalidCiphertextException</code>. 
For more information, see <a 8181 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">Encryption Context</a> 8182 * in the <i>Key Management Service Developer Guide</i>. 8183 * </p> 8184 * <p> 8185 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 8186 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 8187 * <i>Key Management Service Developer Guide</i>. 8188 * </p> 8189 * <p> 8190 * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services 8191 * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. 8192 * </p> 8193 * <p> 8194 * <b>Required permissions</b>: <a 8195 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 8196 * >kms:GenerateDataKeyWithoutPlaintext</a> (key policy) 8197 * </p> 8198 * <p> 8199 * <b>Related operations:</b> 8200 * </p> 8201 * <ul> 8202 * <li> 8203 * <p> 8204 * <a>Decrypt</a> 8205 * </p> 8206 * </li> 8207 * <li> 8208 * <p> 8209 * <a>Encrypt</a> 8210 * </p> 8211 * </li> 8212 * <li> 8213 * <p> 8214 * <a>GenerateDataKey</a> 8215 * </p> 8216 * </li> 8217 * <li> 8218 * <p> 8219 * <a>GenerateDataKeyPair</a> 8220 * </p> 8221 * </li> 8222 * <li> 8223 * <p> 8224 * <a>GenerateDataKeyPairWithoutPlaintext</a> 8225 * </p> 8226 * </li> 8227 * </ul> 8228 * <p> 8229 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 8230 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 8231 * consistency</a>. 
8232 * </p> 8233 * 8234 * @param generateDataKeyWithoutPlaintextRequest 8235 * @return A Java Future containing the result of the GenerateDataKeyWithoutPlaintext operation returned by the 8236 * service.<br/> 8237 * The CompletableFuture returned by this method can be completed exceptionally with the following 8238 * exceptions. 8239 * <ul> 8240 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 8241 * found.</li> 8242 * <li>DisabledException The request was rejected because the specified KMS key is not enabled.</li> 8243 * <li>KeyUnavailableException The request was rejected because the specified KMS key was not available. You 8244 * can retry the request.</li> 8245 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 8246 * the request.</li> 8247 * <li>InvalidKeyUsageException The request was rejected for one of the following reasons: </p> 8248 * <ul> 8249 * <li> 8250 * <p> 8251 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 8252 * </p> 8253 * </li> 8254 * <li> 8255 * <p> 8256 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 8257 * of key material in the KMS key <code>(KeySpec</code>). 8258 * </p> 8259 * </li> 8260 * </ul> 8261 * <p> 8262 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 8263 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 8264 * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the 8265 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 8266 * KMS key, use the <a>DescribeKey</a> operation. 
8267 * </p> 8268 * <p> 8269 * To find the encryption or signing algorithms supported for a particular KMS key, use the 8270 * <a>DescribeKey</a> operation.</li> 8271 * <li>InvalidGrantTokenException The request was rejected because the specified grant token is not valid.</li> 8272 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 8273 * be retried.</li> 8274 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 8275 * valid for this request.</p> 8276 * <p> 8277 * This exceptions means one of the following: 8278 * </p> 8279 * <ul> 8280 * <li> 8281 * <p> 8282 * The key state of the KMS key is not compatible with the operation. 8283 * </p> 8284 * <p> 8285 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 8286 * are compatible with each KMS operation, see <a 8287 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 8288 * the <i> <i>Key Management Service Developer Guide</i> </i>. 8289 * </p> 8290 * </li> 8291 * <li> 8292 * <p> 8293 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 8294 * failure with many possible causes. To identify the cause, see the error message that accompanies the 8295 * exception. 8296 * </p> 8297 * </li></li> 8298 * <li>DryRunOperationException The request was rejected because the DryRun parameter was specified.</li> 8299 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 8300 * Can be used for catch all scenarios.</li> 8301 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 8302 * credentials, etc.</li> 8303 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @throws UnsupportedOperationException
     *         raised directly at call time by this interface default, not through the returned future
     * @sample KmsAsyncClient.GenerateDataKeyWithoutPlaintext
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintext"
     *      target="_top">AWS API Documentation</a>
     */
    default CompletableFuture<GenerateDataKeyWithoutPlaintextResponse> generateDataKeyWithoutPlaintext(
            GenerateDataKeyWithoutPlaintextRequest generateDataKeyWithoutPlaintextRequest) {
        // This interface default sends nothing: it fails at call time, so the error never arrives
        // through the returned CompletableFuture. Presumably the concrete client overrides it.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Returns a unique symmetric data key for use outside of KMS. This operation returns a data key that is encrypted
     * under a symmetric encryption KMS key that you specify. The bytes in the key are random; they are not related to
     * the caller or to the KMS key.
     * </p>
     * <p>
     * <code>GenerateDataKeyWithoutPlaintext</code> is identical to the <a>GenerateDataKey</a> operation except that it
     * does not return a plaintext copy of the data key.
     * </p>
     * <p>
     * This operation is useful for systems that need to encrypt data at some point, but not immediately. When you need
     * to encrypt the data, you call the <a>Decrypt</a> operation on the encrypted copy of the key.
     * </p>
     * <p>
     * It's also useful in distributed systems with different levels of trust. For example, you might store encrypted
     * data in containers. One component of your system creates new containers and stores an encrypted data key with
     * each container. Then, a different component puts the data into the containers. That component first decrypts the
     * data key, uses the plaintext data key to encrypt data, puts the encrypted data into the container, and then
     * destroys the plaintext data key.
In this system, the component that creates the containers never sees the 8335 * plaintext data key. 8336 * </p> 8337 * <p> 8338 * To request an asymmetric data key pair, use the <a>GenerateDataKeyPair</a> or 8339 * <a>GenerateDataKeyPairWithoutPlaintext</a> operations. 8340 * </p> 8341 * <p> 8342 * To generate a data key, you must specify the symmetric encryption KMS key that is used to encrypt the data key. 8343 * You cannot use an asymmetric KMS key or a key in a custom key store to generate a data key. To get the type of 8344 * your KMS key, use the <a>DescribeKey</a> operation. 8345 * </p> 8346 * <p> 8347 * You must also specify the length of the data key. Use either the <code>KeySpec</code> or 8348 * <code>NumberOfBytes</code> parameters (but not both). For 128-bit and 256-bit data keys, use the 8349 * <code>KeySpec</code> parameter. 8350 * </p> 8351 * <p> 8352 * To generate an SM4 data key (China Regions only), specify a <code>KeySpec</code> value of <code>AES_128</code> or 8353 * <code>NumberOfBytes</code> value of <code>16</code>. The symmetric encryption key used in China Regions to 8354 * encrypt your data key is an SM4 encryption key. 8355 * </p> 8356 * <p> 8357 * If the operation succeeds, you will find the encrypted copy of the data key in the <code>CiphertextBlob</code> 8358 * field. 8359 * </p> 8360 * <p> 8361 * You can use an optional encryption context to add additional security to the encryption operation. If you specify 8362 * an <code>EncryptionContext</code>, you must specify the same encryption context (a case-sensitive exact match) 8363 * when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an 8364 * <code>InvalidCiphertextException</code>. For more information, see <a 8365 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">Encryption Context</a> 8366 * in the <i>Key Management Service Developer Guide</i>. 
8367 * </p> 8368 * <p> 8369 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 8370 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 8371 * <i>Key Management Service Developer Guide</i>. 8372 * </p> 8373 * <p> 8374 * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services 8375 * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. 8376 * </p> 8377 * <p> 8378 * <b>Required permissions</b>: <a 8379 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 8380 * >kms:GenerateDataKeyWithoutPlaintext</a> (key policy) 8381 * </p> 8382 * <p> 8383 * <b>Related operations:</b> 8384 * </p> 8385 * <ul> 8386 * <li> 8387 * <p> 8388 * <a>Decrypt</a> 8389 * </p> 8390 * </li> 8391 * <li> 8392 * <p> 8393 * <a>Encrypt</a> 8394 * </p> 8395 * </li> 8396 * <li> 8397 * <p> 8398 * <a>GenerateDataKey</a> 8399 * </p> 8400 * </li> 8401 * <li> 8402 * <p> 8403 * <a>GenerateDataKeyPair</a> 8404 * </p> 8405 * </li> 8406 * <li> 8407 * <p> 8408 * <a>GenerateDataKeyPairWithoutPlaintext</a> 8409 * </p> 8410 * </li> 8411 * </ul> 8412 * <p> 8413 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 8414 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 8415 * consistency</a>. 
8416 * </p> 8417 * <br/> 8418 * <p> 8419 * This is a convenience which creates an instance of the {@link GenerateDataKeyWithoutPlaintextRequest.Builder} 8420 * avoiding the need to create one manually via {@link GenerateDataKeyWithoutPlaintextRequest#builder()} 8421 * </p> 8422 * 8423 * @param generateDataKeyWithoutPlaintextRequest 8424 * A {@link Consumer} that will call methods on 8425 * {@link software.amazon.awssdk.services.kms.model.GenerateDataKeyWithoutPlaintextRequest.Builder} to create 8426 * a request. 8427 * @return A Java Future containing the result of the GenerateDataKeyWithoutPlaintext operation returned by the 8428 * service.<br/> 8429 * The CompletableFuture returned by this method can be completed exceptionally with the following 8430 * exceptions. 8431 * <ul> 8432 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 8433 * found.</li> 8434 * <li>DisabledException The request was rejected because the specified KMS key is not enabled.</li> 8435 * <li>KeyUnavailableException The request was rejected because the specified KMS key was not available. You 8436 * can retry the request.</li> 8437 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 8438 * the request.</li> 8439 * <li>InvalidKeyUsageException The request was rejected for one of the following reasons: </p> 8440 * <ul> 8441 * <li> 8442 * <p> 8443 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 8444 * </p> 8445 * </li> 8446 * <li> 8447 * <p> 8448 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 8449 * of key material in the KMS key <code>(KeySpec</code>). 8450 * </p> 8451 * </li> 8452 * </ul> 8453 * <p> 8454 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 8455 * <code>ENCRYPT_DECRYPT</code>. 
For signing and verifying messages, the <code>KeyUsage</code> must be 8456 * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the 8457 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 8458 * KMS key, use the <a>DescribeKey</a> operation. 8459 * </p> 8460 * <p> 8461 * To find the encryption or signing algorithms supported for a particular KMS key, use the 8462 * <a>DescribeKey</a> operation.</li> 8463 * <li>InvalidGrantTokenException The request was rejected because the specified grant token is not valid.</li> 8464 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 8465 * be retried.</li> 8466 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 8467 * valid for this request.</p> 8468 * <p> 8469 * This exceptions means one of the following: 8470 * </p> 8471 * <ul> 8472 * <li> 8473 * <p> 8474 * The key state of the KMS key is not compatible with the operation. 8475 * </p> 8476 * <p> 8477 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 8478 * are compatible with each KMS operation, see <a 8479 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 8480 * the <i> <i>Key Management Service Developer Guide</i> </i>. 8481 * </p> 8482 * </li> 8483 * <li> 8484 * <p> 8485 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 8486 * failure with many possible causes. To identify the cause, see the error message that accompanies the 8487 * exception. 8488 * </p> 8489 * </li></li> 8490 * <li>DryRunOperationException The request was rejected because the DryRun parameter was specified.</li> 8491 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 
* Can be used for catch all scenarios.</li>
     * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     * credentials, etc.</li>
     * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.GenerateDataKeyWithoutPlaintext
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintext"
     *      target="_top">AWS API Documentation</a>
     */
    default CompletableFuture<GenerateDataKeyWithoutPlaintextResponse> generateDataKeyWithoutPlaintext(
            Consumer<GenerateDataKeyWithoutPlaintextRequest.Builder> generateDataKeyWithoutPlaintextRequest) {
        // Configure a fresh builder with the caller's consumer, build the request, then hand it to the
        // request-object overload; whatever that overload does (including throwing) applies here too.
        GenerateDataKeyWithoutPlaintextRequest builtRequest = GenerateDataKeyWithoutPlaintextRequest.builder()
                .applyMutation(generateDataKeyWithoutPlaintextRequest)
                .build();
        return generateDataKeyWithoutPlaintext(builtRequest);
    }

    /**
     * <p>
     * Generates a hash-based message authentication code (HMAC) for a message using an HMAC KMS key and a MAC algorithm
     * that the key supports. HMAC KMS keys and the HMAC algorithms that KMS uses conform to industry standards defined
     * in <a href="https://datatracker.ietf.org/doc/html/rfc2104">RFC 2104</a>.
     * </p>
     * <p>
     * You can use the value that GenerateMac returns in the <a>VerifyMac</a> operation to demonstrate that the original
     * message has not changed. Also, because a secret key is used to create the hash, you can verify that the party
     * that generated the hash has the required secret key. You can also use the raw result to implement HMAC-based
     * algorithms such as key derivation functions. This operation is part of KMS support for HMAC KMS keys.
For
     * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC keys in KMS</a> in
     * the <i>Key Management Service Developer Guide</i>.
     * </p>
     * <note>
     * <p>
     * Best practices recommend that you limit the time during which any signing mechanism, including an HMAC, is
     * effective. This deters an attack where the actor uses a signed message to establish validity repeatedly or long
     * after the message is superseded. HMAC tags do not include a timestamp, but you can include a timestamp in the
     * token or message, within the data that the HMAC covers, to help you detect when it's time to refresh the HMAC.
     * </p>
     * </note>
     * <p>
     * The KMS key that you use for this operation must be in a compatible key state. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the
     * <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services
     * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter.
     * </p>
     * <p>
     * <b>Required permissions</b>: <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html"
     * >kms:GenerateMac</a> (key policy)
     * </p>
     * <p>
     * <b>Related operations</b>: <a>VerifyMac</a>
     * </p>
     * <p>
     * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual
     * consistency</a>.
8551 * </p> 8552 * 8553 * @param generateMacRequest 8554 * @return A Java Future containing the result of the GenerateMac operation returned by the service.<br/> 8555 * The CompletableFuture returned by this method can be completed exceptionally with the following 8556 * exceptions. 8557 * <ul> 8558 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 8559 * found.</li> 8560 * <li>DisabledException The request was rejected because the specified KMS key is not enabled.</li> 8561 * <li>KeyUnavailableException The request was rejected because the specified KMS key was not available. You 8562 * can retry the request.</li> 8563 * <li>InvalidKeyUsageException The request was rejected for one of the following reasons: </p> 8564 * <ul> 8565 * <li> 8566 * <p> 8567 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 8568 * </p> 8569 * </li> 8570 * <li> 8571 * <p> 8572 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 8573 * of key material in the KMS key <code>(KeySpec</code>). 8574 * </p> 8575 * </li> 8576 * </ul> 8577 * <p> 8578 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 8579 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 8580 * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the 8581 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 8582 * KMS key, use the <a>DescribeKey</a> operation. 
8583 * </p> 8584 * <p> 8585 * To find the encryption or signing algorithms supported for a particular KMS key, use the 8586 * <a>DescribeKey</a> operation.</li> 8587 * <li>InvalidGrantTokenException The request was rejected because the specified grant token is not valid.</li> 8588 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 8589 * be retried.</li> 8590 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 8591 * valid for this request.</p> 8592 * <p> 8593 * This exceptions means one of the following: 8594 * </p> 8595 * <ul> 8596 * <li> 8597 * <p> 8598 * The key state of the KMS key is not compatible with the operation. 8599 * </p> 8600 * <p> 8601 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 8602 * are compatible with each KMS operation, see <a 8603 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 8604 * the <i> <i>Key Management Service Developer Guide</i> </i>. 8605 * </p> 8606 * </li> 8607 * <li> 8608 * <p> 8609 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 8610 * failure with many possible causes. To identify the cause, see the error message that accompanies the 8611 * exception. 8612 * </p> 8613 * </li></li> 8614 * <li>DryRunOperationException The request was rejected because the DryRun parameter was specified.</li> 8615 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 8616 * Can be used for catch all scenarios.</li> 8617 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 8618 * credentials, etc.</li> 8619 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @throws UnsupportedOperationException
     *         raised directly at call time by this interface default, not through the returned future
     * @sample KmsAsyncClient.GenerateMac
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateMac" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<GenerateMacResponse> generateMac(GenerateMacRequest generateMacRequest) {
        // This interface default sends nothing: it fails at call time, so the error never arrives
        // through the returned CompletableFuture. Presumably the concrete client overrides it.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Generates a hash-based message authentication code (HMAC) for a message using an HMAC KMS key and a MAC algorithm
     * that the key supports. HMAC KMS keys and the HMAC algorithms that KMS uses conform to industry standards defined
     * in <a href="https://datatracker.ietf.org/doc/html/rfc2104">RFC 2104</a>.
     * </p>
     * <p>
     * You can use the value that GenerateMac returns in the <a>VerifyMac</a> operation to demonstrate that the original
     * message has not changed. Also, because a secret key is used to create the hash, you can verify that the party
     * that generated the hash has the required secret key. You can also use the raw result to implement HMAC-based
     * algorithms such as key derivation functions. This operation is part of KMS support for HMAC KMS keys. For
     * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC keys in KMS</a> in
     * the <i>Key Management Service Developer Guide</i>.
     * </p>
     * <note>
     * <p>
     * Best practices recommend that you limit the time during which any signing mechanism, including an HMAC, is
     * effective. This deters an attack where the actor uses a signed message to establish validity repeatedly or long
     * after the message is superseded. HMAC tags do not include a timestamp, but you can include a timestamp in the
     * token or message, within the data that the HMAC covers, to help you detect when it's time to refresh the HMAC.
8650 * </p> 8651 * </note> 8652 * <p> 8653 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 8654 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 8655 * <i>Key Management Service Developer Guide</i>. 8656 * </p> 8657 * <p> 8658 * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services 8659 * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. 8660 * </p> 8661 * <p> 8662 * <b>Required permissions</b>: <a 8663 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 8664 * >kms:GenerateMac</a> (key policy) 8665 * </p> 8666 * <p> 8667 * <b>Related operations</b>: <a>VerifyMac</a> 8668 * </p> 8669 * <p> 8670 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 8671 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 8672 * consistency</a>. 8673 * </p> 8674 * <br/> 8675 * <p> 8676 * This is a convenience which creates an instance of the {@link GenerateMacRequest.Builder} avoiding the need to 8677 * create one manually via {@link GenerateMacRequest#builder()} 8678 * </p> 8679 * 8680 * @param generateMacRequest 8681 * A {@link Consumer} that will call methods on 8682 * {@link software.amazon.awssdk.services.kms.model.GenerateMacRequest.Builder} to create a request. 8683 * @return A Java Future containing the result of the GenerateMac operation returned by the service.<br/> 8684 * The CompletableFuture returned by this method can be completed exceptionally with the following 8685 * exceptions. 
8686 * <ul> 8687 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 8688 * found.</li> 8689 * <li>DisabledException The request was rejected because the specified KMS key is not enabled.</li> 8690 * <li>KeyUnavailableException The request was rejected because the specified KMS key was not available. You 8691 * can retry the request.</li> 8692 * <li>InvalidKeyUsageException The request was rejected for one of the following reasons: </p> 8693 * <ul> 8694 * <li> 8695 * <p> 8696 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 8697 * </p> 8698 * </li> 8699 * <li> 8700 * <p> 8701 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 8702 * of key material in the KMS key <code>(KeySpec</code>). 8703 * </p> 8704 * </li> 8705 * </ul> 8706 * <p> 8707 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 8708 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 8709 * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the 8710 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 8711 * KMS key, use the <a>DescribeKey</a> operation. 8712 * </p> 8713 * <p> 8714 * To find the encryption or signing algorithms supported for a particular KMS key, use the 8715 * <a>DescribeKey</a> operation.</li> 8716 * <li>InvalidGrantTokenException The request was rejected because the specified grant token is not valid.</li> 8717 * <li>KmsInternalException The request was rejected because an internal exception occurred. 
The request can 8718 * be retried.</li> 8719 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 8720 * valid for this request.</p> 8721 * <p> 8722 * This exceptions means one of the following: 8723 * </p> 8724 * <ul> 8725 * <li> 8726 * <p> 8727 * The key state of the KMS key is not compatible with the operation. 8728 * </p> 8729 * <p> 8730 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 8731 * are compatible with each KMS operation, see <a 8732 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 8733 * the <i> <i>Key Management Service Developer Guide</i> </i>. 8734 * </p> 8735 * </li> 8736 * <li> 8737 * <p> 8738 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 8739 * failure with many possible causes. To identify the cause, see the error message that accompanies the 8740 * exception. 8741 * </p> 8742 * </li></li> 8743 * <li>DryRunOperationException The request was rejected because the DryRun parameter was specified.</li> 8744 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 8745 * Can be used for catch all scenarios.</li> 8746 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 8747 * credentials, etc.</li> 8748 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.GenerateMac
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateMac" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<GenerateMacResponse> generateMac(Consumer<GenerateMacRequest.Builder> generateMacRequest) {
        // Configure a fresh builder with the caller's consumer, build the request, then hand it to the
        // request-object overload; whatever that overload does (including throwing) applies here too.
        GenerateMacRequest builtRequest = GenerateMacRequest.builder()
                .applyMutation(generateMacRequest)
                .build();
        return generateMac(builtRequest);
    }

    /**
     * <p>
     * Returns a random byte string that is cryptographically secure.
     * </p>
     * <p>
     * You must use the <code>NumberOfBytes</code> parameter to specify the length of the random byte string. There is
     * no default value for string length.
     * </p>
     * <p>
     * By default, the random byte string is generated in KMS. To generate the byte string in the CloudHSM cluster
     * associated with an CloudHSM key store, use the <code>CustomKeyStoreId</code> parameter.
     * </p>
     * <p>
     * <code>GenerateRandom</code> also supports <a
     * href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html">Amazon Web Services Nitro
     * Enclaves</a>, which provide an isolated compute environment in Amazon EC2. To call <code>GenerateRandom</code>
     * for a Nitro enclave, use the <a
     * href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services
     * Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the <code>Recipient</code> parameter to provide the
     * attestation document for the enclave.
Instead of plaintext bytes, the response includes the plaintext bytes 8779 * encrypted under the public key from the attestation document (<code>CiphertextForRecipient</code>).For 8780 * information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a 8781 * href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services 8782 * Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>. 8783 * </p> 8784 * <p> 8785 * For more information about entropy and random number generation, see <a 8786 * href="https://docs.aws.amazon.com/kms/latest/cryptographic-details/">Key Management Service Cryptographic 8787 * Details</a>. 8788 * </p> 8789 * <p> 8790 * <b>Cross-account use</b>: Not applicable. <code>GenerateRandom</code> does not use any account-specific 8791 * resources, such as KMS keys. 8792 * </p> 8793 * <p> 8794 * <b>Required permissions</b>: <a 8795 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 8796 * >kms:GenerateRandom</a> (IAM policy) 8797 * </p> 8798 * <p> 8799 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 8800 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 8801 * consistency</a>. 8802 * </p> 8803 * 8804 * @param generateRandomRequest 8805 * @return A Java Future containing the result of the GenerateRandom operation returned by the service.<br/> 8806 * The CompletableFuture returned by this method can be completed exceptionally with the following 8807 * exceptions. 8808 * <ul> 8809 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 8810 * the request.</li> 8811 * <li>KmsInternalException The request was rejected because an internal exception occurred. 
The request can 8812 * be retried.</li> 8813 * <li>UnsupportedOperationException The request was rejected because a specified parameter is not supported 8814 * or a specified resource is not valid for this operation.</li> 8815 * <li>CustomKeyStoreNotFoundException The request was rejected because KMS cannot find a custom key store 8816 * with the specified key store name or ID.</li> 8817 * <li>CustomKeyStoreInvalidStateException The request was rejected because of the 8818 * <code>ConnectionState</code> of the custom key store. To get the <code>ConnectionState</code> of a custom 8819 * key store, use the <a>DescribeCustomKeyStores</a> operation.</p> 8820 * <p> 8821 * This exception is thrown under the following conditions: 8822 * </p> 8823 * <ul> 8824 * <li> 8825 * <p> 8826 * You requested the <a>ConnectCustomKeyStore</a> operation on a custom key store with a 8827 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>FAILED</code>. This operation is 8828 * valid for all other <code>ConnectionState</code> values. To reconnect a custom key store in a 8829 * <code>FAILED</code> state, disconnect it (<a>DisconnectCustomKeyStore</a>), then connect it ( 8830 * <code>ConnectCustomKeyStore</code>). 8831 * </p> 8832 * </li> 8833 * <li> 8834 * <p> 8835 * You requested the <a>CreateKey</a> operation in a custom key store that is not connected. This operations 8836 * is valid only when the custom key store <code>ConnectionState</code> is <code>CONNECTED</code>. 8837 * </p> 8838 * </li> 8839 * <li> 8840 * <p> 8841 * You requested the <a>DisconnectCustomKeyStore</a> operation on a custom key store with a 8842 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>DISCONNECTED</code>. This operation 8843 * is valid for all other <code>ConnectionState</code> values. 
* </p>
     * </li>
     * <li>
     * <p>
     * You requested the <a>UpdateCustomKeyStore</a> or <a>DeleteCustomKeyStore</a> operation on a custom key
     * store that is not disconnected. This operation is valid only when the custom key store
     * <code>ConnectionState</code> is <code>DISCONNECTED</code>.
     * </p>
     * </li>
     * <li>
     * <p>
     * You requested the <a>GenerateRandom</a> operation in an CloudHSM key store that is not connected. This
     * operation is valid only when the CloudHSM key store <code>ConnectionState</code> is
     * <code>CONNECTED</code>.
     * </p>
     * </li>
     * </ul>
     * </li>
     * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     * Can be used for catch all scenarios.</li>
     * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     * credentials, etc.</li>
     * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @throws UnsupportedOperationException
     *         raised directly at call time by this interface default, not through the returned future; not to
     *         be confused with the service-reported UnsupportedOperationException listed above, which
     *         describes a rejected request
     * @sample KmsAsyncClient.GenerateRandom
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandom" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<GenerateRandomResponse> generateRandom(GenerateRandomRequest generateRandomRequest) {
        // This interface default sends nothing: it fails at call time, so the error never arrives
        // through the returned CompletableFuture. Presumably the concrete client overrides it.
        // NOTE(review): which class this simple name resolves to depends on the file's imports, and the
        // import block is only partly visible here; confirm it is not the KMS model exception of the same name.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Returns a random byte string that is cryptographically secure.
     * </p>
     * <p>
     * You must use the <code>NumberOfBytes</code> parameter to specify the length of the random byte string. There is
     * no default value for string length.
     * </p>
     * <p>
     * By default, the random byte string is generated in KMS.
To generate the byte string in the CloudHSM cluster
     * associated with a CloudHSM key store, use the <code>CustomKeyStoreId</code> parameter.
     * </p>
     * <p>
     * <code>GenerateRandom</code> also supports <a
     * href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html">Amazon Web Services Nitro
     * Enclaves</a>, which provide an isolated compute environment in Amazon EC2. To call <code>GenerateRandom</code>
     * for a Nitro enclave, use the <a
     * href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services
     * Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the <code>Recipient</code> parameter to provide the
     * attestation document for the enclave. Instead of plaintext bytes, the response includes the plaintext bytes
     * encrypted under the public key from the attestation document (<code>CiphertextForRecipient</code>). For
     * information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services
     * Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * For more information about entropy and random number generation, see <a
     * href="https://docs.aws.amazon.com/kms/latest/cryptographic-details/">Key Management Service Cryptographic
     * Details</a>.
     * </p>
     * <p>
     * <b>Cross-account use</b>: Not applicable. <code>GenerateRandom</code> does not use any account-specific
     * resources, such as KMS keys.
     * </p>
     * <p>
     * <b>Required permissions</b>: <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html"
     * >kms:GenerateRandom</a> (IAM policy)
     * </p>
     * <p>
     * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model.
For more information, see <a 8916 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 8917 * consistency</a>. 8918 * </p> 8919 * <br/> 8920 * <p> 8921 * This is a convenience which creates an instance of the {@link GenerateRandomRequest.Builder} avoiding the need to 8922 * create one manually via {@link GenerateRandomRequest#builder()} 8923 * </p> 8924 * 8925 * @param generateRandomRequest 8926 * A {@link Consumer} that will call methods on 8927 * {@link software.amazon.awssdk.services.kms.model.GenerateRandomRequest.Builder} to create a request. 8928 * @return A Java Future containing the result of the GenerateRandom operation returned by the service.<br/> 8929 * The CompletableFuture returned by this method can be completed exceptionally with the following 8930 * exceptions. 8931 * <ul> 8932 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 8933 * the request.</li> 8934 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 8935 * be retried.</li> 8936 * <li>UnsupportedOperationException The request was rejected because a specified parameter is not supported 8937 * or a specified resource is not valid for this operation.</li> 8938 * <li>CustomKeyStoreNotFoundException The request was rejected because KMS cannot find a custom key store 8939 * with the specified key store name or ID.</li> 8940 * <li>CustomKeyStoreInvalidStateException The request was rejected because of the 8941 * <code>ConnectionState</code> of the custom key store. 
To get the <code>ConnectionState</code> of a custom 8942 * key store, use the <a>DescribeCustomKeyStores</a> operation.</p> 8943 * <p> 8944 * This exception is thrown under the following conditions: 8945 * </p> 8946 * <ul> 8947 * <li> 8948 * <p> 8949 * You requested the <a>ConnectCustomKeyStore</a> operation on a custom key store with a 8950 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>FAILED</code>. This operation is 8951 * valid for all other <code>ConnectionState</code> values. To reconnect a custom key store in a 8952 * <code>FAILED</code> state, disconnect it (<a>DisconnectCustomKeyStore</a>), then connect it ( 8953 * <code>ConnectCustomKeyStore</code>). 8954 * </p> 8955 * </li> 8956 * <li> 8957 * <p> 8958 * You requested the <a>CreateKey</a> operation in a custom key store that is not connected. This operations 8959 * is valid only when the custom key store <code>ConnectionState</code> is <code>CONNECTED</code>. 8960 * </p> 8961 * </li> 8962 * <li> 8963 * <p> 8964 * You requested the <a>DisconnectCustomKeyStore</a> operation on a custom key store with a 8965 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>DISCONNECTED</code>. This operation 8966 * is valid for all other <code>ConnectionState</code> values. 8967 * </p> 8968 * </li> 8969 * <li> 8970 * <p> 8971 * You requested the <a>UpdateCustomKeyStore</a> or <a>DeleteCustomKeyStore</a> operation on a custom key 8972 * store that is not disconnected. This operation is valid only when the custom key store 8973 * <code>ConnectionState</code> is <code>DISCONNECTED</code>. 8974 * </p> 8975 * </li> 8976 * <li> 8977 * <p> 8978 * You requested the <a>GenerateRandom</a> operation in an CloudHSM key store that is not connected. This 8979 * operation is valid only when the CloudHSM key store <code>ConnectionState</code> is 8980 * <code>CONNECTED</code>. 
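* </p>
     * </li></ul></li>
     * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     * Can be used for catch all scenarios.</li>
     * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     * credentials, etc.</li>
     * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.GenerateRandom
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandom" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<GenerateRandomResponse> generateRandom(Consumer<GenerateRandomRequest.Builder> generateRandomRequest) {
        // Start from an empty builder, let the caller's Consumer configure it, then hand the built request to
        // the request-object overload.
        GenerateRandomRequest request = GenerateRandomRequest.builder().applyMutation(generateRandomRequest).build();
        return generateRandom(request);
    }

    /**
     * <p>
     * Returns a random byte string that is cryptographically secure.
     * </p>
     * <p>
     * You must use the <code>NumberOfBytes</code> parameter to specify the length of the random byte string. There is
     * no default value for string length.
     * </p>
     * <p>
     * By default, the random byte string is generated in KMS. To generate the byte string in the CloudHSM cluster
     * associated with a CloudHSM key store, use the <code>CustomKeyStoreId</code> parameter.
     * </p>
     * <p>
     * <code>GenerateRandom</code> also supports <a
     * href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html">Amazon Web Services Nitro
     * Enclaves</a>, which provide an isolated compute environment in Amazon EC2.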
To call <code>GenerateRandom</code> 9014 * for a Nitro enclave, use the <a 9015 * href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services 9016 * Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the <code>Recipient</code> parameter to provide the 9017 * attestation document for the enclave. Instead of plaintext bytes, the response includes the plaintext bytes 9018 * encrypted under the public key from the attestation document (<code>CiphertextForRecipient</code>).For 9019 * information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a 9020 * href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services 9021 * Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>. 9022 * </p> 9023 * <p> 9024 * For more information about entropy and random number generation, see <a 9025 * href="https://docs.aws.amazon.com/kms/latest/cryptographic-details/">Key Management Service Cryptographic 9026 * Details</a>. 9027 * </p> 9028 * <p> 9029 * <b>Cross-account use</b>: Not applicable. <code>GenerateRandom</code> does not use any account-specific 9030 * resources, such as KMS keys. 9031 * </p> 9032 * <p> 9033 * <b>Required permissions</b>: <a 9034 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 9035 * >kms:GenerateRandom</a> (IAM policy) 9036 * </p> 9037 * <p> 9038 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 9039 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 9040 * consistency</a>. 9041 * </p> 9042 * 9043 * @return A Java Future containing the result of the GenerateRandom operation returned by the service.<br/> 9044 * The CompletableFuture returned by this method can be completed exceptionally with the following 9045 * exceptions. 
9046 * <ul> 9047 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 9048 * the request.</li> 9049 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 9050 * be retried.</li> 9051 * <li>UnsupportedOperationException The request was rejected because a specified parameter is not supported 9052 * or a specified resource is not valid for this operation.</li> 9053 * <li>CustomKeyStoreNotFoundException The request was rejected because KMS cannot find a custom key store 9054 * with the specified key store name or ID.</li> 9055 * <li>CustomKeyStoreInvalidStateException The request was rejected because of the 9056 * <code>ConnectionState</code> of the custom key store. To get the <code>ConnectionState</code> of a custom 9057 * key store, use the <a>DescribeCustomKeyStores</a> operation.</p> 9058 * <p> 9059 * This exception is thrown under the following conditions: 9060 * </p> 9061 * <ul> 9062 * <li> 9063 * <p> 9064 * You requested the <a>ConnectCustomKeyStore</a> operation on a custom key store with a 9065 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>FAILED</code>. This operation is 9066 * valid for all other <code>ConnectionState</code> values. To reconnect a custom key store in a 9067 * <code>FAILED</code> state, disconnect it (<a>DisconnectCustomKeyStore</a>), then connect it ( 9068 * <code>ConnectCustomKeyStore</code>). 9069 * </p> 9070 * </li> 9071 * <li> 9072 * <p> 9073 * You requested the <a>CreateKey</a> operation in a custom key store that is not connected. This operations 9074 * is valid only when the custom key store <code>ConnectionState</code> is <code>CONNECTED</code>. 9075 * </p> 9076 * </li> 9077 * <li> 9078 * <p> 9079 * You requested the <a>DisconnectCustomKeyStore</a> operation on a custom key store with a 9080 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>DISCONNECTED</code>. 
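This operation
     * is valid for all other <code>ConnectionState</code> values.
     * </p>
     * </li>
     * <li>
     * <p>
     * You requested the <a>UpdateCustomKeyStore</a> or <a>DeleteCustomKeyStore</a> operation on a custom key
     * store that is not disconnected. This operation is valid only when the custom key store
     * <code>ConnectionState</code> is <code>DISCONNECTED</code>.
     * </p>
     * </li>
     * <li>
     * <p>
     * You requested the <a>GenerateRandom</a> operation in a CloudHSM key store that is not connected. This
     * operation is valid only when the CloudHSM key store <code>ConnectionState</code> is
     * <code>CONNECTED</code>.
     * </p>
     * </li></ul></li>
     * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     * Can be used for catch all scenarios.</li>
     * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     * credentials, etc.</li>
     * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.GenerateRandom
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandom" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<GenerateRandomResponse> generateRandom() {
        // Delegates with a request on which no field has been set.
        // NOTE(review): this method's Javadoc says NumberOfBytes must be specified and has no default, so a
        // request built this way presumably cannot succeed against the service. Confirm, and prefer an
        // overload that sets NumberOfBytes explicitly.
        GenerateRandomRequest emptyRequest = GenerateRandomRequest.builder().build();
        return generateRandom(emptyRequest);
    }

    /**
     * <p>
     * Gets a key policy attached to the specified KMS key.
     * </p>
     * <p>
     * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
     * account.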
9120 * </p> 9121 * <p> 9122 * <b>Required permissions</b>: <a 9123 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 9124 * >kms:GetKeyPolicy</a> (key policy) 9125 * </p> 9126 * <p> 9127 * <b>Related operations</b>: <a 9128 * href="https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html">PutKeyPolicy</a> 9129 * </p> 9130 * <p> 9131 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 9132 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 9133 * consistency</a>. 9134 * </p> 9135 * 9136 * @param getKeyPolicyRequest 9137 * @return A Java Future containing the result of the GetKeyPolicy operation returned by the service.<br/> 9138 * The CompletableFuture returned by this method can be completed exceptionally with the following 9139 * exceptions. 9140 * <ul> 9141 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 9142 * found.</li> 9143 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 9144 * not valid.</li> 9145 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 9146 * the request.</li> 9147 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 9148 * be retried.</li> 9149 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 9150 * valid for this request.</p> 9151 * <p> 9152 * This exceptions means one of the following: 9153 * </p> 9154 * <ul> 9155 * <li> 9156 * <p> 9157 * The key state of the KMS key is not compatible with the operation. 9158 * </p> 9159 * <p> 9160 * To find the key state, use the <a>DescribeKey</a> operation. 
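For more information about which key states
     * are compatible with each KMS operation, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
     * the <i>Key Management Service Developer Guide</i>.
     * </p>
     * </li>
     * <li>
     * <p>
     * For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     * failure with many possible causes. To identify the cause, see the error message that accompanies the
     * exception.
     * </p>
     * </li></ul></li>
     * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     * Can be used for catch all scenarios.</li>
     * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     * credentials, etc.</li>
     * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.GetKeyPolicy
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyPolicy" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<GetKeyPolicyResponse> getKeyPolicy(GetKeyPolicyRequest getKeyPolicyRequest) {
        // Default for clients that do not override this operation: the exception is thrown directly from the
        // call, so the caller gets no CompletableFuture to inspect.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Gets a key policy attached to the specified KMS key.
     * </p>
     * <p>
     * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
     * account.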
9195 * </p> 9196 * <p> 9197 * <b>Required permissions</b>: <a 9198 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 9199 * >kms:GetKeyPolicy</a> (key policy) 9200 * </p> 9201 * <p> 9202 * <b>Related operations</b>: <a 9203 * href="https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html">PutKeyPolicy</a> 9204 * </p> 9205 * <p> 9206 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 9207 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 9208 * consistency</a>. 9209 * </p> 9210 * <br/> 9211 * <p> 9212 * This is a convenience which creates an instance of the {@link GetKeyPolicyRequest.Builder} avoiding the need to 9213 * create one manually via {@link GetKeyPolicyRequest#builder()} 9214 * </p> 9215 * 9216 * @param getKeyPolicyRequest 9217 * A {@link Consumer} that will call methods on 9218 * {@link software.amazon.awssdk.services.kms.model.GetKeyPolicyRequest.Builder} to create a request. 9219 * @return A Java Future containing the result of the GetKeyPolicy operation returned by the service.<br/> 9220 * The CompletableFuture returned by this method can be completed exceptionally with the following 9221 * exceptions. 9222 * <ul> 9223 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 9224 * found.</li> 9225 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 9226 * not valid.</li> 9227 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 9228 * the request.</li> 9229 * <li>KmsInternalException The request was rejected because an internal exception occurred. 
The request can 9230 * be retried.</li> 9231 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 9232 * valid for this request.</p> 9233 * <p> 9234 * This exceptions means one of the following: 9235 * </p> 9236 * <ul> 9237 * <li> 9238 * <p> 9239 * The key state of the KMS key is not compatible with the operation. 9240 * </p> 9241 * <p> 9242 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 9243 * are compatible with each KMS operation, see <a 9244 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 9245 * the <i> <i>Key Management Service Developer Guide</i> </i>. 9246 * </p> 9247 * </li> 9248 * <li> 9249 * <p> 9250 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 9251 * failure with many possible causes. To identify the cause, see the error message that accompanies the 9252 * exception. 9253 * </p> 9254 * </li></li> 9255 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 9256 * Can be used for catch all scenarios.</li> 9257 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 9258 * credentials, etc.</li> 9259 * <li>KmsException Base class for all service exceptions. 
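Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.GetKeyPolicy
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyPolicy" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<GetKeyPolicyResponse> getKeyPolicy(Consumer<GetKeyPolicyRequest.Builder> getKeyPolicyRequest) {
        // Start from an empty builder, let the caller's Consumer configure it, then hand the built request to
        // the request-object overload.
        GetKeyPolicyRequest request = GetKeyPolicyRequest.builder().applyMutation(getKeyPolicyRequest).build();
        return getKeyPolicy(request);
    }

    /**
     * <p>
     * Gets a Boolean value that indicates whether <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html">automatic rotation of the key
     * material</a> is enabled for the specified KMS key.
     * </p>
     * <p>
     * When you enable automatic rotation for <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed KMS
     * keys</a>, KMS rotates the key material of the KMS key one year (approximately 365 days) from the enable date and
     * every year thereafter. You can monitor rotation of the key material for your KMS keys in CloudTrail and Amazon
     * CloudWatch.
     * </p>
     * <p>
     * Automatic key rotation is supported only on <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks">symmetric encryption
     * KMS keys</a>.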
You cannot enable automatic rotation of <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>,
     * <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys with <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or
     * KMS keys in a <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>.
     * To enable or disable automatic rotation of a set of related <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate"
     * >multi-Region keys</a>, set the property on the primary key.
     * </p>
     * <p>
     * You can enable (<a>EnableKeyRotation</a>) and disable automatic rotation (<a>DisableKeyRotation</a>) of the key
     * material in customer managed KMS keys. Key material rotation of <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web Services
     * managed KMS keys</a> is not configurable. KMS always rotates the key material in Amazon Web Services managed KMS
     * keys every year. The key rotation status for Amazon Web Services managed KMS keys is always <code>true</code>.
     * </p>
     * <note>
     * <p>
     * In May 2022, KMS changed the rotation schedule for Amazon Web Services managed keys from every three years to
     * every year. For details, see <a>EnableKeyRotation</a>.
     * </p>
     * </note>
     * <p>
     * The KMS key that you use for this operation must be in a compatible key state. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the
     * <i>Key Management Service Developer Guide</i>.
9313 * </p> 9314 * <ul> 9315 * <li> 9316 * <p> 9317 * Disabled: The key rotation status does not change when you disable a KMS key. However, while the KMS key is 9318 * disabled, KMS does not rotate the key material. When you re-enable the KMS key, rotation resumes. If the key 9319 * material in the re-enabled KMS key hasn't been rotated in one year, KMS rotates it immediately, and every year 9320 * thereafter. If it's been less than a year since the key material in the re-enabled KMS key was rotated, the KMS 9321 * key resumes its prior rotation schedule. 9322 * </p> 9323 * </li> 9324 * <li> 9325 * <p> 9326 * Pending deletion: While a KMS key is pending deletion, its key rotation status is <code>false</code> and KMS does 9327 * not rotate the key material. If you cancel the deletion, the original key rotation status returns to 9328 * <code>true</code>. 9329 * </p> 9330 * </li> 9331 * </ul> 9332 * <p> 9333 * <b>Cross-account use</b>: Yes. To perform this operation on a KMS key in a different Amazon Web Services account, 9334 * specify the key ARN in the value of the <code>KeyId</code> parameter. 9335 * </p> 9336 * <p> 9337 * <b>Required permissions</b>: <a 9338 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 9339 * >kms:GetKeyRotationStatus</a> (key policy) 9340 * </p> 9341 * <p> 9342 * <b>Related operations:</b> 9343 * </p> 9344 * <ul> 9345 * <li> 9346 * <p> 9347 * <a>DisableKeyRotation</a> 9348 * </p> 9349 * </li> 9350 * <li> 9351 * <p> 9352 * <a>EnableKeyRotation</a> 9353 * </p> 9354 * </li> 9355 * </ul> 9356 * <p> 9357 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 9358 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 9359 * consistency</a>. 
9360 * </p> 9361 * 9362 * @param getKeyRotationStatusRequest 9363 * @return A Java Future containing the result of the GetKeyRotationStatus operation returned by the service.<br/> 9364 * The CompletableFuture returned by this method can be completed exceptionally with the following 9365 * exceptions. 9366 * <ul> 9367 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 9368 * found.</li> 9369 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 9370 * not valid.</li> 9371 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 9372 * the request.</li> 9373 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 9374 * be retried.</li> 9375 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 9376 * valid for this request.</p> 9377 * <p> 9378 * This exceptions means one of the following: 9379 * </p> 9380 * <ul> 9381 * <li> 9382 * <p> 9383 * The key state of the KMS key is not compatible with the operation. 9384 * </p> 9385 * <p> 9386 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 9387 * are compatible with each KMS operation, see <a 9388 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 9389 * the <i> <i>Key Management Service Developer Guide</i> </i>. 9390 * </p> 9391 * </li> 9392 * <li> 9393 * <p> 9394 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 9395 * failure with many possible causes. To identify the cause, see the error message that accompanies the 9396 * exception. 
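* </p>
     * </li></ul></li>
     * <li>UnsupportedOperationException The request was rejected because a specified parameter is not supported
     * or a specified resource is not valid for this operation.</li>
     * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     * Can be used for catch all scenarios.</li>
     * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     * credentials, etc.</li>
     * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.GetKeyRotationStatus
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyRotationStatus" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<GetKeyRotationStatusResponse> getKeyRotationStatus(
            GetKeyRotationStatusRequest getKeyRotationStatusRequest) {
        // Default for clients that do not override this operation: the exception is thrown directly from the
        // call, so the caller gets no CompletableFuture to inspect.
        // NOTE(review): the Javadoc above also lists a service error named UnsupportedOperationException, which
        // is reported through the returned future. Confirm from the file's imports which class this simple
        // name resolves to.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Gets a Boolean value that indicates whether <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html">automatic rotation of the key
     * material</a> is enabled for the specified KMS key.
     * </p>
     * <p>
     * When you enable automatic rotation for <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed KMS
     * keys</a>, KMS rotates the key material of the KMS key one year (approximately 365 days) from the enable date and
     * every year thereafter. You can monitor rotation of the key material for your KMS keys in CloudTrail and Amazon
     * CloudWatch.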
9429 * </p> 9430 * <p> 9431 * Automatic key rotation is supported only on <a 9432 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks">symmetric encryption 9433 * KMS keys</a>. You cannot enable automatic rotation of <a 9434 * href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, 9435 * <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys with <a 9436 * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or 9437 * KMS keys in a <a 9438 * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. 9439 * To enable or disable automatic rotation of a set of related <a 9440 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate" 9441 * >multi-Region keys</a>, set the property on the primary key.. 9442 * </p> 9443 * <p> 9444 * You can enable (<a>EnableKeyRotation</a>) and disable automatic rotation (<a>DisableKeyRotation</a>) of the key 9445 * material in customer managed KMS keys. Key material rotation of <a 9446 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web Services 9447 * managed KMS keys</a> is not configurable. KMS always rotates the key material in Amazon Web Services managed KMS 9448 * keys every year. The key rotation status for Amazon Web Services managed KMS keys is always <code>true</code>. 9449 * </p> 9450 * <note> 9451 * <p> 9452 * In May 2022, KMS changed the rotation schedule for Amazon Web Services managed keys from every three years to 9453 * every year. For details, see <a>EnableKeyRotation</a>. 9454 * </p> 9455 * </note> 9456 * <p> 9457 * The KMS key that you use for this operation must be in a compatible key state. 
For details, see <a 9458 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 9459 * <i>Key Management Service Developer Guide</i>. 9460 * </p> 9461 * <ul> 9462 * <li> 9463 * <p> 9464 * Disabled: The key rotation status does not change when you disable a KMS key. However, while the KMS key is 9465 * disabled, KMS does not rotate the key material. When you re-enable the KMS key, rotation resumes. If the key 9466 * material in the re-enabled KMS key hasn't been rotated in one year, KMS rotates it immediately, and every year 9467 * thereafter. If it's been less than a year since the key material in the re-enabled KMS key was rotated, the KMS 9468 * key resumes its prior rotation schedule. 9469 * </p> 9470 * </li> 9471 * <li> 9472 * <p> 9473 * Pending deletion: While a KMS key is pending deletion, its key rotation status is <code>false</code> and KMS does 9474 * not rotate the key material. If you cancel the deletion, the original key rotation status returns to 9475 * <code>true</code>. 9476 * </p> 9477 * </li> 9478 * </ul> 9479 * <p> 9480 * <b>Cross-account use</b>: Yes. To perform this operation on a KMS key in a different Amazon Web Services account, 9481 * specify the key ARN in the value of the <code>KeyId</code> parameter. 9482 * </p> 9483 * <p> 9484 * <b>Required permissions</b>: <a 9485 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 9486 * >kms:GetKeyRotationStatus</a> (key policy) 9487 * </p> 9488 * <p> 9489 * <b>Related operations:</b> 9490 * </p> 9491 * <ul> 9492 * <li> 9493 * <p> 9494 * <a>DisableKeyRotation</a> 9495 * </p> 9496 * </li> 9497 * <li> 9498 * <p> 9499 * <a>EnableKeyRotation</a> 9500 * </p> 9501 * </li> 9502 * </ul> 9503 * <p> 9504 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. 
For more information, see <a 9505 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 9506 * consistency</a>. 9507 * </p> 9508 * <br/> 9509 * <p> 9510 * This is a convenience which creates an instance of the {@link GetKeyRotationStatusRequest.Builder} avoiding the 9511 * need to create one manually via {@link GetKeyRotationStatusRequest#builder()} 9512 * </p> 9513 * 9514 * @param getKeyRotationStatusRequest 9515 * A {@link Consumer} that will call methods on 9516 * {@link software.amazon.awssdk.services.kms.model.GetKeyRotationStatusRequest.Builder} to create a request. 9517 * @return A Java Future containing the result of the GetKeyRotationStatus operation returned by the service.<br/> 9518 * The CompletableFuture returned by this method can be completed exceptionally with the following 9519 * exceptions. 9520 * <ul> 9521 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 9522 * found.</li> 9523 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 9524 * not valid.</li> 9525 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 9526 * the request.</li> 9527 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 9528 * be retried.</li> 9529 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 9530 * valid for this request.</p> 9531 * <p> 9532 * This exceptions means one of the following: 9533 * </p> 9534 * <ul> 9535 * <li> 9536 * <p> 9537 * The key state of the KMS key is not compatible with the operation. 9538 * </p> 9539 * <p> 9540 * To find the key state, use the <a>DescribeKey</a> operation. 
For more information about which key states
     * are compatible with each KMS operation, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
     * the <i>Key Management Service Developer Guide</i>.
     * </p>
     * </li>
     * <li>
     * <p>
     * For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     * failure with many possible causes. To identify the cause, see the error message that accompanies the
     * exception.
     * </p>
     * </li></li>
     * <li>UnsupportedOperationException The request was rejected because a specified parameter is not supported
     * or a specified resource is not valid for this operation.</li>
     * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     * Can be used for catch all scenarios.</li>
     * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     * credentials, etc.</li>
     * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.GetKeyRotationStatus
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyRotationStatus" target="_top">AWS API
     * Documentation</a>
     */
    default CompletableFuture<GetKeyRotationStatusResponse> getKeyRotationStatus(
            Consumer<GetKeyRotationStatusRequest.Builder> getKeyRotationStatusRequest) {
        // Convenience overload: the caller's Consumer is applied to a builder obtained from
        // GetKeyRotationStatusRequest.builder(), and the built request is handed to the
        // request-object overload. Nothing is validated here; the request is passed on exactly
        // as the Consumer configured it.
        GetKeyRotationStatusRequest builtRequest = GetKeyRotationStatusRequest.builder()
                .applyMutation(getKeyRotationStatusRequest)
                .build();
        return getKeyRotationStatus(builtRequest);
    }

    /**
     * <p>
     * Returns the public key and an import token you need to import or reimport key material for a KMS key.
9574 * </p> 9575 * <p> 9576 * By default, KMS keys are created with key material that KMS generates. This operation supports <a 9577 * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing key material</a>, an 9578 * advanced feature that lets you generate and import the cryptographic key material for a KMS key. For more 9579 * information about importing key material into KMS, see <a 9580 * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing key material</a> in 9581 * the <i>Key Management Service Developer Guide</i>. 9582 * </p> 9583 * <p> 9584 * Before calling <code>GetParametersForImport</code>, use the <a>CreateKey</a> operation with an 9585 * <code>Origin</code> value of <code>EXTERNAL</code> to create a KMS key with no key material. You can import key 9586 * material for a symmetric encryption KMS key, HMAC KMS key, asymmetric encryption KMS key, or asymmetric signing 9587 * KMS key. You can also import key material into a <a 9588 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html">multi-Region key</a> 9589 * of any supported type. However, you can't import key material into a KMS key in a <a 9590 * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. 9591 * You can also use <code>GetParametersForImport</code> to get a public key and import token to <a 9592 * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material">reimport 9593 * the original key material</a> into a KMS key whose key material expired or was deleted. 9594 * </p> 9595 * <p> 9596 * <code>GetParametersForImport</code> returns the items that you need to import your key material. 9597 * </p> 9598 * <ul> 9599 * <li> 9600 * <p> 9601 * The public key (or "wrapping key") of an RSA key pair that KMS generates. 
9602 * </p> 9603 * <p> 9604 * You will use this public key to encrypt ("wrap") your key material while it's in transit to KMS. 9605 * </p> 9606 * </li> 9607 * <li> 9608 * <p> 9609 * An import token that ensures that KMS can decrypt your key material and associate it with the correct KMS key. 9610 * </p> 9611 * </li> 9612 * </ul> 9613 * <p> 9614 * The public key and its import token are permanently linked and must be used together. Each public key and import 9615 * token set is valid for 24 hours. The expiration date and time appear in the <code>ParametersValidTo</code> field 9616 * in the <code>GetParametersForImport</code> response. You cannot use an expired public key or import token in an 9617 * <a>ImportKeyMaterial</a> request. If your key and token expire, send another <code>GetParametersForImport</code> 9618 * request. 9619 * </p> 9620 * <p> 9621 * <code>GetParametersForImport</code> requires the following information: 9622 * </p> 9623 * <ul> 9624 * <li> 9625 * <p> 9626 * The key ID of the KMS key for which you are importing the key material. 9627 * </p> 9628 * </li> 9629 * <li> 9630 * <p> 9631 * The key spec of the public key ("wrapping key") that you will use to encrypt your key material during import. 9632 * </p> 9633 * </li> 9634 * <li> 9635 * <p> 9636 * The wrapping algorithm that you will use with the public key to encrypt your key material. 9637 * </p> 9638 * </li> 9639 * </ul> 9640 * <p> 9641 * You can use the same or a different public key spec and wrapping algorithm each time you import or reimport the 9642 * same key material. 9643 * </p> 9644 * <p> 9645 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 9646 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 9647 * <i>Key Management Service Developer Guide</i>. 9648 * </p> 9649 * <p> 9650 * <b>Cross-account use</b>: No. 
You cannot perform this operation on a KMS key in a different Amazon Web Services 9651 * account. 9652 * </p> 9653 * <p> 9654 * <b>Required permissions</b>: <a 9655 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 9656 * >kms:GetParametersForImport</a> (key policy) 9657 * </p> 9658 * <p> 9659 * <b>Related operations:</b> 9660 * </p> 9661 * <ul> 9662 * <li> 9663 * <p> 9664 * <a>ImportKeyMaterial</a> 9665 * </p> 9666 * </li> 9667 * <li> 9668 * <p> 9669 * <a>DeleteImportedKeyMaterial</a> 9670 * </p> 9671 * </li> 9672 * </ul> 9673 * <p> 9674 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 9675 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 9676 * consistency</a>. 9677 * </p> 9678 * 9679 * @param getParametersForImportRequest 9680 * @return A Java Future containing the result of the GetParametersForImport operation returned by the service.<br/> 9681 * The CompletableFuture returned by this method can be completed exceptionally with the following 9682 * exceptions. 9683 * <ul> 9684 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 9685 * not valid.</li> 9686 * <li>UnsupportedOperationException The request was rejected because a specified parameter is not supported 9687 * or a specified resource is not valid for this operation.</li> 9688 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 9689 * the request.</li> 9690 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 9691 * found.</li> 9692 * <li>KmsInternalException The request was rejected because an internal exception occurred. 
The request can 9693 * be retried.</li> 9694 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 9695 * valid for this request.</p> 9696 * <p> 9697 * This exceptions means one of the following: 9698 * </p> 9699 * <ul> 9700 * <li> 9701 * <p> 9702 * The key state of the KMS key is not compatible with the operation. 9703 * </p> 9704 * <p> 9705 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 9706 * are compatible with each KMS operation, see <a 9707 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 9708 * the <i> <i>Key Management Service Developer Guide</i> </i>. 9709 * </p> 9710 * </li> 9711 * <li> 9712 * <p> 9713 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 9714 * failure with many possible causes. To identify the cause, see the error message that accompanies the 9715 * exception. 9716 * </p> 9717 * </li></li> 9718 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 9719 * Can be used for catch all scenarios.</li> 9720 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 9721 * credentials, etc.</li> 9722 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.GetParametersForImport
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImport" target="_top">AWS
     * API Documentation</a>
     */
    default CompletableFuture<GetParametersForImportResponse> getParametersForImport(
            GetParametersForImportRequest getParametersForImportRequest) {
        // Interface default: no request is built or sent, and no future is returned. The
        // exception is thrown synchronously, so it surfaces at the call site rather than in
        // handlers attached to a CompletableFuture. Presumably a concrete client overrides
        // this method - confirm against the implementing class.
        // NOTE(review): the Javadoc above also lists a service-side UnsupportedOperationException
        // that completes the future exceptionally. The unqualified name here resolves to
        // java.lang.UnsupportedOperationException unless the file imports a same-named class;
        // the full import list is not visible from here - confirm.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Returns the public key and an import token you need to import or reimport key material for a KMS key.
     * </p>
     * <p>
     * By default, KMS keys are created with key material that KMS generates. This operation supports <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing key material</a>, an
     * advanced feature that lets you generate and import the cryptographic key material for a KMS key. For more
     * information about importing key material into KMS, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing key material</a> in
     * the <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * Before calling <code>GetParametersForImport</code>, use the <a>CreateKey</a> operation with an
     * <code>Origin</code> value of <code>EXTERNAL</code> to create a KMS key with no key material. You can import key
     * material for a symmetric encryption KMS key, HMAC KMS key, asymmetric encryption KMS key, or asymmetric signing
     * KMS key. You can also import key material into a <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html">multi-Region key</a>
     * of any supported type.
However, you can't import key material into a KMS key in a <a 9753 * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. 9754 * You can also use <code>GetParametersForImport</code> to get a public key and import token to <a 9755 * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material">reimport 9756 * the original key material</a> into a KMS key whose key material expired or was deleted. 9757 * </p> 9758 * <p> 9759 * <code>GetParametersForImport</code> returns the items that you need to import your key material. 9760 * </p> 9761 * <ul> 9762 * <li> 9763 * <p> 9764 * The public key (or "wrapping key") of an RSA key pair that KMS generates. 9765 * </p> 9766 * <p> 9767 * You will use this public key to encrypt ("wrap") your key material while it's in transit to KMS. 9768 * </p> 9769 * </li> 9770 * <li> 9771 * <p> 9772 * A import token that ensures that KMS can decrypt your key material and associate it with the correct KMS key. 9773 * </p> 9774 * </li> 9775 * </ul> 9776 * <p> 9777 * The public key and its import token are permanently linked and must be used together. Each public key and import 9778 * token set is valid for 24 hours. The expiration date and time appear in the <code>ParametersValidTo</code> field 9779 * in the <code>GetParametersForImport</code> response. You cannot use an expired public key or import token in an 9780 * <a>ImportKeyMaterial</a> request. If your key and token expire, send another <code>GetParametersForImport</code> 9781 * request. 9782 * </p> 9783 * <p> 9784 * <code>GetParametersForImport</code> requires the following information: 9785 * </p> 9786 * <ul> 9787 * <li> 9788 * <p> 9789 * The key ID of the KMS key for which you are importing the key material. 9790 * </p> 9791 * </li> 9792 * <li> 9793 * <p> 9794 * The key spec of the public key ("wrapping key") that you will use to encrypt your key material during import. 
9795 * </p> 9796 * </li> 9797 * <li> 9798 * <p> 9799 * The wrapping algorithm that you will use with the public key to encrypt your key material. 9800 * </p> 9801 * </li> 9802 * </ul> 9803 * <p> 9804 * You can use the same or a different public key spec and wrapping algorithm each time you import or reimport the 9805 * same key material. 9806 * </p> 9807 * <p> 9808 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 9809 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 9810 * <i>Key Management Service Developer Guide</i>. 9811 * </p> 9812 * <p> 9813 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 9814 * account. 9815 * </p> 9816 * <p> 9817 * <b>Required permissions</b>: <a 9818 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 9819 * >kms:GetParametersForImport</a> (key policy) 9820 * </p> 9821 * <p> 9822 * <b>Related operations:</b> 9823 * </p> 9824 * <ul> 9825 * <li> 9826 * <p> 9827 * <a>ImportKeyMaterial</a> 9828 * </p> 9829 * </li> 9830 * <li> 9831 * <p> 9832 * <a>DeleteImportedKeyMaterial</a> 9833 * </p> 9834 * </li> 9835 * </ul> 9836 * <p> 9837 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 9838 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 9839 * consistency</a>. 
9840 * </p> 9841 * <br/> 9842 * <p> 9843 * This is a convenience which creates an instance of the {@link GetParametersForImportRequest.Builder} avoiding the 9844 * need to create one manually via {@link GetParametersForImportRequest#builder()} 9845 * </p> 9846 * 9847 * @param getParametersForImportRequest 9848 * A {@link Consumer} that will call methods on 9849 * {@link software.amazon.awssdk.services.kms.model.GetParametersForImportRequest.Builder} to create a 9850 * request. 9851 * @return A Java Future containing the result of the GetParametersForImport operation returned by the service.<br/> 9852 * The CompletableFuture returned by this method can be completed exceptionally with the following 9853 * exceptions. 9854 * <ul> 9855 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 9856 * not valid.</li> 9857 * <li>UnsupportedOperationException The request was rejected because a specified parameter is not supported 9858 * or a specified resource is not valid for this operation.</li> 9859 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 9860 * the request.</li> 9861 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 9862 * found.</li> 9863 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 9864 * be retried.</li> 9865 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 9866 * valid for this request.</p> 9867 * <p> 9868 * This exceptions means one of the following: 9869 * </p> 9870 * <ul> 9871 * <li> 9872 * <p> 9873 * The key state of the KMS key is not compatible with the operation. 9874 * </p> 9875 * <p> 9876 * To find the key state, use the <a>DescribeKey</a> operation. 
For more information about which key states
     * are compatible with each KMS operation, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
     * the <i>Key Management Service Developer Guide</i>.
     * </p>
     * </li>
     * <li>
     * <p>
     * For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     * failure with many possible causes. To identify the cause, see the error message that accompanies the
     * exception.
     * </p>
     * </li></li>
     * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     * Can be used for catch all scenarios.</li>
     * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     * credentials, etc.</li>
     * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.GetParametersForImport
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImport" target="_top">AWS
     * API Documentation</a>
     */
    default CompletableFuture<GetParametersForImportResponse> getParametersForImport(
            Consumer<GetParametersForImportRequest.Builder> getParametersForImportRequest) {
        // Convenience overload: the caller's Consumer is applied to a builder obtained from
        // GetParametersForImportRequest.builder(), and the built request is handed to the
        // request-object overload. Nothing is validated here; the key ID, wrapping key spec
        // and wrapping algorithm are passed on exactly as the Consumer set them.
        GetParametersForImportRequest builtRequest = GetParametersForImportRequest.builder()
                .applyMutation(getParametersForImportRequest)
                .build();
        return getParametersForImport(builtRequest);
    }

    /**
     * <p>
     * Returns the public key of an asymmetric KMS key. Unlike the private key of an asymmetric KMS key, which never
     * leaves KMS unencrypted, callers with <code>kms:GetPublicKey</code> permission can download the public key of an
     * asymmetric KMS key.
You can share the public key to allow others to encrypt messages and verify signatures 9911 * outside of KMS. For information about asymmetric KMS keys, see <a 9912 * href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in 9913 * the <i>Key Management Service Developer Guide</i>. 9914 * </p> 9915 * <p> 9916 * You do not need to download the public key. Instead, you can use the public key within KMS by calling the 9917 * <a>Encrypt</a>, <a>ReEncrypt</a>, or <a>Verify</a> operations with the identifier of an asymmetric KMS key. When 9918 * you use the public key within KMS, you benefit from the authentication, authorization, and logging that are part 9919 * of every KMS operation. You also reduce the risk of encrypting data that cannot be decrypted. These features are 9920 * not effective outside of KMS. 9921 * </p> 9922 * <p> 9923 * To help you use the public key safely outside of KMS, <code>GetPublicKey</code> returns important information 9924 * about the public key in the response, including: 9925 * </p> 9926 * <ul> 9927 * <li> 9928 * <p> 9929 * <a href= 9930 * "https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-KeySpec" 9931 * >KeySpec</a>: The type of key material in the public key, such as <code>RSA_4096</code> or 9932 * <code>ECC_NIST_P521</code>. 9933 * </p> 9934 * </li> 9935 * <li> 9936 * <p> 9937 * <a href= 9938 * "https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-KeyUsage" 9939 * >KeyUsage</a>: Whether the key is used for encryption or signing. 
9940 * </p> 9941 * </li> 9942 * <li> 9943 * <p> 9944 * <a href= 9945 * "https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-EncryptionAlgorithms" 9946 * >EncryptionAlgorithms</a> or <a href= 9947 * "https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-SigningAlgorithms" 9948 * >SigningAlgorithms</a>: A list of the encryption algorithms or the signing algorithms for the key. 9949 * </p> 9950 * </li> 9951 * </ul> 9952 * <p> 9953 * Although KMS cannot enforce these restrictions on external operations, it is crucial that you use this 9954 * information to prevent the public key from being used improperly. For example, you can prevent a public signing 9955 * key from being used to encrypt data, or prevent a public key from being used with an encryption algorithm that is 9956 * not supported by KMS. You can also avoid errors, such as using the wrong signing algorithm in a verification 9957 * operation. 9958 * </p> 9959 * <p> 9960 * To verify a signature outside of KMS with an SM2 public key (China Regions only), you must specify the 9961 * distinguishing ID. By default, KMS uses <code>1234567812345678</code> as the distinguishing ID. For more 9962 * information, see <a href= 9963 * "https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification" 9964 * >Offline verification with SM2 key pairs</a>. 9965 * </p> 9966 * <p> 9967 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 9968 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 9969 * <i>Key Management Service Developer Guide</i>. 9970 * </p> 9971 * <p> 9972 * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services 9973 * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. 
9974 * </p> 9975 * <p> 9976 * <b>Required permissions</b>: <a 9977 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 9978 * >kms:GetPublicKey</a> (key policy) 9979 * </p> 9980 * <p> 9981 * <b>Related operations</b>: <a>CreateKey</a> 9982 * </p> 9983 * <p> 9984 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 9985 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 9986 * consistency</a>. 9987 * </p> 9988 * 9989 * @param getPublicKeyRequest 9990 * @return A Java Future containing the result of the GetPublicKey operation returned by the service.<br/> 9991 * The CompletableFuture returned by this method can be completed exceptionally with the following 9992 * exceptions. 9993 * <ul> 9994 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 9995 * found.</li> 9996 * <li>DisabledException The request was rejected because the specified KMS key is not enabled.</li> 9997 * <li>KeyUnavailableException The request was rejected because the specified KMS key was not available. You 9998 * can retry the request.</li> 9999 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. 
You can retry 10000 * the request.</li> 10001 * <li>UnsupportedOperationException The request was rejected because a specified parameter is not supported 10002 * or a specified resource is not valid for this operation.</li> 10003 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 10004 * not valid.</li> 10005 * <li>InvalidGrantTokenException The request was rejected because the specified grant token is not valid.</li> 10006 * <li>InvalidKeyUsageException The request was rejected for one of the following reasons: </p> 10007 * <ul> 10008 * <li> 10009 * <p> 10010 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 10011 * </p> 10012 * </li> 10013 * <li> 10014 * <p> 10015 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 10016 * of key material in the KMS key <code>(KeySpec</code>). 10017 * </p> 10018 * </li> 10019 * </ul> 10020 * <p> 10021 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 10022 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 10023 * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the 10024 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 10025 * KMS key, use the <a>DescribeKey</a> operation. 10026 * </p> 10027 * <p> 10028 * To find the encryption or signing algorithms supported for a particular KMS key, use the 10029 * <a>DescribeKey</a> operation.</li> 10030 * <li>KmsInternalException The request was rejected because an internal exception occurred. 
The request can 10031 * be retried.</li> 10032 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 10033 * valid for this request.</p> 10034 * <p> 10035 * This exceptions means one of the following: 10036 * </p> 10037 * <ul> 10038 * <li> 10039 * <p> 10040 * The key state of the KMS key is not compatible with the operation. 10041 * </p> 10042 * <p> 10043 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 10044 * are compatible with each KMS operation, see <a 10045 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 10046 * the <i> <i>Key Management Service Developer Guide</i> </i>. 10047 * </p> 10048 * </li> 10049 * <li> 10050 * <p> 10051 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 10052 * failure with many possible causes. To identify the cause, see the error message that accompanies the 10053 * exception. 10054 * </p> 10055 * </li></li> 10056 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 10057 * Can be used for catch all scenarios.</li> 10058 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 10059 * credentials, etc.</li> 10060 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.GetPublicKey
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKey" target="_top">AWS API
     * Documentation</a>
     */
    default CompletableFuture<GetPublicKeyResponse> getPublicKey(
            GetPublicKeyRequest getPublicKeyRequest) {
        // Interface default: no request is built or sent, and no future is returned. The
        // exception is thrown synchronously, so it surfaces at the call site rather than in
        // handlers attached to a CompletableFuture. Presumably a concrete client overrides
        // this method - confirm against the implementing class.
        // NOTE(review): the Javadoc above also lists a service-side UnsupportedOperationException
        // that completes the future exceptionally. The unqualified name here resolves to
        // java.lang.UnsupportedOperationException unless the file imports a same-named class;
        // the full import list is not visible from here - confirm.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Returns the public key of an asymmetric KMS key. Unlike the private key of an asymmetric KMS key, which never
     * leaves KMS unencrypted, callers with <code>kms:GetPublicKey</code> permission can download the public key of an
     * asymmetric KMS key. You can share the public key to allow others to encrypt messages and verify signatures
     * outside of KMS. For information about asymmetric KMS keys, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in
     * the <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * You do not need to download the public key. Instead, you can use the public key within KMS by calling the
     * <a>Encrypt</a>, <a>ReEncrypt</a>, or <a>Verify</a> operations with the identifier of an asymmetric KMS key. When
     * you use the public key within KMS, you benefit from the authentication, authorization, and logging that are part
     * of every KMS operation. You also reduce the risk of encrypting data that cannot be decrypted. These features are
     * not effective outside of KMS.
10086 * </p> 10087 * <p> 10088 * To help you use the public key safely outside of KMS, <code>GetPublicKey</code> returns important information 10089 * about the public key in the response, including: 10090 * </p> 10091 * <ul> 10092 * <li> 10093 * <p> 10094 * <a href= 10095 * "https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-KeySpec" 10096 * >KeySpec</a>: The type of key material in the public key, such as <code>RSA_4096</code> or 10097 * <code>ECC_NIST_P521</code>. 10098 * </p> 10099 * </li> 10100 * <li> 10101 * <p> 10102 * <a href= 10103 * "https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-KeyUsage" 10104 * >KeyUsage</a>: Whether the key is used for encryption or signing. 10105 * </p> 10106 * </li> 10107 * <li> 10108 * <p> 10109 * <a href= 10110 * "https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-EncryptionAlgorithms" 10111 * >EncryptionAlgorithms</a> or <a href= 10112 * "https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-SigningAlgorithms" 10113 * >SigningAlgorithms</a>: A list of the encryption algorithms or the signing algorithms for the key. 10114 * </p> 10115 * </li> 10116 * </ul> 10117 * <p> 10118 * Although KMS cannot enforce these restrictions on external operations, it is crucial that you use this 10119 * information to prevent the public key from being used improperly. For example, you can prevent a public signing 10120 * key from being used encrypt data, or prevent a public key from being used with an encryption algorithm that is 10121 * not supported by KMS. You can also avoid errors, such as using the wrong signing algorithm in a verification 10122 * operation. 10123 * </p> 10124 * <p> 10125 * To verify a signature outside of KMS with an SM2 public key (China Regions only), you must specify the 10126 * distinguishing ID. 
By default, KMS uses <code>1234567812345678</code> as the distinguishing ID. For more 10127 * information, see <a href= 10128 * "https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification" 10129 * >Offline verification with SM2 key pairs</a>. 10130 * </p> 10131 * <p> 10132 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 10133 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 10134 * <i>Key Management Service Developer Guide</i>. 10135 * </p> 10136 * <p> 10137 * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services 10138 * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. 10139 * </p> 10140 * <p> 10141 * <b>Required permissions</b>: <a 10142 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 10143 * >kms:GetPublicKey</a> (key policy) 10144 * </p> 10145 * <p> 10146 * <b>Related operations</b>: <a>CreateKey</a> 10147 * </p> 10148 * <p> 10149 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 10150 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 10151 * consistency</a>. 10152 * </p> 10153 * <br/> 10154 * <p> 10155 * This is a convenience which creates an instance of the {@link GetPublicKeyRequest.Builder} avoiding the need to 10156 * create one manually via {@link GetPublicKeyRequest#builder()} 10157 * </p> 10158 * 10159 * @param getPublicKeyRequest 10160 * A {@link Consumer} that will call methods on 10161 * {@link software.amazon.awssdk.services.kms.model.GetPublicKeyRequest.Builder} to create a request. 
10162 * @return A Java Future containing the result of the GetPublicKey operation returned by the service.<br/> 10163 * The CompletableFuture returned by this method can be completed exceptionally with the following 10164 * exceptions. 10165 * <ul> 10166 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 10167 * found.</li> 10168 * <li>DisabledException The request was rejected because the specified KMS key is not enabled.</li> 10169 * <li>KeyUnavailableException The request was rejected because the specified KMS key was not available. You 10170 * can retry the request.</li> 10171 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 10172 * the request.</li> 10173 * <li>UnsupportedOperationException The request was rejected because a specified parameter is not supported 10174 * or a specified resource is not valid for this operation.</li> 10175 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 10176 * not valid.</li> 10177 * <li>InvalidGrantTokenException The request was rejected because the specified grant token is not valid.</li> 10178 * <li>InvalidKeyUsageException The request was rejected for one of the following reasons: </p> 10179 * <ul> 10180 * <li> 10181 * <p> 10182 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 10183 * </p> 10184 * </li> 10185 * <li> 10186 * <p> 10187 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 10188 * of key material in the KMS key <code>(KeySpec</code>). 10189 * </p> 10190 * </li> 10191 * </ul> 10192 * <p> 10193 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 10194 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 10195 * <code>SIGN_VERIFY</code>. 
For generating and verifying message authentication codes (MACs), the 10196 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 10197 * KMS key, use the <a>DescribeKey</a> operation. 10198 * </p> 10199 * <p> 10200 * To find the encryption or signing algorithms supported for a particular KMS key, use the 10201 * <a>DescribeKey</a> operation.</li> 10202 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 10203 * be retried.</li> 10204 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 10205 * valid for this request.</p> 10206 * <p> 10207 * This exceptions means one of the following: 10208 * </p> 10209 * <ul> 10210 * <li> 10211 * <p> 10212 * The key state of the KMS key is not compatible with the operation. 10213 * </p> 10214 * <p> 10215 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 10216 * are compatible with each KMS operation, see <a 10217 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 10218 * the <i> <i>Key Management Service Developer Guide</i> </i>. 10219 * </p> 10220 * </li> 10221 * <li> 10222 * <p> 10223 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 10224 * failure with many possible causes. To identify the cause, see the error message that accompanies the 10225 * exception. 10226 * </p> 10227 * </li></li> 10228 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 10229 * Can be used for catch all scenarios.</li> 10230 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 10231 * credentials, etc.</li> 10232 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.GetPublicKey
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKey" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<GetPublicKeyResponse> getPublicKey(Consumer<GetPublicKeyRequest.Builder> getPublicKeyRequest) {
        // Let the caller's lambda fill in a fresh builder, then delegate to the request-object
        // overload. The response carries KeySpec, KeyUsage and the algorithm lists; KMS cannot
        // enforce them once the public key is used outside KMS, so callers must check them.
        GetPublicKeyRequest builtRequest = GetPublicKeyRequest.builder().applyMutation(getPublicKeyRequest).build();
        return getPublicKey(builtRequest);
    }

    /**
     * <p>
     * Imports or reimports key material into an existing KMS key that was created without key material.
     * <code>ImportKeyMaterial</code> also sets the expiration model and expiration date of the imported key material.
     * </p>
     * <p>
     * By default, KMS keys are created with key material that KMS generates. This operation supports <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing key material</a>, an
     * advanced feature that lets you generate and import the cryptographic key material for a KMS key. For more
     * information about importing key material into KMS, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing key material</a> in
     * the <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * After you successfully import key material into a KMS key, you can <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material">reimport
     * the same key material</a> into that KMS key, but you cannot import different key material. You might reimport key
     * material to replace key material that expired or key material that you deleted.
You might also reimport key 10261 * material to change the expiration model or expiration date of the key material. Before reimporting key material, 10262 * if necessary, call <a>DeleteImportedKeyMaterial</a> to delete the current imported key material. 10263 * </p> 10264 * <p> 10265 * Each time you import key material into KMS, you can determine whether (<code>ExpirationModel</code>) and when ( 10266 * <code>ValidTo</code>) the key material expires. To change the expiration of your key material, you must import it 10267 * again, either by calling <code>ImportKeyMaterial</code> or using the <a href= 10268 * "kms/latest/developerguide/importing-keys-import-key-material.html#importing-keys-import-key-material-console" 10269 * >import features</a> of the KMS console. 10270 * </p> 10271 * <p> 10272 * Before calling <code>ImportKeyMaterial</code>: 10273 * </p> 10274 * <ul> 10275 * <li> 10276 * <p> 10277 * Create or identify a KMS key with no key material. The KMS key must have an <code>Origin</code> value of 10278 * <code>EXTERNAL</code>, which indicates that the KMS key is designed for imported key material. 10279 * </p> 10280 * <p> 10281 * To create an new KMS key for imported key material, call the <a>CreateKey</a> operation with an 10282 * <code>Origin</code> value of <code>EXTERNAL</code>. You can create a symmetric encryption KMS key, HMAC KMS key, 10283 * asymmetric encryption KMS key, or asymmetric signing KMS key. You can also import key material into a <a 10284 * href="kms/latest/developerguide/multi-region-keys-overview.html">multi-Region key</a> of any supported type. 10285 * However, you can't import key material into a KMS key in a <a 10286 * href="kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. 
10287 * </p> 10288 * </li> 10289 * <li> 10290 * <p> 10291 * Use the <a>DescribeKey</a> operation to verify that the <code>KeyState</code> of the KMS key is 10292 * <code>PendingImport</code>, which indicates that the KMS key has no key material. 10293 * </p> 10294 * <p> 10295 * If you are reimporting the same key material into an existing KMS key, you might need to call the 10296 * <a>DeleteImportedKeyMaterial</a> to delete its existing key material. 10297 * </p> 10298 * </li> 10299 * <li> 10300 * <p> 10301 * Call the <a>GetParametersForImport</a> operation to get a public key and import token set for importing key 10302 * material. 10303 * </p> 10304 * </li> 10305 * <li> 10306 * <p> 10307 * Use the public key in the <a>GetParametersForImport</a> response to encrypt your key material. 10308 * </p> 10309 * </li> 10310 * </ul> 10311 * <p> 10312 * Then, in an <code>ImportKeyMaterial</code> request, you submit your encrypted key material and import token. When 10313 * calling this operation, you must specify the following values: 10314 * </p> 10315 * <ul> 10316 * <li> 10317 * <p> 10318 * The key ID or key ARN of the KMS key to associate with the imported key material. Its <code>Origin</code> must be 10319 * <code>EXTERNAL</code> and its <code>KeyState</code> must be <code>PendingImport</code>. You cannot perform this 10320 * operation on a KMS key in a <a href="kms/latest/developerguide/custom-key-store-overview.html">custom key 10321 * store</a>, or on a KMS key in a different Amazon Web Services account. To get the <code>Origin</code> and 10322 * <code>KeyState</code> of a KMS key, call <a>DescribeKey</a>. 10323 * </p> 10324 * </li> 10325 * <li> 10326 * <p> 10327 * The encrypted key material. 10328 * </p> 10329 * </li> 10330 * <li> 10331 * <p> 10332 * The import token that <a>GetParametersForImport</a> returned. You must use a public key and token from the same 10333 * <code>GetParametersForImport</code> response. 
10334 * </p> 10335 * </li> 10336 * <li> 10337 * <p> 10338 * Whether the key material expires (<code>ExpirationModel</code>) and, if so, when (<code>ValidTo</code>). For help 10339 * with this choice, see <a href= 10340 * "https://docs.aws.amazon.com/en_us/kms/latest/developerguide/importing-keys.html#importing-keys-expiration" 10341 * >Setting an expiration time</a> in the <i>Key Management Service Developer Guide</i>. 10342 * </p> 10343 * <p> 10344 * If you set an expiration date, KMS deletes the key material from the KMS key on the specified date, making the 10345 * KMS key unusable. To use the KMS key in cryptographic operations again, you must reimport the same key material. 10346 * However, you can delete and reimport the key material at any time, including before the key material expires. 10347 * Each time you reimport, you can eliminate or reset the expiration time. 10348 * </p> 10349 * </li> 10350 * </ul> 10351 * <p> 10352 * When this operation is successful, the key state of the KMS key changes from <code>PendingImport</code> to 10353 * <code>Enabled</code>, and you can use the KMS key in cryptographic operations. 10354 * </p> 10355 * <p> 10356 * If this operation fails, use the exception to help determine the problem. If the error is related to the key 10357 * material, the import token, or wrapping key, use <a>GetParametersForImport</a> to get a new public key and import 10358 * token for the KMS key and repeat the import procedure. For help, see <a 10359 * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#importing-keys-overview">How To 10360 * Import Key Material</a> in the <i>Key Management Service Developer Guide</i>. 10361 * </p> 10362 * <p> 10363 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 10364 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 10365 * <i>Key Management Service Developer Guide</i>. 
10366 * </p> 10367 * <p> 10368 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 10369 * account. 10370 * </p> 10371 * <p> 10372 * <b>Required permissions</b>: <a 10373 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 10374 * >kms:ImportKeyMaterial</a> (key policy) 10375 * </p> 10376 * <p> 10377 * <b>Related operations:</b> 10378 * </p> 10379 * <ul> 10380 * <li> 10381 * <p> 10382 * <a>DeleteImportedKeyMaterial</a> 10383 * </p> 10384 * </li> 10385 * <li> 10386 * <p> 10387 * <a>GetParametersForImport</a> 10388 * </p> 10389 * </li> 10390 * </ul> 10391 * <p> 10392 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 10393 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 10394 * consistency</a>. 10395 * </p> 10396 * 10397 * @param importKeyMaterialRequest 10398 * @return A Java Future containing the result of the ImportKeyMaterial operation returned by the service.<br/> 10399 * The CompletableFuture returned by this method can be completed exceptionally with the following 10400 * exceptions. 10401 * <ul> 10402 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 10403 * not valid.</li> 10404 * <li>UnsupportedOperationException The request was rejected because a specified parameter is not supported 10405 * or a specified resource is not valid for this operation.</li> 10406 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 10407 * the request.</li> 10408 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 10409 * found.</li> 10410 * <li>KmsInternalException The request was rejected because an internal exception occurred. 
The request can
     *         be retried.</li>
     *         <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not
     *         valid for this request.</p>
     *         <p>
     *         This exception means one of the following:
     *         </p>
     *         <ul>
     *         <li>
     *         <p>
     *         The key state of the KMS key is not compatible with the operation.
     *         </p>
     *         <p>
     *         To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states
     *         are compatible with each KMS operation, see <a
     *         href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
     *         the <i>Key Management Service Developer Guide</i>.
     *         </p>
     *         </li>
     *         <li>
     *         <p>
     *         For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     *         failure with many possible causes. To identify the cause, see the error message that accompanies the
     *         exception.
     *         </p>
     *         </li>
     *         </ul>
     *         </li>
     *         <li>InvalidCiphertextException From the <a>Decrypt</a> or <a>ReEncrypt</a> operation, the request was
     *         rejected because the specified ciphertext, or additional authenticated data incorporated into the
     *         ciphertext, such as the encryption context, is corrupted, missing, or otherwise invalid.</p>
     *         <p>
     *         From the <a>ImportKeyMaterial</a> operation, the request was rejected because KMS could not decrypt the
     *         encrypted (wrapped) key material.</li>
     *         <li>IncorrectKeyMaterialException The request was rejected because the key material in the request is
     *         expired, invalid, or is not the same key material that was previously imported into this KMS key.</li>
     *         <li>ExpiredImportTokenException The request was rejected because the specified import token is expired.
Use <a>GetParametersForImport</a> to get a new import token and public key, use the new public key to
     *         encrypt the key material, and then try the request again.</li>
     *         <li>InvalidImportTokenException The request was rejected because the provided import token is invalid or
     *         is associated with a different KMS key.</li>
     *         <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     *         Can be used for catch all scenarios.</li>
     *         <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     *         credentials, etc.</li>
     *         <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.ImportKeyMaterial
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ImportKeyMaterial" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<ImportKeyMaterialResponse> importKeyMaterial(ImportKeyMaterialRequest importKeyMaterialRequest) {
        // This default body performs no import. The exception is thrown at the call site, not
        // delivered through the returned CompletableFuture, so failure handling attached only
        // to the future will not observe it.
        // NOTE(review): presumably the concrete client overrides this method — confirm.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Imports or reimports key material into an existing KMS key that was created without key material.
     * <code>ImportKeyMaterial</code> also sets the expiration model and expiration date of the imported key material.
     * </p>
     * <p>
     * By default, KMS keys are created with key material that KMS generates. This operation supports <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing key material</a>, an
     * advanced feature that lets you generate and import the cryptographic key material for a KMS key.
For more 10473 * information about importing key material into KMS, see <a 10474 * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing key material</a> in 10475 * the <i>Key Management Service Developer Guide</i>. 10476 * </p> 10477 * <p> 10478 * After you successfully import key material into a KMS key, you can <a 10479 * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material">reimport 10480 * the same key material</a> into that KMS key, but you cannot import different key material. You might reimport key 10481 * material to replace key material that expired or key material that you deleted. You might also reimport key 10482 * material to change the expiration model or expiration date of the key material. Before reimporting key material, 10483 * if necessary, call <a>DeleteImportedKeyMaterial</a> to delete the current imported key material. 10484 * </p> 10485 * <p> 10486 * Each time you import key material into KMS, you can determine whether (<code>ExpirationModel</code>) and when ( 10487 * <code>ValidTo</code>) the key material expires. To change the expiration of your key material, you must import it 10488 * again, either by calling <code>ImportKeyMaterial</code> or using the <a href= 10489 * "kms/latest/developerguide/importing-keys-import-key-material.html#importing-keys-import-key-material-console" 10490 * >import features</a> of the KMS console. 10491 * </p> 10492 * <p> 10493 * Before calling <code>ImportKeyMaterial</code>: 10494 * </p> 10495 * <ul> 10496 * <li> 10497 * <p> 10498 * Create or identify a KMS key with no key material. The KMS key must have an <code>Origin</code> value of 10499 * <code>EXTERNAL</code>, which indicates that the KMS key is designed for imported key material. 10500 * </p> 10501 * <p> 10502 * To create an new KMS key for imported key material, call the <a>CreateKey</a> operation with an 10503 * <code>Origin</code> value of <code>EXTERNAL</code>. 
You can create a symmetric encryption KMS key, HMAC KMS key, 10504 * asymmetric encryption KMS key, or asymmetric signing KMS key. You can also import key material into a <a 10505 * href="kms/latest/developerguide/multi-region-keys-overview.html">multi-Region key</a> of any supported type. 10506 * However, you can't import key material into a KMS key in a <a 10507 * href="kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. 10508 * </p> 10509 * </li> 10510 * <li> 10511 * <p> 10512 * Use the <a>DescribeKey</a> operation to verify that the <code>KeyState</code> of the KMS key is 10513 * <code>PendingImport</code>, which indicates that the KMS key has no key material. 10514 * </p> 10515 * <p> 10516 * If you are reimporting the same key material into an existing KMS key, you might need to call the 10517 * <a>DeleteImportedKeyMaterial</a> to delete its existing key material. 10518 * </p> 10519 * </li> 10520 * <li> 10521 * <p> 10522 * Call the <a>GetParametersForImport</a> operation to get a public key and import token set for importing key 10523 * material. 10524 * </p> 10525 * </li> 10526 * <li> 10527 * <p> 10528 * Use the public key in the <a>GetParametersForImport</a> response to encrypt your key material. 10529 * </p> 10530 * </li> 10531 * </ul> 10532 * <p> 10533 * Then, in an <code>ImportKeyMaterial</code> request, you submit your encrypted key material and import token. When 10534 * calling this operation, you must specify the following values: 10535 * </p> 10536 * <ul> 10537 * <li> 10538 * <p> 10539 * The key ID or key ARN of the KMS key to associate with the imported key material. Its <code>Origin</code> must be 10540 * <code>EXTERNAL</code> and its <code>KeyState</code> must be <code>PendingImport</code>. You cannot perform this 10541 * operation on a KMS key in a <a href="kms/latest/developerguide/custom-key-store-overview.html">custom key 10542 * store</a>, or on a KMS key in a different Amazon Web Services account. 
To get the <code>Origin</code> and 10543 * <code>KeyState</code> of a KMS key, call <a>DescribeKey</a>. 10544 * </p> 10545 * </li> 10546 * <li> 10547 * <p> 10548 * The encrypted key material. 10549 * </p> 10550 * </li> 10551 * <li> 10552 * <p> 10553 * The import token that <a>GetParametersForImport</a> returned. You must use a public key and token from the same 10554 * <code>GetParametersForImport</code> response. 10555 * </p> 10556 * </li> 10557 * <li> 10558 * <p> 10559 * Whether the key material expires (<code>ExpirationModel</code>) and, if so, when (<code>ValidTo</code>). For help 10560 * with this choice, see <a href= 10561 * "https://docs.aws.amazon.com/en_us/kms/latest/developerguide/importing-keys.html#importing-keys-expiration" 10562 * >Setting an expiration time</a> in the <i>Key Management Service Developer Guide</i>. 10563 * </p> 10564 * <p> 10565 * If you set an expiration date, KMS deletes the key material from the KMS key on the specified date, making the 10566 * KMS key unusable. To use the KMS key in cryptographic operations again, you must reimport the same key material. 10567 * However, you can delete and reimport the key material at any time, including before the key material expires. 10568 * Each time you reimport, you can eliminate or reset the expiration time. 10569 * </p> 10570 * </li> 10571 * </ul> 10572 * <p> 10573 * When this operation is successful, the key state of the KMS key changes from <code>PendingImport</code> to 10574 * <code>Enabled</code>, and you can use the KMS key in cryptographic operations. 10575 * </p> 10576 * <p> 10577 * If this operation fails, use the exception to help determine the problem. If the error is related to the key 10578 * material, the import token, or wrapping key, use <a>GetParametersForImport</a> to get a new public key and import 10579 * token for the KMS key and repeat the import procedure. 
For help, see <a 10580 * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#importing-keys-overview">How To 10581 * Import Key Material</a> in the <i>Key Management Service Developer Guide</i>. 10582 * </p> 10583 * <p> 10584 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 10585 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 10586 * <i>Key Management Service Developer Guide</i>. 10587 * </p> 10588 * <p> 10589 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 10590 * account. 10591 * </p> 10592 * <p> 10593 * <b>Required permissions</b>: <a 10594 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 10595 * >kms:ImportKeyMaterial</a> (key policy) 10596 * </p> 10597 * <p> 10598 * <b>Related operations:</b> 10599 * </p> 10600 * <ul> 10601 * <li> 10602 * <p> 10603 * <a>DeleteImportedKeyMaterial</a> 10604 * </p> 10605 * </li> 10606 * <li> 10607 * <p> 10608 * <a>GetParametersForImport</a> 10609 * </p> 10610 * </li> 10611 * </ul> 10612 * <p> 10613 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 10614 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 10615 * consistency</a>. 10616 * </p> 10617 * <br/> 10618 * <p> 10619 * This is a convenience which creates an instance of the {@link ImportKeyMaterialRequest.Builder} avoiding the need 10620 * to create one manually via {@link ImportKeyMaterialRequest#builder()} 10621 * </p> 10622 * 10623 * @param importKeyMaterialRequest 10624 * A {@link Consumer} that will call methods on 10625 * {@link software.amazon.awssdk.services.kms.model.ImportKeyMaterialRequest.Builder} to create a request. 
10626 * @return A Java Future containing the result of the ImportKeyMaterial operation returned by the service.<br/> 10627 * The CompletableFuture returned by this method can be completed exceptionally with the following 10628 * exceptions. 10629 * <ul> 10630 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 10631 * not valid.</li> 10632 * <li>UnsupportedOperationException The request was rejected because a specified parameter is not supported 10633 * or a specified resource is not valid for this operation.</li> 10634 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 10635 * the request.</li> 10636 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 10637 * found.</li> 10638 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 10639 * be retried.</li> 10640 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 10641 * valid for this request.</p> 10642 * <p> 10643 * This exceptions means one of the following: 10644 * </p> 10645 * <ul> 10646 * <li> 10647 * <p> 10648 * The key state of the KMS key is not compatible with the operation. 10649 * </p> 10650 * <p> 10651 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 10652 * are compatible with each KMS operation, see <a 10653 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 10654 * the <i> <i>Key Management Service Developer Guide</i> </i>. 10655 * </p> 10656 * </li> 10657 * <li> 10658 * <p> 10659 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 10660 * failure with many possible causes. To identify the cause, see the error message that accompanies the 10661 * exception. 
10662 * </p> 10663 * </li></li> 10664 * <li>InvalidCiphertextException From the <a>Decrypt</a> or <a>ReEncrypt</a> operation, the request was 10665 * rejected because the specified ciphertext, or additional authenticated data incorporated into the 10666 * ciphertext, such as the encryption context, is corrupted, missing, or otherwise invalid.</p> 10667 * <p> 10668 * From the <a>ImportKeyMaterial</a> operation, the request was rejected because KMS could not decrypt the 10669 * encrypted (wrapped) key material.</li> 10670 * <li>IncorrectKeyMaterialException The request was rejected because the key material in the request is, 10671 * expired, invalid, or is not the same key material that was previously imported into this KMS key.</li> 10672 * <li>ExpiredImportTokenException The request was rejected because the specified import token is expired. 10673 * Use <a>GetParametersForImport</a> to get a new import token and public key, use the new public key to 10674 * encrypt the key material, and then try the request again.</li> 10675 * <li>InvalidImportTokenException The request was rejected because the provided import token is invalid or 10676 * is associated with a different KMS key.</li> 10677 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 10678 * Can be used for catch all scenarios.</li> 10679 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 10680 * credentials, etc.</li> 10681 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.ImportKeyMaterial
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ImportKeyMaterial" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<ImportKeyMaterialResponse> importKeyMaterial(
            Consumer<ImportKeyMaterialRequest.Builder> importKeyMaterialRequest) {
        // The caller's lambda populates a fresh builder (key ID, wrapped key material, import
        // token, expiration settings); the finished request goes to the request-object overload.
        // Nothing is validated or logged in this method.
        ImportKeyMaterialRequest builtRequest =
                ImportKeyMaterialRequest.builder().applyMutation(importKeyMaterialRequest).build();
        return importKeyMaterial(builtRequest);
    }

    /**
     * <p>
     * Gets a list of aliases in the caller's Amazon Web Services account and region. For more information about
     * aliases, see <a>CreateAlias</a>.
     * </p>
     * <p>
     * By default, the <code>ListAliases</code> operation returns all aliases in the account and region. To get only the
     * aliases associated with a particular KMS key, use the <code>KeyId</code> parameter.
     * </p>
     * <p>
     * The <code>ListAliases</code> response can include aliases that you created and associated with your customer
     * managed keys, and aliases that Amazon Web Services created and associated with Amazon Web Services managed keys
     * in your account. You can recognize Amazon Web Services aliases because their names have the format
     * <code>aws/&lt;service-name&gt;</code>, such as <code>aws/dynamodb</code>.
     * </p>
     * <p>
     * The response might also include aliases that have no <code>TargetKeyId</code> field. These are predefined aliases
     * that Amazon Web Services has created but has not yet associated with a KMS key.
Aliases that Amazon Web Services
     * creates in your account, including predefined aliases, do not count against your <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html#aliases-limit">KMS aliases quota</a>.
     * </p>
     * <p>
     * <b>Cross-account use</b>: No. <code>ListAliases</code> does not return aliases in other Amazon Web Services
     * accounts.
     * </p>
     * <p>
     * <b>Required permissions</b>: <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html"
     * >kms:ListAliases</a> (IAM policy)
     * </p>
     * <p>
     * For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access">Controlling access to
     * aliases</a> in the <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * <b>Related operations:</b>
     * </p>
     * <ul>
     * <li>
     * <p>
     * <a>CreateAlias</a>
     * </p>
     * </li>
     * <li>
     * <p>
     * <a>DeleteAlias</a>
     * </p>
     * </li>
     * <li>
     * <p>
     * <a>UpdateAlias</a>
     * </p>
     * </li>
     * </ul>
     * <p>
     * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual
     * consistency</a>.
     * </p>
     *
     * @param listAliasesRequest
     * @return A Java Future containing the result of the ListAliases operation returned by the service.<br/>
     *         The CompletableFuture returned by this method can be completed exceptionally with the following
     *         exceptions.
     *         <ul>
     *         <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry
     *         the request.</li>
     *         <li>InvalidMarkerException The request was rejected because the marker that specifies where pagination
     *         should next begin is not valid.</li>
     *         <li>KmsInternalException The request was rejected because an internal exception occurred. The request can
     *         be retried.</li>
     *         <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is
     *         not valid.</li>
     *         <li>NotFoundException The request was rejected because the specified entity or resource could not be
     *         found.</li>
     *         <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     *         Can be used for catch all scenarios.</li>
     *         <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     *         credentials, etc.</li>
     *         <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @throws UnsupportedOperationException
     *         always, from this default body; it is thrown to the caller directly rather than through a returned
     *         future
     * @sample KmsAsyncClient.ListAliases
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListAliases" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<ListAliasesResponse> listAliases(ListAliasesRequest listAliasesRequest) {
        // The default body performs no call and returns no future: it fails synchronously.
        // NOTE(review): concrete clients presumably override this method; confirm against the implementation.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Gets a list of aliases in the caller's Amazon Web Services account and region. For more information about
     * aliases, see <a>CreateAlias</a>.
     * </p>
     * <p>
     * By default, the <code>ListAliases</code> operation returns all aliases in the account and region. To get only the
     * aliases associated with a particular KMS key, use the <code>KeyId</code> parameter.
* </p>
     * <p>
     * The <code>ListAliases</code> response can include aliases that you created and associated with your customer
     * managed keys, and aliases that Amazon Web Services created and associated with Amazon Web Services managed keys
     * in your account. You can recognize Amazon Web Services aliases because their names have the format
     * <code>aws/&lt;service-name&gt;</code>, such as <code>aws/dynamodb</code>.
     * </p>
     * <p>
     * The response might also include aliases that have no <code>TargetKeyId</code> field. These are predefined aliases
     * that Amazon Web Services has created but has not yet associated with a KMS key. Aliases that Amazon Web Services
     * creates in your account, including predefined aliases, do not count against your <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html#aliases-limit">KMS aliases quota</a>.
     * </p>
     * <p>
     * <b>Cross-account use</b>: No. <code>ListAliases</code> does not return aliases in other Amazon Web Services
     * accounts.
     * </p>
     * <p>
     * <b>Required permissions</b>: <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html"
     * >kms:ListAliases</a> (IAM policy)
     * </p>
     * <p>
     * For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access">Controlling access to
     * aliases</a> in the <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * <b>Related operations:</b>
     * </p>
     * <ul>
     * <li>
     * <p>
     * <a>CreateAlias</a>
     * </p>
     * </li>
     * <li>
     * <p>
     * <a>DeleteAlias</a>
     * </p>
     * </li>
     * <li>
     * <p>
     * <a>UpdateAlias</a>
     * </p>
     * </li>
     * </ul>
     * <p>
     * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual
     * consistency</a>.
     * </p>
     * <br/>
     * <p>
     * This is a convenience which creates an instance of the {@link ListAliasesRequest.Builder} avoiding the need to
     * create one manually via {@link ListAliasesRequest#builder()}
     * </p>
     *
     * @param listAliasesRequest
     *        A {@link Consumer} that will call methods on
     *        {@link software.amazon.awssdk.services.kms.model.ListAliasesRequest.Builder} to create a request.
     * @return A Java Future containing the result of the ListAliases operation returned by the service.<br/>
     *         The CompletableFuture returned by this method can be completed exceptionally with the following
     *         exceptions.
     *         <ul>
     *         <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry
     *         the request.</li>
     *         <li>InvalidMarkerException The request was rejected because the marker that specifies where pagination
     *         should next begin is not valid.</li>
     *         <li>KmsInternalException The request was rejected because an internal exception occurred. The request can
     *         be retried.</li>
     *         <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is
     *         not valid.</li>
     *         <li>NotFoundException The request was rejected because the specified entity or resource could not be
     *         found.</li>
     *         <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     *         Can be used for catch all scenarios.</li>
     *         <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     *         credentials, etc.</li>
     *         <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.ListAliases
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListAliases" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<ListAliasesResponse> listAliases(Consumer<ListAliasesRequest.Builder> listAliasesRequest) {
        // Let the caller's mutator fill a fresh builder, then delegate with the built request object.
        ListAliasesRequest builtRequest = ListAliasesRequest.builder().applyMutation(listAliasesRequest).build();
        return listAliases(builtRequest);
    }

    /**
     * <p>
     * Gets a list of aliases in the caller's Amazon Web Services account and region. For more information about
     * aliases, see <a>CreateAlias</a>.
     * </p>
     * <p>
     * By default, the <code>ListAliases</code> operation returns all aliases in the account and region. To get only the
     * aliases associated with a particular KMS key, use the <code>KeyId</code> parameter.
     * </p>
     * <p>
     * The <code>ListAliases</code> response can include aliases that you created and associated with your customer
     * managed keys, and aliases that Amazon Web Services created and associated with Amazon Web Services managed keys
     * in your account. You can recognize Amazon Web Services aliases because their names have the format
     * <code>aws/&lt;service-name&gt;</code>, such as <code>aws/dynamodb</code>.
     * </p>
     * <p>
     * The response might also include aliases that have no <code>TargetKeyId</code> field. These are predefined aliases
     * that Amazon Web Services has created but has not yet associated with a KMS key. Aliases that Amazon Web Services
     * creates in your account, including predefined aliases, do not count against your <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html#aliases-limit">KMS aliases quota</a>.
     * </p>
     * <p>
     * <b>Cross-account use</b>: No.
<code>ListAliases</code> does not return aliases in other Amazon Web Services
     * accounts.
     * </p>
     * <p>
     * <b>Required permissions</b>: <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html"
     * >kms:ListAliases</a> (IAM policy)
     * </p>
     * <p>
     * For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access">Controlling access to
     * aliases</a> in the <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * <b>Related operations:</b>
     * </p>
     * <ul>
     * <li>
     * <p>
     * <a>CreateAlias</a>
     * </p>
     * </li>
     * <li>
     * <p>
     * <a>DeleteAlias</a>
     * </p>
     * </li>
     * <li>
     * <p>
     * <a>UpdateAlias</a>
     * </p>
     * </li>
     * </ul>
     * <p>
     * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual
     * consistency</a>.
     * </p>
     *
     * @return A Java Future containing the result of the ListAliases operation returned by the service.<br/>
     *         The CompletableFuture returned by this method can be completed exceptionally with the following
     *         exceptions.
     *         <ul>
     *         <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry
     *         the request.</li>
     *         <li>InvalidMarkerException The request was rejected because the marker that specifies where pagination
     *         should next begin is not valid.</li>
     *         <li>KmsInternalException The request was rejected because an internal exception occurred. The request can
     *         be retried.</li>
     *         <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is
     *         not valid.</li>
     *         <li>NotFoundException The request was rejected because the specified entity or resource could not be
     *         found.</li>
     *         <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     *         Can be used for catch all scenarios.</li>
     *         <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     *         credentials, etc.</li>
     *         <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.ListAliases
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListAliases" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<ListAliasesResponse> listAliases() {
        // No filter is set on the builder, so the request carries no KeyId.
        ListAliasesRequest unfilteredRequest = ListAliasesRequest.builder().build();
        return listAliases(unfilteredRequest);
    }

    /**
     * <p>
     * This is a variant of {@link #listAliases(software.amazon.awssdk.services.kms.model.ListAliasesRequest)}
     * operation. The return type is a custom publisher that can be subscribed to request a stream of response pages.
     * SDK will internally handle making service calls for you.
     * </p>
     * <p>
     * When the operation is called, an instance of this class is returned. At this point, no service calls are made yet
     * and so there is no guarantee that the request is valid. If there are errors in your request, you will see the
     * failures only after you start streaming the data. The subscribe method should be called as a request to start
     * streaming data. For more info, see
     * {@link org.reactivestreams.Publisher#subscribe(org.reactivestreams.Subscriber)}.
Each call to the subscribe
     * method will result in a new {@link org.reactivestreams.Subscription} i.e., a new contract to stream data from the
     * starting request.
     * </p>
     *
     * <p>
     * The following are a few ways to use the response class:
     * </p>
     * 1) Using the subscribe helper method
     *
     * <pre>
     * {@code
     * software.amazon.awssdk.services.kms.paginators.ListAliasesPublisher publisher = client.listAliasesPaginator(request);
     * CompletableFuture<Void> future = publisher.subscribe(res -> { // Do something with the response });
     * future.get();
     * }
     * </pre>
     *
     * 2) Using a custom subscriber
     *
     * <pre>
     * {@code
     * software.amazon.awssdk.services.kms.paginators.ListAliasesPublisher publisher = client.listAliasesPaginator(request);
     * publisher.subscribe(new Subscriber<software.amazon.awssdk.services.kms.model.ListAliasesResponse>() {
     *
     * public void onSubscribe(org.reactivestreams.Subscription subscription) { //... };
     *
     *
     * public void onNext(software.amazon.awssdk.services.kms.model.ListAliasesResponse response) { //... };
     * });}
     * </pre>
     *
     * As the response is a publisher, it can work well with third party reactive streams implementations like RxJava2.
     * <p>
     * <b>Please notice that the configuration of Limit won't limit the number of results you get with the paginator. It
     * only limits the number of results in each page.</b>
     * </p>
     * <p>
     * <b>Note: If you prefer to have control on service calls, use the
     * {@link #listAliases(software.amazon.awssdk.services.kms.model.ListAliasesRequest)} operation.</b>
     * </p>
     *
     * @return A custom publisher that can be subscribed to request a stream of response pages.<br/>
     *         This method returns a publisher, not a CompletableFuture; as noted above, failures are seen only after
     *         streaming starts. The following exceptions can occur.
     *         <ul>
     *         <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry
     *         the request.</li>
     *         <li>InvalidMarkerException The request was rejected because the marker that specifies where pagination
     *         should next begin is not valid.</li>
     *         <li>KmsInternalException The request was rejected because an internal exception occurred. The request can
     *         be retried.</li>
     *         <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is
     *         not valid.</li>
     *         <li>NotFoundException The request was rejected because the specified entity or resource could not be
     *         found.</li>
     *         <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     *         Can be used for catch all scenarios.</li>
     *         <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     *         credentials, etc.</li>
     *         <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.ListAliases
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListAliases" target="_top">AWS API
     *      Documentation</a>
     */
    default ListAliasesPublisher listAliasesPaginator() {
        // No filter is set on the builder; the paginator starts from this unfiltered request.
        ListAliasesRequest unfilteredRequest = ListAliasesRequest.builder().build();
        return listAliasesPaginator(unfilteredRequest);
    }

    /**
     * <p>
     * This is a variant of {@link #listAliases(software.amazon.awssdk.services.kms.model.ListAliasesRequest)}
     * operation. The return type is a custom publisher that can be subscribed to request a stream of response pages.
     * SDK will internally handle making service calls for you.
     * </p>
     * <p>
     * When the operation is called, an instance of this class is returned.
At this point, no service calls are made yet
     * and so there is no guarantee that the request is valid. If there are errors in your request, you will see the
     * failures only after you start streaming the data. The subscribe method should be called as a request to start
     * streaming data. For more info, see
     * {@link org.reactivestreams.Publisher#subscribe(org.reactivestreams.Subscriber)}. Each call to the subscribe
     * method will result in a new {@link org.reactivestreams.Subscription} i.e., a new contract to stream data from the
     * starting request.
     * </p>
     *
     * <p>
     * The following are a few ways to use the response class:
     * </p>
     * 1) Using the subscribe helper method
     *
     * <pre>
     * {@code
     * software.amazon.awssdk.services.kms.paginators.ListAliasesPublisher publisher = client.listAliasesPaginator(request);
     * CompletableFuture<Void> future = publisher.subscribe(res -> { // Do something with the response });
     * future.get();
     * }
     * </pre>
     *
     * 2) Using a custom subscriber
     *
     * <pre>
     * {@code
     * software.amazon.awssdk.services.kms.paginators.ListAliasesPublisher publisher = client.listAliasesPaginator(request);
     * publisher.subscribe(new Subscriber<software.amazon.awssdk.services.kms.model.ListAliasesResponse>() {
     *
     * public void onSubscribe(org.reactivestreams.Subscription subscription) { //... };
     *
     *
     * public void onNext(software.amazon.awssdk.services.kms.model.ListAliasesResponse response) { //... };
     * });}
     * </pre>
     *
     * As the response is a publisher, it can work well with third party reactive streams implementations like RxJava2.
     * <p>
     * <b>Please notice that the configuration of Limit won't limit the number of results you get with the paginator. It
     * only limits the number of results in each page.</b>
     * </p>
     * <p>
     * <b>Note: If you prefer to have control on service calls, use the
     * {@link #listAliases(software.amazon.awssdk.services.kms.model.ListAliasesRequest)} operation.</b>
     * </p>
     *
     * @param listAliasesRequest
     * @return A custom publisher that can be subscribed to request a stream of response pages.<br/>
     *         This method returns a publisher, not a CompletableFuture; as noted above, failures are seen only after
     *         streaming starts. The following exceptions can occur.
     *         <ul>
     *         <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry
     *         the request.</li>
     *         <li>InvalidMarkerException The request was rejected because the marker that specifies where pagination
     *         should next begin is not valid.</li>
     *         <li>KmsInternalException The request was rejected because an internal exception occurred. The request can
     *         be retried.</li>
     *         <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is
     *         not valid.</li>
     *         <li>NotFoundException The request was rejected because the specified entity or resource could not be
     *         found.</li>
     *         <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     *         Can be used for catch all scenarios.</li>
     *         <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     *         credentials, etc.</li>
     *         <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.ListAliases
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListAliases" target="_top">AWS API
     *      Documentation</a>
     */
    default ListAliasesPublisher listAliasesPaginator(ListAliasesRequest listAliasesRequest) {
        // The publisher is handed this client and the starting request; nothing else happens in this method.
        ListAliasesPublisher pagePublisher = new ListAliasesPublisher(this, listAliasesRequest);
        return pagePublisher;
    }

    /**
     * <p>
     * This is a variant of {@link #listAliases(software.amazon.awssdk.services.kms.model.ListAliasesRequest)}
     * operation. The return type is a custom publisher that can be subscribed to request a stream of response pages.
     * SDK will internally handle making service calls for you.
     * </p>
     * <p>
     * When the operation is called, an instance of this class is returned. At this point, no service calls are made yet
     * and so there is no guarantee that the request is valid. If there are errors in your request, you will see the
     * failures only after you start streaming the data. The subscribe method should be called as a request to start
     * streaming data. For more info, see
     * {@link org.reactivestreams.Publisher#subscribe(org.reactivestreams.Subscriber)}. Each call to the subscribe
     * method will result in a new {@link org.reactivestreams.Subscription} i.e., a new contract to stream data from the
     * starting request.
* </p>
     *
     * <p>
     * The following are a few ways to use the response class:
     * </p>
     * 1) Using the subscribe helper method
     *
     * <pre>
     * {@code
     * software.amazon.awssdk.services.kms.paginators.ListAliasesPublisher publisher = client.listAliasesPaginator(request);
     * CompletableFuture<Void> future = publisher.subscribe(res -> { // Do something with the response });
     * future.get();
     * }
     * </pre>
     *
     * 2) Using a custom subscriber
     *
     * <pre>
     * {@code
     * software.amazon.awssdk.services.kms.paginators.ListAliasesPublisher publisher = client.listAliasesPaginator(request);
     * publisher.subscribe(new Subscriber<software.amazon.awssdk.services.kms.model.ListAliasesResponse>() {
     *
     * public void onSubscribe(org.reactivestreams.Subscription subscription) { //... };
     *
     *
     * public void onNext(software.amazon.awssdk.services.kms.model.ListAliasesResponse response) { //... };
     * });}
     * </pre>
     *
     * As the response is a publisher, it can work well with third party reactive streams implementations like RxJava2.
     * <p>
     * <b>Please notice that the configuration of Limit won't limit the number of results you get with the paginator. It
     * only limits the number of results in each page.</b>
     * </p>
     * <p>
     * <b>Note: If you prefer to have control on service calls, use the
     * {@link #listAliases(software.amazon.awssdk.services.kms.model.ListAliasesRequest)} operation.</b>
     * </p>
     * <br/>
     * <p>
     * This is a convenience which creates an instance of the {@link ListAliasesRequest.Builder} avoiding the need to
     * create one manually via {@link ListAliasesRequest#builder()}
     * </p>
     *
     * @param listAliasesRequest
     *        A {@link Consumer} that will call methods on
     *        {@link software.amazon.awssdk.services.kms.model.ListAliasesRequest.Builder} to create a request.
     * @return A custom publisher that can be subscribed to request a stream of response pages.<br/>
     *         This method returns a publisher, not a CompletableFuture; as noted above, failures are seen only after
     *         streaming starts. The following exceptions can occur.
     *         <ul>
     *         <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry
     *         the request.</li>
     *         <li>InvalidMarkerException The request was rejected because the marker that specifies where pagination
     *         should next begin is not valid.</li>
     *         <li>KmsInternalException The request was rejected because an internal exception occurred. The request can
     *         be retried.</li>
     *         <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is
     *         not valid.</li>
     *         <li>NotFoundException The request was rejected because the specified entity or resource could not be
     *         found.</li>
     *         <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     *         Can be used for catch all scenarios.</li>
     *         <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     *         credentials, etc.</li>
     *         <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.ListAliases
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListAliases" target="_top">AWS API
     *      Documentation</a>
     */
    default ListAliasesPublisher listAliasesPaginator(Consumer<ListAliasesRequest.Builder> listAliasesRequest) {
        // Let the caller's mutator fill a fresh builder, then delegate with the built request object.
        ListAliasesRequest builtRequest = ListAliasesRequest.builder().applyMutation(listAliasesRequest).build();
        return listAliasesPaginator(builtRequest);
    }

    /**
     * <p>
     * Gets a list of all grants for the specified KMS key.
     * </p>
     * <p>
     * You must specify the KMS key in all requests. You can filter the grant list by grant ID or grantee principal.
     * </p>
     * <p>
     * For detailed information about grants, including grant terminology, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html">Grants in KMS</a> in the <i> <i>Key
     * Management Service Developer Guide</i> </i>. For examples of working with grants in several programming
     * languages, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html">Programming grants</a>.
     * </p>
     * <note>
     * <p>
     * The <code>GranteePrincipal</code> field in the <code>ListGrants</code> response usually contains the user or role
     * designated as the grantee principal in the grant.
However, when the grantee principal in the grant is an Amazon
     * Web Services service, the <code>GranteePrincipal</code> field contains the <a href=
     * "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services"
     * >service principal</a>, which might represent several different grantee principals.
     * </p>
     * </note>
     * <p>
     * <b>Cross-account use</b>: Yes. To perform this operation on a KMS key in a different Amazon Web Services account,
     * specify the key ARN in the value of the <code>KeyId</code> parameter.
     * </p>
     * <p>
     * <b>Required permissions</b>: <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html"
     * >kms:ListGrants</a> (key policy)
     * </p>
     * <p>
     * <b>Related operations:</b>
     * </p>
     * <ul>
     * <li>
     * <p>
     * <a>CreateGrant</a>
     * </p>
     * </li>
     * <li>
     * <p>
     * <a>ListRetirableGrants</a>
     * </p>
     * </li>
     * <li>
     * <p>
     * <a>RetireGrant</a>
     * </p>
     * </li>
     * <li>
     * <p>
     * <a>RevokeGrant</a>
     * </p>
     * </li>
     * </ul>
     * <p>
     * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual
     * consistency</a>.
     * </p>
     *
     * @param listGrantsRequest
     * @return A Java Future containing the result of the ListGrants operation returned by the service.<br/>
     *         The CompletableFuture returned by this method can be completed exceptionally with the following
     *         exceptions.
     *         <ul>
     *         <li>NotFoundException The request was rejected because the specified entity or resource could not be
     *         found.</li>
     *         <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry
     *         the request.</li>
     *         <li>InvalidMarkerException The request was rejected because the marker that specifies where pagination
     *         should next begin is not valid.</li>
     *         <li>InvalidGrantIdException The request was rejected because the specified <code>GrantId</code> is not
     *         valid.</li>
     *         <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is
     *         not valid.</li>
     *         <li>KmsInternalException The request was rejected because an internal exception occurred. The request can
     *         be retried.</li>
     *         <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not
     *         valid for this request.
     *         <p>
     *         This exception means one of the following:
     *         </p>
     *         <ul>
     *         <li>
     *         <p>
     *         The key state of the KMS key is not compatible with the operation.
     *         </p>
     *         <p>
     *         To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states
     *         are compatible with each KMS operation, see <a
     *         href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
     *         the <i> <i>Key Management Service Developer Guide</i> </i>.
     *         </p>
     *         </li>
     *         <li>
     *         <p>
     *         For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     *         failure with many possible causes. To identify the cause, see the error message that accompanies the
     *         exception.
     *         </p>
     *         </li>
     *         </ul>
     *         </li>
     *         <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     *         Can be used for catch all scenarios.</li>
     *         <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     *         credentials, etc.</li>
     *         <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @throws UnsupportedOperationException
     *         always, from this default body; it is thrown to the caller directly rather than through a returned
     *         future
     * @sample KmsAsyncClient.ListGrants
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListGrants" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<ListGrantsResponse> listGrants(ListGrantsRequest listGrantsRequest) {
        // The default body performs no call and returns no future: it fails synchronously.
        // NOTE(review): concrete clients presumably override this method; confirm against the implementation.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Gets a list of all grants for the specified KMS key.
     * </p>
     * <p>
     * You must specify the KMS key in all requests. You can filter the grant list by grant ID or grantee principal.
     * </p>
     * <p>
     * For detailed information about grants, including grant terminology, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html">Grants in KMS</a> in the <i> <i>Key
     * Management Service Developer Guide</i> </i>. For examples of working with grants in several programming
     * languages, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html">Programming grants</a>.
     * </p>
     * <note>
     * <p>
     * The <code>GranteePrincipal</code> field in the <code>ListGrants</code> response usually contains the user or role
     * designated as the grantee principal in the grant.
However, when the grantee principal in the grant is an Amazon 11364 * Web Services service, the <code>GranteePrincipal</code> field contains the <a href= 11365 * "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services" 11366 * >service principal</a>, which might represent several different grantee principals. 11367 * </p> 11368 * </note> 11369 * <p> 11370 * <b>Cross-account use</b>: Yes. To perform this operation on a KMS key in a different Amazon Web Services account, 11371 * specify the key ARN in the value of the <code>KeyId</code> parameter. 11372 * </p> 11373 * <p> 11374 * <b>Required permissions</b>: <a 11375 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 11376 * >kms:ListGrants</a> (key policy) 11377 * </p> 11378 * <p> 11379 * <b>Related operations:</b> 11380 * </p> 11381 * <ul> 11382 * <li> 11383 * <p> 11384 * <a>CreateGrant</a> 11385 * </p> 11386 * </li> 11387 * <li> 11388 * <p> 11389 * <a>ListRetirableGrants</a> 11390 * </p> 11391 * </li> 11392 * <li> 11393 * <p> 11394 * <a>RetireGrant</a> 11395 * </p> 11396 * </li> 11397 * <li> 11398 * <p> 11399 * <a>RevokeGrant</a> 11400 * </p> 11401 * </li> 11402 * </ul> 11403 * <p> 11404 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 11405 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 11406 * consistency</a>. 11407 * </p> 11408 * <br/> 11409 * <p> 11410 * This is a convenience which creates an instance of the {@link ListGrantsRequest.Builder} avoiding the need to 11411 * create one manually via {@link ListGrantsRequest#builder()} 11412 * </p> 11413 * 11414 * @param listGrantsRequest 11415 * A {@link Consumer} that will call methods on 11416 * {@link software.amazon.awssdk.services.kms.model.ListGrantsRequest.Builder} to create a request. 
11417 * @return A Java Future containing the result of the ListGrants operation returned by the service.<br/> 11418 * The CompletableFuture returned by this method can be completed exceptionally with the following 11419 * exceptions. 11420 * <ul> 11421 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 11422 * found.</li> 11423 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 11424 * the request.</li> 11425 * <li>InvalidMarkerException The request was rejected because the marker that specifies where pagination 11426 * should next begin is not valid.</li> 11427 * <li>InvalidGrantIdException The request was rejected because the specified <code>GrantId</code> is not 11428 * valid.</li> 11429 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 11430 * not valid.</li> 11431 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 11432 * be retried.</li> 11433 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 11434 * valid for this request.</p> 11435 * <p> 11436 * This exceptions means one of the following: 11437 * </p> 11438 * <ul> 11439 * <li> 11440 * <p> 11441 * The key state of the KMS key is not compatible with the operation. 11442 * </p> 11443 * <p> 11444 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 11445 * are compatible with each KMS operation, see <a 11446 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 11447 * the <i> <i>Key Management Service Developer Guide</i> </i>. 11448 * </p> 11449 * </li> 11450 * <li> 11451 * <p> 11452 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 11453 * failure with many possible causes. 
To identify the cause, see the error message that accompanies the
     * exception.
     * </p>
     * </li></li>
     * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     * Can be used for catch all scenarios.</li>
     * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     * credentials, etc.</li>
     * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.ListGrants
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListGrants" target="_top">AWS API
     * Documentation</a>
     */
    default CompletableFuture<ListGrantsResponse> listGrants(Consumer<ListGrantsRequest.Builder> listGrantsRequest) {
        // Let the caller's lambda populate a fresh builder, then delegate to the request-object overload.
        // ListGrants is paginated (see InvalidMarkerException in the Javadoc), so a single call may return
        // only part of a key's grants. When reviewing who holds grants on a key, prefer listGrantsPaginator
        // or keep following the pagination marker so that no grant is missed.
        ListGrantsRequest builtRequest = ListGrantsRequest.builder().applyMutation(listGrantsRequest).build();
        return listGrants(builtRequest);
    }

    /**
     * <p>
     * This is a variant of {@link #listGrants(software.amazon.awssdk.services.kms.model.ListGrantsRequest)} operation.
     * The return type is a custom publisher that can be subscribed to request a stream of response pages. SDK will
     * internally handle making service calls for you.
     * </p>
     * <p>
     * When the operation is called, an instance of this class is returned. At this point, no service calls are made yet
     * and so there is no guarantee that the request is valid. If there are errors in your request, you will see the
     * failures only after you start streaming the data. The subscribe method should be called as a request to start
     * streaming data. For more info, see
     * {@link org.reactivestreams.Publisher#subscribe(org.reactivestreams.Subscriber)}.
Each call to the subscribe 11484 * method will result in a new {@link org.reactivestreams.Subscription} i.e., a new contract to stream data from the 11485 * starting request. 11486 * </p> 11487 * 11488 * <p> 11489 * The following are few ways to use the response class: 11490 * </p> 11491 * 1) Using the subscribe helper method 11492 * 11493 * <pre> 11494 * {@code 11495 * software.amazon.awssdk.services.kms.paginators.ListGrantsPublisher publisher = client.listGrantsPaginator(request); 11496 * CompletableFuture<Void> future = publisher.subscribe(res -> { // Do something with the response }); 11497 * future.get(); 11498 * } 11499 * </pre> 11500 * 11501 * 2) Using a custom subscriber 11502 * 11503 * <pre> 11504 * {@code 11505 * software.amazon.awssdk.services.kms.paginators.ListGrantsPublisher publisher = client.listGrantsPaginator(request); 11506 * publisher.subscribe(new Subscriber<software.amazon.awssdk.services.kms.model.ListGrantsResponse>() { 11507 * 11508 * public void onSubscribe(org.reactivestreams.Subscriber subscription) { //... }; 11509 * 11510 * 11511 * public void onNext(software.amazon.awssdk.services.kms.model.ListGrantsResponse response) { //... }; 11512 * });} 11513 * </pre> 11514 * 11515 * As the response is a publisher, it can work well with third party reactive streams implementations like RxJava2. 11516 * <p> 11517 * <b>Please notice that the configuration of Limit won't limit the number of results you get with the paginator. 
It 11518 * only limits the number of results in each page.</b> 11519 * </p> 11520 * <p> 11521 * <b>Note: If you prefer to have control on service calls, use the 11522 * {@link #listGrants(software.amazon.awssdk.services.kms.model.ListGrantsRequest)} operation.</b> 11523 * </p> 11524 * 11525 * @param listGrantsRequest 11526 * @return A custom publisher that can be subscribed to request a stream of response pages.<br/> 11527 * The CompletableFuture returned by this method can be completed exceptionally with the following 11528 * exceptions. 11529 * <ul> 11530 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 11531 * found.</li> 11532 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 11533 * the request.</li> 11534 * <li>InvalidMarkerException The request was rejected because the marker that specifies where pagination 11535 * should next begin is not valid.</li> 11536 * <li>InvalidGrantIdException The request was rejected because the specified <code>GrantId</code> is not 11537 * valid.</li> 11538 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 11539 * not valid.</li> 11540 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 11541 * be retried.</li> 11542 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 11543 * valid for this request.</p> 11544 * <p> 11545 * This exceptions means one of the following: 11546 * </p> 11547 * <ul> 11548 * <li> 11549 * <p> 11550 * The key state of the KMS key is not compatible with the operation. 11551 * </p> 11552 * <p> 11553 * To find the key state, use the <a>DescribeKey</a> operation. 
For more information about which key states
     * are compatible with each KMS operation, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
     * the <i> <i>Key Management Service Developer Guide</i> </i>.
     * </p>
     * </li>
     * <li>
     * <p>
     * For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     * failure with many possible causes. To identify the cause, see the error message that accompanies the
     * exception.
     * </p>
     * </li></li>
     * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     * Can be used for catch all scenarios.</li>
     * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     * credentials, etc.</li>
     * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.ListGrants
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListGrants" target="_top">AWS API
     * Documentation</a>
     */
    default ListGrantsPublisher listGrantsPaginator(ListGrantsRequest listGrantsRequest) {
        // Only wraps this client and the request. Per the Javadoc, no service call is made until a
        // subscriber starts streaming pages, so an invalid request fails at subscription time, not here.
        ListGrantsPublisher pagePublisher = new ListGrantsPublisher(this, listGrantsRequest);
        return pagePublisher;
    }

    /**
     * <p>
     * This is a variant of {@link #listGrants(software.amazon.awssdk.services.kms.model.ListGrantsRequest)} operation.
     * The return type is a custom publisher that can be subscribed to request a stream of response pages. SDK will
     * internally handle making service calls for you.
     * </p>
     * <p>
     * When the operation is called, an instance of this class is returned. At this point, no service calls are made yet
     * and so there is no guarantee that the request is valid.
If there are errors in your request, you will see the 11590 * failures only after you start streaming the data. The subscribe method should be called as a request to start 11591 * streaming data. For more info, see 11592 * {@link org.reactivestreams.Publisher#subscribe(org.reactivestreams.Subscriber)}. Each call to the subscribe 11593 * method will result in a new {@link org.reactivestreams.Subscription} i.e., a new contract to stream data from the 11594 * starting request. 11595 * </p> 11596 * 11597 * <p> 11598 * The following are few ways to use the response class: 11599 * </p> 11600 * 1) Using the subscribe helper method 11601 * 11602 * <pre> 11603 * {@code 11604 * software.amazon.awssdk.services.kms.paginators.ListGrantsPublisher publisher = client.listGrantsPaginator(request); 11605 * CompletableFuture<Void> future = publisher.subscribe(res -> { // Do something with the response }); 11606 * future.get(); 11607 * } 11608 * </pre> 11609 * 11610 * 2) Using a custom subscriber 11611 * 11612 * <pre> 11613 * {@code 11614 * software.amazon.awssdk.services.kms.paginators.ListGrantsPublisher publisher = client.listGrantsPaginator(request); 11615 * publisher.subscribe(new Subscriber<software.amazon.awssdk.services.kms.model.ListGrantsResponse>() { 11616 * 11617 * public void onSubscribe(org.reactivestreams.Subscriber subscription) { //... }; 11618 * 11619 * 11620 * public void onNext(software.amazon.awssdk.services.kms.model.ListGrantsResponse response) { //... }; 11621 * });} 11622 * </pre> 11623 * 11624 * As the response is a publisher, it can work well with third party reactive streams implementations like RxJava2. 11625 * <p> 11626 * <b>Please notice that the configuration of Limit won't limit the number of results you get with the paginator. 
It 11627 * only limits the number of results in each page.</b> 11628 * </p> 11629 * <p> 11630 * <b>Note: If you prefer to have control on service calls, use the 11631 * {@link #listGrants(software.amazon.awssdk.services.kms.model.ListGrantsRequest)} operation.</b> 11632 * </p> 11633 * <br/> 11634 * <p> 11635 * This is a convenience which creates an instance of the {@link ListGrantsRequest.Builder} avoiding the need to 11636 * create one manually via {@link ListGrantsRequest#builder()} 11637 * </p> 11638 * 11639 * @param listGrantsRequest 11640 * A {@link Consumer} that will call methods on 11641 * {@link software.amazon.awssdk.services.kms.model.ListGrantsRequest.Builder} to create a request. 11642 * @return A custom publisher that can be subscribed to request a stream of response pages.<br/> 11643 * The CompletableFuture returned by this method can be completed exceptionally with the following 11644 * exceptions. 11645 * <ul> 11646 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 11647 * found.</li> 11648 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 11649 * the request.</li> 11650 * <li>InvalidMarkerException The request was rejected because the marker that specifies where pagination 11651 * should next begin is not valid.</li> 11652 * <li>InvalidGrantIdException The request was rejected because the specified <code>GrantId</code> is not 11653 * valid.</li> 11654 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 11655 * not valid.</li> 11656 * <li>KmsInternalException The request was rejected because an internal exception occurred. 
The request can 11657 * be retried.</li> 11658 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 11659 * valid for this request.</p> 11660 * <p> 11661 * This exceptions means one of the following: 11662 * </p> 11663 * <ul> 11664 * <li> 11665 * <p> 11666 * The key state of the KMS key is not compatible with the operation. 11667 * </p> 11668 * <p> 11669 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 11670 * are compatible with each KMS operation, see <a 11671 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 11672 * the <i> <i>Key Management Service Developer Guide</i> </i>. 11673 * </p> 11674 * </li> 11675 * <li> 11676 * <p> 11677 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 11678 * failure with many possible causes. To identify the cause, see the error message that accompanies the 11679 * exception. 11680 * </p> 11681 * </li></li> 11682 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 11683 * Can be used for catch all scenarios.</li> 11684 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 11685 * credentials, etc.</li> 11686 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.ListGrants
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListGrants" target="_top">AWS API
     * Documentation</a>
     */
    default ListGrantsPublisher listGrantsPaginator(Consumer<ListGrantsRequest.Builder> listGrantsRequest) {
        // Let the caller's lambda populate a fresh builder, then delegate to the request-object overload,
        // which returns the publisher without calling the service.
        ListGrantsRequest builtRequest = ListGrantsRequest.builder().applyMutation(listGrantsRequest).build();
        return listGrantsPaginator(builtRequest);
    }

    /**
     * <p>
     * Gets the names of the key policies that are attached to a KMS key. This operation is designed to get policy names
     * that you can use in a <a>GetKeyPolicy</a> operation. However, the only valid policy name is <code>default</code>.
     * </p>
     * <p>
     * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
     * account.
     * </p>
     * <p>
     * <b>Required permissions</b>: <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html"
     * >kms:ListKeyPolicies</a> (key policy)
     * </p>
     * <p>
     * <b>Related operations:</b>
     * </p>
     * <ul>
     * <li>
     * <p>
     * <a>GetKeyPolicy</a>
     * </p>
     * </li>
     * <li>
     * <p>
     * <a href="https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html">PutKeyPolicy</a>
     * </p>
     * </li>
     * </ul>
     * <p>
     * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual
     * consistency</a>.
11730 * </p> 11731 * 11732 * @param listKeyPoliciesRequest 11733 * @return A Java Future containing the result of the ListKeyPolicies operation returned by the service.<br/> 11734 * The CompletableFuture returned by this method can be completed exceptionally with the following 11735 * exceptions. 11736 * <ul> 11737 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 11738 * found.</li> 11739 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 11740 * not valid.</li> 11741 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 11742 * the request.</li> 11743 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 11744 * be retried.</li> 11745 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 11746 * valid for this request.</p> 11747 * <p> 11748 * This exceptions means one of the following: 11749 * </p> 11750 * <ul> 11751 * <li> 11752 * <p> 11753 * The key state of the KMS key is not compatible with the operation. 11754 * </p> 11755 * <p> 11756 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 11757 * are compatible with each KMS operation, see <a 11758 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 11759 * the <i> <i>Key Management Service Developer Guide</i> </i>. 11760 * </p> 11761 * </li> 11762 * <li> 11763 * <p> 11764 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 11765 * failure with many possible causes. To identify the cause, see the error message that accompanies the 11766 * exception. 11767 * </p> 11768 * </li></li> 11769 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 
* Can be used for catch all scenarios.</li>
     * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     * credentials, etc.</li>
     * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.ListKeyPolicies
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyPolicies" target="_top">AWS API
     * Documentation</a>
     */
    default CompletableFuture<ListKeyPoliciesResponse> listKeyPolicies(ListKeyPoliciesRequest listKeyPoliciesRequest) {
        // Interface default: this overload carries no implementation here and always throws.
        // NOTE(review): presumably the concrete client overrides it to issue the ListKeyPolicies call - confirm.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Gets the names of the key policies that are attached to a KMS key. This operation is designed to get policy names
     * that you can use in a <a>GetKeyPolicy</a> operation. However, the only valid policy name is <code>default</code>.
     * </p>
     * <p>
     * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
     * account.
     * </p>
     * <p>
     * <b>Required permissions</b>: <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html"
     * >kms:ListKeyPolicies</a> (key policy)
     * </p>
     * <p>
     * <b>Related operations:</b>
     * </p>
     * <ul>
     * <li>
     * <p>
     * <a>GetKeyPolicy</a>
     * </p>
     * </li>
     * <li>
     * <p>
     * <a href="https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html">PutKeyPolicy</a>
     * </p>
     * </li>
     * </ul>
     * <p>
     * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model.
For more information, see <a 11815 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 11816 * consistency</a>. 11817 * </p> 11818 * <br/> 11819 * <p> 11820 * This is a convenience which creates an instance of the {@link ListKeyPoliciesRequest.Builder} avoiding the need 11821 * to create one manually via {@link ListKeyPoliciesRequest#builder()} 11822 * </p> 11823 * 11824 * @param listKeyPoliciesRequest 11825 * A {@link Consumer} that will call methods on 11826 * {@link software.amazon.awssdk.services.kms.model.ListKeyPoliciesRequest.Builder} to create a request. 11827 * @return A Java Future containing the result of the ListKeyPolicies operation returned by the service.<br/> 11828 * The CompletableFuture returned by this method can be completed exceptionally with the following 11829 * exceptions. 11830 * <ul> 11831 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 11832 * found.</li> 11833 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 11834 * not valid.</li> 11835 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 11836 * the request.</li> 11837 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 11838 * be retried.</li> 11839 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 11840 * valid for this request.</p> 11841 * <p> 11842 * This exceptions means one of the following: 11843 * </p> 11844 * <ul> 11845 * <li> 11846 * <p> 11847 * The key state of the KMS key is not compatible with the operation. 11848 * </p> 11849 * <p> 11850 * To find the key state, use the <a>DescribeKey</a> operation. 
For more information about which key states
     * are compatible with each KMS operation, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
     * the <i> <i>Key Management Service Developer Guide</i> </i>.
     * </p>
     * </li>
     * <li>
     * <p>
     * For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     * failure with many possible causes. To identify the cause, see the error message that accompanies the
     * exception.
     * </p>
     * </li></li>
     * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     * Can be used for catch all scenarios.</li>
     * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     * credentials, etc.</li>
     * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.ListKeyPolicies
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyPolicies" target="_top">AWS API
     * Documentation</a>
     */
    default CompletableFuture<ListKeyPoliciesResponse> listKeyPolicies(
            Consumer<ListKeyPoliciesRequest.Builder> listKeyPoliciesRequest) {
        // Let the caller's lambda populate a fresh builder, then delegate to the request-object overload.
        ListKeyPoliciesRequest builtRequest =
                ListKeyPoliciesRequest.builder().applyMutation(listKeyPoliciesRequest).build();
        return listKeyPolicies(builtRequest);
    }

    /**
     * <p>
     * This is a variant of {@link #listKeyPolicies(software.amazon.awssdk.services.kms.model.ListKeyPoliciesRequest)}
     * operation. The return type is a custom publisher that can be subscribed to request a stream of response pages.
     * SDK will internally handle making service calls for you.
11884 * </p> 11885 * <p> 11886 * When the operation is called, an instance of this class is returned. At this point, no service calls are made yet 11887 * and so there is no guarantee that the request is valid. If there are errors in your request, you will see the 11888 * failures only after you start streaming the data. The subscribe method should be called as a request to start 11889 * streaming data. For more info, see 11890 * {@link org.reactivestreams.Publisher#subscribe(org.reactivestreams.Subscriber)}. Each call to the subscribe 11891 * method will result in a new {@link org.reactivestreams.Subscription} i.e., a new contract to stream data from the 11892 * starting request. 11893 * </p> 11894 * 11895 * <p> 11896 * The following are few ways to use the response class: 11897 * </p> 11898 * 1) Using the subscribe helper method 11899 * 11900 * <pre> 11901 * {@code 11902 * software.amazon.awssdk.services.kms.paginators.ListKeyPoliciesPublisher publisher = client.listKeyPoliciesPaginator(request); 11903 * CompletableFuture<Void> future = publisher.subscribe(res -> { // Do something with the response }); 11904 * future.get(); 11905 * } 11906 * </pre> 11907 * 11908 * 2) Using a custom subscriber 11909 * 11910 * <pre> 11911 * {@code 11912 * software.amazon.awssdk.services.kms.paginators.ListKeyPoliciesPublisher publisher = client.listKeyPoliciesPaginator(request); 11913 * publisher.subscribe(new Subscriber<software.amazon.awssdk.services.kms.model.ListKeyPoliciesResponse>() { 11914 * 11915 * public void onSubscribe(org.reactivestreams.Subscriber subscription) { //... }; 11916 * 11917 * 11918 * public void onNext(software.amazon.awssdk.services.kms.model.ListKeyPoliciesResponse response) { //... }; 11919 * });} 11920 * </pre> 11921 * 11922 * As the response is a publisher, it can work well with third party reactive streams implementations like RxJava2. 
11923 * <p> 11924 * <b>Please notice that the configuration of Limit won't limit the number of results you get with the paginator. It 11925 * only limits the number of results in each page.</b> 11926 * </p> 11927 * <p> 11928 * <b>Note: If you prefer to have control on service calls, use the 11929 * {@link #listKeyPolicies(software.amazon.awssdk.services.kms.model.ListKeyPoliciesRequest)} operation.</b> 11930 * </p> 11931 * 11932 * @param listKeyPoliciesRequest 11933 * @return A custom publisher that can be subscribed to request a stream of response pages.<br/> 11934 * The CompletableFuture returned by this method can be completed exceptionally with the following 11935 * exceptions. 11936 * <ul> 11937 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 11938 * found.</li> 11939 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 11940 * not valid.</li> 11941 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 11942 * the request.</li> 11943 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 11944 * be retried.</li> 11945 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 11946 * valid for this request.</p> 11947 * <p> 11948 * This exceptions means one of the following: 11949 * </p> 11950 * <ul> 11951 * <li> 11952 * <p> 11953 * The key state of the KMS key is not compatible with the operation. 11954 * </p> 11955 * <p> 11956 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 11957 * are compatible with each KMS operation, see <a 11958 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 11959 * the <i> <i>Key Management Service Developer Guide</i> </i>. 
* </p>
     * </li>
     * <li>
     * <p>
     * For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     * failure with many possible causes. To identify the cause, see the error message that accompanies the
     * exception.
     * </p>
     * </li></li>
     * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     * Can be used for catch all scenarios.</li>
     * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     * credentials, etc.</li>
     * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.ListKeyPolicies
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyPolicies" target="_top">AWS API
     * Documentation</a>
     */
    default ListKeyPoliciesPublisher listKeyPoliciesPaginator(ListKeyPoliciesRequest listKeyPoliciesRequest) {
        // Only wraps this client and the request. Per the Javadoc, no service call is made until a
        // subscriber starts streaming pages, so an invalid request fails at subscription time, not here.
        ListKeyPoliciesPublisher pagePublisher = new ListKeyPoliciesPublisher(this, listKeyPoliciesRequest);
        return pagePublisher;
    }

    /**
     * <p>
     * This is a variant of {@link #listKeyPolicies(software.amazon.awssdk.services.kms.model.ListKeyPoliciesRequest)}
     * operation. The return type is a custom publisher that can be subscribed to request a stream of response pages.
     * SDK will internally handle making service calls for you.
     * </p>
     * <p>
     * When the operation is called, an instance of this class is returned. At this point, no service calls are made yet
     * and so there is no guarantee that the request is valid. If there are errors in your request, you will see the
     * failures only after you start streaming the data. The subscribe method should be called as a request to start
     * streaming data.
For more info, see 11995 * {@link org.reactivestreams.Publisher#subscribe(org.reactivestreams.Subscriber)}. Each call to the subscribe 11996 * method will result in a new {@link org.reactivestreams.Subscription} i.e., a new contract to stream data from the 11997 * starting request. 11998 * </p> 11999 * 12000 * <p> 12001 * The following are few ways to use the response class: 12002 * </p> 12003 * 1) Using the subscribe helper method 12004 * 12005 * <pre> 12006 * {@code 12007 * software.amazon.awssdk.services.kms.paginators.ListKeyPoliciesPublisher publisher = client.listKeyPoliciesPaginator(request); 12008 * CompletableFuture<Void> future = publisher.subscribe(res -> { // Do something with the response }); 12009 * future.get(); 12010 * } 12011 * </pre> 12012 * 12013 * 2) Using a custom subscriber 12014 * 12015 * <pre> 12016 * {@code 12017 * software.amazon.awssdk.services.kms.paginators.ListKeyPoliciesPublisher publisher = client.listKeyPoliciesPaginator(request); 12018 * publisher.subscribe(new Subscriber<software.amazon.awssdk.services.kms.model.ListKeyPoliciesResponse>() { 12019 * 12020 * public void onSubscribe(org.reactivestreams.Subscriber subscription) { //... }; 12021 * 12022 * 12023 * public void onNext(software.amazon.awssdk.services.kms.model.ListKeyPoliciesResponse response) { //... }; 12024 * });} 12025 * </pre> 12026 * 12027 * As the response is a publisher, it can work well with third party reactive streams implementations like RxJava2. 12028 * <p> 12029 * <b>Please notice that the configuration of Limit won't limit the number of results you get with the paginator. 
It 12030 * only limits the number of results in each page.</b> 12031 * </p> 12032 * <p> 12033 * <b>Note: If you prefer to have control on service calls, use the 12034 * {@link #listKeyPolicies(software.amazon.awssdk.services.kms.model.ListKeyPoliciesRequest)} operation.</b> 12035 * </p> 12036 * <br/> 12037 * <p> 12038 * This is a convenience which creates an instance of the {@link ListKeyPoliciesRequest.Builder} avoiding the need 12039 * to create one manually via {@link ListKeyPoliciesRequest#builder()} 12040 * </p> 12041 * 12042 * @param listKeyPoliciesRequest 12043 * A {@link Consumer} that will call methods on 12044 * {@link software.amazon.awssdk.services.kms.model.ListKeyPoliciesRequest.Builder} to create a request. 12045 * @return A custom publisher that can be subscribed to request a stream of response pages.<br/> 12046 * The CompletableFuture returned by this method can be completed exceptionally with the following 12047 * exceptions. 12048 * <ul> 12049 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 12050 * found.</li> 12051 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 12052 * not valid.</li> 12053 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 12054 * the request.</li> 12055 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 12056 * be retried.</li> 12057 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 12058 * valid for this request.</p> 12059 * <p> 12060 * This exceptions means one of the following: 12061 * </p> 12062 * <ul> 12063 * <li> 12064 * <p> 12065 * The key state of the KMS key is not compatible with the operation. 12066 * </p> 12067 * <p> 12068 * To find the key state, use the <a>DescribeKey</a> operation. 
For more information about which key states 12069 * are compatible with each KMS operation, see <a 12070 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 12071 * the <i> <i>Key Management Service Developer Guide</i> </i>. 12072 * </p> 12073 * </li> 12074 * <li> 12075 * <p> 12076 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 12077 * failure with many possible causes. To identify the cause, see the error message that accompanies the 12078 * exception. 12079 * </p> 12080 * </li></li> 12081 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 12082 * Can be used for catch all scenarios.</li> 12083 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 12084 * credentials, etc.</li> 12085 * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance 12086 * of this type.</li> 12087 * </ul> 12088 * @sample KmsAsyncClient.ListKeyPolicies 12089 * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyPolicies" target="_top">AWS API 12090 * Documentation</a> 12091 */ listKeyPoliciesPaginator(Consumer<ListKeyPoliciesRequest.Builder> listKeyPoliciesRequest)12092 default ListKeyPoliciesPublisher listKeyPoliciesPaginator(Consumer<ListKeyPoliciesRequest.Builder> listKeyPoliciesRequest) { 12093 return listKeyPoliciesPaginator(ListKeyPoliciesRequest.builder().applyMutation(listKeyPoliciesRequest).build()); 12094 } 12095 12096 /** 12097 * <p> 12098 * Gets a list of all KMS keys in the caller's Amazon Web Services account and Region. 12099 * </p> 12100 * <p> 12101 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 12102 * account. 
12103 * </p> 12104 * <p> 12105 * <b>Required permissions</b>: <a 12106 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:ListKeys</a> 12107 * (IAM policy) 12108 * </p> 12109 * <p> 12110 * <b>Related operations:</b> 12111 * </p> 12112 * <ul> 12113 * <li> 12114 * <p> 12115 * <a>CreateKey</a> 12116 * </p> 12117 * </li> 12118 * <li> 12119 * <p> 12120 * <a>DescribeKey</a> 12121 * </p> 12122 * </li> 12123 * <li> 12124 * <p> 12125 * <a>ListAliases</a> 12126 * </p> 12127 * </li> 12128 * <li> 12129 * <p> 12130 * <a>ListResourceTags</a> 12131 * </p> 12132 * </li> 12133 * </ul> 12134 * <p> 12135 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 12136 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 12137 * consistency</a>. 12138 * </p> 12139 * 12140 * @param listKeysRequest 12141 * @return A Java Future containing the result of the ListKeys operation returned by the service.<br/> 12142 * The CompletableFuture returned by this method can be completed exceptionally with the following 12143 * exceptions. 12144 * <ul> 12145 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 12146 * the request.</li> 12147 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 12148 * be retried.</li> 12149 * <li>InvalidMarkerException The request was rejected because the marker that specifies where pagination 12150 * should next begin is not valid.</li> 12151 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 12152 * Can be used for catch all scenarios.</li> 12153 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 12154 * credentials, etc.</li> 12155 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance 12156 * of this type.</li> 12157 * </ul> 12158 * @sample KmsAsyncClient.ListKeys 12159 * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeys" target="_top">AWS API 12160 * Documentation</a> 12161 */ listKeys(ListKeysRequest listKeysRequest)12162 default CompletableFuture<ListKeysResponse> listKeys(ListKeysRequest listKeysRequest) { 12163 throw new UnsupportedOperationException(); 12164 } 12165 12166 /** 12167 * <p> 12168 * Gets a list of all KMS keys in the caller's Amazon Web Services account and Region. 12169 * </p> 12170 * <p> 12171 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 12172 * account. 12173 * </p> 12174 * <p> 12175 * <b>Required permissions</b>: <a 12176 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:ListKeys</a> 12177 * (IAM policy) 12178 * </p> 12179 * <p> 12180 * <b>Related operations:</b> 12181 * </p> 12182 * <ul> 12183 * <li> 12184 * <p> 12185 * <a>CreateKey</a> 12186 * </p> 12187 * </li> 12188 * <li> 12189 * <p> 12190 * <a>DescribeKey</a> 12191 * </p> 12192 * </li> 12193 * <li> 12194 * <p> 12195 * <a>ListAliases</a> 12196 * </p> 12197 * </li> 12198 * <li> 12199 * <p> 12200 * <a>ListResourceTags</a> 12201 * </p> 12202 * </li> 12203 * </ul> 12204 * <p> 12205 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 12206 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 12207 * consistency</a>. 
12208 * </p> 12209 * <br/> 12210 * <p> 12211 * This is a convenience which creates an instance of the {@link ListKeysRequest.Builder} avoiding the need to 12212 * create one manually via {@link ListKeysRequest#builder()} 12213 * </p> 12214 * 12215 * @param listKeysRequest 12216 * A {@link Consumer} that will call methods on 12217 * {@link software.amazon.awssdk.services.kms.model.ListKeysRequest.Builder} to create a request. 12218 * @return A Java Future containing the result of the ListKeys operation returned by the service.<br/> 12219 * The CompletableFuture returned by this method can be completed exceptionally with the following 12220 * exceptions. 12221 * <ul> 12222 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 12223 * the request.</li> 12224 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 12225 * be retried.</li> 12226 * <li>InvalidMarkerException The request was rejected because the marker that specifies where pagination 12227 * should next begin is not valid.</li> 12228 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 12229 * Can be used for catch all scenarios.</li> 12230 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 12231 * credentials, etc.</li> 12232 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance 12233 * of this type.</li> 12234 * </ul> 12235 * @sample KmsAsyncClient.ListKeys 12236 * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeys" target="_top">AWS API 12237 * Documentation</a> 12238 */ listKeys(Consumer<ListKeysRequest.Builder> listKeysRequest)12239 default CompletableFuture<ListKeysResponse> listKeys(Consumer<ListKeysRequest.Builder> listKeysRequest) { 12240 return listKeys(ListKeysRequest.builder().applyMutation(listKeysRequest).build()); 12241 } 12242 12243 /** 12244 * <p> 12245 * Gets a list of all KMS keys in the caller's Amazon Web Services account and Region. 12246 * </p> 12247 * <p> 12248 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 12249 * account. 12250 * </p> 12251 * <p> 12252 * <b>Required permissions</b>: <a 12253 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:ListKeys</a> 12254 * (IAM policy) 12255 * </p> 12256 * <p> 12257 * <b>Related operations:</b> 12258 * </p> 12259 * <ul> 12260 * <li> 12261 * <p> 12262 * <a>CreateKey</a> 12263 * </p> 12264 * </li> 12265 * <li> 12266 * <p> 12267 * <a>DescribeKey</a> 12268 * </p> 12269 * </li> 12270 * <li> 12271 * <p> 12272 * <a>ListAliases</a> 12273 * </p> 12274 * </li> 12275 * <li> 12276 * <p> 12277 * <a>ListResourceTags</a> 12278 * </p> 12279 * </li> 12280 * </ul> 12281 * <p> 12282 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 12283 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 12284 * consistency</a>. 12285 * </p> 12286 * 12287 * @return A Java Future containing the result of the ListKeys operation returned by the service.<br/> 12288 * The CompletableFuture returned by this method can be completed exceptionally with the following 12289 * exceptions. 
12290 * <ul> 12291 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 12292 * the request.</li> 12293 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 12294 * be retried.</li> 12295 * <li>InvalidMarkerException The request was rejected because the marker that specifies where pagination 12296 * should next begin is not valid.</li> 12297 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 12298 * Can be used for catch all scenarios.</li> 12299 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 12300 * credentials, etc.</li> 12301 * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance 12302 * of this type.</li> 12303 * </ul> 12304 * @sample KmsAsyncClient.ListKeys 12305 * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeys" target="_top">AWS API 12306 * Documentation</a> 12307 */ listKeys()12308 default CompletableFuture<ListKeysResponse> listKeys() { 12309 return listKeys(ListKeysRequest.builder().build()); 12310 } 12311 12312 /** 12313 * <p> 12314 * This is a variant of {@link #listKeys(software.amazon.awssdk.services.kms.model.ListKeysRequest)} operation. The 12315 * return type is a custom publisher that can be subscribed to request a stream of response pages. SDK will 12316 * internally handle making service calls for you. 12317 * </p> 12318 * <p> 12319 * When the operation is called, an instance of this class is returned. At this point, no service calls are made yet 12320 * and so there is no guarantee that the request is valid. If there are errors in your request, you will see the 12321 * failures only after you start streaming the data. The subscribe method should be called as a request to start 12322 * streaming data. 
For more info, see 12323 * {@link org.reactivestreams.Publisher#subscribe(org.reactivestreams.Subscriber)}. Each call to the subscribe 12324 * method will result in a new {@link org.reactivestreams.Subscription} i.e., a new contract to stream data from the 12325 * starting request. 12326 * </p> 12327 * 12328 * <p> 12329 * The following are a few ways to use the response class: 12330 * </p> 12331 * 1) Using the subscribe helper method 12332 * 12333 * <pre> 12334 * {@code 12335 * software.amazon.awssdk.services.kms.paginators.ListKeysPublisher publisher = client.listKeysPaginator(request); 12336 * CompletableFuture<Void> future = publisher.subscribe(res -> { // Do something with the response }); 12337 * future.get(); 12338 * } 12339 * </pre> 12340 * 12341 * 2) Using a custom subscriber 12342 * 12343 * <pre> 12344 * {@code 12345 * software.amazon.awssdk.services.kms.paginators.ListKeysPublisher publisher = client.listKeysPaginator(request); 12346 * publisher.subscribe(new Subscriber<software.amazon.awssdk.services.kms.model.ListKeysResponse>() { 12347 * 12348 * public void onSubscribe(org.reactivestreams.Subscription subscription) { //... }; 12349 * 12350 * 12351 * public void onNext(software.amazon.awssdk.services.kms.model.ListKeysResponse response) { //... }; 12352 * });} 12353 * </pre> 12354 * 12355 * As the response is a publisher, it can work well with third party reactive streams implementations like RxJava2. 12356 * <p> 12357 * <b>Please notice that the configuration of Limit won't limit the number of results you get with the paginator.
It 12358 * only limits the number of results in each page.</b> 12359 * </p> 12360 * <p> 12361 * <b>Note: If you prefer to have control on service calls, use the 12362 * {@link #listKeys(software.amazon.awssdk.services.kms.model.ListKeysRequest)} operation.</b> 12363 * </p> 12364 * 12365 * @return A custom publisher that can be subscribed to request a stream of response pages.<br/> 12366 * The CompletableFuture returned by this method can be completed exceptionally with the following 12367 * exceptions. 12368 * <ul> 12369 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 12370 * the request.</li> 12371 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 12372 * be retried.</li> 12373 * <li>InvalidMarkerException The request was rejected because the marker that specifies where pagination 12374 * should next begin is not valid.</li> 12375 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 12376 * Can be used for catch all scenarios.</li> 12377 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 12378 * credentials, etc.</li> 12379 * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance 12380 * of this type.</li> 12381 * </ul> 12382 * @sample KmsAsyncClient.ListKeys 12383 * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeys" target="_top">AWS API 12384 * Documentation</a> 12385 */ listKeysPaginator()12386 default ListKeysPublisher listKeysPaginator() { 12387 return listKeysPaginator(ListKeysRequest.builder().build()); 12388 } 12389 12390 /** 12391 * <p> 12392 * This is a variant of {@link #listKeys(software.amazon.awssdk.services.kms.model.ListKeysRequest)} operation. The 12393 * return type is a custom publisher that can be subscribed to request a stream of response pages. 
SDK will 12394 * internally handle making service calls for you. 12395 * </p> 12396 * <p> 12397 * When the operation is called, an instance of this class is returned. At this point, no service calls are made yet 12398 * and so there is no guarantee that the request is valid. If there are errors in your request, you will see the 12399 * failures only after you start streaming the data. The subscribe method should be called as a request to start 12400 * streaming data. For more info, see 12401 * {@link org.reactivestreams.Publisher#subscribe(org.reactivestreams.Subscriber)}. Each call to the subscribe 12402 * method will result in a new {@link org.reactivestreams.Subscription} i.e., a new contract to stream data from the 12403 * starting request. 12404 * </p> 12405 * 12406 * <p> 12407 * The following are a few ways to use the response class: 12408 * </p> 12409 * 1) Using the subscribe helper method 12410 * 12411 * <pre> 12412 * {@code 12413 * software.amazon.awssdk.services.kms.paginators.ListKeysPublisher publisher = client.listKeysPaginator(request); 12414 * CompletableFuture<Void> future = publisher.subscribe(res -> { // Do something with the response }); 12415 * future.get(); 12416 * } 12417 * </pre> 12418 * 12419 * 2) Using a custom subscriber 12420 * 12421 * <pre> 12422 * {@code 12423 * software.amazon.awssdk.services.kms.paginators.ListKeysPublisher publisher = client.listKeysPaginator(request); 12424 * publisher.subscribe(new Subscriber<software.amazon.awssdk.services.kms.model.ListKeysResponse>() { 12425 * 12426 * public void onSubscribe(org.reactivestreams.Subscription subscription) { //... }; 12427 * 12428 * 12429 * public void onNext(software.amazon.awssdk.services.kms.model.ListKeysResponse response) { //... }; 12430 * });} 12431 * </pre> 12432 * 12433 * As the response is a publisher, it can work well with third party reactive streams implementations like RxJava2.
12434 * <p> 12435 * <b>Please notice that the configuration of Limit won't limit the number of results you get with the paginator. It 12436 * only limits the number of results in each page.</b> 12437 * </p> 12438 * <p> 12439 * <b>Note: If you prefer to have control on service calls, use the 12440 * {@link #listKeys(software.amazon.awssdk.services.kms.model.ListKeysRequest)} operation.</b> 12441 * </p> 12442 * 12443 * @param listKeysRequest 12444 * @return A custom publisher that can be subscribed to request a stream of response pages.<br/> 12445 * The CompletableFuture returned by this method can be completed exceptionally with the following 12446 * exceptions. 12447 * <ul> 12448 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 12449 * the request.</li> 12450 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 12451 * be retried.</li> 12452 * <li>InvalidMarkerException The request was rejected because the marker that specifies where pagination 12453 * should next begin is not valid.</li> 12454 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 12455 * Can be used for catch all scenarios.</li> 12456 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 12457 * credentials, etc.</li> 12458 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance 12459 * of this type.</li> 12460 * </ul> 12461 * @sample KmsAsyncClient.ListKeys 12462 * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeys" target="_top">AWS API 12463 * Documentation</a> 12464 */ listKeysPaginator(ListKeysRequest listKeysRequest)12465 default ListKeysPublisher listKeysPaginator(ListKeysRequest listKeysRequest) { 12466 return new ListKeysPublisher(this, listKeysRequest); 12467 } 12468 12469 /** 12470 * <p> 12471 * This is a variant of {@link #listKeys(software.amazon.awssdk.services.kms.model.ListKeysRequest)} operation. The 12472 * return type is a custom publisher that can be subscribed to request a stream of response pages. SDK will 12473 * internally handle making service calls for you. 12474 * </p> 12475 * <p> 12476 * When the operation is called, an instance of this class is returned. At this point, no service calls are made yet 12477 * and so there is no guarantee that the request is valid. If there are errors in your request, you will see the 12478 * failures only after you start streaming the data. The subscribe method should be called as a request to start 12479 * streaming data. For more info, see 12480 * {@link org.reactivestreams.Publisher#subscribe(org.reactivestreams.Subscriber)}. Each call to the subscribe 12481 * method will result in a new {@link org.reactivestreams.Subscription} i.e., a new contract to stream data from the 12482 * starting request. 
12483 * </p> 12484 * 12485 * <p> 12486 * The following are a few ways to use the response class: 12487 * </p> 12488 * 1) Using the subscribe helper method 12489 * 12490 * <pre> 12491 * {@code 12492 * software.amazon.awssdk.services.kms.paginators.ListKeysPublisher publisher = client.listKeysPaginator(request); 12493 * CompletableFuture<Void> future = publisher.subscribe(res -> { // Do something with the response }); 12494 * future.get(); 12495 * } 12496 * </pre> 12497 * 12498 * 2) Using a custom subscriber 12499 * 12500 * <pre> 12501 * {@code 12502 * software.amazon.awssdk.services.kms.paginators.ListKeysPublisher publisher = client.listKeysPaginator(request); 12503 * publisher.subscribe(new Subscriber<software.amazon.awssdk.services.kms.model.ListKeysResponse>() { 12504 * 12505 * public void onSubscribe(org.reactivestreams.Subscription subscription) { //... }; 12506 * 12507 * 12508 * public void onNext(software.amazon.awssdk.services.kms.model.ListKeysResponse response) { //... }; 12509 * });} 12510 * </pre> 12511 * 12512 * As the response is a publisher, it can work well with third party reactive streams implementations like RxJava2. 12513 * <p> 12514 * <b>Please notice that the configuration of Limit won't limit the number of results you get with the paginator. It 12515 * only limits the number of results in each page.</b> 12516 * </p> 12517 * <p> 12518 * <b>Note: If you prefer to have control on service calls, use the 12519 * {@link #listKeys(software.amazon.awssdk.services.kms.model.ListKeysRequest)} operation.</b> 12520 * </p> 12521 * <br/> 12522 * <p> 12523 * This is a convenience which creates an instance of the {@link ListKeysRequest.Builder} avoiding the need to 12524 * create one manually via {@link ListKeysRequest#builder()} 12525 * </p> 12526 * 12527 * @param listKeysRequest 12528 * A {@link Consumer} that will call methods on 12529 * {@link software.amazon.awssdk.services.kms.model.ListKeysRequest.Builder} to create a request.
12530 * @return A custom publisher that can be subscribed to request a stream of response pages.<br/> 12531 * The CompletableFuture returned by this method can be completed exceptionally with the following 12532 * exceptions. 12533 * <ul> 12534 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 12535 * the request.</li> 12536 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 12537 * be retried.</li> 12538 * <li>InvalidMarkerException The request was rejected because the marker that specifies where pagination 12539 * should next begin is not valid.</li> 12540 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 12541 * Can be used for catch all scenarios.</li> 12542 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 12543 * credentials, etc.</li> 12544 * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance 12545 * of this type.</li> 12546 * </ul> 12547 * @sample KmsAsyncClient.ListKeys 12548 * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeys" target="_top">AWS API 12549 * Documentation</a> 12550 */ listKeysPaginator(Consumer<ListKeysRequest.Builder> listKeysRequest)12551 default ListKeysPublisher listKeysPaginator(Consumer<ListKeysRequest.Builder> listKeysRequest) { 12552 return listKeysPaginator(ListKeysRequest.builder().applyMutation(listKeysRequest).build()); 12553 } 12554 12555 /** 12556 * <p> 12557 * Returns all tags on the specified KMS key. 12558 * </p> 12559 * <p> 12560 * For general information about tags, including the format and syntax, see <a 12561 * href="https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html">Tagging Amazon Web Services resources</a> 12562 * in the <i>Amazon Web Services General Reference</i>. 
For information about using tags in KMS, see <a 12563 * href="https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html">Tagging keys</a>. 12564 * </p> 12565 * <p> 12566 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 12567 * account. 12568 * </p> 12569 * <p> 12570 * <b>Required permissions</b>: <a 12571 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 12572 * >kms:ListResourceTags</a> (key policy) 12573 * </p> 12574 * <p> 12575 * <b>Related operations:</b> 12576 * </p> 12577 * <ul> 12578 * <li> 12579 * <p> 12580 * <a>CreateKey</a> 12581 * </p> 12582 * </li> 12583 * <li> 12584 * <p> 12585 * <a>ReplicateKey</a> 12586 * </p> 12587 * </li> 12588 * <li> 12589 * <p> 12590 * <a>TagResource</a> 12591 * </p> 12592 * </li> 12593 * <li> 12594 * <p> 12595 * <a>UntagResource</a> 12596 * </p> 12597 * </li> 12598 * </ul> 12599 * <p> 12600 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 12601 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 12602 * consistency</a>. 12603 * </p> 12604 * 12605 * @param listResourceTagsRequest 12606 * @return A Java Future containing the result of the ListResourceTags operation returned by the service.<br/> 12607 * The CompletableFuture returned by this method can be completed exceptionally with the following 12608 * exceptions. 12609 * <ul> 12610 * <li>KmsInternalException The request was rejected because an internal exception occurred. 
The request can 12611 * be retried.</li> 12612 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 12613 * found.</li> 12614 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 12615 * not valid.</li> 12616 * <li>InvalidMarkerException The request was rejected because the marker that specifies where pagination 12617 * should next begin is not valid.</li> 12618 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 12619 * Can be used for catch all scenarios.</li> 12620 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 12621 * credentials, etc.</li> 12622 * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance 12623 * of this type.</li> 12624 * </ul> 12625 * @sample KmsAsyncClient.ListResourceTags 12626 * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListResourceTags" target="_top">AWS API 12627 * Documentation</a> 12628 */ listResourceTags(ListResourceTagsRequest listResourceTagsRequest)12629 default CompletableFuture<ListResourceTagsResponse> listResourceTags(ListResourceTagsRequest listResourceTagsRequest) { 12630 throw new UnsupportedOperationException(); 12631 } 12632 12633 /** 12634 * <p> 12635 * Returns all tags on the specified KMS key. 12636 * </p> 12637 * <p> 12638 * For general information about tags, including the format and syntax, see <a 12639 * href="https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html">Tagging Amazon Web Services resources</a> 12640 * in the <i>Amazon Web Services General Reference</i>. For information about using tags in KMS, see <a 12641 * href="https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html">Tagging keys</a>. 12642 * </p> 12643 * <p> 12644 * <b>Cross-account use</b>: No. 
You cannot perform this operation on a KMS key in a different Amazon Web Services 12645 * account. 12646 * </p> 12647 * <p> 12648 * <b>Required permissions</b>: <a 12649 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 12650 * >kms:ListResourceTags</a> (key policy) 12651 * </p> 12652 * <p> 12653 * <b>Related operations:</b> 12654 * </p> 12655 * <ul> 12656 * <li> 12657 * <p> 12658 * <a>CreateKey</a> 12659 * </p> 12660 * </li> 12661 * <li> 12662 * <p> 12663 * <a>ReplicateKey</a> 12664 * </p> 12665 * </li> 12666 * <li> 12667 * <p> 12668 * <a>TagResource</a> 12669 * </p> 12670 * </li> 12671 * <li> 12672 * <p> 12673 * <a>UntagResource</a> 12674 * </p> 12675 * </li> 12676 * </ul> 12677 * <p> 12678 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 12679 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 12680 * consistency</a>. 12681 * </p> 12682 * <br/> 12683 * <p> 12684 * This is a convenience which creates an instance of the {@link ListResourceTagsRequest.Builder} avoiding the need 12685 * to create one manually via {@link ListResourceTagsRequest#builder()} 12686 * </p> 12687 * 12688 * @param listResourceTagsRequest 12689 * A {@link Consumer} that will call methods on 12690 * {@link software.amazon.awssdk.services.kms.model.ListResourceTagsRequest.Builder} to create a request. 12691 * @return A Java Future containing the result of the ListResourceTags operation returned by the service.<br/> 12692 * The CompletableFuture returned by this method can be completed exceptionally with the following 12693 * exceptions. 12694 * <ul> 12695 * <li>KmsInternalException The request was rejected because an internal exception occurred. 
The request can 12696 * be retried.</li> 12697 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 12698 * found.</li> 12699 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 12700 * not valid.</li> 12701 * <li>InvalidMarkerException The request was rejected because the marker that specifies where pagination 12702 * should next begin is not valid.</li> 12703 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 12704 * Can be used for catch all scenarios.</li> 12705 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 12706 * credentials, etc.</li> 12707 * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance 12708 * of this type.</li> 12709 * </ul> 12710 * @sample KmsAsyncClient.ListResourceTags 12711 * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListResourceTags" target="_top">AWS API 12712 * Documentation</a> 12713 */ listResourceTags( Consumer<ListResourceTagsRequest.Builder> listResourceTagsRequest)12714 default CompletableFuture<ListResourceTagsResponse> listResourceTags( 12715 Consumer<ListResourceTagsRequest.Builder> listResourceTagsRequest) { 12716 return listResourceTags(ListResourceTagsRequest.builder().applyMutation(listResourceTagsRequest).build()); 12717 } 12718 12719 /** 12720 * <p> 12721 * This is a variant of {@link #listResourceTags(software.amazon.awssdk.services.kms.model.ListResourceTagsRequest)} 12722 * operation. The return type is a custom publisher that can be subscribed to request a stream of response pages. 12723 * SDK will internally handle making service calls for you. 12724 * </p> 12725 * <p> 12726 * When the operation is called, an instance of this class is returned. 
At this point, no service calls are made yet 12727 * and so there is no guarantee that the request is valid. If there are errors in your request, you will see the 12728 * failures only after you start streaming the data. The subscribe method should be called as a request to start 12729 * streaming data. For more info, see 12730 * {@link org.reactivestreams.Publisher#subscribe(org.reactivestreams.Subscriber)}. Each call to the subscribe 12731 * method will result in a new {@link org.reactivestreams.Subscription} i.e., a new contract to stream data from the 12732 * starting request. 12733 * </p> 12734 * 12735 * <p> 12736 * The following are a few ways to use the response class: 12737 * </p> 12738 * 1) Using the subscribe helper method 12739 * 12740 * <pre> 12741 * {@code 12742 * software.amazon.awssdk.services.kms.paginators.ListResourceTagsPublisher publisher = client.listResourceTagsPaginator(request); 12743 * CompletableFuture<Void> future = publisher.subscribe(res -> { // Do something with the response }); 12744 * future.get(); 12745 * } 12746 * </pre> 12747 * 12748 * 2) Using a custom subscriber 12749 * 12750 * <pre> 12751 * {@code 12752 * software.amazon.awssdk.services.kms.paginators.ListResourceTagsPublisher publisher = client.listResourceTagsPaginator(request); 12753 * publisher.subscribe(new Subscriber<software.amazon.awssdk.services.kms.model.ListResourceTagsResponse>() { 12754 * 12755 * public void onSubscribe(org.reactivestreams.Subscription subscription) { //... }; 12756 * 12757 * 12758 * public void onNext(software.amazon.awssdk.services.kms.model.ListResourceTagsResponse response) { //... }; 12759 * });} 12760 * </pre> 12761 * 12762 * As the response is a publisher, it can work well with third party reactive streams implementations like RxJava2. 12763 * <p> 12764 * <b>Please notice that the configuration of Limit won't limit the number of results you get with the paginator.
It 12765 * only limits the number of results in each page.</b> 12766 * </p> 12767 * <p> 12768 * <b>Note: If you prefer to have control on service calls, use the 12769 * {@link #listResourceTags(software.amazon.awssdk.services.kms.model.ListResourceTagsRequest)} operation.</b> 12770 * </p> 12771 * 12772 * @param listResourceTagsRequest 12773 * @return A custom publisher that can be subscribed to request a stream of response pages.<br/> 12774 * Once subscribed to, the publisher returned by this method can fail with the following 12775 * exceptions. 12776 * <ul> 12777 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 12778 * be retried.</li> 12779 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 12780 * found.</li> 12781 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 12782 * not valid.</li> 12783 * <li>InvalidMarkerException The request was rejected because the marker that specifies where pagination 12784 * should next begin is not valid.</li> 12785 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 12786 * Can be used for catch all scenarios.</li> 12787 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 12788 * credentials, etc.</li> 12789 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.ListResourceTags
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListResourceTags" target="_top">AWS API
     *      Documentation</a>
     */
    default ListResourceTagsPublisher listResourceTagsPaginator(
            ListResourceTagsRequest listResourceTagsRequest) {
        // Only wraps this client and the starting request; per the Javadoc, no service call is made until the
        // publisher is subscribed to.
        ListResourceTagsPublisher pagePublisher = new ListResourceTagsPublisher(this, listResourceTagsRequest);
        return pagePublisher;
    }

    /**
     * <p>
     * This is a variant of {@link #listResourceTags(software.amazon.awssdk.services.kms.model.ListResourceTagsRequest)}
     * operation. The return type is a custom publisher that can be subscribed to request a stream of response pages.
     * SDK will internally handle making service calls for you.
     * </p>
     * <p>
     * When the operation is called, an instance of this class is returned. At this point, no service calls are made yet
     * and so there is no guarantee that the request is valid. If there are errors in your request, you will see the
     * failures only after you start streaming the data. The subscribe method should be called as a request to start
     * streaming data. For more info, see
     * {@link org.reactivestreams.Publisher#subscribe(org.reactivestreams.Subscriber)}. Each call to the subscribe
     * method will result in a new {@link org.reactivestreams.Subscription} i.e., a new contract to stream data from the
     * starting request.
12814 * </p> 12815 * 12816 * <p> 12817 * The following are a few ways to use the response class: 12818 * </p> 12819 * 1) Using the subscribe helper method 12820 * 12821 * <pre> 12822 * {@code 12823 * software.amazon.awssdk.services.kms.paginators.ListResourceTagsPublisher publisher = client.listResourceTagsPaginator(request); 12824 * CompletableFuture<Void> future = publisher.subscribe(res -> { // Do something with the response }); 12825 * future.get(); 12826 * } 12827 * </pre> 12828 * 12829 * 2) Using a custom subscriber 12830 * 12831 * <pre> 12832 * {@code 12833 * software.amazon.awssdk.services.kms.paginators.ListResourceTagsPublisher publisher = client.listResourceTagsPaginator(request); 12834 * publisher.subscribe(new Subscriber<software.amazon.awssdk.services.kms.model.ListResourceTagsResponse>() { 12835 * 12836 * public void onSubscribe(org.reactivestreams.Subscription subscription) { //... }; 12837 * 12838 * 12839 * public void onNext(software.amazon.awssdk.services.kms.model.ListResourceTagsResponse response) { //... }; 12840 * });} 12841 * </pre> 12842 * 12843 * As the response is a publisher, it can work well with third party reactive streams implementations like RxJava2. 12844 * <p> 12845 * <b>Please notice that the configuration of Limit won't limit the number of results you get with the paginator. 
It 12846 * only limits the number of results in each page.</b> 12847 * </p> 12848 * <p> 12849 * <b>Note: If you prefer to have control on service calls, use the 12850 * {@link #listResourceTags(software.amazon.awssdk.services.kms.model.ListResourceTagsRequest)} operation.</b> 12851 * </p> 12852 * <br/> 12853 * <p> 12854 * This is a convenience which creates an instance of the {@link ListResourceTagsRequest.Builder} avoiding the need 12855 * to create one manually via {@link ListResourceTagsRequest#builder()} 12856 * </p> 12857 * 12858 * @param listResourceTagsRequest 12859 * A {@link Consumer} that will call methods on 12860 * {@link software.amazon.awssdk.services.kms.model.ListResourceTagsRequest.Builder} to create a request. 12861 * @return A custom publisher that can be subscribed to request a stream of response pages.<br/> 12862 * Once subscribed to, the publisher returned by this method can fail with the following 12863 * exceptions. 12864 * <ul> 12865 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 12866 * be retried.</li> 12867 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 12868 * found.</li> 12869 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 12870 * not valid.</li> 12871 * <li>InvalidMarkerException The request was rejected because the marker that specifies where pagination 12872 * should next begin is not valid.</li> 12873 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 12874 * Can be used for catch all scenarios.</li> 12875 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 12876 * credentials, etc.</li> 12877 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.ListResourceTags
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListResourceTags" target="_top">AWS API
     *      Documentation</a>
     */
    default ListResourceTagsPublisher listResourceTagsPaginator(
            Consumer<ListResourceTagsRequest.Builder> listResourceTagsRequest) {
        // Let the caller's mutator fill in a fresh builder, then delegate to the request-object paginator overload.
        ListResourceTagsRequest builtRequest =
                ListResourceTagsRequest.builder().applyMutation(listResourceTagsRequest).build();
        return listResourceTagsPaginator(builtRequest);
    }

    /**
     * <p>
     * Returns information about all grants in the Amazon Web Services account and Region that have the specified
     * retiring principal.
     * </p>
     * <p>
     * You can specify any principal in your Amazon Web Services account. The grants that are returned include grants
     * for KMS keys in your Amazon Web Services account and other Amazon Web Services accounts. You might use this
     * operation to determine which grants you may retire. To retire a grant, use the <a>RetireGrant</a> operation.
     * </p>
     * <p>
     * For detailed information about grants, including grant terminology, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html">Grants in KMS</a> in the <i> <i>Key
     * Management Service Developer Guide</i> </i>. For examples of working with grants in several programming
     * languages, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html">Programming grants</a>.
     * </p>
     * <p>
     * <b>Cross-account use</b>: You must specify a principal in your Amazon Web Services account. This operation
     * returns a list of grants where the retiring principal specified in the <code>ListRetirableGrants</code> request
     * is the same retiring principal on the grant.
This can include grants on KMS keys owned by other Amazon Web 12909 * Services accounts, but you do not need <code>kms:ListRetirableGrants</code> permission (or any other additional 12910 * permission) in any Amazon Web Services account other than your own. 12911 * </p> 12912 * <p> 12913 * <b>Required permissions</b>: <a 12914 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 12915 * >kms:ListRetirableGrants</a> (IAM policy) in your Amazon Web Services account. 12916 * </p> 12917 * <note> 12918 * <p> 12919 * KMS authorizes <code>ListRetirableGrants</code> requests by evaluating the caller account's 12920 * kms:ListRetirableGrants permissions. The authorized resource in <code>ListRetirableGrants</code> calls is the 12921 * retiring principal specified in the request. KMS does not evaluate the caller's permissions to verify their 12922 * access to any KMS keys or grants that might be returned by the <code>ListRetirableGrants</code> call. 12923 * </p> 12924 * </note> 12925 * <p> 12926 * <b>Related operations:</b> 12927 * </p> 12928 * <ul> 12929 * <li> 12930 * <p> 12931 * <a>CreateGrant</a> 12932 * </p> 12933 * </li> 12934 * <li> 12935 * <p> 12936 * <a>ListGrants</a> 12937 * </p> 12938 * </li> 12939 * <li> 12940 * <p> 12941 * <a>RetireGrant</a> 12942 * </p> 12943 * </li> 12944 * <li> 12945 * <p> 12946 * <a>RevokeGrant</a> 12947 * </p> 12948 * </li> 12949 * </ul> 12950 * <p> 12951 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 12952 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 12953 * consistency</a>. 
12954 * </p> 12955 * 12956 * @param listRetirableGrantsRequest 12957 * @return A Java Future containing the result of the ListRetirableGrants operation returned by the service.<br/> 12958 * The CompletableFuture returned by this method can be completed exceptionally with the following 12959 * exceptions. 12960 * <ul> 12961 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 12962 * the request.</li> 12963 * <li>InvalidMarkerException The request was rejected because the marker that specifies where pagination 12964 * should next begin is not valid.</li> 12965 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 12966 * not valid.</li> 12967 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 12968 * found.</li> 12969 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 12970 * be retried.</li> 12971 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 12972 * Can be used for catch all scenarios.</li> 12973 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 12974 * credentials, etc.</li> 12975 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.ListRetirableGrants
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListRetirableGrants" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<ListRetirableGrantsResponse> listRetirableGrants(
            ListRetirableGrantsRequest listRetirableGrantsRequest) {
        // Default stub: the exception is thrown at call time, not delivered through the returned future.
        // Presumably a concrete client overrides this method - confirm against the implementing class.
        //
        // Review note: per the Javadoc above, authorization is evaluated only against the caller account's
        // kms:ListRetirableGrants permission, and the response may describe grants on KMS keys in other accounts,
        // so that IAM permission should be scoped deliberately.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Returns information about all grants in the Amazon Web Services account and Region that have the specified
     * retiring principal.
     * </p>
     * <p>
     * You can specify any principal in your Amazon Web Services account. The grants that are returned include grants
     * for KMS keys in your Amazon Web Services account and other Amazon Web Services accounts. You might use this
     * operation to determine which grants you may retire. To retire a grant, use the <a>RetireGrant</a> operation.
     * </p>
     * <p>
     * For detailed information about grants, including grant terminology, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html">Grants in KMS</a> in the <i> <i>Key
     * Management Service Developer Guide</i> </i>. For examples of working with grants in several programming
     * languages, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html">Programming grants</a>.
     * </p>
     * <p>
     * <b>Cross-account use</b>: You must specify a principal in your Amazon Web Services account. This operation
     * returns a list of grants where the retiring principal specified in the <code>ListRetirableGrants</code> request
     * is the same retiring principal on the grant.
This can include grants on KMS keys owned by other Amazon Web 13008 * Services accounts, but you do not need <code>kms:ListRetirableGrants</code> permission (or any other additional 13009 * permission) in any Amazon Web Services account other than your own. 13010 * </p> 13011 * <p> 13012 * <b>Required permissions</b>: <a 13013 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 13014 * >kms:ListRetirableGrants</a> (IAM policy) in your Amazon Web Services account. 13015 * </p> 13016 * <note> 13017 * <p> 13018 * KMS authorizes <code>ListRetirableGrants</code> requests by evaluating the caller account's 13019 * kms:ListRetirableGrants permissions. The authorized resource in <code>ListRetirableGrants</code> calls is the 13020 * retiring principal specified in the request. KMS does not evaluate the caller's permissions to verify their 13021 * access to any KMS keys or grants that might be returned by the <code>ListRetirableGrants</code> call. 13022 * </p> 13023 * </note> 13024 * <p> 13025 * <b>Related operations:</b> 13026 * </p> 13027 * <ul> 13028 * <li> 13029 * <p> 13030 * <a>CreateGrant</a> 13031 * </p> 13032 * </li> 13033 * <li> 13034 * <p> 13035 * <a>ListGrants</a> 13036 * </p> 13037 * </li> 13038 * <li> 13039 * <p> 13040 * <a>RetireGrant</a> 13041 * </p> 13042 * </li> 13043 * <li> 13044 * <p> 13045 * <a>RevokeGrant</a> 13046 * </p> 13047 * </li> 13048 * </ul> 13049 * <p> 13050 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 13051 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 13052 * consistency</a>. 
13053 * </p> 13054 * <br/> 13055 * <p> 13056 * This is a convenience which creates an instance of the {@link ListRetirableGrantsRequest.Builder} avoiding the 13057 * need to create one manually via {@link ListRetirableGrantsRequest#builder()} 13058 * </p> 13059 * 13060 * @param listRetirableGrantsRequest 13061 * A {@link Consumer} that will call methods on 13062 * {@link software.amazon.awssdk.services.kms.model.ListRetirableGrantsRequest.Builder} to create a request. 13063 * @return A Java Future containing the result of the ListRetirableGrants operation returned by the service.<br/> 13064 * The CompletableFuture returned by this method can be completed exceptionally with the following 13065 * exceptions. 13066 * <ul> 13067 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 13068 * the request.</li> 13069 * <li>InvalidMarkerException The request was rejected because the marker that specifies where pagination 13070 * should next begin is not valid.</li> 13071 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 13072 * not valid.</li> 13073 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 13074 * found.</li> 13075 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 13076 * be retried.</li> 13077 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 13078 * Can be used for catch all scenarios.</li> 13079 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 13080 * credentials, etc.</li> 13081 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.ListRetirableGrants
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListRetirableGrants" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<ListRetirableGrantsResponse> listRetirableGrants(
            Consumer<ListRetirableGrantsRequest.Builder> listRetirableGrantsRequest) {
        // Let the caller's mutator fill in a fresh builder, then delegate to the request-object overload.
        ListRetirableGrantsRequest builtRequest =
                ListRetirableGrantsRequest.builder().applyMutation(listRetirableGrantsRequest).build();
        return listRetirableGrants(builtRequest);
    }

    /**
     * <p>
     * This is a variant of
     * {@link #listRetirableGrants(software.amazon.awssdk.services.kms.model.ListRetirableGrantsRequest)} operation. The
     * return type is a custom publisher that can be subscribed to request a stream of response pages. SDK will
     * internally handle making service calls for you.
     * </p>
     * <p>
     * When the operation is called, an instance of this class is returned. At this point, no service calls are made yet
     * and so there is no guarantee that the request is valid. If there are errors in your request, you will see the
     * failures only after you start streaming the data. The subscribe method should be called as a request to start
     * streaming data. For more info, see
     * {@link org.reactivestreams.Publisher#subscribe(org.reactivestreams.Subscriber)}. Each call to the subscribe
     * method will result in a new {@link org.reactivestreams.Subscription} i.e., a new contract to stream data from the
     * starting request.
13108 * </p> 13109 * 13110 * <p> 13111 * The following are a few ways to use the response class: 13112 * </p> 13113 * 1) Using the subscribe helper method 13114 * 13115 * <pre> 13116 * {@code 13117 * software.amazon.awssdk.services.kms.paginators.ListRetirableGrantsPublisher publisher = client.listRetirableGrantsPaginator(request); 13118 * CompletableFuture<Void> future = publisher.subscribe(res -> { // Do something with the response }); 13119 * future.get(); 13120 * } 13121 * </pre> 13122 * 13123 * 2) Using a custom subscriber 13124 * 13125 * <pre> 13126 * {@code 13127 * software.amazon.awssdk.services.kms.paginators.ListRetirableGrantsPublisher publisher = client.listRetirableGrantsPaginator(request); 13128 * publisher.subscribe(new Subscriber<software.amazon.awssdk.services.kms.model.ListRetirableGrantsResponse>() { 13129 * 13130 * public void onSubscribe(org.reactivestreams.Subscription subscription) { //... }; 13131 * 13132 * 13133 * public void onNext(software.amazon.awssdk.services.kms.model.ListRetirableGrantsResponse response) { //... }; 13134 * });} 13135 * </pre> 13136 * 13137 * As the response is a publisher, it can work well with third party reactive streams implementations like RxJava2. 13138 * <p> 13139 * <b>Please notice that the configuration of Limit won't limit the number of results you get with the paginator. It 13140 * only limits the number of results in each page.</b> 13141 * </p> 13142 * <p> 13143 * <b>Note: If you prefer to have control on service calls, use the 13144 * {@link #listRetirableGrants(software.amazon.awssdk.services.kms.model.ListRetirableGrantsRequest)} operation.</b> 13145 * </p> 13146 * 13147 * @param listRetirableGrantsRequest 13148 * @return A custom publisher that can be subscribed to request a stream of response pages.<br/> 13149 * Once subscribed to, the publisher returned by this method can fail with the following 13150 * exceptions. 
*         <ul>
     *         <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry
     *         the request.</li>
     *         <li>InvalidMarkerException The request was rejected because the marker that specifies where pagination
     *         should next begin is not valid.</li>
     *         <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is
     *         not valid.</li>
     *         <li>NotFoundException The request was rejected because the specified entity or resource could not be
     *         found.</li>
     *         <li>KmsInternalException The request was rejected because an internal exception occurred. The request can
     *         be retried.</li>
     *         <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     *         Can be used for catch all scenarios.</li>
     *         <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     *         credentials, etc.</li>
     *         <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.ListRetirableGrants
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListRetirableGrants" target="_top">AWS API
     *      Documentation</a>
     */
    default ListRetirableGrantsPublisher listRetirableGrantsPaginator(
            ListRetirableGrantsRequest listRetirableGrantsRequest) {
        // Only wraps this client and the starting request; per the Javadoc, no service call is made until the
        // publisher is subscribed to.
        ListRetirableGrantsPublisher pagePublisher =
                new ListRetirableGrantsPublisher(this, listRetirableGrantsRequest);
        return pagePublisher;
    }

    /**
     * <p>
     * This is a variant of
     * {@link #listRetirableGrants(software.amazon.awssdk.services.kms.model.ListRetirableGrantsRequest)} operation. The
     * return type is a custom publisher that can be subscribed to request a stream of response pages.
SDK will 13182 * internally handle making service calls for you. 13183 * </p> 13184 * <p> 13185 * When the operation is called, an instance of this class is returned. At this point, no service calls are made yet 13186 * and so there is no guarantee that the request is valid. If there are errors in your request, you will see the 13187 * failures only after you start streaming the data. The subscribe method should be called as a request to start 13188 * streaming data. For more info, see 13189 * {@link org.reactivestreams.Publisher#subscribe(org.reactivestreams.Subscriber)}. Each call to the subscribe 13190 * method will result in a new {@link org.reactivestreams.Subscription} i.e., a new contract to stream data from the 13191 * starting request. 13192 * </p> 13193 * 13194 * <p> 13195 * The following are a few ways to use the response class: 13196 * </p> 13197 * 1) Using the subscribe helper method 13198 * 13199 * <pre> 13200 * {@code 13201 * software.amazon.awssdk.services.kms.paginators.ListRetirableGrantsPublisher publisher = client.listRetirableGrantsPaginator(request); 13202 * CompletableFuture<Void> future = publisher.subscribe(res -> { // Do something with the response }); 13203 * future.get(); 13204 * } 13205 * </pre> 13206 * 13207 * 2) Using a custom subscriber 13208 * 13209 * <pre> 13210 * {@code 13211 * software.amazon.awssdk.services.kms.paginators.ListRetirableGrantsPublisher publisher = client.listRetirableGrantsPaginator(request); 13212 * publisher.subscribe(new Subscriber<software.amazon.awssdk.services.kms.model.ListRetirableGrantsResponse>() { 13213 * 13214 * public void onSubscribe(org.reactivestreams.Subscription subscription) { //... }; 13215 * 13216 * 13217 * public void onNext(software.amazon.awssdk.services.kms.model.ListRetirableGrantsResponse response) { //... }; 13218 * });} 13219 * </pre> 13220 * 13221 * As the response is a publisher, it can work well with third party reactive streams implementations like RxJava2. 
13222 * <p> 13223 * <b>Please notice that the configuration of Limit won't limit the number of results you get with the paginator. It 13224 * only limits the number of results in each page.</b> 13225 * </p> 13226 * <p> 13227 * <b>Note: If you prefer to have control on service calls, use the 13228 * {@link #listRetirableGrants(software.amazon.awssdk.services.kms.model.ListRetirableGrantsRequest)} operation.</b> 13229 * </p> 13230 * <br/> 13231 * <p> 13232 * This is a convenience which creates an instance of the {@link ListRetirableGrantsRequest.Builder} avoiding the 13233 * need to create one manually via {@link ListRetirableGrantsRequest#builder()} 13234 * </p> 13235 * 13236 * @param listRetirableGrantsRequest 13237 * A {@link Consumer} that will call methods on 13238 * {@link software.amazon.awssdk.services.kms.model.ListRetirableGrantsRequest.Builder} to create a request. 13239 * @return A custom publisher that can be subscribed to request a stream of response pages.<br/> 13240 * Once subscribed to, the publisher returned by this method can fail with the following 13241 * exceptions. 13242 * <ul> 13243 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 13244 * the request.</li> 13245 * <li>InvalidMarkerException The request was rejected because the marker that specifies where pagination 13246 * should next begin is not valid.</li> 13247 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 13248 * not valid.</li> 13249 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 13250 * found.</li> 13251 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 13252 * be retried.</li> 13253 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 
*         Can be used for catch all scenarios.</li>
     *         <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     *         credentials, etc.</li>
     *         <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.ListRetirableGrants
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListRetirableGrants" target="_top">AWS API
     *      Documentation</a>
     */
    default ListRetirableGrantsPublisher listRetirableGrantsPaginator(
            Consumer<ListRetirableGrantsRequest.Builder> listRetirableGrantsRequest) {
        // Let the caller's mutator fill in a fresh builder, then delegate to the request-object paginator overload.
        ListRetirableGrantsRequest builtRequest =
                ListRetirableGrantsRequest.builder().applyMutation(listRetirableGrantsRequest).build();
        return listRetirableGrantsPaginator(builtRequest);
    }

    /**
     * <p>
     * Attaches a key policy to the specified KMS key.
     * </p>
     * <p>
     * For more information about key policies, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html">Key Policies</a> in the <i>Key
     * Management Service Developer Guide</i>. For help writing and formatting a JSON policy document, see the <a
     * href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html">IAM JSON Policy Reference</a> in
     * the <i> <i>Identity and Access Management User Guide</i> </i>. For examples of adding a key policy in multiple
     * programming languages, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-key-policies.html#put-policy">Setting a
     * key policy</a> in the <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
     * account.
13287 * </p> 13288 * <p> 13289 * <b>Required permissions</b>: <a 13290 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 13291 * >kms:PutKeyPolicy</a> (key policy) 13292 * </p> 13293 * <p> 13294 * <b>Related operations</b>: <a>GetKeyPolicy</a> 13295 * </p> 13296 * <p> 13297 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 13298 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 13299 * consistency</a>. 13300 * </p> 13301 * 13302 * @param putKeyPolicyRequest 13303 * @return A Java Future containing the result of the PutKeyPolicy operation returned by the service.<br/> 13304 * The CompletableFuture returned by this method can be completed exceptionally with the following 13305 * exceptions. 13306 * <ul> 13307 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 13308 * found.</li> 13309 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 13310 * not valid.</li> 13311 * <li>MalformedPolicyDocumentException The request was rejected because the specified policy is not 13312 * syntactically or semantically correct.</li> 13313 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 13314 * the request.</li> 13315 * <li>UnsupportedOperationException The request was rejected because a specified parameter is not supported 13316 * or a specified resource is not valid for this operation.</li> 13317 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 13318 * be retried.</li> 13319 * <li>LimitExceededException The request was rejected because a quota was exceeded. 
For more information, 13320 * see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the <i>Key 13321 * Management Service Developer Guide</i>.</li> 13322 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 13323 * valid for this request. 13324 * <p> 13325 * This exception means one of the following: 13326 * </p> 13327 * <ul> 13328 * <li> 13329 * <p> 13330 * The key state of the KMS key is not compatible with the operation. 13331 * </p> 13332 * <p> 13333 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 13334 * are compatible with each KMS operation, see <a 13335 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 13336 * the <i>Key Management Service Developer Guide</i>. 13337 * </p> 13338 * </li> 13339 * <li> 13340 * <p> 13341 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 13342 * failure with many possible causes. To identify the cause, see the error message that accompanies the 13343 * exception. 13344 * </p> 13345 * </li></ul></li> 13346 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 13347 * Can be used for catch all scenarios.</li> 13348 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 13349 * credentials, etc.</li> 13350 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.PutKeyPolicy
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/PutKeyPolicy" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<PutKeyPolicyResponse> putKeyPolicy(
            PutKeyPolicyRequest putKeyPolicyRequest) {
        // Default stub: the exception is thrown at call time, not delivered through the returned future. It is
        // unrelated to the KMS service error of the same simple name listed in the Javadoc above, which is a
        // service-side rejection. Presumably a concrete client overrides this method - confirm against the
        // implementing class.
        //
        // Review note: a key policy governs access to the KMS key, so callers should treat this request as an
        // access-control change: review the policy document before sending it, leave the request's
        // bypassPolicyLockoutSafetyCheck option unset unless the lockout risk has been reviewed, and keep
        // PutKeyPolicy calls visible in audit logs.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Attaches a key policy to the specified KMS key.
     * </p>
     * <p>
     * For more information about key policies, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html">Key Policies</a> in the <i>Key
     * Management Service Developer Guide</i>. For help writing and formatting a JSON policy document, see the <a
     * href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html">IAM JSON Policy Reference</a> in
     * the <i> <i>Identity and Access Management User Guide</i> </i>. For examples of adding a key policy in multiple
     * programming languages, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-key-policies.html#put-policy">Setting a
     * key policy</a> in the <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
     * account.
     * </p>
     * <p>
     * <b>Required permissions</b>: <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html"
     * >kms:PutKeyPolicy</a> (key policy)
     * </p>
     * <p>
     * <b>Related operations</b>: <a>GetKeyPolicy</a>
     * </p>
     * <p>
     * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model.
For more information, see <a 13389 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 13390 * consistency</a>. 13391 * </p> 13392 * <br/> 13393 * <p> 13394 * This is a convenience which creates an instance of the {@link PutKeyPolicyRequest.Builder} avoiding the need to 13395 * create one manually via {@link PutKeyPolicyRequest#builder()} 13396 * </p> 13397 * 13398 * @param putKeyPolicyRequest 13399 * A {@link Consumer} that will call methods on 13400 * {@link software.amazon.awssdk.services.kms.model.PutKeyPolicyRequest.Builder} to create a request. 13401 * @return A Java Future containing the result of the PutKeyPolicy operation returned by the service.<br/> 13402 * The CompletableFuture returned by this method can be completed exceptionally with the following 13403 * exceptions. 13404 * <ul> 13405 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 13406 * found.</li> 13407 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 13408 * not valid.</li> 13409 * <li>MalformedPolicyDocumentException The request was rejected because the specified policy is not 13410 * syntactically or semantically correct.</li> 13411 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 13412 * the request.</li> 13413 * <li>UnsupportedOperationException The request was rejected because a specified parameter is not supported 13414 * or a specified resource is not valid for this operation.</li> 13415 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 13416 * be retried.</li> 13417 * <li>LimitExceededException The request was rejected because a quota was exceeded. 
For more information,
     * see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the <i>Key
     * Management Service Developer Guide</i>.</li>
     * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not
     * valid for this request.
     * <p>
     * This exception means one of the following:
     * </p>
     * <ul>
     * <li>
     * <p>
     * The key state of the KMS key is not compatible with the operation.
     * </p>
     * <p>
     * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states
     * are compatible with each KMS operation, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
     * the <i>Key Management Service Developer Guide</i>.
     * </p>
     * </li>
     * <li>
     * <p>
     * For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     * failure with many possible causes. To identify the cause, see the error message that accompanies the
     * exception.
     * </p>
     * </li>
     * </ul>
     * </li>
     * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     * Can be used for catch all scenarios.</li>
     * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     * credentials, etc.</li>
     * <li>KmsException Base class for all service exceptions.
Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.PutKeyPolicy
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/PutKeyPolicy" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<PutKeyPolicyResponse> putKeyPolicy(Consumer<PutKeyPolicyRequest.Builder> putKeyPolicyRequest) {
        // Let the caller's consumer populate a fresh builder, then hand the finished request to the
        // request-object overload.
        PutKeyPolicyRequest builtRequest = PutKeyPolicyRequest.builder().applyMutation(putKeyPolicyRequest).build();
        return putKeyPolicy(builtRequest);
    }

    /**
     * <p>
     * Decrypts ciphertext and then reencrypts it entirely within KMS. You can use this operation to change the KMS key
     * under which data is encrypted, such as when you <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually">manually
     * rotate</a> a KMS key or change the KMS key that protects a ciphertext. You can also use it to reencrypt
     * ciphertext under the same KMS key, such as to change the <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">encryption context</a>
     * of a ciphertext.
     * </p>
     * <p>
     * The <code>ReEncrypt</code> operation can decrypt ciphertext that was encrypted by using a KMS key in a KMS
     * operation, such as <a>Encrypt</a> or <a>GenerateDataKey</a>. It can also decrypt ciphertext that was encrypted by
     * using the public key of an <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks">asymmetric
     * KMS key</a> outside of KMS.
However, it cannot decrypt ciphertext produced by other libraries, such as the <a 13475 * href="https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/">Amazon Web Services Encryption SDK</a> 13476 * or <a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html">Amazon S3 client-side 13477 * encryption</a>. These libraries return a ciphertext format that is incompatible with KMS. 13478 * </p> 13479 * <p> 13480 * When you use the <code>ReEncrypt</code> operation, you need to provide information for the decrypt operation and 13481 * the subsequent encrypt operation. 13482 * </p> 13483 * <ul> 13484 * <li> 13485 * <p> 13486 * If your ciphertext was encrypted under an asymmetric KMS key, you must use the <code>SourceKeyId</code> parameter 13487 * to identify the KMS key that encrypted the ciphertext. You must also supply the encryption algorithm that was 13488 * used. This information is required to decrypt the data. 13489 * </p> 13490 * </li> 13491 * <li> 13492 * <p> 13493 * If your ciphertext was encrypted under a symmetric encryption KMS key, the <code>SourceKeyId</code> parameter is 13494 * optional. KMS can get this information from metadata that it adds to the symmetric ciphertext blob. This feature 13495 * adds durability to your implementation by ensuring that authorized users can decrypt ciphertext decades after it 13496 * was encrypted, even if they've lost track of the key ID. However, specifying the source KMS key is always 13497 * recommended as a best practice. When you use the <code>SourceKeyId</code> parameter to specify a KMS key, KMS 13498 * uses only the KMS key you specify. If the ciphertext was encrypted under a different KMS key, the 13499 * <code>ReEncrypt</code> operation fails. This practice ensures that you use the KMS key that you intend. 
13500 * </p> 13501 * </li> 13502 * <li> 13503 * <p> 13504 * To reencrypt the data, you must use the <code>DestinationKeyId</code> parameter to specify the KMS key that 13505 * re-encrypts the data after it is decrypted. If the destination KMS key is an asymmetric KMS key, you must also 13506 * provide the encryption algorithm. The algorithm that you choose must be compatible with the KMS key. 13507 * </p> 13508 * <important> 13509 * <p> 13510 * When you use an asymmetric KMS key to encrypt or reencrypt data, be sure to record the KMS key and encryption 13511 * algorithm that you choose. You will be required to provide the same KMS key and encryption algorithm when you 13512 * decrypt the data. If the KMS key and algorithm do not match the values used to encrypt the data, the decrypt 13513 * operation fails. 13514 * </p> 13515 * <p> 13516 * You are not required to supply the key ID and encryption algorithm when you decrypt with symmetric encryption KMS 13517 * keys because KMS stores this information in the ciphertext blob. KMS cannot store metadata in ciphertext 13518 * generated with asymmetric keys. The standard format for asymmetric key ciphertext does not include configurable 13519 * fields. 13520 * </p> 13521 * </important></li> 13522 * </ul> 13523 * <p> 13524 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 13525 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 13526 * <i>Key Management Service Developer Guide</i>. 13527 * </p> 13528 * <p> 13529 * <b>Cross-account use</b>: Yes. The source KMS key and destination KMS key can be in different Amazon Web Services 13530 * accounts. Either or both KMS keys can be in a different account than the caller. To specify a KMS key in a 13531 * different account, you must use its key ARN or alias ARN. 
13532 * </p> 13533 * <p> 13534 * <b>Required permissions</b>: 13535 * </p> 13536 * <ul> 13537 * <li> 13538 * <p> 13539 * <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms: 13540 * ReEncryptFrom</a> permission on the source KMS key (key policy) 13541 * </p> 13542 * </li> 13543 * <li> 13544 * <p> 13545 * <a 13546 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:ReEncryptTo 13547 * </a> permission on the destination KMS key (key policy) 13548 * </p> 13549 * </li> 13550 * </ul> 13551 * <p> 13552 * To permit reencryption from or to a KMS key, include the <code>"kms:ReEncrypt*"</code> permission in your <a 13553 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html">key policy</a>. This permission is 13554 * automatically included in the key policy when you use the console to create a KMS key. But you must include it 13555 * manually when you create a KMS key programmatically or when you use the <a>PutKeyPolicy</a> operation to set a 13556 * key policy. 13557 * </p> 13558 * <p> 13559 * <b>Related operations:</b> 13560 * </p> 13561 * <ul> 13562 * <li> 13563 * <p> 13564 * <a>Decrypt</a> 13565 * </p> 13566 * </li> 13567 * <li> 13568 * <p> 13569 * <a>Encrypt</a> 13570 * </p> 13571 * </li> 13572 * <li> 13573 * <p> 13574 * <a>GenerateDataKey</a> 13575 * </p> 13576 * </li> 13577 * <li> 13578 * <p> 13579 * <a>GenerateDataKeyPair</a> 13580 * </p> 13581 * </li> 13582 * </ul> 13583 * <p> 13584 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 13585 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 13586 * consistency</a>. 
13587 * </p> 13588 * 13589 * @param reEncryptRequest 13590 * @return A Java Future containing the result of the ReEncrypt operation returned by the service.<br/> 13591 * The CompletableFuture returned by this method can be completed exceptionally with the following 13592 * exceptions. 13593 * <ul> 13594 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 13595 * found.</li> 13596 * <li>DisabledException The request was rejected because the specified KMS key is not enabled.</li> 13597 * <li>InvalidCiphertextException From the <a>Decrypt</a> or <a>ReEncrypt</a> operation, the request was 13598 * rejected because the specified ciphertext, or additional authenticated data incorporated into the 13599 * ciphertext, such as the encryption context, is corrupted, missing, or otherwise invalid.</p> 13600 * <p> 13601 * From the <a>ImportKeyMaterial</a> operation, the request was rejected because KMS could not decrypt the 13602 * encrypted (wrapped) key material.</li> 13603 * <li>KeyUnavailableException The request was rejected because the specified KMS key was not available. You 13604 * can retry the request.</li> 13605 * <li>IncorrectKeyException The request was rejected because the specified KMS key cannot decrypt the data. 13606 * The <code>KeyId</code> in a <a>Decrypt</a> request and the <code>SourceKeyId</code> in a <a>ReEncrypt</a> 13607 * request must identify the same KMS key that was used to encrypt the ciphertext.</li> 13608 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 13609 * the request.</li> 13610 * <li>InvalidKeyUsageException The request was rejected for one of the following reasons: </p> 13611 * <ul> 13612 * <li> 13613 * <p> 13614 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 
     * </p>
     * </li>
     * <li>
     * <p>
     * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type
     * of key material in the KMS key (<code>KeySpec</code>).
     * </p>
     * </li>
     * </ul>
     * <p>
     * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be
     * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be
     * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the
     * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a
     * KMS key, use the <a>DescribeKey</a> operation.
     * </p>
     * <p>
     * To find the encryption or signing algorithms supported for a particular KMS key, use the
     * <a>DescribeKey</a> operation.</li>
     * <li>InvalidGrantTokenException The request was rejected because the specified grant token is not valid.</li>
     * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can
     * be retried.</li>
     * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not
     * valid for this request.
     * <p>
     * This exception means one of the following:
     * </p>
     * <ul>
     * <li>
     * <p>
     * The key state of the KMS key is not compatible with the operation.
     * </p>
     * <p>
     * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states
     * are compatible with each KMS operation, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
     * the <i>Key Management Service Developer Guide</i>.
* </p>
     * </li>
     * <li>
     * <p>
     * For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     * failure with many possible causes. To identify the cause, see the error message that accompanies the
     * exception.
     * </p>
     * </li>
     * </ul>
     * </li>
     * <li>DryRunOperationException The request was rejected because the DryRun parameter was specified.</li>
     * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     * Can be used for catch all scenarios.</li>
     * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     * credentials, etc.</li>
     * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.ReEncrypt
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncrypt" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<ReEncryptResponse> reEncrypt(ReEncryptRequest reEncryptRequest) {
        // Interface default: nothing is sent; callers get this exception unless an implementation overrides it.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Decrypts ciphertext and then reencrypts it entirely within KMS. You can use this operation to change the KMS key
     * under which data is encrypted, such as when you <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually">manually
     * rotate</a> a KMS key or change the KMS key that protects a ciphertext. You can also use it to reencrypt
     * ciphertext under the same KMS key, such as to change the <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">encryption context</a>
     * of a ciphertext.
13686 * </p> 13687 * <p> 13688 * The <code>ReEncrypt</code> operation can decrypt ciphertext that was encrypted by using a KMS key in an KMS 13689 * operation, such as <a>Encrypt</a> or <a>GenerateDataKey</a>. It can also decrypt ciphertext that was encrypted by 13690 * using the public key of an <a 13691 * href="https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks">asymmetric 13692 * KMS key</a> outside of KMS. However, it cannot decrypt ciphertext produced by other libraries, such as the <a 13693 * href="https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/">Amazon Web Services Encryption SDK</a> 13694 * or <a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html">Amazon S3 client-side 13695 * encryption</a>. These libraries return a ciphertext format that is incompatible with KMS. 13696 * </p> 13697 * <p> 13698 * When you use the <code>ReEncrypt</code> operation, you need to provide information for the decrypt operation and 13699 * the subsequent encrypt operation. 13700 * </p> 13701 * <ul> 13702 * <li> 13703 * <p> 13704 * If your ciphertext was encrypted under an asymmetric KMS key, you must use the <code>SourceKeyId</code> parameter 13705 * to identify the KMS key that encrypted the ciphertext. You must also supply the encryption algorithm that was 13706 * used. This information is required to decrypt the data. 13707 * </p> 13708 * </li> 13709 * <li> 13710 * <p> 13711 * If your ciphertext was encrypted under a symmetric encryption KMS key, the <code>SourceKeyId</code> parameter is 13712 * optional. KMS can get this information from metadata that it adds to the symmetric ciphertext blob. This feature 13713 * adds durability to your implementation by ensuring that authorized users can decrypt ciphertext decades after it 13714 * was encrypted, even if they've lost track of the key ID. However, specifying the source KMS key is always 13715 * recommended as a best practice. 
When you use the <code>SourceKeyId</code> parameter to specify a KMS key, KMS 13716 * uses only the KMS key you specify. If the ciphertext was encrypted under a different KMS key, the 13717 * <code>ReEncrypt</code> operation fails. This practice ensures that you use the KMS key that you intend. 13718 * </p> 13719 * </li> 13720 * <li> 13721 * <p> 13722 * To reencrypt the data, you must use the <code>DestinationKeyId</code> parameter to specify the KMS key that 13723 * re-encrypts the data after it is decrypted. If the destination KMS key is an asymmetric KMS key, you must also 13724 * provide the encryption algorithm. The algorithm that you choose must be compatible with the KMS key. 13725 * </p> 13726 * <important> 13727 * <p> 13728 * When you use an asymmetric KMS key to encrypt or reencrypt data, be sure to record the KMS key and encryption 13729 * algorithm that you choose. You will be required to provide the same KMS key and encryption algorithm when you 13730 * decrypt the data. If the KMS key and algorithm do not match the values used to encrypt the data, the decrypt 13731 * operation fails. 13732 * </p> 13733 * <p> 13734 * You are not required to supply the key ID and encryption algorithm when you decrypt with symmetric encryption KMS 13735 * keys because KMS stores this information in the ciphertext blob. KMS cannot store metadata in ciphertext 13736 * generated with asymmetric keys. The standard format for asymmetric key ciphertext does not include configurable 13737 * fields. 13738 * </p> 13739 * </important></li> 13740 * </ul> 13741 * <p> 13742 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 13743 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 13744 * <i>Key Management Service Developer Guide</i>. 13745 * </p> 13746 * <p> 13747 * <b>Cross-account use</b>: Yes. 
The source KMS key and destination KMS key can be in different Amazon Web Services 13748 * accounts. Either or both KMS keys can be in a different account than the caller. To specify a KMS key in a 13749 * different account, you must use its key ARN or alias ARN. 13750 * </p> 13751 * <p> 13752 * <b>Required permissions</b>: 13753 * </p> 13754 * <ul> 13755 * <li> 13756 * <p> 13757 * <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms: 13758 * ReEncryptFrom</a> permission on the source KMS key (key policy) 13759 * </p> 13760 * </li> 13761 * <li> 13762 * <p> 13763 * <a 13764 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:ReEncryptTo 13765 * </a> permission on the destination KMS key (key policy) 13766 * </p> 13767 * </li> 13768 * </ul> 13769 * <p> 13770 * To permit reencryption from or to a KMS key, include the <code>"kms:ReEncrypt*"</code> permission in your <a 13771 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html">key policy</a>. This permission is 13772 * automatically included in the key policy when you use the console to create a KMS key. But you must include it 13773 * manually when you create a KMS key programmatically or when you use the <a>PutKeyPolicy</a> operation to set a 13774 * key policy. 13775 * </p> 13776 * <p> 13777 * <b>Related operations:</b> 13778 * </p> 13779 * <ul> 13780 * <li> 13781 * <p> 13782 * <a>Decrypt</a> 13783 * </p> 13784 * </li> 13785 * <li> 13786 * <p> 13787 * <a>Encrypt</a> 13788 * </p> 13789 * </li> 13790 * <li> 13791 * <p> 13792 * <a>GenerateDataKey</a> 13793 * </p> 13794 * </li> 13795 * <li> 13796 * <p> 13797 * <a>GenerateDataKeyPair</a> 13798 * </p> 13799 * </li> 13800 * </ul> 13801 * <p> 13802 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. 
For more information, see <a 13803 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 13804 * consistency</a>. 13805 * </p> 13806 * <br/> 13807 * <p> 13808 * This is a convenience which creates an instance of the {@link ReEncryptRequest.Builder} avoiding the need to 13809 * create one manually via {@link ReEncryptRequest#builder()} 13810 * </p> 13811 * 13812 * @param reEncryptRequest 13813 * A {@link Consumer} that will call methods on 13814 * {@link software.amazon.awssdk.services.kms.model.ReEncryptRequest.Builder} to create a request. 13815 * @return A Java Future containing the result of the ReEncrypt operation returned by the service.<br/> 13816 * The CompletableFuture returned by this method can be completed exceptionally with the following 13817 * exceptions. 13818 * <ul> 13819 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 13820 * found.</li> 13821 * <li>DisabledException The request was rejected because the specified KMS key is not enabled.</li> 13822 * <li>InvalidCiphertextException From the <a>Decrypt</a> or <a>ReEncrypt</a> operation, the request was 13823 * rejected because the specified ciphertext, or additional authenticated data incorporated into the 13824 * ciphertext, such as the encryption context, is corrupted, missing, or otherwise invalid.</p> 13825 * <p> 13826 * From the <a>ImportKeyMaterial</a> operation, the request was rejected because KMS could not decrypt the 13827 * encrypted (wrapped) key material.</li> 13828 * <li>KeyUnavailableException The request was rejected because the specified KMS key was not available. You 13829 * can retry the request.</li> 13830 * <li>IncorrectKeyException The request was rejected because the specified KMS key cannot decrypt the data. 
13831 * The <code>KeyId</code> in a <a>Decrypt</a> request and the <code>SourceKeyId</code> in a <a>ReEncrypt</a> 13832 * request must identify the same KMS key that was used to encrypt the ciphertext.</li> 13833 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 13834 * the request.</li> 13835 * <li>InvalidKeyUsageException The request was rejected for one of the following reasons: </p> 13836 * <ul> 13837 * <li> 13838 * <p> 13839 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 13840 * </p> 13841 * </li> 13842 * <li> 13843 * <p> 13844 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 13845 * of key material in the KMS key <code>(KeySpec</code>). 13846 * </p> 13847 * </li> 13848 * </ul> 13849 * <p> 13850 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 13851 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 13852 * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the 13853 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 13854 * KMS key, use the <a>DescribeKey</a> operation. 13855 * </p> 13856 * <p> 13857 * To find the encryption or signing algorithms supported for a particular KMS key, use the 13858 * <a>DescribeKey</a> operation.</li> 13859 * <li>InvalidGrantTokenException The request was rejected because the specified grant token is not valid.</li> 13860 * <li>KmsInternalException The request was rejected because an internal exception occurred. 
The request can 13861 * be retried.</li> 13862 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 13863 * valid for this request.</p> 13864 * <p> 13865 * This exceptions means one of the following: 13866 * </p> 13867 * <ul> 13868 * <li> 13869 * <p> 13870 * The key state of the KMS key is not compatible with the operation. 13871 * </p> 13872 * <p> 13873 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 13874 * are compatible with each KMS operation, see <a 13875 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 13876 * the <i> <i>Key Management Service Developer Guide</i> </i>. 13877 * </p> 13878 * </li> 13879 * <li> 13880 * <p> 13881 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 13882 * failure with many possible causes. To identify the cause, see the error message that accompanies the 13883 * exception. 13884 * </p> 13885 * </li></li> 13886 * <li>DryRunOperationException The request was rejected because the DryRun parameter was specified.</li> 13887 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 13888 * Can be used for catch all scenarios.</li> 13889 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 13890 * credentials, etc.</li> 13891 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.ReEncrypt
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncrypt" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<ReEncryptResponse> reEncrypt(Consumer<ReEncryptRequest.Builder> reEncryptRequest) {
        // Let the caller's consumer populate a fresh builder, then hand the finished request to the
        // request-object overload. The Javadoc above recommends setting SourceKeyId explicitly, so that
        // KMS uses only the KMS key the caller intends.
        ReEncryptRequest builtRequest = ReEncryptRequest.builder().applyMutation(reEncryptRequest).build();
        return reEncrypt(builtRequest);
    }

    /**
     * <p>
     * Replicates a multi-Region key into the specified Region. This operation creates a multi-Region replica key based
     * on a multi-Region primary key in a different Region of the same Amazon Web Services partition. You can create
     * multiple replicas of a primary key, but each must be in a different Region. To create a multi-Region primary key,
     * use the <a>CreateKey</a> operation.
     * </p>
     * <p>
     * This operation supports <i>multi-Region keys</i>, a KMS feature that lets you create multiple interoperable KMS
     * keys in different Amazon Web Services Regions. Because these KMS keys have the same key ID, key material, and
     * other metadata, you can use them interchangeably to encrypt data in one Amazon Web Services Region and decrypt it
     * in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more
     * information about multi-Region keys, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html">Multi-Region keys in
     * KMS</a> in the <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * A <i>replica key</i> is a fully-functional KMS key that can be used independently of its primary and peer replica
     * keys. A primary key and its replica keys share properties that make them interoperable.
They have the same <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-id">key ID</a> and key
     * material. They also have the same <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-spec">key spec</a>, <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-usage">key usage</a>, <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-origin">key material origin</a>,
     * and <a href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html">automatic key rotation
     * status</a>. KMS automatically synchronizes these shared properties among related multi-Region keys. All other
     * properties of a replica key can differ, including its <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html">key policy</a>, <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html">tags</a>, <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html">aliases</a>, and <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">key state</a>. KMS
     * pricing and quotas for KMS keys apply to each primary key and replica key.
     * </p>
     * <p>
     * When this operation completes, the new replica key has a transient key state of <code>Creating</code>. This key
     * state changes to <code>Enabled</code> (or <code>PendingImport</code>) after a few seconds when the process of
     * creating the new replica key is complete. While the key state is <code>Creating</code>, you can manage the key,
     * but you cannot yet use it in cryptographic operations. If you are creating and using the replica key
     * programmatically, retry on <code>KMSInvalidStateException</code> or call <code>DescribeKey</code> to check its
     * <code>KeyState</code> value before using it.
For details about the <code>Creating</code> key state, see <a 13942 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 13943 * <i>Key Management Service Developer Guide</i>. 13944 * </p> 13945 * <p> 13946 * You cannot create more than one replica of a primary key in any Region. If the Region already includes a replica 13947 * of the key you're trying to replicate, <code>ReplicateKey</code> returns an <code>AlreadyExistsException</code> 13948 * error. If the key state of the existing replica is <code>PendingDeletion</code>, you can cancel the scheduled key 13949 * deletion (<a>CancelKeyDeletion</a>) or wait for the key to be deleted. The new replica key you create will have 13950 * the same <a href= 13951 * "https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-sync-properties" 13952 * >shared properties</a> as the original replica key. 13953 * </p> 13954 * <p> 13955 * The CloudTrail log of a <code>ReplicateKey</code> operation records a <code>ReplicateKey</code> operation in the 13956 * primary key's Region and a <a>CreateKey</a> operation in the replica key's Region. 13957 * </p> 13958 * <p> 13959 * If you replicate a multi-Region primary key with imported key material, the replica key is created with no key 13960 * material. You must import the same key material that you imported into the primary key. For details, see <a 13961 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-import.html">Importing key material 13962 * into multi-Region keys</a> in the <i>Key Management Service Developer Guide</i>. 13963 * </p> 13964 * <p> 13965 * To convert a replica key to a primary key, use the <a>UpdatePrimaryRegion</a> operation. 13966 * </p> 13967 * <note> 13968 * <p> 13969 * <code>ReplicateKey</code> uses different default values for the <code>KeyPolicy</code> and <code>Tags</code> 13970 * parameters than those used in the KMS console. 
For details, see the parameter descriptions. 13971 * </p> 13972 * </note> 13973 * <p> 13974 * <b>Cross-account use</b>: No. You cannot use this operation to create a replica key in a different Amazon Web 13975 * Services account. 13976 * </p> 13977 * <p> 13978 * <b>Required permissions</b>: 13979 * </p> 13980 * <ul> 13981 * <li> 13982 * <p> 13983 * <code>kms:ReplicateKey</code> on the primary key (in the primary key's Region). Include this permission in the 13984 * primary key's key policy. 13985 * </p> 13986 * </li> 13987 * <li> 13988 * <p> 13989 * <code>kms:CreateKey</code> in an IAM policy in the replica Region. 13990 * </p> 13991 * </li> 13992 * <li> 13993 * <p> 13994 * To use the <code>Tags</code> parameter, <code>kms:TagResource</code> in an IAM policy in the replica Region. 13995 * </p> 13996 * </li> 13997 * </ul> 13998 * <p> 13999 * <b>Related operations</b> 14000 * </p> 14001 * <ul> 14002 * <li> 14003 * <p> 14004 * <a>CreateKey</a> 14005 * </p> 14006 * </li> 14007 * <li> 14008 * <p> 14009 * <a>UpdatePrimaryRegion</a> 14010 * </p> 14011 * </li> 14012 * </ul> 14013 * <p> 14014 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 14015 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 14016 * consistency</a>. 14017 * </p> 14018 * 14019 * @param replicateKeyRequest 14020 * @return A Java Future containing the result of the ReplicateKey operation returned by the service.<br/> 14021 * The CompletableFuture returned by this method can be completed exceptionally with the following 14022 * exceptions. 
14023 * <ul> 14024 * <li>AlreadyExistsException The request was rejected because it attempted to create a resource that 14025 * already exists.</li> 14026 * <li>DisabledException The request was rejected because the specified KMS key is not enabled.</li> 14027 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 14028 * not valid.</li> 14029 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 14030 * valid for this request.</p> 14031 * <p> 14032 * This exceptions means one of the following: 14033 * </p> 14034 * <ul> 14035 * <li> 14036 * <p> 14037 * The key state of the KMS key is not compatible with the operation. 14038 * </p> 14039 * <p> 14040 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 14041 * are compatible with each KMS operation, see <a 14042 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 14043 * the <i> <i>Key Management Service Developer Guide</i> </i>. 14044 * </p> 14045 * </li> 14046 * <li> 14047 * <p> 14048 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 14049 * failure with many possible causes. To identify the cause, see the error message that accompanies the 14050 * exception. 14051 * </p> 14052 * </li></li> 14053 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 14054 * be retried.</li> 14055 * <li>LimitExceededException The request was rejected because a quota was exceeded. 
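For more information,
     *         see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the <i>Key
     *         Management Service Developer Guide</i>.</li>
     *         <li>MalformedPolicyDocumentException The request was rejected because the specified policy is not
     *         syntactically or semantically correct.</li>
     *         <li>NotFoundException The request was rejected because the specified entity or resource could not be
     *         found.</li>
     *         <li>TagException The request was rejected because one or more tags are not valid.</li>
     *         <li>UnsupportedOperationException The request was rejected because a specified parameter is not supported
     *         or a specified resource is not valid for this operation.</li>
     *         <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     *         Can be used for catch all scenarios.</li>
     *         <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     *         credentials, etc.</li>
     *         <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.ReplicateKey
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReplicateKey" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<ReplicateKeyResponse> replicateKey(ReplicateKeyRequest replicateKeyRequest) {
        // Default body of this overload: it sends nothing and throws synchronously, instead of
        // returning a future that completes exceptionally. A client implementation has to
        // override it before ReplicateKey can be used.
        //
        // NOTE(review): the Javadoc above lists the key policy among the replica properties that
        // are not synchronized with the primary key, and says ReplicateKey has its own defaults
        // for KeyPolicy and Tags. Callers that need the replica to carry the same access rules as
        // the primary should set KeyPolicy on the request rather than rely on that default.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Replicates a multi-Region key into the specified Region. This operation creates a multi-Region replica key based
     * on a multi-Region primary key in a different Region of the same Amazon Web Services partition. You can create
     * multiple replicas of a primary key, but each must be in a different Region.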
To create a multi-Region primary key, 14085 * use the <a>CreateKey</a> operation. 14086 * </p> 14087 * <p> 14088 * This operation supports <i>multi-Region keys</i>, an KMS feature that lets you create multiple interoperable KMS 14089 * keys in different Amazon Web Services Regions. Because these KMS keys have the same key ID, key material, and 14090 * other metadata, you can use them interchangeably to encrypt data in one Amazon Web Services Region and decrypt it 14091 * in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more 14092 * information about multi-Region keys, see <a 14093 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html">Multi-Region keys in 14094 * KMS</a> in the <i>Key Management Service Developer Guide</i>. 14095 * </p> 14096 * <p> 14097 * A <i>replica key</i> is a fully-functional KMS key that can be used independently of its primary and peer replica 14098 * keys. A primary key and its replica keys share properties that make them interoperable. They have the same <a 14099 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-id">key ID</a> and key 14100 * material. They also have the same <a 14101 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-spec">key spec</a>, <a 14102 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-usage">key usage</a>, <a 14103 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-origin">key material origin</a>, 14104 * and <a href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html">automatic key rotation 14105 * status</a>. KMS automatically synchronizes these shared properties among related multi-Region keys. 
All other 14106 * properties of a replica key can differ, including its <a 14107 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html">key policy</a>, <a 14108 * href="https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html">tags</a>, <a 14109 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html">aliases</a>, and <a 14110 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a>. KMS 14111 * pricing and quotas for KMS keys apply to each primary key and replica key. 14112 * </p> 14113 * <p> 14114 * When this operation completes, the new replica key has a transient key state of <code>Creating</code>. This key 14115 * state changes to <code>Enabled</code> (or <code>PendingImport</code>) after a few seconds when the process of 14116 * creating the new replica key is complete. While the key state is <code>Creating</code>, you can manage key, but 14117 * you cannot yet use it in cryptographic operations. If you are creating and using the replica key 14118 * programmatically, retry on <code>KMSInvalidStateException</code> or call <code>DescribeKey</code> to check its 14119 * <code>KeyState</code> value before using it. For details about the <code>Creating</code> key state, see <a 14120 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 14121 * <i>Key Management Service Developer Guide</i>. 14122 * </p> 14123 * <p> 14124 * You cannot create more than one replica of a primary key in any Region. If the Region already includes a replica 14125 * of the key you're trying to replicate, <code>ReplicateKey</code> returns an <code>AlreadyExistsException</code> 14126 * error. If the key state of the existing replica is <code>PendingDeletion</code>, you can cancel the scheduled key 14127 * deletion (<a>CancelKeyDeletion</a>) or wait for the key to be deleted. 
The new replica key you create will have 14128 * the same <a href= 14129 * "https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-sync-properties" 14130 * >shared properties</a> as the original replica key. 14131 * </p> 14132 * <p> 14133 * The CloudTrail log of a <code>ReplicateKey</code> operation records a <code>ReplicateKey</code> operation in the 14134 * primary key's Region and a <a>CreateKey</a> operation in the replica key's Region. 14135 * </p> 14136 * <p> 14137 * If you replicate a multi-Region primary key with imported key material, the replica key is created with no key 14138 * material. You must import the same key material that you imported into the primary key. For details, see <a 14139 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-import.html">Importing key material 14140 * into multi-Region keys</a> in the <i>Key Management Service Developer Guide</i>. 14141 * </p> 14142 * <p> 14143 * To convert a replica key to a primary key, use the <a>UpdatePrimaryRegion</a> operation. 14144 * </p> 14145 * <note> 14146 * <p> 14147 * <code>ReplicateKey</code> uses different default values for the <code>KeyPolicy</code> and <code>Tags</code> 14148 * parameters than those used in the KMS console. For details, see the parameter descriptions. 14149 * </p> 14150 * </note> 14151 * <p> 14152 * <b>Cross-account use</b>: No. You cannot use this operation to create a replica key in a different Amazon Web 14153 * Services account. 14154 * </p> 14155 * <p> 14156 * <b>Required permissions</b>: 14157 * </p> 14158 * <ul> 14159 * <li> 14160 * <p> 14161 * <code>kms:ReplicateKey</code> on the primary key (in the primary key's Region). Include this permission in the 14162 * primary key's key policy. 14163 * </p> 14164 * </li> 14165 * <li> 14166 * <p> 14167 * <code>kms:CreateKey</code> in an IAM policy in the replica Region. 
14168 * </p> 14169 * </li> 14170 * <li> 14171 * <p> 14172 * To use the <code>Tags</code> parameter, <code>kms:TagResource</code> in an IAM policy in the replica Region. 14173 * </p> 14174 * </li> 14175 * </ul> 14176 * <p> 14177 * <b>Related operations</b> 14178 * </p> 14179 * <ul> 14180 * <li> 14181 * <p> 14182 * <a>CreateKey</a> 14183 * </p> 14184 * </li> 14185 * <li> 14186 * <p> 14187 * <a>UpdatePrimaryRegion</a> 14188 * </p> 14189 * </li> 14190 * </ul> 14191 * <p> 14192 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 14193 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 14194 * consistency</a>. 14195 * </p> 14196 * <br/> 14197 * <p> 14198 * This is a convenience which creates an instance of the {@link ReplicateKeyRequest.Builder} avoiding the need to 14199 * create one manually via {@link ReplicateKeyRequest#builder()} 14200 * </p> 14201 * 14202 * @param replicateKeyRequest 14203 * A {@link Consumer} that will call methods on 14204 * {@link software.amazon.awssdk.services.kms.model.ReplicateKeyRequest.Builder} to create a request. 14205 * @return A Java Future containing the result of the ReplicateKey operation returned by the service.<br/> 14206 * The CompletableFuture returned by this method can be completed exceptionally with the following 14207 * exceptions. 
14208 * <ul> 14209 * <li>AlreadyExistsException The request was rejected because it attempted to create a resource that 14210 * already exists.</li> 14211 * <li>DisabledException The request was rejected because the specified KMS key is not enabled.</li> 14212 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 14213 * not valid.</li> 14214 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 14215 * valid for this request.</p> 14216 * <p> 14217 * This exceptions means one of the following: 14218 * </p> 14219 * <ul> 14220 * <li> 14221 * <p> 14222 * The key state of the KMS key is not compatible with the operation. 14223 * </p> 14224 * <p> 14225 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 14226 * are compatible with each KMS operation, see <a 14227 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 14228 * the <i> <i>Key Management Service Developer Guide</i> </i>. 14229 * </p> 14230 * </li> 14231 * <li> 14232 * <p> 14233 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 14234 * failure with many possible causes. To identify the cause, see the error message that accompanies the 14235 * exception. 14236 * </p> 14237 * </li></li> 14238 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 14239 * be retried.</li> 14240 * <li>LimitExceededException The request was rejected because a quota was exceeded. 
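For more information,
     *         see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the <i>Key
     *         Management Service Developer Guide</i>.</li>
     *         <li>MalformedPolicyDocumentException The request was rejected because the specified policy is not
     *         syntactically or semantically correct.</li>
     *         <li>NotFoundException The request was rejected because the specified entity or resource could not be
     *         found.</li>
     *         <li>TagException The request was rejected because one or more tags are not valid.</li>
     *         <li>UnsupportedOperationException The request was rejected because a specified parameter is not supported
     *         or a specified resource is not valid for this operation.</li>
     *         <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     *         Can be used for catch all scenarios.</li>
     *         <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     *         credentials, etc.</li>
     *         <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.ReplicateKey
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReplicateKey" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<ReplicateKeyResponse> replicateKey(Consumer<ReplicateKeyRequest.Builder> replicateKeyRequest) {
        // The consumer fills in a fresh builder; the built request is then passed to the
        // request-object overload, so this overload adds no behavior of its own.
        return replicateKey(ReplicateKeyRequest.builder().applyMutation(replicateKeyRequest).build());
    }

    /**
     * <p>
     * Deletes a grant. Typically, you retire a grant when you no longer need its permissions. To identify the grant to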
To identify the grant to 14268 * retire, use a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token">grant 14269 * token</a>, or both the grant ID and a key identifier (key ID or key ARN) of the KMS key. The <a>CreateGrant</a> 14270 * operation returns both values. 14271 * </p> 14272 * <p> 14273 * This operation can be called by the <i>retiring principal</i> for a grant, by the <i>grantee principal</i> if the 14274 * grant allows the <code>RetireGrant</code> operation, and by the Amazon Web Services account in which the grant is 14275 * created. It can also be called by principals to whom permission for retiring a grant is delegated. For details, 14276 * see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete">Retiring and 14277 * revoking grants</a> in the <i>Key Management Service Developer Guide</i>. 14278 * </p> 14279 * <p> 14280 * For detailed information about grants, including grant terminology, see <a 14281 * href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html">Grants in KMS</a> in the <i> <i>Key 14282 * Management Service Developer Guide</i> </i>. For examples of working with grants in several programming 14283 * languages, see <a 14284 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html">Programming grants</a>. 14285 * </p> 14286 * <p> 14287 * <b>Cross-account use</b>: Yes. You can retire a grant on a KMS key in a different Amazon Web Services account. 14288 * </p> 14289 * <p> 14290 * <b>Required permissions</b>: Permission to retire a grant is determined primarily by the grant. For details, see 14291 * <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete">Retiring and 14292 * revoking grants</a> in the <i>Key Management Service Developer Guide</i>. 
14293 * </p> 14294 * <p> 14295 * <b>Related operations:</b> 14296 * </p> 14297 * <ul> 14298 * <li> 14299 * <p> 14300 * <a>CreateGrant</a> 14301 * </p> 14302 * </li> 14303 * <li> 14304 * <p> 14305 * <a>ListGrants</a> 14306 * </p> 14307 * </li> 14308 * <li> 14309 * <p> 14310 * <a>ListRetirableGrants</a> 14311 * </p> 14312 * </li> 14313 * <li> 14314 * <p> 14315 * <a>RevokeGrant</a> 14316 * </p> 14317 * </li> 14318 * </ul> 14319 * <p> 14320 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 14321 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 14322 * consistency</a>. 14323 * </p> 14324 * 14325 * @param retireGrantRequest 14326 * @return A Java Future containing the result of the RetireGrant operation returned by the service.<br/> 14327 * The CompletableFuture returned by this method can be completed exceptionally with the following 14328 * exceptions. 14329 * <ul> 14330 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 14331 * not valid.</li> 14332 * <li>InvalidGrantTokenException The request was rejected because the specified grant token is not valid.</li> 14333 * <li>InvalidGrantIdException The request was rejected because the specified <code>GrantId</code> is not 14334 * valid.</li> 14335 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 14336 * found.</li> 14337 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 14338 * the request.</li> 14339 * <li>KmsInternalException The request was rejected because an internal exception occurred. 
The request can 14340 * be retried.</li> 14341 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 14342 * valid for this request.</p> 14343 * <p> 14344 * This exceptions means one of the following: 14345 * </p> 14346 * <ul> 14347 * <li> 14348 * <p> 14349 * The key state of the KMS key is not compatible with the operation. 14350 * </p> 14351 * <p> 14352 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 14353 * are compatible with each KMS operation, see <a 14354 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 14355 * the <i> <i>Key Management Service Developer Guide</i> </i>. 14356 * </p> 14357 * </li> 14358 * <li> 14359 * <p> 14360 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 14361 * failure with many possible causes. To identify the cause, see the error message that accompanies the 14362 * exception. 14363 * </p> 14364 * </li></li> 14365 * <li>DryRunOperationException The request was rejected because the DryRun parameter was specified.</li> 14366 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 14367 * Can be used for catch all scenarios.</li> 14368 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 14369 * credentials, etc.</li> 14370 * <li>KmsException Base class for all service exceptions. 
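Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.RetireGrant
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RetireGrant" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<RetireGrantResponse> retireGrant(RetireGrantRequest retireGrantRequest) {
        // Default body of this overload: it sends nothing and throws synchronously, instead of
        // returning a future that completes exceptionally. A client implementation has to
        // override it before RetireGrant can be used.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Deletes a grant. Typically, you retire a grant when you no longer need its permissions. To identify the grant to
     * retire, use a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token">grant
     * token</a>, or both the grant ID and a key identifier (key ID or key ARN) of the KMS key. The <a>CreateGrant</a>
     * operation returns both values.
     * </p>
     * <p>
     * This operation can be called by the <i>retiring principal</i> for a grant, by the <i>grantee principal</i> if the
     * grant allows the <code>RetireGrant</code> operation, and by the Amazon Web Services account in which the grant is
     * created. It can also be called by principals to whom permission for retiring a grant is delegated. For details,
     * see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete">Retiring and
     * revoking grants</a> in the <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * For detailed information about grants, including grant terminology, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html">Grants in KMS</a> in the <i> <i>Key
     * Management Service Developer Guide</i> </i>. For examples of working with grants in several programming
     * languages, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html">Programming grants</a>.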
14401 * </p> 14402 * <p> 14403 * <b>Cross-account use</b>: Yes. You can retire a grant on a KMS key in a different Amazon Web Services account. 14404 * </p> 14405 * <p> 14406 * <b>Required permissions</b>: Permission to retire a grant is determined primarily by the grant. For details, see 14407 * <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete">Retiring and 14408 * revoking grants</a> in the <i>Key Management Service Developer Guide</i>. 14409 * </p> 14410 * <p> 14411 * <b>Related operations:</b> 14412 * </p> 14413 * <ul> 14414 * <li> 14415 * <p> 14416 * <a>CreateGrant</a> 14417 * </p> 14418 * </li> 14419 * <li> 14420 * <p> 14421 * <a>ListGrants</a> 14422 * </p> 14423 * </li> 14424 * <li> 14425 * <p> 14426 * <a>ListRetirableGrants</a> 14427 * </p> 14428 * </li> 14429 * <li> 14430 * <p> 14431 * <a>RevokeGrant</a> 14432 * </p> 14433 * </li> 14434 * </ul> 14435 * <p> 14436 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 14437 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 14438 * consistency</a>. 14439 * </p> 14440 * <br/> 14441 * <p> 14442 * This is a convenience which creates an instance of the {@link RetireGrantRequest.Builder} avoiding the need to 14443 * create one manually via {@link RetireGrantRequest#builder()} 14444 * </p> 14445 * 14446 * @param retireGrantRequest 14447 * A {@link Consumer} that will call methods on 14448 * {@link software.amazon.awssdk.services.kms.model.RetireGrantRequest.Builder} to create a request. 14449 * @return A Java Future containing the result of the RetireGrant operation returned by the service.<br/> 14450 * The CompletableFuture returned by this method can be completed exceptionally with the following 14451 * exceptions. 
14452 * <ul> 14453 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 14454 * not valid.</li> 14455 * <li>InvalidGrantTokenException The request was rejected because the specified grant token is not valid.</li> 14456 * <li>InvalidGrantIdException The request was rejected because the specified <code>GrantId</code> is not 14457 * valid.</li> 14458 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 14459 * found.</li> 14460 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 14461 * the request.</li> 14462 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 14463 * be retried.</li> 14464 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 14465 * valid for this request.</p> 14466 * <p> 14467 * This exceptions means one of the following: 14468 * </p> 14469 * <ul> 14470 * <li> 14471 * <p> 14472 * The key state of the KMS key is not compatible with the operation. 14473 * </p> 14474 * <p> 14475 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 14476 * are compatible with each KMS operation, see <a 14477 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 14478 * the <i> <i>Key Management Service Developer Guide</i> </i>. 14479 * </p> 14480 * </li> 14481 * <li> 14482 * <p> 14483 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 14484 * failure with many possible causes. To identify the cause, see the error message that accompanies the 14485 * exception. 
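*         </p>
     *         </li></ul></li>
     *         <li>DryRunOperationException The request was rejected because the DryRun parameter was specified.</li>
     *         <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     *         Can be used for catch all scenarios.</li>
     *         <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     *         credentials, etc.</li>
     *         <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.RetireGrant
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RetireGrant" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<RetireGrantResponse> retireGrant(Consumer<RetireGrantRequest.Builder> retireGrantRequest) {
        // The consumer fills in a fresh builder; the built request is then passed to the
        // request-object overload, so this overload adds no behavior of its own.
        return retireGrant(RetireGrantRequest.builder().applyMutation(retireGrantRequest).build());
    }

    /**
     * <p>
     * Deletes a grant. Typically, you retire a grant when you no longer need its permissions. To identify the grant to
     * retire, use a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token">grant
     * token</a>, or both the grant ID and a key identifier (key ID or key ARN) of the KMS key. The <a>CreateGrant</a>
     * operation returns both values.
     * </p>
     * <p>
     * This operation can be called by the <i>retiring principal</i> for a grant, by the <i>grantee principal</i> if the
     * grant allows the <code>RetireGrant</code> operation, and by the Amazon Web Services account in which the grant is
     * created. It can also be called by principals to whom permission for retiring a grant is delegated.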
For details, 14515 * see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete">Retiring and 14516 * revoking grants</a> in the <i>Key Management Service Developer Guide</i>. 14517 * </p> 14518 * <p> 14519 * For detailed information about grants, including grant terminology, see <a 14520 * href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html">Grants in KMS</a> in the <i> <i>Key 14521 * Management Service Developer Guide</i> </i>. For examples of working with grants in several programming 14522 * languages, see <a 14523 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html">Programming grants</a>. 14524 * </p> 14525 * <p> 14526 * <b>Cross-account use</b>: Yes. You can retire a grant on a KMS key in a different Amazon Web Services account. 14527 * </p> 14528 * <p> 14529 * <b>Required permissions</b>: Permission to retire a grant is determined primarily by the grant. For details, see 14530 * <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete">Retiring and 14531 * revoking grants</a> in the <i>Key Management Service Developer Guide</i>. 14532 * </p> 14533 * <p> 14534 * <b>Related operations:</b> 14535 * </p> 14536 * <ul> 14537 * <li> 14538 * <p> 14539 * <a>CreateGrant</a> 14540 * </p> 14541 * </li> 14542 * <li> 14543 * <p> 14544 * <a>ListGrants</a> 14545 * </p> 14546 * </li> 14547 * <li> 14548 * <p> 14549 * <a>ListRetirableGrants</a> 14550 * </p> 14551 * </li> 14552 * <li> 14553 * <p> 14554 * <a>RevokeGrant</a> 14555 * </p> 14556 * </li> 14557 * </ul> 14558 * <p> 14559 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 14560 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 14561 * consistency</a>. 
14562 * </p> 14563 * 14564 * @return A Java Future containing the result of the RetireGrant operation returned by the service.<br/> 14565 * The CompletableFuture returned by this method can be completed exceptionally with the following 14566 * exceptions. 14567 * <ul> 14568 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 14569 * not valid.</li> 14570 * <li>InvalidGrantTokenException The request was rejected because the specified grant token is not valid.</li> 14571 * <li>InvalidGrantIdException The request was rejected because the specified <code>GrantId</code> is not 14572 * valid.</li> 14573 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 14574 * found.</li> 14575 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 14576 * the request.</li> 14577 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 14578 * be retried.</li> 14579 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 14580 * valid for this request.</p> 14581 * <p> 14582 * This exceptions means one of the following: 14583 * </p> 14584 * <ul> 14585 * <li> 14586 * <p> 14587 * The key state of the KMS key is not compatible with the operation. 14588 * </p> 14589 * <p> 14590 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 14591 * are compatible with each KMS operation, see <a 14592 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 14593 * the <i> <i>Key Management Service Developer Guide</i> </i>. 14594 * </p> 14595 * </li> 14596 * <li> 14597 * <p> 14598 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 14599 * failure with many possible causes. 
To identify the cause, see the error message that accompanies the exception.
     * </p>
     * </li>
     * </ul>
     * </li>
     * <li>DryRunOperationException The request was rejected because the DryRun parameter was specified.</li>
     * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     * Can be used for catch all scenarios.</li>
     * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     * credentials, etc.</li>
     * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.RetireGrant
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RetireGrant" target="_top">AWS API
     * Documentation</a>
     */
    default CompletableFuture<RetireGrantResponse> retireGrant() {
        // No-argument convenience overload: nothing is set on the builder, so the request that is sent names
        // no grant token, key or grant ID.
        // NOTE(review): presumably the service rejects such a request - confirm, and prefer
        // retireGrant(RetireGrantRequest) whenever a specific grant has to be retired.
        RetireGrantRequest emptyRequest = RetireGrantRequest.builder().build();
        return retireGrant(emptyRequest);
    }

    /**
     * <p>
     * Deletes the specified grant. You revoke a grant to terminate the permissions that the grant allows. For more
     * information, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/managing-grants.html#grant-delete">Retiring and
     * revoking grants</a> in the <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * When you create, retire, or revoke a grant, there might be a brief delay, usually less than five minutes, until
     * the grant is available throughout KMS. This state is known as <i>eventual consistency</i>. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-eventual-consistency">Eventual
     * consistency</a> in the <i>Key Management Service Developer Guide</i>. For a revocation this means the grant's
     * permissions might remain usable for a short time after the call succeeds, so do not treat completion of the
     * returned future as proof that access has already ended.
14631 * </p> 14632 * <p> 14633 * For detailed information about grants, including grant terminology, see <a 14634 * href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html">Grants in KMS</a> in the <i> <i>Key 14635 * Management Service Developer Guide</i> </i>. For examples of working with grants in several programming 14636 * languages, see <a 14637 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html">Programming grants</a>. 14638 * </p> 14639 * <p> 14640 * <b>Cross-account use</b>: Yes. To perform this operation on a KMS key in a different Amazon Web Services account, 14641 * specify the key ARN in the value of the <code>KeyId</code> parameter. 14642 * </p> 14643 * <p> 14644 * <b>Required permissions</b>: <a 14645 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 14646 * >kms:RevokeGrant</a> (key policy). 14647 * </p> 14648 * <p> 14649 * <b>Related operations:</b> 14650 * </p> 14651 * <ul> 14652 * <li> 14653 * <p> 14654 * <a>CreateGrant</a> 14655 * </p> 14656 * </li> 14657 * <li> 14658 * <p> 14659 * <a>ListGrants</a> 14660 * </p> 14661 * </li> 14662 * <li> 14663 * <p> 14664 * <a>ListRetirableGrants</a> 14665 * </p> 14666 * </li> 14667 * <li> 14668 * <p> 14669 * <a>RetireGrant</a> 14670 * </p> 14671 * </li> 14672 * </ul> 14673 * <p> 14674 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 14675 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 14676 * consistency</a>. 14677 * </p> 14678 * 14679 * @param revokeGrantRequest 14680 * @return A Java Future containing the result of the RevokeGrant operation returned by the service.<br/> 14681 * The CompletableFuture returned by this method can be completed exceptionally with the following 14682 * exceptions. 
14683 * <ul> 14684 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 14685 * found.</li> 14686 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 14687 * the request.</li> 14688 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 14689 * not valid.</li> 14690 * <li>InvalidGrantIdException The request was rejected because the specified <code>GrantId</code> is not 14691 * valid.</li> 14692 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 14693 * be retried.</li> 14694 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 14695 * valid for this request.</p> 14696 * <p> 14697 * This exceptions means one of the following: 14698 * </p> 14699 * <ul> 14700 * <li> 14701 * <p> 14702 * The key state of the KMS key is not compatible with the operation. 14703 * </p> 14704 * <p> 14705 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 14706 * are compatible with each KMS operation, see <a 14707 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 14708 * the <i> <i>Key Management Service Developer Guide</i> </i>. 14709 * </p> 14710 * </li> 14711 * <li> 14712 * <p> 14713 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 14714 * failure with many possible causes. To identify the cause, see the error message that accompanies the 14715 * exception. 14716 * </p> 14717 * </li></li> 14718 * <li>DryRunOperationException The request was rejected because the DryRun parameter was specified.</li> 14719 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 
* Can be used for catch all scenarios.</li>
     * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     * credentials, etc.</li>
     * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @throws UnsupportedOperationException
     *         always, from this default implementation; it is thrown to the caller directly rather than
     *         delivered through the returned future
     * @sample KmsAsyncClient.RevokeGrant
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RevokeGrant" target="_top">AWS API
     * Documentation</a>
     */
    default CompletableFuture<RevokeGrantResponse> revokeGrant(RevokeGrantRequest revokeGrantRequest) {
        // The default body performs no revocation. The exception leaves this method synchronously, so a caller
        // that only attaches handlers to the returned future never sees it there.
        // NOTE(review): concrete clients presumably override this method - confirm against the implementation.
        final UnsupportedOperationException unsupported = new UnsupportedOperationException();
        throw unsupported;
    }

    /**
     * <p>
     * Deletes the specified grant. You revoke a grant to terminate the permissions that the grant allows. For more
     * information, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/managing-grants.html#grant-delete">Retiring and
     * revoking grants</a> in the <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * When you create, retire, or revoke a grant, there might be a brief delay, usually less than five minutes, until
     * the grant is available throughout KMS. This state is known as <i>eventual consistency</i>. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-eventual-consistency">Eventual
     * consistency</a> in the <i>Key Management Service Developer Guide</i>. For a revocation this means the grant's
     * permissions might remain usable for a short time after the call succeeds, so do not treat completion of the
     * returned future as proof that access has already ended.
     * </p>
     * <p>
     * For detailed information about grants, including grant terminology, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html">Grants in KMS</a> in the <i>Key
     * Management Service Developer Guide</i>.
For examples of working with grants in several programming 14751 * languages, see <a 14752 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html">Programming grants</a>. 14753 * </p> 14754 * <p> 14755 * <b>Cross-account use</b>: Yes. To perform this operation on a KMS key in a different Amazon Web Services account, 14756 * specify the key ARN in the value of the <code>KeyId</code> parameter. 14757 * </p> 14758 * <p> 14759 * <b>Required permissions</b>: <a 14760 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 14761 * >kms:RevokeGrant</a> (key policy). 14762 * </p> 14763 * <p> 14764 * <b>Related operations:</b> 14765 * </p> 14766 * <ul> 14767 * <li> 14768 * <p> 14769 * <a>CreateGrant</a> 14770 * </p> 14771 * </li> 14772 * <li> 14773 * <p> 14774 * <a>ListGrants</a> 14775 * </p> 14776 * </li> 14777 * <li> 14778 * <p> 14779 * <a>ListRetirableGrants</a> 14780 * </p> 14781 * </li> 14782 * <li> 14783 * <p> 14784 * <a>RetireGrant</a> 14785 * </p> 14786 * </li> 14787 * </ul> 14788 * <p> 14789 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 14790 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 14791 * consistency</a>. 14792 * </p> 14793 * <br/> 14794 * <p> 14795 * This is a convenience which creates an instance of the {@link RevokeGrantRequest.Builder} avoiding the need to 14796 * create one manually via {@link RevokeGrantRequest#builder()} 14797 * </p> 14798 * 14799 * @param revokeGrantRequest 14800 * A {@link Consumer} that will call methods on 14801 * {@link software.amazon.awssdk.services.kms.model.RevokeGrantRequest.Builder} to create a request. 
14802 * @return A Java Future containing the result of the RevokeGrant operation returned by the service.<br/> 14803 * The CompletableFuture returned by this method can be completed exceptionally with the following 14804 * exceptions. 14805 * <ul> 14806 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 14807 * found.</li> 14808 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 14809 * the request.</li> 14810 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 14811 * not valid.</li> 14812 * <li>InvalidGrantIdException The request was rejected because the specified <code>GrantId</code> is not 14813 * valid.</li> 14814 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 14815 * be retried.</li> 14816 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 14817 * valid for this request.</p> 14818 * <p> 14819 * This exceptions means one of the following: 14820 * </p> 14821 * <ul> 14822 * <li> 14823 * <p> 14824 * The key state of the KMS key is not compatible with the operation. 14825 * </p> 14826 * <p> 14827 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 14828 * are compatible with each KMS operation, see <a 14829 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 14830 * the <i> <i>Key Management Service Developer Guide</i> </i>. 14831 * </p> 14832 * </li> 14833 * <li> 14834 * <p> 14835 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 14836 * failure with many possible causes. To identify the cause, see the error message that accompanies the 14837 * exception. 
* </p>
     * </li>
     * </ul>
     * </li>
     * <li>DryRunOperationException The request was rejected because the DryRun parameter was specified.</li>
     * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     * Can be used for catch all scenarios.</li>
     * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     * credentials, etc.</li>
     * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.RevokeGrant
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RevokeGrant" target="_top">AWS API
     * Documentation</a>
     */
    default CompletableFuture<RevokeGrantResponse> revokeGrant(Consumer<RevokeGrantRequest.Builder> revokeGrantRequest) {
        // Let the caller's consumer configure a fresh builder, then hand the finished request to the
        // RevokeGrantRequest overload, which does the actual work.
        RevokeGrantRequest builtRequest = RevokeGrantRequest.builder().applyMutation(revokeGrantRequest).build();
        return revokeGrant(builtRequest);
    }

    /**
     * <p>
     * Schedules the deletion of a KMS key. By default, KMS applies a waiting period of 30 days, but you can specify a
     * waiting period of 7-30 days. When this operation is successful, the key state of the KMS key changes to
     * <code>PendingDeletion</code> and the key can't be used in any cryptographic operations. It remains in this state
     * for the duration of the waiting period. Before the waiting period ends, you can use <a>CancelKeyDeletion</a> to
     * cancel the deletion of the KMS key. After the waiting period ends, KMS deletes the KMS key, its key material, and
     * all KMS data associated with it, including all aliases that refer to it.
     * </p>
     * <important>
     * <p>
     * Deleting a KMS key is a destructive and potentially dangerous operation.
When a KMS key is deleted, all data that
     * was encrypted under the KMS key is unrecoverable. (The only exception is a <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html">multi-Region replica
     * key</a>, or an <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-managing.html#import-delete-key">asymmetric or
     * HMAC KMS key with imported key material</a>.) To prevent the use of a KMS key without deleting it, use
     * <a>DisableKey</a>.
     * </p>
     * </important>
     * <p>
     * You can schedule the deletion of a multi-Region primary key and its replica keys at any time. However, KMS will
     * not delete a multi-Region primary key with existing replica keys. If you schedule the deletion of a primary key
     * with replicas, its key state changes to <code>PendingReplicaDeletion</code> and it cannot be replicated or used
     * in cryptographic operations. This status can continue indefinitely. When the last of its replica keys is deleted
     * (not just scheduled), the key state of the primary key changes to <code>PendingDeletion</code> and its waiting
     * period (<code>PendingWindowInDays</code>) begins. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html">Deleting multi-Region
     * keys</a> in the <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * When KMS <a href="https://docs.aws.amazon.com/kms/latest/developerguide/delete-cmk-keystore.html">deletes a KMS
     * key from a CloudHSM key store</a>, it makes a best effort to delete the associated key material from the
     * associated CloudHSM cluster. However, you might need to manually <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key">delete
     * the orphaned key material</a> from the cluster and its backups.
<a 14891 * href="https://docs.aws.amazon.com/kms/latest/developerguide/delete-xks-key.html">Deleting a KMS key from an 14892 * external key store</a> has no effect on the associated external key. However, for both types of custom key 14893 * stores, deleting a KMS key is destructive and irreversible. You cannot decrypt ciphertext encrypted under the KMS 14894 * key by using only its associated external key or CloudHSM key. Also, you cannot recreate a KMS key in an external 14895 * key store by creating a new KMS key with the same key material. 14896 * </p> 14897 * <p> 14898 * For more information about scheduling a KMS key for deletion, see <a 14899 * href="https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html">Deleting KMS keys</a> in the 14900 * <i>Key Management Service Developer Guide</i>. 14901 * </p> 14902 * <p> 14903 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 14904 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 14905 * <i>Key Management Service Developer Guide</i>. 14906 * </p> 14907 * <p> 14908 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 14909 * account. 14910 * </p> 14911 * <p> 14912 * <b>Required permissions</b>: kms:ScheduleKeyDeletion (key policy) 14913 * </p> 14914 * <p> 14915 * <b>Related operations</b> 14916 * </p> 14917 * <ul> 14918 * <li> 14919 * <p> 14920 * <a>CancelKeyDeletion</a> 14921 * </p> 14922 * </li> 14923 * <li> 14924 * <p> 14925 * <a>DisableKey</a> 14926 * </p> 14927 * </li> 14928 * </ul> 14929 * <p> 14930 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 14931 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 14932 * consistency</a>. 
14933 * </p> 14934 * 14935 * @param scheduleKeyDeletionRequest 14936 * @return A Java Future containing the result of the ScheduleKeyDeletion operation returned by the service.<br/> 14937 * The CompletableFuture returned by this method can be completed exceptionally with the following 14938 * exceptions. 14939 * <ul> 14940 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 14941 * found.</li> 14942 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 14943 * not valid.</li> 14944 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 14945 * the request.</li> 14946 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 14947 * be retried.</li> 14948 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 14949 * valid for this request.</p> 14950 * <p> 14951 * This exceptions means one of the following: 14952 * </p> 14953 * <ul> 14954 * <li> 14955 * <p> 14956 * The key state of the KMS key is not compatible with the operation. 14957 * </p> 14958 * <p> 14959 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 14960 * are compatible with each KMS operation, see <a 14961 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 14962 * the <i> <i>Key Management Service Developer Guide</i> </i>. 14963 * </p> 14964 * </li> 14965 * <li> 14966 * <p> 14967 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 14968 * failure with many possible causes. To identify the cause, see the error message that accompanies the 14969 * exception. 
* </p>
     * </li>
     * </ul>
     * </li>
     * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     * Can be used for catch all scenarios.</li>
     * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     * credentials, etc.</li>
     * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @throws UnsupportedOperationException
     *         always, from this default implementation; it is thrown to the caller directly rather than
     *         delivered through the returned future
     * @sample KmsAsyncClient.ScheduleKeyDeletion
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ScheduleKeyDeletion" target="_top">AWS API
     * Documentation</a>
     */
    default CompletableFuture<ScheduleKeyDeletionResponse> scheduleKeyDeletion(
            ScheduleKeyDeletionRequest scheduleKeyDeletionRequest) {
        // The default body schedules nothing; the exception leaves this method synchronously instead of
        // completing the returned future exceptionally.
        // NOTE(review): concrete clients presumably override this method - confirm against the implementation.
        // Deletion cannot be undone once the waiting period ends, so keep kms:ScheduleKeyDeletion narrowly
        // granted and alert on its use (for example from CloudTrail) while CancelKeyDeletion is still possible.
        final UnsupportedOperationException unsupported = new UnsupportedOperationException();
        throw unsupported;
    }

    /**
     * <p>
     * Schedules the deletion of a KMS key. By default, KMS applies a waiting period of 30 days, but you can specify a
     * waiting period of 7-30 days. When this operation is successful, the key state of the KMS key changes to
     * <code>PendingDeletion</code> and the key can't be used in any cryptographic operations. It remains in this state
     * for the duration of the waiting period. Before the waiting period ends, you can use <a>CancelKeyDeletion</a> to
     * cancel the deletion of the KMS key. After the waiting period ends, KMS deletes the KMS key, its key material, and
     * all KMS data associated with it, including all aliases that refer to it.
     * </p>
     * <important>
     * <p>
     * Deleting a KMS key is a destructive and potentially dangerous operation. When a KMS key is deleted, all data that
     * was encrypted under the KMS key is unrecoverable.
(The only exception is a <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html">multi-Region replica
     * key</a>, or an <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-managing.html#import-delete-key">asymmetric or
     * HMAC KMS key with imported key material</a>.) To prevent the use of a KMS key without deleting it, use
     * <a>DisableKey</a>.
     * </p>
     * </important>
     * <p>
     * You can schedule the deletion of a multi-Region primary key and its replica keys at any time. However, KMS will
     * not delete a multi-Region primary key with existing replica keys. If you schedule the deletion of a primary key
     * with replicas, its key state changes to <code>PendingReplicaDeletion</code> and it cannot be replicated or used
     * in cryptographic operations. This status can continue indefinitely. When the last of its replica keys is deleted
     * (not just scheduled), the key state of the primary key changes to <code>PendingDeletion</code> and its waiting
     * period (<code>PendingWindowInDays</code>) begins. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html">Deleting multi-Region
     * keys</a> in the <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * When KMS <a href="https://docs.aws.amazon.com/kms/latest/developerguide/delete-cmk-keystore.html">deletes a KMS
     * key from a CloudHSM key store</a>, it makes a best effort to delete the associated key material from the
     * associated CloudHSM cluster. However, you might need to manually <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key">delete
     * the orphaned key material</a> from the cluster and its backups.
<a 15023 * href="https://docs.aws.amazon.com/kms/latest/developerguide/delete-xks-key.html">Deleting a KMS key from an 15024 * external key store</a> has no effect on the associated external key. However, for both types of custom key 15025 * stores, deleting a KMS key is destructive and irreversible. You cannot decrypt ciphertext encrypted under the KMS 15026 * key by using only its associated external key or CloudHSM key. Also, you cannot recreate a KMS key in an external 15027 * key store by creating a new KMS key with the same key material. 15028 * </p> 15029 * <p> 15030 * For more information about scheduling a KMS key for deletion, see <a 15031 * href="https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html">Deleting KMS keys</a> in the 15032 * <i>Key Management Service Developer Guide</i>. 15033 * </p> 15034 * <p> 15035 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 15036 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 15037 * <i>Key Management Service Developer Guide</i>. 15038 * </p> 15039 * <p> 15040 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 15041 * account. 15042 * </p> 15043 * <p> 15044 * <b>Required permissions</b>: kms:ScheduleKeyDeletion (key policy) 15045 * </p> 15046 * <p> 15047 * <b>Related operations</b> 15048 * </p> 15049 * <ul> 15050 * <li> 15051 * <p> 15052 * <a>CancelKeyDeletion</a> 15053 * </p> 15054 * </li> 15055 * <li> 15056 * <p> 15057 * <a>DisableKey</a> 15058 * </p> 15059 * </li> 15060 * </ul> 15061 * <p> 15062 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 15063 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 15064 * consistency</a>. 
15065 * </p> 15066 * <br/> 15067 * <p> 15068 * This is a convenience which creates an instance of the {@link ScheduleKeyDeletionRequest.Builder} avoiding the 15069 * need to create one manually via {@link ScheduleKeyDeletionRequest#builder()} 15070 * </p> 15071 * 15072 * @param scheduleKeyDeletionRequest 15073 * A {@link Consumer} that will call methods on 15074 * {@link software.amazon.awssdk.services.kms.model.ScheduleKeyDeletionRequest.Builder} to create a request. 15075 * @return A Java Future containing the result of the ScheduleKeyDeletion operation returned by the service.<br/> 15076 * The CompletableFuture returned by this method can be completed exceptionally with the following 15077 * exceptions. 15078 * <ul> 15079 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 15080 * found.</li> 15081 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 15082 * not valid.</li> 15083 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 15084 * the request.</li> 15085 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 15086 * be retried.</li> 15087 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 15088 * valid for this request.</p> 15089 * <p> 15090 * This exceptions means one of the following: 15091 * </p> 15092 * <ul> 15093 * <li> 15094 * <p> 15095 * The key state of the KMS key is not compatible with the operation. 15096 * </p> 15097 * <p> 15098 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 15099 * are compatible with each KMS operation, see <a 15100 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 15101 * the <i> <i>Key Management Service Developer Guide</i> </i>. 
* </p>
     * </li>
     * <li>
     * <p>
     * For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     * failure with many possible causes. To identify the cause, see the error message that accompanies the
     * exception.
     * </p>
     * </li>
     * </ul>
     * </li>
     * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     * Can be used for catch all scenarios.</li>
     * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     * credentials, etc.</li>
     * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.ScheduleKeyDeletion
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ScheduleKeyDeletion" target="_top">AWS API
     * Documentation</a>
     */
    default CompletableFuture<ScheduleKeyDeletionResponse> scheduleKeyDeletion(
            Consumer<ScheduleKeyDeletionRequest.Builder> scheduleKeyDeletionRequest) {
        // Let the caller's consumer configure a fresh builder, then delegate to the
        // ScheduleKeyDeletionRequest overload. Whatever the consumer leaves unset stays unset on the request;
        // per this method's Javadoc the service then applies its default waiting period of 30 days, and a
        // caller may choose as little as 7.
        ScheduleKeyDeletionRequest builtRequest =
                ScheduleKeyDeletionRequest.builder().applyMutation(scheduleKeyDeletionRequest).build();
        return scheduleKeyDeletion(builtRequest);
    }

    /**
     * <p>
     * Creates a <a href="https://en.wikipedia.org/wiki/Digital_signature">digital signature</a> for a message or
     * message digest by using the private key in an asymmetric signing KMS key. To verify the signature, use the
     * <a>Verify</a> operation, or use the public key in the same asymmetric KMS key outside of KMS. For information
     * about asymmetric KMS keys, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in
     * the <i>Key Management Service Developer Guide</i>.
15135 * </p> 15136 * <p> 15137 * Digital signatures are generated and verified by using asymmetric key pair, such as an RSA or ECC pair that is 15138 * represented by an asymmetric KMS key. The key owner (or an authorized user) uses their private key to sign a 15139 * message. Anyone with the public key can verify that the message was signed with that particular private key and 15140 * that the message hasn't changed since it was signed. 15141 * </p> 15142 * <p> 15143 * To use the <code>Sign</code> operation, provide the following information: 15144 * </p> 15145 * <ul> 15146 * <li> 15147 * <p> 15148 * Use the <code>KeyId</code> parameter to identify an asymmetric KMS key with a <code>KeyUsage</code> value of 15149 * <code>SIGN_VERIFY</code>. To get the <code>KeyUsage</code> value of a KMS key, use the <a>DescribeKey</a> 15150 * operation. The caller must have <code>kms:Sign</code> permission on the KMS key. 15151 * </p> 15152 * </li> 15153 * <li> 15154 * <p> 15155 * Use the <code>Message</code> parameter to specify the message or message digest to sign. You can submit messages 15156 * of up to 4096 bytes. To sign a larger message, generate a hash digest of the message, and then provide the hash 15157 * digest in the <code>Message</code> parameter. To indicate whether the message is a full message or a digest, use 15158 * the <code>MessageType</code> parameter. 15159 * </p> 15160 * </li> 15161 * <li> 15162 * <p> 15163 * Choose a signing algorithm that is compatible with the KMS key. 15164 * </p> 15165 * </li> 15166 * </ul> 15167 * <important> 15168 * <p> 15169 * When signing a message, be sure to record the KMS key and the signing algorithm. This information is required to 15170 * verify the signature. 15171 * </p> 15172 * </important> <note> 15173 * <p> 15174 * Best practices recommend that you limit the time during which any signature is effective. 
This deters an attack
     * where the actor uses a signed message to establish validity repeatedly or long after the message is superseded.
     * Signatures do not include a timestamp, but you can include a timestamp in the signed message to help you detect
     * when it's time to refresh the signature. The timestamp only helps if the party verifying the signature also
     * checks it and rejects messages that are too old.
     * </p>
     * </note>
     * <p>
     * To verify the signature that this operation generates, use the <a>Verify</a> operation. Or use the
     * <a>GetPublicKey</a> operation to download the public key and then use the public key to verify the signature
     * outside of KMS.
     * </p>
     * <p>
     * The KMS key that you use for this operation must be in a compatible key state. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the
     * <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services
     * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter.
     * </p>
     * <p>
     * <b>Required permissions</b>: <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:Sign</a> (key
     * policy)
     * </p>
     * <p>
     * <b>Related operations</b>: <a>Verify</a>
     * </p>
     * <p>
     * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual
     * consistency</a>.
     * </p>
     *
     * @param signRequest
     * @return A Java Future containing the result of the Sign operation returned by the service.<br/>
     * The CompletableFuture returned by this method can be completed exceptionally with the following
     * exceptions.
15212 * <ul> 15213 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 15214 * found.</li> 15215 * <li>DisabledException The request was rejected because the specified KMS key is not enabled.</li> 15216 * <li>KeyUnavailableException The request was rejected because the specified KMS key was not available. You 15217 * can retry the request.</li> 15218 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 15219 * the request.</li> 15220 * <li>InvalidKeyUsageException The request was rejected for one of the following reasons: </p> 15221 * <ul> 15222 * <li> 15223 * <p> 15224 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 15225 * </p> 15226 * </li> 15227 * <li> 15228 * <p> 15229 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 15230 * of key material in the KMS key <code>(KeySpec</code>). 15231 * </p> 15232 * </li> 15233 * </ul> 15234 * <p> 15235 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 15236 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 15237 * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the 15238 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 15239 * KMS key, use the <a>DescribeKey</a> operation. 15240 * </p> 15241 * <p> 15242 * To find the encryption or signing algorithms supported for a particular KMS key, use the 15243 * <a>DescribeKey</a> operation.</li> 15244 * <li>InvalidGrantTokenException The request was rejected because the specified grant token is not valid.</li> 15245 * <li>KmsInternalException The request was rejected because an internal exception occurred. 
The request can 15246 * be retried.</li> 15247 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 15248 * valid for this request.</p> 15249 * <p> 15250 * This exceptions means one of the following: 15251 * </p> 15252 * <ul> 15253 * <li> 15254 * <p> 15255 * The key state of the KMS key is not compatible with the operation. 15256 * </p> 15257 * <p> 15258 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 15259 * are compatible with each KMS operation, see <a 15260 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 15261 * the <i> <i>Key Management Service Developer Guide</i> </i>. 15262 * </p> 15263 * </li> 15264 * <li> 15265 * <p> 15266 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 15267 * failure with many possible causes. To identify the cause, see the error message that accompanies the 15268 * exception. 15269 * </p> 15270 * </li></li> 15271 * <li>DryRunOperationException The request was rejected because the DryRun parameter was specified.</li> 15272 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 15273 * Can be used for catch all scenarios.</li> 15274 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 15275 * credentials, etc.</li> 15276 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.Sign
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Sign" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<SignResponse> sign(SignRequest signRequest) {
        // Default body of the interface method: it always throws, so the operation is only
        // available where an implementation overrides it.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Creates a <a href="https://en.wikipedia.org/wiki/Digital_signature">digital signature</a> for a message or
     * message digest by using the private key in an asymmetric signing KMS key. To verify the signature, use the
     * <a>Verify</a> operation, or use the public key in the same asymmetric KMS key outside of KMS. For information
     * about asymmetric KMS keys, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in
     * the <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * Digital signatures are generated and verified by using an asymmetric key pair, such as an RSA or ECC pair that is
     * represented by an asymmetric KMS key. The key owner (or an authorized user) uses their private key to sign a
     * message. Anyone with the public key can verify that the message was signed with that particular private key and
     * that the message hasn't changed since it was signed.
     * </p>
     * <p>
     * To use the <code>Sign</code> operation, provide the following information:
     * </p>
     * <ul>
     * <li>
     * <p>
     * Use the <code>KeyId</code> parameter to identify an asymmetric KMS key with a <code>KeyUsage</code> value of
     * <code>SIGN_VERIFY</code>. To get the <code>KeyUsage</code> value of a KMS key, use the <a>DescribeKey</a>
     * operation. The caller must have <code>kms:Sign</code> permission on the KMS key.
15311 * </p> 15312 * </li> 15313 * <li> 15314 * <p> 15315 * Use the <code>Message</code> parameter to specify the message or message digest to sign. You can submit messages 15316 * of up to 4096 bytes. To sign a larger message, generate a hash digest of the message, and then provide the hash 15317 * digest in the <code>Message</code> parameter. To indicate whether the message is a full message or a digest, use 15318 * the <code>MessageType</code> parameter. 15319 * </p> 15320 * </li> 15321 * <li> 15322 * <p> 15323 * Choose a signing algorithm that is compatible with the KMS key. 15324 * </p> 15325 * </li> 15326 * </ul> 15327 * <important> 15328 * <p> 15329 * When signing a message, be sure to record the KMS key and the signing algorithm. This information is required to 15330 * verify the signature. 15331 * </p> 15332 * </important> <note> 15333 * <p> 15334 * Best practices recommend that you limit the time during which any signature is effective. This deters an attack 15335 * where the actor uses a signed message to establish validity repeatedly or long after the message is superseded. 15336 * Signatures do not include a timestamp, but you can include a timestamp in the signed message to help you detect 15337 * when its time to refresh the signature. 15338 * </p> 15339 * </note> 15340 * <p> 15341 * To verify the signature that this operation generates, use the <a>Verify</a> operation. Or use the 15342 * <a>GetPublicKey</a> operation to download the public key and then use the public key to verify the signature 15343 * outside of KMS. 15344 * </p> 15345 * <p> 15346 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 15347 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 15348 * <i>Key Management Service Developer Guide</i>. 15349 * </p> 15350 * <p> 15351 * <b>Cross-account use</b>: Yes. 
To perform this operation with a KMS key in a different Amazon Web Services 15352 * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. 15353 * </p> 15354 * <p> 15355 * <b>Required permissions</b>: <a 15356 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:Sign</a> (key 15357 * policy) 15358 * </p> 15359 * <p> 15360 * <b>Related operations</b>: <a>Verify</a> 15361 * </p> 15362 * <p> 15363 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 15364 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 15365 * consistency</a>. 15366 * </p> 15367 * <br/> 15368 * <p> 15369 * This is a convenience which creates an instance of the {@link SignRequest.Builder} avoiding the need to create 15370 * one manually via {@link SignRequest#builder()} 15371 * </p> 15372 * 15373 * @param signRequest 15374 * A {@link Consumer} that will call methods on 15375 * {@link software.amazon.awssdk.services.kms.model.SignRequest.Builder} to create a request. 15376 * @return A Java Future containing the result of the Sign operation returned by the service.<br/> 15377 * The CompletableFuture returned by this method can be completed exceptionally with the following 15378 * exceptions. 15379 * <ul> 15380 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 15381 * found.</li> 15382 * <li>DisabledException The request was rejected because the specified KMS key is not enabled.</li> 15383 * <li>KeyUnavailableException The request was rejected because the specified KMS key was not available. You 15384 * can retry the request.</li> 15385 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. 
You can retry 15386 * the request.</li> 15387 * <li>InvalidKeyUsageException The request was rejected for one of the following reasons: </p> 15388 * <ul> 15389 * <li> 15390 * <p> 15391 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 15392 * </p> 15393 * </li> 15394 * <li> 15395 * <p> 15396 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 15397 * of key material in the KMS key <code>(KeySpec</code>). 15398 * </p> 15399 * </li> 15400 * </ul> 15401 * <p> 15402 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 15403 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 15404 * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the 15405 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 15406 * KMS key, use the <a>DescribeKey</a> operation. 15407 * </p> 15408 * <p> 15409 * To find the encryption or signing algorithms supported for a particular KMS key, use the 15410 * <a>DescribeKey</a> operation.</li> 15411 * <li>InvalidGrantTokenException The request was rejected because the specified grant token is not valid.</li> 15412 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 15413 * be retried.</li> 15414 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 15415 * valid for this request.</p> 15416 * <p> 15417 * This exceptions means one of the following: 15418 * </p> 15419 * <ul> 15420 * <li> 15421 * <p> 15422 * The key state of the KMS key is not compatible with the operation. 15423 * </p> 15424 * <p> 15425 * To find the key state, use the <a>DescribeKey</a> operation. 
For more information about which key states
     *         are compatible with each KMS operation, see <a
     *         href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
     *         the <i>Key Management Service Developer Guide</i>.
     *         </p>
     *         </li>
     *         <li>
     *         <p>
     *         For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     *         failure with many possible causes. To identify the cause, see the error message that accompanies the
     *         exception.
     *         </p>
     *         </li>
     *         </ul>
     *         </li>
     *         <li>DryRunOperationException The request was rejected because the DryRun parameter was specified.</li>
     *         <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     *         Can be used for catch all scenarios.</li>
     *         <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     *         credentials, etc.</li>
     *         <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.Sign
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Sign" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<SignResponse> sign(Consumer<SignRequest.Builder> signRequest) {
        // Apply the caller's mutator to a builder, build the request, and delegate to sign(SignRequest).
        SignRequest builtRequest = SignRequest.builder().applyMutation(signRequest).build();
        return sign(builtRequest);
    }

    /**
     * <p>
     * Adds or edits tags on a <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed key</a>.
     * </p>
     * <note>
     * <p>
     * Tagging or untagging a KMS key can allow or deny permission to the KMS key.
For details, see <a 15462 * href="https://docs.aws.amazon.com/kms/latest/developerguide/abac.html">ABAC for KMS</a> in the <i>Key Management 15463 * Service Developer Guide</i>. 15464 * </p> 15465 * </note> 15466 * <p> 15467 * Each tag consists of a tag key and a tag value, both of which are case-sensitive strings. The tag value can be an 15468 * empty (null) string. To add a tag, specify a new tag key and a tag value. To edit a tag, specify an existing tag 15469 * key and a new tag value. 15470 * </p> 15471 * <p> 15472 * You can use this operation to tag a <a 15473 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed key</a>, 15474 * but you cannot tag an <a 15475 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web Services 15476 * managed key</a>, an <a 15477 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk">Amazon Web Services 15478 * owned key</a>, a <a 15479 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#keystore-concept">custom key store</a>, 15480 * or an <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#alias-concept">alias</a>. 15481 * </p> 15482 * <p> 15483 * You can also add tags to a KMS key while creating it (<a>CreateKey</a>) or replicating it (<a>ReplicateKey</a>). 15484 * </p> 15485 * <p> 15486 * For information about using tags in KMS, see <a 15487 * href="https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html">Tagging keys</a>. For general 15488 * information about tags, including the format and syntax, see <a 15489 * href="https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html">Tagging Amazon Web Services resources</a> 15490 * in the <i>Amazon Web Services General Reference</i>. 15491 * </p> 15492 * <p> 15493 * The KMS key that you use for this operation must be in a compatible key state. 
For details, see <a 15494 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 15495 * <i>Key Management Service Developer Guide</i>. 15496 * </p> 15497 * <p> 15498 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 15499 * account. 15500 * </p> 15501 * <p> 15502 * <b>Required permissions</b>: <a 15503 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 15504 * >kms:TagResource</a> (key policy) 15505 * </p> 15506 * <p> 15507 * <b>Related operations</b> 15508 * </p> 15509 * <ul> 15510 * <li> 15511 * <p> 15512 * <a>CreateKey</a> 15513 * </p> 15514 * </li> 15515 * <li> 15516 * <p> 15517 * <a>ListResourceTags</a> 15518 * </p> 15519 * </li> 15520 * <li> 15521 * <p> 15522 * <a>ReplicateKey</a> 15523 * </p> 15524 * </li> 15525 * <li> 15526 * <p> 15527 * <a>UntagResource</a> 15528 * </p> 15529 * </li> 15530 * </ul> 15531 * <p> 15532 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 15533 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 15534 * consistency</a>. 15535 * </p> 15536 * 15537 * @param tagResourceRequest 15538 * @return A Java Future containing the result of the TagResource operation returned by the service.<br/> 15539 * The CompletableFuture returned by this method can be completed exceptionally with the following 15540 * exceptions. 15541 * <ul> 15542 * <li>KmsInternalException The request was rejected because an internal exception occurred. 
The request can 15543 * be retried.</li> 15544 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 15545 * found.</li> 15546 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 15547 * not valid.</li> 15548 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 15549 * valid for this request.</p> 15550 * <p> 15551 * This exceptions means one of the following: 15552 * </p> 15553 * <ul> 15554 * <li> 15555 * <p> 15556 * The key state of the KMS key is not compatible with the operation. 15557 * </p> 15558 * <p> 15559 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 15560 * are compatible with each KMS operation, see <a 15561 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 15562 * the <i> <i>Key Management Service Developer Guide</i> </i>. 15563 * </p> 15564 * </li> 15565 * <li> 15566 * <p> 15567 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 15568 * failure with many possible causes. To identify the cause, see the error message that accompanies the 15569 * exception. 15570 * </p> 15571 * </li></li> 15572 * <li>LimitExceededException The request was rejected because a quota was exceeded. For more information, 15573 * see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the <i>Key 15574 * Management Service Developer Guide</i>.</li> 15575 * <li>TagException The request was rejected because one or more tags are not valid.</li> 15576 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 
*         Can be used for catch all scenarios.</li>
     *         <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     *         credentials, etc.</li>
     *         <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.TagResource
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/TagResource" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<TagResourceResponse> tagResource(TagResourceRequest tagResourceRequest) {
        // Default body of the interface method: it always throws, so the operation is only
        // available where an implementation overrides it.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Adds or edits tags on a <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed key</a>.
     * </p>
     * <note>
     * <p>
     * Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/abac.html">ABAC for KMS</a> in the <i>Key Management
     * Service Developer Guide</i>.
     * </p>
     * </note>
     * <p>
     * Each tag consists of a tag key and a tag value, both of which are case-sensitive strings. The tag value can be an
     * empty (null) string. To add a tag, specify a new tag key and a tag value. To edit a tag, specify an existing tag
     * key and a new tag value.
15607 * </p> 15608 * <p> 15609 * You can use this operation to tag a <a 15610 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed key</a>, 15611 * but you cannot tag an <a 15612 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web Services 15613 * managed key</a>, an <a 15614 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk">Amazon Web Services 15615 * owned key</a>, a <a 15616 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#keystore-concept">custom key store</a>, 15617 * or an <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#alias-concept">alias</a>. 15618 * </p> 15619 * <p> 15620 * You can also add tags to a KMS key while creating it (<a>CreateKey</a>) or replicating it (<a>ReplicateKey</a>). 15621 * </p> 15622 * <p> 15623 * For information about using tags in KMS, see <a 15624 * href="https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html">Tagging keys</a>. For general 15625 * information about tags, including the format and syntax, see <a 15626 * href="https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html">Tagging Amazon Web Services resources</a> 15627 * in the <i>Amazon Web Services General Reference</i>. 15628 * </p> 15629 * <p> 15630 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 15631 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 15632 * <i>Key Management Service Developer Guide</i>. 15633 * </p> 15634 * <p> 15635 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 15636 * account. 
15637 * </p> 15638 * <p> 15639 * <b>Required permissions</b>: <a 15640 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 15641 * >kms:TagResource</a> (key policy) 15642 * </p> 15643 * <p> 15644 * <b>Related operations</b> 15645 * </p> 15646 * <ul> 15647 * <li> 15648 * <p> 15649 * <a>CreateKey</a> 15650 * </p> 15651 * </li> 15652 * <li> 15653 * <p> 15654 * <a>ListResourceTags</a> 15655 * </p> 15656 * </li> 15657 * <li> 15658 * <p> 15659 * <a>ReplicateKey</a> 15660 * </p> 15661 * </li> 15662 * <li> 15663 * <p> 15664 * <a>UntagResource</a> 15665 * </p> 15666 * </li> 15667 * </ul> 15668 * <p> 15669 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 15670 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 15671 * consistency</a>. 15672 * </p> 15673 * <br/> 15674 * <p> 15675 * This is a convenience which creates an instance of the {@link TagResourceRequest.Builder} avoiding the need to 15676 * create one manually via {@link TagResourceRequest#builder()} 15677 * </p> 15678 * 15679 * @param tagResourceRequest 15680 * A {@link Consumer} that will call methods on 15681 * {@link software.amazon.awssdk.services.kms.model.TagResourceRequest.Builder} to create a request. 15682 * @return A Java Future containing the result of the TagResource operation returned by the service.<br/> 15683 * The CompletableFuture returned by this method can be completed exceptionally with the following 15684 * exceptions. 15685 * <ul> 15686 * <li>KmsInternalException The request was rejected because an internal exception occurred. 
The request can 15687 * be retried.</li> 15688 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 15689 * found.</li> 15690 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 15691 * not valid.</li> 15692 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 15693 * valid for this request.</p> 15694 * <p> 15695 * This exceptions means one of the following: 15696 * </p> 15697 * <ul> 15698 * <li> 15699 * <p> 15700 * The key state of the KMS key is not compatible with the operation. 15701 * </p> 15702 * <p> 15703 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 15704 * are compatible with each KMS operation, see <a 15705 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 15706 * the <i> <i>Key Management Service Developer Guide</i> </i>. 15707 * </p> 15708 * </li> 15709 * <li> 15710 * <p> 15711 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 15712 * failure with many possible causes. To identify the cause, see the error message that accompanies the 15713 * exception. 15714 * </p> 15715 * </li></li> 15716 * <li>LimitExceededException The request was rejected because a quota was exceeded. For more information, 15717 * see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the <i>Key 15718 * Management Service Developer Guide</i>.</li> 15719 * <li>TagException The request was rejected because one or more tags are not valid.</li> 15720 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 
*         Can be used for catch all scenarios.</li>
     *         <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     *         credentials, etc.</li>
     *         <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.TagResource
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/TagResource" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<TagResourceResponse> tagResource(Consumer<TagResourceRequest.Builder> tagResourceRequest) {
        // Apply the caller's mutator to a builder, build the request, and delegate to
        // tagResource(TagResourceRequest).
        TagResourceRequest builtRequest = TagResourceRequest.builder().applyMutation(tagResourceRequest).build();
        return tagResource(builtRequest);
    }

    /**
     * <p>
     * Deletes tags from a <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed key</a>.
     * To delete a tag, specify the tag key and the KMS key.
     * </p>
     * <note>
     * <p>
     * Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/abac.html">ABAC for KMS</a> in the <i>Key Management
     * Service Developer Guide</i>.
     * </p>
     * </note>
     * <p>
     * When it succeeds, the <code>UntagResource</code> operation doesn't return any output. Also, if the specified tag
     * key isn't found on the KMS key, it doesn't throw an exception or return a response. To confirm that the operation
     * worked, use the <a>ListResourceTags</a> operation.
     * </p>
     * <p>
     * For information about using tags in KMS, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html">Tagging keys</a>.
For general 15756 * information about tags, including the format and syntax, see <a 15757 * href="https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html">Tagging Amazon Web Services resources</a> 15758 * in the <i>Amazon Web Services General Reference</i>. 15759 * </p> 15760 * <p> 15761 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 15762 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 15763 * <i>Key Management Service Developer Guide</i>. 15764 * </p> 15765 * <p> 15766 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 15767 * account. 15768 * </p> 15769 * <p> 15770 * <b>Required permissions</b>: <a 15771 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 15772 * >kms:UntagResource</a> (key policy) 15773 * </p> 15774 * <p> 15775 * <b>Related operations</b> 15776 * </p> 15777 * <ul> 15778 * <li> 15779 * <p> 15780 * <a>CreateKey</a> 15781 * </p> 15782 * </li> 15783 * <li> 15784 * <p> 15785 * <a>ListResourceTags</a> 15786 * </p> 15787 * </li> 15788 * <li> 15789 * <p> 15790 * <a>ReplicateKey</a> 15791 * </p> 15792 * </li> 15793 * <li> 15794 * <p> 15795 * <a>TagResource</a> 15796 * </p> 15797 * </li> 15798 * </ul> 15799 * <p> 15800 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 15801 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 15802 * consistency</a>. 15803 * </p> 15804 * 15805 * @param untagResourceRequest 15806 * @return A Java Future containing the result of the UntagResource operation returned by the service.<br/> 15807 * The CompletableFuture returned by this method can be completed exceptionally with the following 15808 * exceptions. 
15809 * <ul> 15810 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 15811 * be retried.</li> 15812 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 15813 * found.</li> 15814 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 15815 * not valid.</li> 15816 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 15817 * valid for this request.</p> 15818 * <p> 15819 * This exceptions means one of the following: 15820 * </p> 15821 * <ul> 15822 * <li> 15823 * <p> 15824 * The key state of the KMS key is not compatible with the operation. 15825 * </p> 15826 * <p> 15827 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 15828 * are compatible with each KMS operation, see <a 15829 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 15830 * the <i> <i>Key Management Service Developer Guide</i> </i>. 15831 * </p> 15832 * </li> 15833 * <li> 15834 * <p> 15835 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 15836 * failure with many possible causes. To identify the cause, see the error message that accompanies the 15837 * exception. 15838 * </p> 15839 * </li></li> 15840 * <li>TagException The request was rejected because one or more tags are not valid.</li> 15841 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 15842 * Can be used for catch all scenarios.</li> 15843 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 15844 * credentials, etc.</li> 15845 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.UntagResource
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UntagResource" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<UntagResourceResponse> untagResource(UntagResourceRequest untagResourceRequest) {
        // Default body of the interface method: it always throws, so the operation is only
        // available where an implementation overrides it.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Deletes tags from a <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed key</a>.
     * To delete a tag, specify the tag key and the KMS key.
     * </p>
     * <note>
     * <p>
     * Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/abac.html">ABAC for KMS</a> in the <i>Key Management
     * Service Developer Guide</i>.
     * </p>
     * </note>
     * <p>
     * When it succeeds, the <code>UntagResource</code> operation doesn't return any output. Also, if the specified tag
     * key isn't found on the KMS key, it doesn't throw an exception or return a response. To confirm that the operation
     * worked, use the <a>ListResourceTags</a> operation.
     * </p>
     * <p>
     * For information about using tags in KMS, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html">Tagging keys</a>. For general
     * information about tags, including the format and syntax, see <a
     * href="https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html">Tagging Amazon Web Services resources</a>
     * in the <i>Amazon Web Services General Reference</i>.
     * </p>
     * <p>
     * The KMS key that you use for this operation must be in a compatible key state.
For details, see <a 15883 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 15884 * <i>Key Management Service Developer Guide</i>. 15885 * </p> 15886 * <p> 15887 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 15888 * account. 15889 * </p> 15890 * <p> 15891 * <b>Required permissions</b>: <a 15892 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 15893 * >kms:UntagResource</a> (key policy) 15894 * </p> 15895 * <p> 15896 * <b>Related operations</b> 15897 * </p> 15898 * <ul> 15899 * <li> 15900 * <p> 15901 * <a>CreateKey</a> 15902 * </p> 15903 * </li> 15904 * <li> 15905 * <p> 15906 * <a>ListResourceTags</a> 15907 * </p> 15908 * </li> 15909 * <li> 15910 * <p> 15911 * <a>ReplicateKey</a> 15912 * </p> 15913 * </li> 15914 * <li> 15915 * <p> 15916 * <a>TagResource</a> 15917 * </p> 15918 * </li> 15919 * </ul> 15920 * <p> 15921 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 15922 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 15923 * consistency</a>. 15924 * </p> 15925 * <br/> 15926 * <p> 15927 * This is a convenience which creates an instance of the {@link UntagResourceRequest.Builder} avoiding the need to 15928 * create one manually via {@link UntagResourceRequest#builder()} 15929 * </p> 15930 * 15931 * @param untagResourceRequest 15932 * A {@link Consumer} that will call methods on 15933 * {@link software.amazon.awssdk.services.kms.model.UntagResourceRequest.Builder} to create a request. 15934 * @return A Java Future containing the result of the UntagResource operation returned by the service.<br/> 15935 * The CompletableFuture returned by this method can be completed exceptionally with the following 15936 * exceptions. 
15937 * <ul> 15938 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 15939 * be retried.</li> 15940 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 15941 * found.</li> 15942 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 15943 * not valid.</li> 15944 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 15945 * valid for this request.</p> 15946 * <p> 15947 * This exceptions means one of the following: 15948 * </p> 15949 * <ul> 15950 * <li> 15951 * <p> 15952 * The key state of the KMS key is not compatible with the operation. 15953 * </p> 15954 * <p> 15955 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 15956 * are compatible with each KMS operation, see <a 15957 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 15958 * the <i> <i>Key Management Service Developer Guide</i> </i>. 15959 * </p> 15960 * </li> 15961 * <li> 15962 * <p> 15963 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 15964 * failure with many possible causes. To identify the cause, see the error message that accompanies the 15965 * exception. 15966 * </p> 15967 * </li></li> 15968 * <li>TagException The request was rejected because one or more tags are not valid.</li> 15969 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 15970 * Can be used for catch all scenarios.</li> 15971 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 15972 * credentials, etc.</li> 15973 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.UntagResource
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UntagResource" target="_top">AWS API
     * Documentation</a>
     */
    default CompletableFuture<UntagResourceResponse> untagResource(Consumer<UntagResourceRequest.Builder> untagResourceRequest) {
        // Let the caller's mutator fill in a fresh builder, then hand the finished request to the
        // request-object overload. Per the ABAC note in the Javadoc above, removing a tag can change
        // who is permitted to use the KMS key.
        UntagResourceRequest builtRequest = UntagResourceRequest.builder().applyMutation(untagResourceRequest).build();
        return untagResource(builtRequest);
    }

    /**
     * <p>
     * Associates an existing KMS alias with a different KMS key. Each alias is associated with only one KMS key at a
     * time, although a KMS key can have multiple aliases. The alias and the KMS key must be in the same Amazon Web
     * Services account and Region.
     * </p>
     * <note>
     * <p>
     * Adding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/abac.html">ABAC for KMS</a> in the <i>Key Management
     * Service Developer Guide</i>.
     * </p>
     * </note>
     * <p>
     * The current and new KMS key must be the same type (both symmetric or both asymmetric or both HMAC), and they must
     * have the same key usage. This restriction prevents errors in code that uses aliases. If you must assign an alias
     * to a different type of KMS key, use <a>DeleteAlias</a> to delete the old alias and <a>CreateAlias</a> to create a
     * new alias.
     * </p>
     * <p>
     * You cannot use <code>UpdateAlias</code> to change an alias name. To change an alias name, use <a>DeleteAlias</a>
     * to delete the old alias and <a>CreateAlias</a> to create a new alias.
16006 * </p> 16007 * <p> 16008 * Because an alias is not a property of a KMS key, you can create, update, and delete the aliases of a KMS key 16009 * without affecting the KMS key. Also, aliases do not appear in the response from the <a>DescribeKey</a> operation. 16010 * To get the aliases of all KMS keys in the account, use the <a>ListAliases</a> operation. 16011 * </p> 16012 * <p> 16013 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 16014 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 16015 * <i>Key Management Service Developer Guide</i>. 16016 * </p> 16017 * <p> 16018 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 16019 * account. 16020 * </p> 16021 * <p> 16022 * <b>Required permissions</b> 16023 * </p> 16024 * <ul> 16025 * <li> 16026 * <p> 16027 * <a 16028 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:UpdateAlias 16029 * </a> on the alias (IAM policy). 16030 * </p> 16031 * </li> 16032 * <li> 16033 * <p> 16034 * <a 16035 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:UpdateAlias 16036 * </a> on the current KMS key (key policy). 16037 * </p> 16038 * </li> 16039 * <li> 16040 * <p> 16041 * <a 16042 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:UpdateAlias 16043 * </a> on the new KMS key (key policy). 16044 * </p> 16045 * </li> 16046 * </ul> 16047 * <p> 16048 * For details, see <a 16049 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access">Controlling access to 16050 * aliases</a> in the <i>Key Management Service Developer Guide</i>. 
16051 * </p> 16052 * <p> 16053 * <b>Related operations:</b> 16054 * </p> 16055 * <ul> 16056 * <li> 16057 * <p> 16058 * <a>CreateAlias</a> 16059 * </p> 16060 * </li> 16061 * <li> 16062 * <p> 16063 * <a>DeleteAlias</a> 16064 * </p> 16065 * </li> 16066 * <li> 16067 * <p> 16068 * <a>ListAliases</a> 16069 * </p> 16070 * </li> 16071 * </ul> 16072 * <p> 16073 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 16074 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 16075 * consistency</a>. 16076 * </p> 16077 * 16078 * @param updateAliasRequest 16079 * @return A Java Future containing the result of the UpdateAlias operation returned by the service.<br/> 16080 * The CompletableFuture returned by this method can be completed exceptionally with the following 16081 * exceptions. 16082 * <ul> 16083 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 16084 * the request.</li> 16085 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 16086 * found.</li> 16087 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 16088 * be retried.</li> 16089 * <li>LimitExceededException The request was rejected because a quota was exceeded. For more information, 16090 * see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the <i>Key 16091 * Management Service Developer Guide</i>.</li> 16092 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 16093 * valid for this request.</p> 16094 * <p> 16095 * This exceptions means one of the following: 16096 * </p> 16097 * <ul> 16098 * <li> 16099 * <p> 16100 * The key state of the KMS key is not compatible with the operation. 
* </p>
     * <p>
     * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states
     * are compatible with each KMS operation, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
     * the <i> <i>Key Management Service Developer Guide</i> </i>.
     * </p>
     * </li>
     * <li>
     * <p>
     * For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     * failure with many possible causes. To identify the cause, see the error message that accompanies the
     * exception.
     * </p>
     * </li></li>
     * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     * Can be used for catch all scenarios.</li>
     * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     * credentials, etc.</li>
     * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.UpdateAlias
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateAlias" target="_top">AWS API
     * Documentation</a>
     */
    default CompletableFuture<UpdateAliasResponse> updateAlias(UpdateAliasRequest updateAliasRequest) {
        // Default body does no work: any call that reaches it ends in UnsupportedOperationException.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Associates an existing KMS alias with a different KMS key. Each alias is associated with only one KMS key at a
     * time, although a KMS key can have multiple aliases. The alias and the KMS key must be in the same Amazon Web
     * Services account and Region.
     * </p>
     * <note>
     * <p>
     * Adding, deleting, or updating an alias can allow or deny permission to the KMS key.
For details, see <a 16140 * href="https://docs.aws.amazon.com/kms/latest/developerguide/abac.html">ABAC for KMS</a> in the <i>Key Management 16141 * Service Developer Guide</i>. 16142 * </p> 16143 * </note> 16144 * <p> 16145 * The current and new KMS key must be the same type (both symmetric or both asymmetric or both HMAC), and they must 16146 * have the same key usage. This restriction prevents errors in code that uses aliases. If you must assign an alias 16147 * to a different type of KMS key, use <a>DeleteAlias</a> to delete the old alias and <a>CreateAlias</a> to create a 16148 * new alias. 16149 * </p> 16150 * <p> 16151 * You cannot use <code>UpdateAlias</code> to change an alias name. To change an alias name, use <a>DeleteAlias</a> 16152 * to delete the old alias and <a>CreateAlias</a> to create a new alias. 16153 * </p> 16154 * <p> 16155 * Because an alias is not a property of a KMS key, you can create, update, and delete the aliases of a KMS key 16156 * without affecting the KMS key. Also, aliases do not appear in the response from the <a>DescribeKey</a> operation. 16157 * To get the aliases of all KMS keys in the account, use the <a>ListAliases</a> operation. 16158 * </p> 16159 * <p> 16160 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 16161 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 16162 * <i>Key Management Service Developer Guide</i>. 16163 * </p> 16164 * <p> 16165 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 16166 * account. 16167 * </p> 16168 * <p> 16169 * <b>Required permissions</b> 16170 * </p> 16171 * <ul> 16172 * <li> 16173 * <p> 16174 * <a 16175 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:UpdateAlias 16176 * </a> on the alias (IAM policy). 
16177 * </p> 16178 * </li> 16179 * <li> 16180 * <p> 16181 * <a 16182 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:UpdateAlias 16183 * </a> on the current KMS key (key policy). 16184 * </p> 16185 * </li> 16186 * <li> 16187 * <p> 16188 * <a 16189 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:UpdateAlias 16190 * </a> on the new KMS key (key policy). 16191 * </p> 16192 * </li> 16193 * </ul> 16194 * <p> 16195 * For details, see <a 16196 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access">Controlling access to 16197 * aliases</a> in the <i>Key Management Service Developer Guide</i>. 16198 * </p> 16199 * <p> 16200 * <b>Related operations:</b> 16201 * </p> 16202 * <ul> 16203 * <li> 16204 * <p> 16205 * <a>CreateAlias</a> 16206 * </p> 16207 * </li> 16208 * <li> 16209 * <p> 16210 * <a>DeleteAlias</a> 16211 * </p> 16212 * </li> 16213 * <li> 16214 * <p> 16215 * <a>ListAliases</a> 16216 * </p> 16217 * </li> 16218 * </ul> 16219 * <p> 16220 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 16221 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 16222 * consistency</a>. 16223 * </p> 16224 * <br/> 16225 * <p> 16226 * This is a convenience which creates an instance of the {@link UpdateAliasRequest.Builder} avoiding the need to 16227 * create one manually via {@link UpdateAliasRequest#builder()} 16228 * </p> 16229 * 16230 * @param updateAliasRequest 16231 * A {@link Consumer} that will call methods on 16232 * {@link software.amazon.awssdk.services.kms.model.UpdateAliasRequest.Builder} to create a request. 
16233 * @return A Java Future containing the result of the UpdateAlias operation returned by the service.<br/> 16234 * The CompletableFuture returned by this method can be completed exceptionally with the following 16235 * exceptions. 16236 * <ul> 16237 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 16238 * the request.</li> 16239 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 16240 * found.</li> 16241 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 16242 * be retried.</li> 16243 * <li>LimitExceededException The request was rejected because a quota was exceeded. For more information, 16244 * see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the <i>Key 16245 * Management Service Developer Guide</i>.</li> 16246 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 16247 * valid for this request.</p> 16248 * <p> 16249 * This exceptions means one of the following: 16250 * </p> 16251 * <ul> 16252 * <li> 16253 * <p> 16254 * The key state of the KMS key is not compatible with the operation. 16255 * </p> 16256 * <p> 16257 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 16258 * are compatible with each KMS operation, see <a 16259 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 16260 * the <i> <i>Key Management Service Developer Guide</i> </i>. 16261 * </p> 16262 * </li> 16263 * <li> 16264 * <p> 16265 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 16266 * failure with many possible causes. To identify the cause, see the error message that accompanies the 16267 * exception. 
* </p>
     * </li></li>
     * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     * Can be used for catch all scenarios.</li>
     * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     * credentials, etc.</li>
     * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.UpdateAlias
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateAlias" target="_top">AWS API
     * Documentation</a>
     */
    default CompletableFuture<UpdateAliasResponse> updateAlias(Consumer<UpdateAliasRequest.Builder> updateAliasRequest) {
        // Let the caller's mutator fill in a fresh builder, then hand the finished request to the
        // request-object overload. Per the ABAC note in the Javadoc above, re-pointing an alias can
        // change who is permitted to use the KMS key.
        UpdateAliasRequest builtRequest = UpdateAliasRequest.builder().applyMutation(updateAliasRequest).build();
        return updateAlias(builtRequest);
    }

    /**
     * <p>
     * Changes the properties of a custom key store. You can use this operation to change the properties of an CloudHSM
     * key store or an external key store.
     * </p>
     * <p>
     * Use the required <code>CustomKeyStoreId</code> parameter to identify the custom key store. Use the remaining
     * optional parameters to change its properties. This operation does not return any property values. To verify the
     * updated property values, use the <a>DescribeCustomKeyStores</a> operation.
     * </p>
     * <p>
     * This operation is part of the <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key stores</a>
     * feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of
     * a key store that you own and manage.
16300 * </p> 16301 * <important> 16302 * <p> 16303 * When updating the properties of an external key store, verify that the updated settings connect your key store, 16304 * via the external key store proxy, to the same external key manager as the previous settings, or to a backup or 16305 * snapshot of the external key manager with the same cryptographic keys. If the updated connection settings fail, 16306 * you can fix them and retry, although an extended delay might disrupt Amazon Web Services services. However, if 16307 * KMS permanently loses its access to cryptographic keys, ciphertext encrypted under those keys is unrecoverable. 16308 * </p> 16309 * </important> <note> 16310 * <p> 16311 * For external key stores: 16312 * </p> 16313 * <p> 16314 * Some external key managers provide a simpler method for updating an external key store. For details, see your 16315 * external key manager documentation. 16316 * </p> 16317 * <p> 16318 * When updating an external key store in the KMS console, you can upload a JSON-based proxy configuration file with 16319 * the desired values. You cannot upload the proxy configuration file to the <code>UpdateCustomKeyStore</code> 16320 * operation. However, you can use the file to help you determine the correct values for the 16321 * <code>UpdateCustomKeyStore</code> parameters. 16322 * </p> 16323 * </note> 16324 * <p> 16325 * For an CloudHSM key store, you can use this operation to change the custom key store friendly name ( 16326 * <code>NewCustomKeyStoreName</code>), to tell KMS about a change to the <code>kmsuser</code> crypto user password 16327 * (<code>KeyStorePassword</code>), or to associate the custom key store with a different, but related, CloudHSM 16328 * cluster (<code>CloudHsmClusterId</code>). To update any property of an CloudHSM key store, the 16329 * <code>ConnectionState</code> of the CloudHSM key store must be <code>DISCONNECTED</code>. 
16330 * </p> 16331 * <p> 16332 * For an external key store, you can use this operation to change the custom key store friendly name ( 16333 * <code>NewCustomKeyStoreName</code>), or to tell KMS about a change to the external key store proxy authentication 16334 * credentials (<code>XksProxyAuthenticationCredential</code>), connection method (<code>XksProxyConnectivity</code> 16335 * ), external proxy endpoint (<code>XksProxyUriEndpoint</code>) and path (<code>XksProxyUriPath</code>). For 16336 * external key stores with an <code>XksProxyConnectivity</code> of <code>VPC_ENDPOINT_SERVICE</code>, you can also 16337 * update the Amazon VPC endpoint service name (<code>XksProxyVpcEndpointServiceName</code>). To update most 16338 * properties of an external key store, the <code>ConnectionState</code> of the external key store must be 16339 * <code>DISCONNECTED</code>. However, you can update the <code>CustomKeyStoreName</code>, 16340 * <code>XksProxyAuthenticationCredential</code>, and <code>XksProxyUriPath</code> of an external key store when it 16341 * is in the CONNECTED or DISCONNECTED state. 16342 * </p> 16343 * <p> 16344 * If your update requires a <code>DISCONNECTED</code> state, before using <code>UpdateCustomKeyStore</code>, use 16345 * the <a>DisconnectCustomKeyStore</a> operation to disconnect the custom key store. After the 16346 * <code>UpdateCustomKeyStore</code> operation completes, use the <a>ConnectCustomKeyStore</a> to reconnect the 16347 * custom key store. To find the <code>ConnectionState</code> of the custom key store, use the 16348 * <a>DescribeCustomKeyStores</a> operation. 16349 * </p> 16350 * <p> 16351 * </p> 16352 * <p> 16353 * Before updating the custom key store, verify that the new values allow KMS to connect the custom key store to its 16354 * backing key store. For example, before you change the <code>XksProxyUriPath</code> value, verify that the 16355 * external key store proxy is reachable at the new path. 
16356 * </p> 16357 * <p> 16358 * If the operation succeeds, it returns a JSON object with no properties. 16359 * </p> 16360 * <p> 16361 * <b>Cross-account use</b>: No. You cannot perform this operation on a custom key store in a different Amazon Web 16362 * Services account. 16363 * </p> 16364 * <p> 16365 * <b>Required permissions</b>: <a 16366 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 16367 * >kms:UpdateCustomKeyStore</a> (IAM policy) 16368 * </p> 16369 * <p> 16370 * <b>Related operations:</b> 16371 * </p> 16372 * <ul> 16373 * <li> 16374 * <p> 16375 * <a>ConnectCustomKeyStore</a> 16376 * </p> 16377 * </li> 16378 * <li> 16379 * <p> 16380 * <a>CreateCustomKeyStore</a> 16381 * </p> 16382 * </li> 16383 * <li> 16384 * <p> 16385 * <a>DeleteCustomKeyStore</a> 16386 * </p> 16387 * </li> 16388 * <li> 16389 * <p> 16390 * <a>DescribeCustomKeyStores</a> 16391 * </p> 16392 * </li> 16393 * <li> 16394 * <p> 16395 * <a>DisconnectCustomKeyStore</a> 16396 * </p> 16397 * </li> 16398 * </ul> 16399 * <p> 16400 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 16401 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 16402 * consistency</a>. 16403 * </p> 16404 * 16405 * @param updateCustomKeyStoreRequest 16406 * @return A Java Future containing the result of the UpdateCustomKeyStore operation returned by the service.<br/> 16407 * The CompletableFuture returned by this method can be completed exceptionally with the following 16408 * exceptions. 16409 * <ul> 16410 * <li>CustomKeyStoreNotFoundException The request was rejected because KMS cannot find a custom key store 16411 * with the specified key store name or ID.</li> 16412 * <li>CustomKeyStoreNameInUseException The request was rejected because the specified custom key store name 16413 * is already assigned to another custom key store in the account. 
Try again with a custom key store name 16414 * that is unique in the account.</li> 16415 * <li>CloudHsmClusterNotFoundException The request was rejected because KMS cannot find the CloudHSM 16416 * cluster with the specified cluster ID. Retry the request with a different cluster ID.</li> 16417 * <li>CloudHsmClusterNotRelatedException The request was rejected because the specified CloudHSM cluster 16418 * has a different cluster certificate than the original cluster. You cannot use the operation to specify an 16419 * unrelated cluster for an CloudHSM key store.</p> 16420 * <p> 16421 * Specify an CloudHSM cluster that shares a backup history with the original cluster. This includes 16422 * clusters that were created from a backup of the current cluster, and clusters that were created from the 16423 * same backup that produced the current cluster. 16424 * </p> 16425 * <p> 16426 * CloudHSM clusters that share a backup history have the same cluster certificate. To view the cluster 16427 * certificate of an CloudHSM cluster, use the <a 16428 * href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html" 16429 * >DescribeClusters</a> operation.</li> 16430 * <li>CustomKeyStoreInvalidStateException The request was rejected because of the 16431 * <code>ConnectionState</code> of the custom key store. To get the <code>ConnectionState</code> of a custom 16432 * key store, use the <a>DescribeCustomKeyStores</a> operation.</p> 16433 * <p> 16434 * This exception is thrown under the following conditions: 16435 * </p> 16436 * <ul> 16437 * <li> 16438 * <p> 16439 * You requested the <a>ConnectCustomKeyStore</a> operation on a custom key store with a 16440 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>FAILED</code>. This operation is 16441 * valid for all other <code>ConnectionState</code> values. 
To reconnect a custom key store in a 16442 * <code>FAILED</code> state, disconnect it (<a>DisconnectCustomKeyStore</a>), then connect it ( 16443 * <code>ConnectCustomKeyStore</code>). 16444 * </p> 16445 * </li> 16446 * <li> 16447 * <p> 16448 * You requested the <a>CreateKey</a> operation in a custom key store that is not connected. This operations 16449 * is valid only when the custom key store <code>ConnectionState</code> is <code>CONNECTED</code>. 16450 * </p> 16451 * </li> 16452 * <li> 16453 * <p> 16454 * You requested the <a>DisconnectCustomKeyStore</a> operation on a custom key store with a 16455 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>DISCONNECTED</code>. This operation 16456 * is valid for all other <code>ConnectionState</code> values. 16457 * </p> 16458 * </li> 16459 * <li> 16460 * <p> 16461 * You requested the <a>UpdateCustomKeyStore</a> or <a>DeleteCustomKeyStore</a> operation on a custom key 16462 * store that is not disconnected. This operation is valid only when the custom key store 16463 * <code>ConnectionState</code> is <code>DISCONNECTED</code>. 16464 * </p> 16465 * </li> 16466 * <li> 16467 * <p> 16468 * You requested the <a>GenerateRandom</a> operation in an CloudHSM key store that is not connected. This 16469 * operation is valid only when the CloudHSM key store <code>ConnectionState</code> is 16470 * <code>CONNECTED</code>. 16471 * </p> 16472 * </li></li> 16473 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 16474 * be retried.</li> 16475 * <li>CloudHsmClusterNotActiveException The request was rejected because the CloudHSM cluster associated 16476 * with the CloudHSM key store is not active. Initialize and activate the cluster and try the command again. 
16477 * For detailed instructions, see <a 16478 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html">Getting Started</a> in 16479 * the <i>CloudHSM User Guide</i>.</li> 16480 * <li>CloudHsmClusterInvalidConfigurationException The request was rejected because the associated CloudHSM 16481 * cluster did not meet the configuration requirements for an CloudHSM key store.</p> 16482 * <ul> 16483 * <li> 16484 * <p> 16485 * The CloudHSM cluster must be configured with private subnets in at least two different Availability Zones 16486 * in the Region. 16487 * </p> 16488 * </li> 16489 * <li> 16490 * <p> 16491 * The <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">security group for 16492 * the cluster</a> (cloudhsm-cluster-<i><cluster-id></i>-sg) must include inbound rules and outbound 16493 * rules that allow TCP traffic on ports 2223-2225. The <b>Source</b> in the inbound rules and the 16494 * <b>Destination</b> in the outbound rules must match the security group ID. These rules are set by default 16495 * when you create the CloudHSM cluster. Do not delete or change them. To get information about a particular 16496 * security group, use the <a 16497 * href="https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html" 16498 * >DescribeSecurityGroups</a> operation. 16499 * </p> 16500 * </li> 16501 * <li> 16502 * <p> 16503 * The CloudHSM cluster must contain at least as many HSMs as the operation requires. To add HSMs, use the 16504 * CloudHSM <a 16505 * href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html">CreateHsm</a> 16506 * operation. 16507 * </p> 16508 * <p> 16509 * For the <a>CreateCustomKeyStore</a>, <a>UpdateCustomKeyStore</a>, and <a>CreateKey</a> operations, the 16510 * CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone. 
For the 16511 * <a>ConnectCustomKeyStore</a> operation, the CloudHSM must contain at least one active HSM. 16512 * </p> 16513 * </li> 16514 * </ul> 16515 * <p> 16516 * For information about the requirements for an CloudHSM cluster that is associated with an CloudHSM key 16517 * store, see <a 16518 * href="https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore" 16519 * >Assemble the Prerequisites</a> in the <i>Key Management Service Developer Guide</i>. For information 16520 * about creating a private subnet for an CloudHSM cluster, see <a 16521 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html">Create a Private 16522 * Subnet</a> in the <i>CloudHSM User Guide</i>. For information about cluster security groups, see <a 16523 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">Configure a Default 16524 * Security Group</a> in the <i> <i>CloudHSM User Guide</i> </i>.</li> 16525 * <li>XksProxyUriInUseException The request was rejected because the concatenation of the 16526 * <code>XksProxyUriEndpoint</code> and <code>XksProxyUriPath</code> is already associated with another 16527 * external key store in this Amazon Web Services Region. Each external key store in a Region must use a 16528 * unique external key store proxy API address.</li> 16529 * <li>XksProxyUriEndpointInUseException The request was rejected because the 16530 * <code>XksProxyUriEndpoint</code> is already associated with another external key store in this Amazon Web 16531 * Services Region. To identify the cause, see the error message that accompanies the exception.</li> 16532 * <li>XksProxyUriUnreachableException KMS was unable to reach the specified <code>XksProxyUriPath</code>. 
16533 * The path must be reachable before you create the external key store or update its settings.</p> 16534 * <p> 16535 * This exception is also thrown when the external key store proxy response to a 16536 * <code>GetHealthStatus</code> request indicates that all external key manager instances are unavailable.</li> 16537 * <li>XksProxyIncorrectAuthenticationCredentialException The request was rejected because the proxy 16538 * credentials failed to authenticate to the specified external key store proxy. The specified external key 16539 * store proxy rejected a status request from KMS due to invalid credentials. This can indicate an error in 16540 * the credentials or in the identification of the external key store proxy.</li> 16541 * <li>XksProxyVpcEndpointServiceInUseException The request was rejected because the specified Amazon VPC 16542 * endpoint service is already associated with another external key store in this Amazon Web Services 16543 * Region. Each external key store in a Region must use a different Amazon VPC endpoint service.</li> 16544 * <li>XksProxyVpcEndpointServiceNotFoundException The request was rejected because KMS could not find the 16545 * specified VPC endpoint service. Use <a>DescribeCustomKeyStores</a> to verify the VPC endpoint service 16546 * name for the external key store. Also, confirm that the <code>Allow principals</code> list for the VPC 16547 * endpoint service includes the KMS service principal for the Region, such as 16548 * <code>cks.kms.us-east-1.amazonaws.com</code>.</li> 16549 * <li>XksProxyVpcEndpointServiceInvalidConfigurationException The request was rejected because the Amazon 16550 * VPC endpoint service configuration does not fulfill the requirements for an external key store. 
To identify the cause, see the error message that accompanies the exception and <a
     *         href="https://docs.aws.amazon.com/kms/latest/developerguide/vpc-connectivity.html#xks-vpc-requirements"
     *         >review the requirements</a> for Amazon VPC endpoint service connectivity for an external key store.</li>
     *         <li>XksProxyInvalidResponseException
     *         <p>
     *         KMS cannot interpret the response it received from the external key store proxy. The problem might be a
     *         poorly constructed response, but it could also be a transient network issue. If you see this error
     *         repeatedly, report it to the proxy vendor.</li>
     *         <li>XksProxyInvalidConfigurationException The request was rejected because the external key store proxy
     *         is not configured correctly. To identify the cause, see the error message that accompanies the exception.
     *         </li>
     *         <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     *         Can be used for catch all scenarios.</li>
     *         <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     *         credentials, etc.</li>
     *         <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.UpdateCustomKeyStore
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateCustomKeyStore" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<UpdateCustomKeyStoreResponse> updateCustomKeyStore(
            UpdateCustomKeyStoreRequest updateCustomKeyStoreRequest) {
        // Interface default: this always throws unless the implementing client overrides the method.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Changes the properties of a custom key store.
You can use this operation to change the properties of an CloudHSM 16581 * key store or an external key store. 16582 * </p> 16583 * <p> 16584 * Use the required <code>CustomKeyStoreId</code> parameter to identify the custom key store. Use the remaining 16585 * optional parameters to change its properties. This operation does not return any property values. To verify the 16586 * updated property values, use the <a>DescribeCustomKeyStores</a> operation. 16587 * </p> 16588 * <p> 16589 * This operation is part of the <a 16590 * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key stores</a> 16591 * feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of 16592 * a key store that you own and manage. 16593 * </p> 16594 * <important> 16595 * <p> 16596 * When updating the properties of an external key store, verify that the updated settings connect your key store, 16597 * via the external key store proxy, to the same external key manager as the previous settings, or to a backup or 16598 * snapshot of the external key manager with the same cryptographic keys. If the updated connection settings fail, 16599 * you can fix them and retry, although an extended delay might disrupt Amazon Web Services services. However, if 16600 * KMS permanently loses its access to cryptographic keys, ciphertext encrypted under those keys is unrecoverable. 16601 * </p> 16602 * </important> <note> 16603 * <p> 16604 * For external key stores: 16605 * </p> 16606 * <p> 16607 * Some external key managers provide a simpler method for updating an external key store. For details, see your 16608 * external key manager documentation. 16609 * </p> 16610 * <p> 16611 * When updating an external key store in the KMS console, you can upload a JSON-based proxy configuration file with 16612 * the desired values. 
You cannot upload the proxy configuration file to the <code>UpdateCustomKeyStore</code> 16613 * operation. However, you can use the file to help you determine the correct values for the 16614 * <code>UpdateCustomKeyStore</code> parameters. 16615 * </p> 16616 * </note> 16617 * <p> 16618 * For an CloudHSM key store, you can use this operation to change the custom key store friendly name ( 16619 * <code>NewCustomKeyStoreName</code>), to tell KMS about a change to the <code>kmsuser</code> crypto user password 16620 * (<code>KeyStorePassword</code>), or to associate the custom key store with a different, but related, CloudHSM 16621 * cluster (<code>CloudHsmClusterId</code>). To update any property of an CloudHSM key store, the 16622 * <code>ConnectionState</code> of the CloudHSM key store must be <code>DISCONNECTED</code>. 16623 * </p> 16624 * <p> 16625 * For an external key store, you can use this operation to change the custom key store friendly name ( 16626 * <code>NewCustomKeyStoreName</code>), or to tell KMS about a change to the external key store proxy authentication 16627 * credentials (<code>XksProxyAuthenticationCredential</code>), connection method (<code>XksProxyConnectivity</code> 16628 * ), external proxy endpoint (<code>XksProxyUriEndpoint</code>) and path (<code>XksProxyUriPath</code>). For 16629 * external key stores with an <code>XksProxyConnectivity</code> of <code>VPC_ENDPOINT_SERVICE</code>, you can also 16630 * update the Amazon VPC endpoint service name (<code>XksProxyVpcEndpointServiceName</code>). To update most 16631 * properties of an external key store, the <code>ConnectionState</code> of the external key store must be 16632 * <code>DISCONNECTED</code>. However, you can update the <code>CustomKeyStoreName</code>, 16633 * <code>XksProxyAuthenticationCredential</code>, and <code>XksProxyUriPath</code> of an external key store when it 16634 * is in the CONNECTED or DISCONNECTED state. 
16635 * </p> 16636 * <p> 16637 * If your update requires a <code>DISCONNECTED</code> state, before using <code>UpdateCustomKeyStore</code>, use 16638 * the <a>DisconnectCustomKeyStore</a> operation to disconnect the custom key store. After the 16639 * <code>UpdateCustomKeyStore</code> operation completes, use the <a>ConnectCustomKeyStore</a> to reconnect the 16640 * custom key store. To find the <code>ConnectionState</code> of the custom key store, use the 16641 * <a>DescribeCustomKeyStores</a> operation. 16642 * </p> 16643 * <p> 16644 * </p> 16645 * <p> 16646 * Before updating the custom key store, verify that the new values allow KMS to connect the custom key store to its 16647 * backing key store. For example, before you change the <code>XksProxyUriPath</code> value, verify that the 16648 * external key store proxy is reachable at the new path. 16649 * </p> 16650 * <p> 16651 * If the operation succeeds, it returns a JSON object with no properties. 16652 * </p> 16653 * <p> 16654 * <b>Cross-account use</b>: No. You cannot perform this operation on a custom key store in a different Amazon Web 16655 * Services account. 
16656 * </p> 16657 * <p> 16658 * <b>Required permissions</b>: <a 16659 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 16660 * >kms:UpdateCustomKeyStore</a> (IAM policy) 16661 * </p> 16662 * <p> 16663 * <b>Related operations:</b> 16664 * </p> 16665 * <ul> 16666 * <li> 16667 * <p> 16668 * <a>ConnectCustomKeyStore</a> 16669 * </p> 16670 * </li> 16671 * <li> 16672 * <p> 16673 * <a>CreateCustomKeyStore</a> 16674 * </p> 16675 * </li> 16676 * <li> 16677 * <p> 16678 * <a>DeleteCustomKeyStore</a> 16679 * </p> 16680 * </li> 16681 * <li> 16682 * <p> 16683 * <a>DescribeCustomKeyStores</a> 16684 * </p> 16685 * </li> 16686 * <li> 16687 * <p> 16688 * <a>DisconnectCustomKeyStore</a> 16689 * </p> 16690 * </li> 16691 * </ul> 16692 * <p> 16693 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 16694 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 16695 * consistency</a>. 16696 * </p> 16697 * <br/> 16698 * <p> 16699 * This is a convenience which creates an instance of the {@link UpdateCustomKeyStoreRequest.Builder} avoiding the 16700 * need to create one manually via {@link UpdateCustomKeyStoreRequest#builder()} 16701 * </p> 16702 * 16703 * @param updateCustomKeyStoreRequest 16704 * A {@link Consumer} that will call methods on 16705 * {@link software.amazon.awssdk.services.kms.model.UpdateCustomKeyStoreRequest.Builder} to create a request. 16706 * @return A Java Future containing the result of the UpdateCustomKeyStore operation returned by the service.<br/> 16707 * The CompletableFuture returned by this method can be completed exceptionally with the following 16708 * exceptions. 
16709 * <ul> 16710 * <li>CustomKeyStoreNotFoundException The request was rejected because KMS cannot find a custom key store 16711 * with the specified key store name or ID.</li> 16712 * <li>CustomKeyStoreNameInUseException The request was rejected because the specified custom key store name 16713 * is already assigned to another custom key store in the account. Try again with a custom key store name 16714 * that is unique in the account.</li> 16715 * <li>CloudHsmClusterNotFoundException The request was rejected because KMS cannot find the CloudHSM 16716 * cluster with the specified cluster ID. Retry the request with a different cluster ID.</li> 16717 * <li>CloudHsmClusterNotRelatedException The request was rejected because the specified CloudHSM cluster 16718 * has a different cluster certificate than the original cluster. You cannot use the operation to specify an 16719 * unrelated cluster for an CloudHSM key store.</p> 16720 * <p> 16721 * Specify an CloudHSM cluster that shares a backup history with the original cluster. This includes 16722 * clusters that were created from a backup of the current cluster, and clusters that were created from the 16723 * same backup that produced the current cluster. 16724 * </p> 16725 * <p> 16726 * CloudHSM clusters that share a backup history have the same cluster certificate. To view the cluster 16727 * certificate of an CloudHSM cluster, use the <a 16728 * href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html" 16729 * >DescribeClusters</a> operation.</li> 16730 * <li>CustomKeyStoreInvalidStateException The request was rejected because of the 16731 * <code>ConnectionState</code> of the custom key store. 
To get the <code>ConnectionState</code> of a custom
     *         key store, use the <a>DescribeCustomKeyStores</a> operation.</p>
     *         <p>
     *         This exception is thrown under the following conditions:
     *         </p>
     *         <ul>
     *         <li>
     *         <p>
     *         You requested the <a>ConnectCustomKeyStore</a> operation on a custom key store with a
     *         <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>FAILED</code>. This operation is
     *         valid for all other <code>ConnectionState</code> values. To reconnect a custom key store in a
     *         <code>FAILED</code> state, disconnect it (<a>DisconnectCustomKeyStore</a>), then connect it (
     *         <code>ConnectCustomKeyStore</code>).
     *         </p>
     *         </li>
     *         <li>
     *         <p>
     *         You requested the <a>CreateKey</a> operation in a custom key store that is not connected. This operation
     *         is valid only when the custom key store <code>ConnectionState</code> is <code>CONNECTED</code>.
     *         </p>
     *         </li>
     *         <li>
     *         <p>
     *         You requested the <a>DisconnectCustomKeyStore</a> operation on a custom key store with a
     *         <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>DISCONNECTED</code>. This operation
     *         is valid for all other <code>ConnectionState</code> values.
     *         </p>
     *         </li>
     *         <li>
     *         <p>
     *         You requested the <a>UpdateCustomKeyStore</a> or <a>DeleteCustomKeyStore</a> operation on a custom key
     *         store that is not disconnected. This operation is valid only when the custom key store
     *         <code>ConnectionState</code> is <code>DISCONNECTED</code>.
     *         </p>
     *         </li>
     *         <li>
     *         <p>
     *         You requested the <a>GenerateRandom</a> operation in a CloudHSM key store that is not connected. This
     *         operation is valid only when the CloudHSM key store <code>ConnectionState</code> is
     *         <code>CONNECTED</code>.
16771 * </p> 16772 * </li></li> 16773 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 16774 * be retried.</li> 16775 * <li>CloudHsmClusterNotActiveException The request was rejected because the CloudHSM cluster associated 16776 * with the CloudHSM key store is not active. Initialize and activate the cluster and try the command again. 16777 * For detailed instructions, see <a 16778 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html">Getting Started</a> in 16779 * the <i>CloudHSM User Guide</i>.</li> 16780 * <li>CloudHsmClusterInvalidConfigurationException The request was rejected because the associated CloudHSM 16781 * cluster did not meet the configuration requirements for an CloudHSM key store.</p> 16782 * <ul> 16783 * <li> 16784 * <p> 16785 * The CloudHSM cluster must be configured with private subnets in at least two different Availability Zones 16786 * in the Region. 16787 * </p> 16788 * </li> 16789 * <li> 16790 * <p> 16791 * The <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">security group for 16792 * the cluster</a> (cloudhsm-cluster-<i><cluster-id></i>-sg) must include inbound rules and outbound 16793 * rules that allow TCP traffic on ports 2223-2225. The <b>Source</b> in the inbound rules and the 16794 * <b>Destination</b> in the outbound rules must match the security group ID. These rules are set by default 16795 * when you create the CloudHSM cluster. Do not delete or change them. To get information about a particular 16796 * security group, use the <a 16797 * href="https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html" 16798 * >DescribeSecurityGroups</a> operation. 16799 * </p> 16800 * </li> 16801 * <li> 16802 * <p> 16803 * The CloudHSM cluster must contain at least as many HSMs as the operation requires. 
To add HSMs, use the 16804 * CloudHSM <a 16805 * href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html">CreateHsm</a> 16806 * operation. 16807 * </p> 16808 * <p> 16809 * For the <a>CreateCustomKeyStore</a>, <a>UpdateCustomKeyStore</a>, and <a>CreateKey</a> operations, the 16810 * CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone. For the 16811 * <a>ConnectCustomKeyStore</a> operation, the CloudHSM must contain at least one active HSM. 16812 * </p> 16813 * </li> 16814 * </ul> 16815 * <p> 16816 * For information about the requirements for an CloudHSM cluster that is associated with an CloudHSM key 16817 * store, see <a 16818 * href="https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore" 16819 * >Assemble the Prerequisites</a> in the <i>Key Management Service Developer Guide</i>. For information 16820 * about creating a private subnet for an CloudHSM cluster, see <a 16821 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html">Create a Private 16822 * Subnet</a> in the <i>CloudHSM User Guide</i>. For information about cluster security groups, see <a 16823 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">Configure a Default 16824 * Security Group</a> in the <i> <i>CloudHSM User Guide</i> </i>.</li> 16825 * <li>XksProxyUriInUseException The request was rejected because the concatenation of the 16826 * <code>XksProxyUriEndpoint</code> and <code>XksProxyUriPath</code> is already associated with another 16827 * external key store in this Amazon Web Services Region. Each external key store in a Region must use a 16828 * unique external key store proxy API address.</li> 16829 * <li>XksProxyUriEndpointInUseException The request was rejected because the 16830 * <code>XksProxyUriEndpoint</code> is already associated with another external key store in this Amazon Web 16831 * Services Region. 
To identify the cause, see the error message that accompanies the exception.</li> 16832 * <li>XksProxyUriUnreachableException KMS was unable to reach the specified <code>XksProxyUriPath</code>. 16833 * The path must be reachable before you create the external key store or update its settings.</p> 16834 * <p> 16835 * This exception is also thrown when the external key store proxy response to a 16836 * <code>GetHealthStatus</code> request indicates that all external key manager instances are unavailable.</li> 16837 * <li>XksProxyIncorrectAuthenticationCredentialException The request was rejected because the proxy 16838 * credentials failed to authenticate to the specified external key store proxy. The specified external key 16839 * store proxy rejected a status request from KMS due to invalid credentials. This can indicate an error in 16840 * the credentials or in the identification of the external key store proxy.</li> 16841 * <li>XksProxyVpcEndpointServiceInUseException The request was rejected because the specified Amazon VPC 16842 * endpoint service is already associated with another external key store in this Amazon Web Services 16843 * Region. Each external key store in a Region must use a different Amazon VPC endpoint service.</li> 16844 * <li>XksProxyVpcEndpointServiceNotFoundException The request was rejected because KMS could not find the 16845 * specified VPC endpoint service. Use <a>DescribeCustomKeyStores</a> to verify the VPC endpoint service 16846 * name for the external key store. Also, confirm that the <code>Allow principals</code> list for the VPC 16847 * endpoint service includes the KMS service principal for the Region, such as 16848 * <code>cks.kms.us-east-1.amazonaws.com</code>.</li> 16849 * <li>XksProxyVpcEndpointServiceInvalidConfigurationException The request was rejected because the Amazon 16850 * VPC endpoint service configuration does not fulfill the requirements for an external key store. 
To 16851 * identify the cause, see the error message that accompanies the exception and <a 16852 * href="https://docs.aws.amazon.com/kms/latest/developerguide/vpc-connectivity.html#xks-vpc-requirements" 16853 * >review the requirements</a> for Amazon VPC endpoint service connectivity for an external key store.</li> 16854 * <li>XksProxyInvalidResponseException 16855 * <p> 16856 * KMS cannot interpret the response it received from the external key store proxy. The problem might be a 16857 * poorly constructed response, but it could also be a transient network issue. If you see this error 16858 * repeatedly, report it to the proxy vendor.</li> 16859 * <li>XksProxyInvalidConfigurationException The request was rejected because the external key store proxy 16860 * is not configured correctly. To identify the cause, see the error message that accompanies the exception. 16861 * </li> 16862 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 16863 * Can be used for catch all scenarios.</li> 16864 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 16865 * credentials, etc.</li> 16866 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.UpdateCustomKeyStore
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateCustomKeyStore" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<UpdateCustomKeyStoreResponse> updateCustomKeyStore(
            Consumer<UpdateCustomKeyStoreRequest.Builder> updateCustomKeyStoreRequest) {
        // Apply the caller's mutations to a fresh builder, then hand the built request to the
        // request-object overload of this operation.
        UpdateCustomKeyStoreRequest request =
                UpdateCustomKeyStoreRequest.builder().applyMutation(updateCustomKeyStoreRequest).build();
        return updateCustomKeyStore(request);
    }

    /**
     * <p>
     * Updates the description of a KMS key. To see the description of a KMS key, use <a>DescribeKey</a>.
     * </p>
     * <p>
     * The KMS key that you use for this operation must be in a compatible key state. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the
     * <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
     * account.
     * </p>
     * <p>
     * <b>Required permissions</b>: <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html"
     * >kms:UpdateKeyDescription</a> (key policy)
     * </p>
     * <p>
     * <b>Related operations</b>
     * </p>
     * <ul>
     * <li>
     * <p>
     * <a>CreateKey</a>
     * </p>
     * </li>
     * <li>
     * <p>
     * <a>DescribeKey</a>
     * </p>
     * </li>
     * </ul>
     * <p>
     * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model.
For more information, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual
     * consistency</a>.
     * </p>
     *
     * @param updateKeyDescriptionRequest
     * @return A Java Future containing the result of the UpdateKeyDescription operation returned by the service.<br/>
     *         The CompletableFuture returned by this method can be completed exceptionally with the following
     *         exceptions.
     *         <ul>
     *         <li>NotFoundException The request was rejected because the specified entity or resource could not be
     *         found.</li>
     *         <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is
     *         not valid.</li>
     *         <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry
     *         the request.</li>
     *         <li>KmsInternalException The request was rejected because an internal exception occurred. The request can
     *         be retried.</li>
     *         <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not
     *         valid for this request.</p>
     *         <p>
     *         This exception means one of the following:
     *         </p>
     *         <ul>
     *         <li>
     *         <p>
     *         The key state of the KMS key is not compatible with the operation.
     *         </p>
     *         <p>
     *         To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states
     *         are compatible with each KMS operation, see <a
     *         href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
     *         the <i>Key Management Service Developer Guide</i>.
     *         </p>
     *         </li>
     *         <li>
     *         <p>
     *         For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     *         failure with many possible causes.
To identify the cause, see the error message that accompanies the
     *         exception.
     *         </p>
     *         </li>
     *         </ul>
     *         </li>
     *         <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     *         Can be used for catch all scenarios.</li>
     *         <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     *         credentials, etc.</li>
     *         <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.UpdateKeyDescription
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateKeyDescription" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<UpdateKeyDescriptionResponse> updateKeyDescription(
            UpdateKeyDescriptionRequest updateKeyDescriptionRequest) {
        // Interface default: this always throws unless the implementing client overrides the method.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Updates the description of a KMS key. To see the description of a KMS key, use <a>DescribeKey</a>.
     * </p>
     * <p>
     * The KMS key that you use for this operation must be in a compatible key state. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the
     * <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
     * account.
16982 * </p> 16983 * <p> 16984 * <b>Required permissions</b>: <a 16985 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 16986 * >kms:UpdateKeyDescription</a> (key policy) 16987 * </p> 16988 * <p> 16989 * <b>Related operations</b> 16990 * </p> 16991 * <ul> 16992 * <li> 16993 * <p> 16994 * <a>CreateKey</a> 16995 * </p> 16996 * </li> 16997 * <li> 16998 * <p> 16999 * <a>DescribeKey</a> 17000 * </p> 17001 * </li> 17002 * </ul> 17003 * <p> 17004 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 17005 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 17006 * consistency</a>. 17007 * </p> 17008 * <br/> 17009 * <p> 17010 * This is a convenience which creates an instance of the {@link UpdateKeyDescriptionRequest.Builder} avoiding the 17011 * need to create one manually via {@link UpdateKeyDescriptionRequest#builder()} 17012 * </p> 17013 * 17014 * @param updateKeyDescriptionRequest 17015 * A {@link Consumer} that will call methods on 17016 * {@link software.amazon.awssdk.services.kms.model.UpdateKeyDescriptionRequest.Builder} to create a request. 17017 * @return A Java Future containing the result of the UpdateKeyDescription operation returned by the service.<br/> 17018 * The CompletableFuture returned by this method can be completed exceptionally with the following 17019 * exceptions. 17020 * <ul> 17021 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 17022 * found.</li> 17023 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 17024 * not valid.</li> 17025 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 17026 * the request.</li> 17027 * <li>KmsInternalException The request was rejected because an internal exception occurred. 
The request can
     *         be retried.</li>
     *         <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not
     *         valid for this request.</p>
     *         <p>
     *         This exception means one of the following:
     *         </p>
     *         <ul>
     *         <li>
     *         <p>
     *         The key state of the KMS key is not compatible with the operation.
     *         </p>
     *         <p>
     *         To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states
     *         are compatible with each KMS operation, see <a
     *         href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
     *         the <i>Key Management Service Developer Guide</i>.
     *         </p>
     *         </li>
     *         <li>
     *         <p>
     *         For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     *         failure with many possible causes. To identify the cause, see the error message that accompanies the
     *         exception.
     *         </p>
     *         </li>
     *         </ul>
     *         </li>
     *         <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     *         Can be used for catch all scenarios.</li>
     *         <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     *         credentials, etc.</li>
     *         <li>KmsException Base class for all service exceptions.
Unknown exceptions will be thrown as an instance
     *         of this type.</li>
     *         </ul>
     * @sample KmsAsyncClient.UpdateKeyDescription
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateKeyDescription" target="_top">AWS API
     *      Documentation</a>
     */
    default CompletableFuture<UpdateKeyDescriptionResponse> updateKeyDescription(
            Consumer<UpdateKeyDescriptionRequest.Builder> updateKeyDescriptionRequest) {
        // Apply the caller's mutations to a fresh builder, then hand the built request to the
        // request-object overload of this operation.
        UpdateKeyDescriptionRequest request =
                UpdateKeyDescriptionRequest.builder().applyMutation(updateKeyDescriptionRequest).build();
        return updateKeyDescription(request);
    }

    /**
     * <p>
     * Changes the primary key of a multi-Region key.
     * </p>
     * <p>
     * This operation changes the replica key in the specified Region to a primary key and changes the former primary
     * key to a replica key. For example, suppose you have a primary key in <code>us-east-1</code> and a replica key in
     * <code>eu-west-2</code>. If you run <code>UpdatePrimaryRegion</code> with a <code>PrimaryRegion</code> value of
     * <code>eu-west-2</code>, the primary key is now the key in <code>eu-west-2</code>, and the key in
     * <code>us-east-1</code> becomes a replica key. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-update"
     * >Updating the primary Region</a> in the <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * This operation supports <i>multi-Region keys</i>, a KMS feature that lets you create multiple interoperable KMS
     * keys in different Amazon Web Services Regions.
Because these KMS keys have the same key ID, key material, and 17085 * other metadata, you can use them interchangeably to encrypt data in one Amazon Web Services Region and decrypt it 17086 * in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more 17087 * information about multi-Region keys, see <a 17088 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html">Multi-Region keys in 17089 * KMS</a> in the <i>Key Management Service Developer Guide</i>. 17090 * </p> 17091 * <p> 17092 * The <i>primary key</i> of a multi-Region key is the source for properties that are always shared by primary and 17093 * replica keys, including the key material, <a 17094 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-id">key ID</a>, <a 17095 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-spec">key spec</a>, <a 17096 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-usage">key usage</a>, <a 17097 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-origin">key material origin</a>, 17098 * and <a href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html">automatic key rotation</a>. 17099 * It's the only key that can be replicated. You cannot <a 17100 * href="https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html">delete the primary 17101 * key</a> until all replica keys are deleted. 17102 * </p> 17103 * <p> 17104 * The key ID and primary Region that you specify uniquely identify the replica key that will become the primary 17105 * key. The primary Region must already have a replica key. This operation does not create a KMS key in the 17106 * specified Region. To find the replica keys, use the <a>DescribeKey</a> operation on the primary key or any 17107 * replica key. 
To create a replica key, use the <a>ReplicateKey</a> operation. 17108 * </p> 17109 * <p> 17110 * You can run this operation while using the affected multi-Region keys in cryptographic operations. This operation 17111 * should not delay, interrupt, or cause failures in cryptographic operations. 17112 * </p> 17113 * <p> 17114 * Even after this operation completes, the process of updating the primary Region might still be in progress for a 17115 * few more seconds. Operations such as <code>DescribeKey</code> might display both the old and new primary keys as 17116 * replicas. The old and new primary keys have a transient key state of <code>Updating</code>. The original key 17117 * state is restored when the update is complete. While the key state is <code>Updating</code>, you can use the keys 17118 * in cryptographic operations, but you cannot replicate the new primary key or perform certain management 17119 * operations, such as enabling or disabling these keys. For details about the <code>Updating</code> key state, see 17120 * <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 17121 * <i>Key Management Service Developer Guide</i>. 17122 * </p> 17123 * <p> 17124 * This operation does not return any output. To verify that the primary key is changed, use the <a>DescribeKey</a> 17125 * operation. 17126 * </p> 17127 * <p> 17128 * <b>Cross-account use</b>: No. You cannot use this operation in a different Amazon Web Services account. 17129 * </p> 17130 * <p> 17131 * <b>Required permissions</b>: 17132 * </p> 17133 * <ul> 17134 * <li> 17135 * <p> 17136 * <code>kms:UpdatePrimaryRegion</code> on the current primary key (in the primary key's Region). Include this 17137 * permission in the primary key's key policy. 17138 * </p> 17139 * </li> 17140 * <li> 17141 * <p> 17142 * <code>kms:UpdatePrimaryRegion</code> on the current replica key (in the replica key's Region). 
Include this 17143 * permission in the replica key's key policy. 17144 * </p> 17145 * </li> 17146 * </ul> 17147 * <p> 17148 * <b>Related operations</b> 17149 * </p> 17150 * <ul> 17151 * <li> 17152 * <p> 17153 * <a>CreateKey</a> 17154 * </p> 17155 * </li> 17156 * <li> 17157 * <p> 17158 * <a>ReplicateKey</a> 17159 * </p> 17160 * </li> 17161 * </ul> 17162 * <p> 17163 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 17164 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 17165 * consistency</a>. 17166 * </p> 17167 * 17168 * @param updatePrimaryRegionRequest 17169 * @return A Java Future containing the result of the UpdatePrimaryRegion operation returned by the service.<br/> 17170 * The CompletableFuture returned by this method can be completed exceptionally with the following 17171 * exceptions. 17172 * <ul> 17173 * <li>DisabledException The request was rejected because the specified KMS key is not enabled.</li> 17174 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 17175 * not valid.</li> 17176 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 17177 * valid for this request. 17178 * <p> 17179 * This exception means one of the following: 17180 * </p> 17181 * <ul> 17182 * <li> 17183 * <p> 17184 * The key state of the KMS key is not compatible with the operation. 17185 * </p> 17186 * <p> 17187 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 17188 * are compatible with each KMS operation, see <a 17189 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 17190 * the <i>Key Management Service Developer Guide</i>. 
17191 * </p> 17192 * </li> 17193 * <li> 17194 * <p> 17195 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 17196 * failure with many possible causes. To identify the cause, see the error message that accompanies the 17197 * exception. 17198 * </p> 17199 * </li></li> 17200 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 17201 * be retried.</li> 17202 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 17203 * found.</li> 17204 * <li>UnsupportedOperationException The request was rejected because a specified parameter is not supported 17205 * or a specified resource is not valid for this operation.</li> 17206 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 17207 * Can be used for catch all scenarios.</li> 17208 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 17209 * credentials, etc.</li> 17210 * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance 17211 * of this type.</li> 17212 * </ul> 17213 * @sample KmsAsyncClient.UpdatePrimaryRegion 17214 * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdatePrimaryRegion" target="_top">AWS API 17215 * Documentation</a> 17216 */ updatePrimaryRegion( UpdatePrimaryRegionRequest updatePrimaryRegionRequest)17217 default CompletableFuture<UpdatePrimaryRegionResponse> updatePrimaryRegion( 17218 UpdatePrimaryRegionRequest updatePrimaryRegionRequest) { 17219 throw new UnsupportedOperationException(); 17220 } 17221 17222 /** 17223 * <p> 17224 * Changes the primary key of a multi-Region key. 17225 * </p> 17226 * <p> 17227 * This operation changes the replica key in the specified Region to a primary key and changes the former primary 17228 * key to a replica key. 
For example, suppose you have a primary key in <code>us-east-1</code> and a replica key in 17229 * <code>eu-west-2</code>. If you run <code>UpdatePrimaryRegion</code> with a <code>PrimaryRegion</code> value of 17230 * <code>eu-west-2</code>, the primary key is now the key in <code>eu-west-2</code>, and the key in 17231 * <code>us-east-1</code> becomes a replica key. For details, see <a 17232 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-update" 17233 * >Updating the primary Region</a> in the <i>Key Management Service Developer Guide</i>. 17234 * </p> 17235 * <p> 17236 * This operation supports <i>multi-Region keys</i>, an KMS feature that lets you create multiple interoperable KMS 17237 * keys in different Amazon Web Services Regions. Because these KMS keys have the same key ID, key material, and 17238 * other metadata, you can use them interchangeably to encrypt data in one Amazon Web Services Region and decrypt it 17239 * in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more 17240 * information about multi-Region keys, see <a 17241 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html">Multi-Region keys in 17242 * KMS</a> in the <i>Key Management Service Developer Guide</i>. 
17243 * </p> 17244 * <p> 17245 * The <i>primary key</i> of a multi-Region key is the source for properties that are always shared by primary and 17246 * replica keys, including the key material, <a 17247 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-id">key ID</a>, <a 17248 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-spec">key spec</a>, <a 17249 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-usage">key usage</a>, <a 17250 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-origin">key material origin</a>, 17251 * and <a href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html">automatic key rotation</a>. 17252 * It's the only key that can be replicated. You cannot <a 17253 * href="https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html">delete the primary 17254 * key</a> until all replica keys are deleted. 17255 * </p> 17256 * <p> 17257 * The key ID and primary Region that you specify uniquely identify the replica key that will become the primary 17258 * key. The primary Region must already have a replica key. This operation does not create a KMS key in the 17259 * specified Region. To find the replica keys, use the <a>DescribeKey</a> operation on the primary key or any 17260 * replica key. To create a replica key, use the <a>ReplicateKey</a> operation. 17261 * </p> 17262 * <p> 17263 * You can run this operation while using the affected multi-Region keys in cryptographic operations. This operation 17264 * should not delay, interrupt, or cause failures in cryptographic operations. 17265 * </p> 17266 * <p> 17267 * Even after this operation completes, the process of updating the primary Region might still be in progress for a 17268 * few more seconds. Operations such as <code>DescribeKey</code> might display both the old and new primary keys as 17269 * replicas. 
The old and new primary keys have a transient key state of <code>Updating</code>. The original key 17270 * state is restored when the update is complete. While the key state is <code>Updating</code>, you can use the keys 17271 * in cryptographic operations, but you cannot replicate the new primary key or perform certain management 17272 * operations, such as enabling or disabling these keys. For details about the <code>Updating</code> key state, see 17273 * <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 17274 * <i>Key Management Service Developer Guide</i>. 17275 * </p> 17276 * <p> 17277 * This operation does not return any output. To verify that the primary key is changed, use the <a>DescribeKey</a> 17278 * operation. 17279 * </p> 17280 * <p> 17281 * <b>Cross-account use</b>: No. You cannot use this operation in a different Amazon Web Services account. 17282 * </p> 17283 * <p> 17284 * <b>Required permissions</b>: 17285 * </p> 17286 * <ul> 17287 * <li> 17288 * <p> 17289 * <code>kms:UpdatePrimaryRegion</code> on the current primary key (in the primary key's Region). Include this 17290 * permission in the primary key's key policy. 17291 * </p> 17292 * </li> 17293 * <li> 17294 * <p> 17295 * <code>kms:UpdatePrimaryRegion</code> on the current replica key (in the replica key's Region). Include this 17296 * permission in the replica key's key policy. 17297 * </p> 17298 * </li> 17299 * </ul> 17300 * <p> 17301 * <b>Related operations</b> 17302 * </p> 17303 * <ul> 17304 * <li> 17305 * <p> 17306 * <a>CreateKey</a> 17307 * </p> 17308 * </li> 17309 * <li> 17310 * <p> 17311 * <a>ReplicateKey</a> 17312 * </p> 17313 * </li> 17314 * </ul> 17315 * <p> 17316 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 17317 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 17318 * consistency</a>. 
17319 * </p> 17320 * <br/> 17321 * <p> 17322 * This is a convenience which creates an instance of the {@link UpdatePrimaryRegionRequest.Builder} avoiding the 17323 * need to create one manually via {@link UpdatePrimaryRegionRequest#builder()} 17324 * </p> 17325 * 17326 * @param updatePrimaryRegionRequest 17327 * A {@link Consumer} that will call methods on 17328 * {@link software.amazon.awssdk.services.kms.model.UpdatePrimaryRegionRequest.Builder} to create a request. 17329 * @return A Java Future containing the result of the UpdatePrimaryRegion operation returned by the service.<br/> 17330 * The CompletableFuture returned by this method can be completed exceptionally with the following 17331 * exceptions. 17332 * <ul> 17333 * <li>DisabledException The request was rejected because the specified KMS key is not enabled.</li> 17334 * <li>InvalidArnException The request was rejected because a specified ARN, or an ARN in a key policy, is 17335 * not valid.</li> 17336 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 17337 * valid for this request. 17338 * <p> 17339 * This exception means one of the following: 17340 * </p> 17341 * <ul> 17342 * <li> 17343 * <p> 17344 * The key state of the KMS key is not compatible with the operation. 17345 * </p> 17346 * <p> 17347 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 17348 * are compatible with each KMS operation, see <a 17349 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 17350 * the <i>Key Management Service Developer Guide</i>. 17351 * </p> 17352 * </li> 17353 * <li> 17354 * <p> 17355 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 17356 * failure with many possible causes. To identify the cause, see the error message that accompanies the 17357 * exception. 
17358 * </p> 17359 * </li></li> 17360 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 17361 * be retried.</li> 17362 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 17363 * found.</li> 17364 * <li>UnsupportedOperationException The request was rejected because a specified parameter is not supported 17365 * or a specified resource is not valid for this operation.</li> 17366 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 17367 * Can be used for catch all scenarios.</li> 17368 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 17369 * credentials, etc.</li> 17370 * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance 17371 * of this type.</li> 17372 * </ul> 17373 * @sample KmsAsyncClient.UpdatePrimaryRegion 17374 * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdatePrimaryRegion" target="_top">AWS API 17375 * Documentation</a> 17376 */ updatePrimaryRegion( Consumer<UpdatePrimaryRegionRequest.Builder> updatePrimaryRegionRequest)17377 default CompletableFuture<UpdatePrimaryRegionResponse> updatePrimaryRegion( 17378 Consumer<UpdatePrimaryRegionRequest.Builder> updatePrimaryRegionRequest) { 17379 return updatePrimaryRegion(UpdatePrimaryRegionRequest.builder().applyMutation(updatePrimaryRegionRequest).build()); 17380 } 17381 17382 /** 17383 * <p> 17384 * Verifies a digital signature that was generated by the <a>Sign</a> operation. 17385 * </p> 17386 * <p/> 17387 * <p> 17388 * Verification confirms that an authorized user signed the message with the specified KMS key and signing 17389 * algorithm, and the message hasn't changed since it was signed. If the signature is verified, the value of the 17390 * <code>SignatureValid</code> field in the response is <code>True</code>. 
If the signature verification fails, the 17391 * <code>Verify</code> operation fails with an <code>KMSInvalidSignatureException</code> exception. 17392 * </p> 17393 * <p> 17394 * A digital signature is generated by using the private key in an asymmetric KMS key. The signature is verified by 17395 * using the public key in the same asymmetric KMS key. For information about asymmetric KMS keys, see <a 17396 * href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in 17397 * the <i>Key Management Service Developer Guide</i>. 17398 * </p> 17399 * <p> 17400 * To use the <code>Verify</code> operation, specify the same asymmetric KMS key, message, and signing algorithm 17401 * that were used to produce the signature. The message type does not need to be the same as the one used for 17402 * signing, but it must indicate whether the value of the <code>Message</code> parameter should be hashed as part of 17403 * the verification process. 17404 * </p> 17405 * <p> 17406 * You can also verify the digital signature by using the public key of the KMS key outside of KMS. Use the 17407 * <a>GetPublicKey</a> operation to download the public key in the asymmetric KMS key and then use the public key to 17408 * verify the signature outside of KMS. The advantage of using the <code>Verify</code> operation is that it is 17409 * performed within KMS. As a result, it's easy to call, the operation is performed within the FIPS boundary, it is 17410 * logged in CloudTrail, and you can use key policy and IAM policy to determine who is authorized to use the KMS key 17411 * to verify signatures. 17412 * </p> 17413 * <p> 17414 * To verify a signature outside of KMS with an SM2 public key (China Regions only), you must specify the 17415 * distinguishing ID. By default, KMS uses <code>1234567812345678</code> as the distinguishing ID. 
For more 17416 * information, see <a href= 17417 * "https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification" 17418 * >Offline verification with SM2 key pairs</a>. 17419 * </p> 17420 * <p> 17421 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 17422 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 17423 * <i>Key Management Service Developer Guide</i>. 17424 * </p> 17425 * <p> 17426 * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services 17427 * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. 17428 * </p> 17429 * <p> 17430 * <b>Required permissions</b>: <a 17431 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:Verify</a> 17432 * (key policy) 17433 * </p> 17434 * <p> 17435 * <b>Related operations</b>: <a>Sign</a> 17436 * </p> 17437 * <p> 17438 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 17439 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 17440 * consistency</a>. 17441 * </p> 17442 * 17443 * @param verifyRequest 17444 * @return A Java Future containing the result of the Verify operation returned by the service.<br/> 17445 * The CompletableFuture returned by this method can be completed exceptionally with the following 17446 * exceptions. 17447 * <ul> 17448 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 17449 * found.</li> 17450 * <li>DisabledException The request was rejected because the specified KMS key is not enabled.</li> 17451 * <li>KeyUnavailableException The request was rejected because the specified KMS key was not available. 
You 17452 * can retry the request.</li> 17453 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 17454 * the request.</li> 17455 * <li>InvalidKeyUsageException The request was rejected for one of the following reasons: </p> 17456 * <ul> 17457 * <li> 17458 * <p> 17459 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 17460 * </p> 17461 * </li> 17462 * <li> 17463 * <p> 17464 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 17465 * of key material in the KMS key <code>(KeySpec</code>). 17466 * </p> 17467 * </li> 17468 * </ul> 17469 * <p> 17470 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 17471 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 17472 * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the 17473 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 17474 * KMS key, use the <a>DescribeKey</a> operation. 17475 * </p> 17476 * <p> 17477 * To find the encryption or signing algorithms supported for a particular KMS key, use the 17478 * <a>DescribeKey</a> operation.</li> 17479 * <li>InvalidGrantTokenException The request was rejected because the specified grant token is not valid.</li> 17480 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 17481 * be retried.</li> 17482 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 17483 * valid for this request.</p> 17484 * <p> 17485 * This exceptions means one of the following: 17486 * </p> 17487 * <ul> 17488 * <li> 17489 * <p> 17490 * The key state of the KMS key is not compatible with the operation. 
17491 * </p> 17492 * <p> 17493 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 17494 * are compatible with each KMS operation, see <a 17495 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 17496 * the <i>Key Management Service Developer Guide</i>. 17497 * </p> 17498 * </li> 17499 * <li> 17500 * <p> 17501 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 17502 * failure with many possible causes. To identify the cause, see the error message that accompanies the 17503 * exception. 17504 * </p> 17505 * </li></ul></li> 17506 * <li>KmsInvalidSignatureException The request was rejected because the signature verification failed. 17507 * Signature verification fails when it cannot confirm that the signature was produced by signing the specified 17508 * message with the specified KMS key and signing algorithm.</li> 17509 * <li>DryRunOperationException The request was rejected because the DryRun parameter was specified.</li> 17510 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 17511 * Can be used for catch all scenarios.</li> 17512 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 17513 * credentials, etc.</li> 17514 * <li>KmsException Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance 17515 * of this type.</li> 17516 * </ul> 17517 * @sample KmsAsyncClient.Verify 17518 * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Verify" target="_top">AWS API 17519 * Documentation</a> 17520 */ verify(VerifyRequest verifyRequest)17521 default CompletableFuture<VerifyResponse> verify(VerifyRequest verifyRequest) { 17522 throw new UnsupportedOperationException(); 17523 } 17524 17525 /** 17526 * <p> 17527 * Verifies a digital signature that was generated by the <a>Sign</a> operation. 17528 * </p> 17529 * <p/> 17530 * <p> 17531 * Verification confirms that an authorized user signed the message with the specified KMS key and signing 17532 * algorithm, and the message hasn't changed since it was signed. If the signature is verified, the value of the 17533 * <code>SignatureValid</code> field in the response is <code>True</code>. If the signature verification fails, the 17534 * <code>Verify</code> operation fails with an <code>KMSInvalidSignatureException</code> exception. 17535 * </p> 17536 * <p> 17537 * A digital signature is generated by using the private key in an asymmetric KMS key. The signature is verified by 17538 * using the public key in the same asymmetric KMS key. For information about asymmetric KMS keys, see <a 17539 * href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in 17540 * the <i>Key Management Service Developer Guide</i>. 17541 * </p> 17542 * <p> 17543 * To use the <code>Verify</code> operation, specify the same asymmetric KMS key, message, and signing algorithm 17544 * that were used to produce the signature. The message type does not need to be the same as the one used for 17545 * signing, but it must indicate whether the value of the <code>Message</code> parameter should be hashed as part of 17546 * the verification process. 
17547 * </p> 17548 * <p> 17549 * You can also verify the digital signature by using the public key of the KMS key outside of KMS. Use the 17550 * <a>GetPublicKey</a> operation to download the public key in the asymmetric KMS key and then use the public key to 17551 * verify the signature outside of KMS. The advantage of using the <code>Verify</code> operation is that it is 17552 * performed within KMS. As a result, it's easy to call, the operation is performed within the FIPS boundary, it is 17553 * logged in CloudTrail, and you can use key policy and IAM policy to determine who is authorized to use the KMS key 17554 * to verify signatures. 17555 * </p> 17556 * <p> 17557 * To verify a signature outside of KMS with an SM2 public key (China Regions only), you must specify the 17558 * distinguishing ID. By default, KMS uses <code>1234567812345678</code> as the distinguishing ID. For more 17559 * information, see <a href= 17560 * "https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification" 17561 * >Offline verification with SM2 key pairs</a>. 17562 * </p> 17563 * <p> 17564 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 17565 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 17566 * <i>Key Management Service Developer Guide</i>. 17567 * </p> 17568 * <p> 17569 * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services 17570 * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. 
17571 * </p> 17572 * <p> 17573 * <b>Required permissions</b>: <a 17574 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:Verify</a> 17575 * (key policy) 17576 * </p> 17577 * <p> 17578 * <b>Related operations</b>: <a>Sign</a> 17579 * </p> 17580 * <p> 17581 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 17582 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 17583 * consistency</a>. 17584 * </p> 17585 * <br/> 17586 * <p> 17587 * This is a convenience which creates an instance of the {@link VerifyRequest.Builder} avoiding the need to create 17588 * one manually via {@link VerifyRequest#builder()} 17589 * </p> 17590 * 17591 * @param verifyRequest 17592 * A {@link Consumer} that will call methods on 17593 * {@link software.amazon.awssdk.services.kms.model.VerifyRequest.Builder} to create a request. 17594 * @return A Java Future containing the result of the Verify operation returned by the service.<br/> 17595 * The CompletableFuture returned by this method can be completed exceptionally with the following 17596 * exceptions. 17597 * <ul> 17598 * <li>NotFoundException The request was rejected because the specified entity or resource could not be 17599 * found.</li> 17600 * <li>DisabledException The request was rejected because the specified KMS key is not enabled.</li> 17601 * <li>KeyUnavailableException The request was rejected because the specified KMS key was not available. You 17602 * can retry the request.</li> 17603 * <li>DependencyTimeoutException The system timed out while trying to fulfill the request. You can retry 17604 * the request.</li> 17605 * <li>InvalidKeyUsageException The request was rejected for one of the following reasons: </p> 17606 * <ul> 17607 * <li> 17608 * <p> 17609 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 
17610 * </p> 17611 * </li> 17612 * <li> 17613 * <p> 17614 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 17615 * of key material in the KMS key <code>(KeySpec</code>). 17616 * </p> 17617 * </li> 17618 * </ul> 17619 * <p> 17620 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 17621 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 17622 * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the 17623 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 17624 * KMS key, use the <a>DescribeKey</a> operation. 17625 * </p> 17626 * <p> 17627 * To find the encryption or signing algorithms supported for a particular KMS key, use the 17628 * <a>DescribeKey</a> operation.</li> 17629 * <li>InvalidGrantTokenException The request was rejected because the specified grant token is not valid.</li> 17630 * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can 17631 * be retried.</li> 17632 * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not 17633 * valid for this request.</p> 17634 * <p> 17635 * This exceptions means one of the following: 17636 * </p> 17637 * <ul> 17638 * <li> 17639 * <p> 17640 * The key state of the KMS key is not compatible with the operation. 17641 * </p> 17642 * <p> 17643 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 17644 * are compatible with each KMS operation, see <a 17645 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 17646 * the <i> <i>Key Management Service Developer Guide</i> </i>. 
17647 * </p> 17648 * </li> 17649 * <li> 17650 * <p> 17651 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 17652 * failure with many possible causes. To identify the cause, see the error message that accompanies the 17653 * exception. 17654 * </p> 17655 * </li></li> 17656 * <li>KmsInvalidSignatureException The request was rejected because the signature verification failed. 17657 * Signature verification fails when it cannot confirm that signature was produced by signing the specified 17658 * message with the specified KMS key and signing algorithm.</li> 17659 * <li>DryRunOperationException The request was rejected because the DryRun parameter was specified.</li> 17660 * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client). 17661 * Can be used for catch all scenarios.</li> 17662 * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get 17663 * credentials, etc.</li> 17664 * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance 17665 * of this type.</li> 17666 * </ul> 17667 * @sample KmsAsyncClient.Verify 17668 * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Verify" target="_top">AWS API 17669 * Documentation</a> 17670 */ verify(Consumer<VerifyRequest.Builder> verifyRequest)17671 default CompletableFuture<VerifyResponse> verify(Consumer<VerifyRequest.Builder> verifyRequest) { 17672 return verify(VerifyRequest.builder().applyMutation(verifyRequest).build()); 17673 } 17674 17675 /** 17676 * <p> 17677 * Verifies the hash-based message authentication code (HMAC) for a specified message, HMAC KMS key, and MAC 17678 * algorithm. To verify the HMAC, <code>VerifyMac</code> computes an HMAC using the message, HMAC KMS key, and MAC 17679 * algorithm that you specify, and compares the computed HMAC to the HMAC that you specify. 
If the HMACs are
     * identical, the verification succeeds; otherwise, it fails. Verification indicates that the message hasn't changed
     * since the HMAC was calculated, and the specified key was used to generate and verify the HMAC.
     * </p>
     * <p>
     * HMAC KMS keys and the HMAC algorithms that KMS uses conform to industry standards defined in <a
     * href="https://datatracker.ietf.org/doc/html/rfc2104">RFC 2104</a>.
     * </p>
     * <p>
     * This operation is part of KMS support for HMAC KMS keys. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC keys in KMS</a> in the <i>Key
     * Management Service Developer Guide</i>.
     * </p>
     * <p>
     * The KMS key that you use for this operation must be in a compatible key state. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the
     * <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services
     * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter.
     * </p>
     * <p>
     * <b>Required permissions</b>: <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:VerifyMac</a>
     * (key policy)
     * </p>
     * <p>
     * <b>Related operations</b>: <a>GenerateMac</a>
     * </p>
     * <p>
     * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual
     * consistency</a>.
     * </p>
     *
     * @param verifyMacRequest
     * @return A Java Future containing the result of the VerifyMac operation returned by the service.<br/>
     * The CompletableFuture returned by this method can be completed exceptionally with the following
     * exceptions.
     * <ul>
     * <li>NotFoundException The request was rejected because the specified entity or resource could not be
     * found.</li>
     * <li>DisabledException The request was rejected because the specified KMS key is not enabled.</li>
     * <li>KeyUnavailableException The request was rejected because the specified KMS key was not available. You
     * can retry the request.</li>
     * <li>InvalidKeyUsageException The request was rejected for one of the following reasons:
     * <ul>
     * <li>
     * <p>
     * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation.
     * </p>
     * </li>
     * <li>
     * <p>
     * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type
     * of key material in the KMS key (<code>KeySpec</code>).
     * </p>
     * </li>
     * </ul>
     * <p>
     * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be
     * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be
     * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the
     * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a
     * KMS key, use the <a>DescribeKey</a> operation.
     * </p>
     * <p>
     * To find the encryption or signing algorithms supported for a particular KMS key, use the
     * <a>DescribeKey</a> operation.</li>
     * <li>InvalidGrantTokenException The request was rejected because the specified grant token is not valid.</li>
     * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can
     * be retried.</li>
     * <li>KmsInvalidMacException The request was rejected because the HMAC verification failed. HMAC
     * verification fails when the HMAC computed by using the specified message, HMAC KMS key, and MAC algorithm
     * does not match the HMAC specified in the request.</li>
     * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not
     * valid for this request.
     * <p>
     * This exception means one of the following:
     * </p>
     * <ul>
     * <li>
     * <p>
     * The key state of the KMS key is not compatible with the operation.
     * </p>
     * <p>
     * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states
     * are compatible with each KMS operation, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
     * the <i>Key Management Service Developer Guide</i>.
     * </p>
     * </li>
     * <li>
     * <p>
     * For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     * failure with many possible causes. To identify the cause, see the error message that accompanies the
     * exception.
     * </p>
     * </li>
     * </ul>
     * </li>
     * <li>DryRunOperationException The request was rejected because the DryRun parameter was specified.</li>
     * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     * Can be used for catch all scenarios.</li>
     * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     * credentials, etc.</li>
     * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.VerifyMac
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyMac" target="_top">AWS API
     * Documentation</a>
     */
    default CompletableFuture<VerifyMacResponse> verifyMac(VerifyMacRequest verifyMacRequest) {
        // This default body does not hand back a failed future: it throws on the calling thread, so code
        // that only inspects the returned future never sees this failure.
        // NOTE(review): presumably the concrete client overrides this method; confirm against the
        // implementation class.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Verifies the hash-based message authentication code (HMAC) for a specified message, HMAC KMS key, and MAC
     * algorithm. To verify the HMAC, <code>VerifyMac</code> computes an HMAC using the message, HMAC KMS key, and MAC
     * algorithm that you specify, and compares the computed HMAC to the HMAC that you specify. If the HMACs are
     * identical, the verification succeeds; otherwise, it fails. Verification indicates that the message hasn't changed
     * since the HMAC was calculated, and the specified key was used to generate and verify the HMAC.
     * </p>
     * <p>
     * HMAC KMS keys and the HMAC algorithms that KMS uses conform to industry standards defined in <a
     * href="https://datatracker.ietf.org/doc/html/rfc2104">RFC 2104</a>.
     * </p>
     * <p>
     * This operation is part of KMS support for HMAC KMS keys. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC keys in KMS</a> in the <i>Key
     * Management Service Developer Guide</i>.
     * </p>
     * <p>
     * The KMS key that you use for this operation must be in a compatible key state.
For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the
     * <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services
     * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter.
     * </p>
     * <p>
     * <b>Required permissions</b>: <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:VerifyMac</a>
     * (key policy)
     * </p>
     * <p>
     * <b>Related operations</b>: <a>GenerateMac</a>
     * </p>
     * <p>
     * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual
     * consistency</a>.
     * </p>
     * <br/>
     * <p>
     * This is a convenience which creates an instance of the {@link VerifyMacRequest.Builder} avoiding the need to
     * create one manually via {@link VerifyMacRequest#builder()}
     * </p>
     *
     * @param verifyMacRequest
     * A {@link Consumer} that will call methods on
     * {@link software.amazon.awssdk.services.kms.model.VerifyMacRequest.Builder} to create a request.
     * @return A Java Future containing the result of the VerifyMac operation returned by the service.<br/>
     * The CompletableFuture returned by this method can be completed exceptionally with the following
     * exceptions.
     * <ul>
     * <li>NotFoundException The request was rejected because the specified entity or resource could not be
     * found.</li>
     * <li>DisabledException The request was rejected because the specified KMS key is not enabled.</li>
     * <li>KeyUnavailableException The request was rejected because the specified KMS key was not available. You
     * can retry the request.</li>
     * <li>InvalidKeyUsageException The request was rejected for one of the following reasons:
     * <ul>
     * <li>
     * <p>
     * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation.
     * </p>
     * </li>
     * <li>
     * <p>
     * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type
     * of key material in the KMS key (<code>KeySpec</code>).
     * </p>
     * </li>
     * </ul>
     * <p>
     * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be
     * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be
     * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the
     * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a
     * KMS key, use the <a>DescribeKey</a> operation.
     * </p>
     * <p>
     * To find the encryption or signing algorithms supported for a particular KMS key, use the
     * <a>DescribeKey</a> operation.</li>
     * <li>InvalidGrantTokenException The request was rejected because the specified grant token is not valid.</li>
     * <li>KmsInternalException The request was rejected because an internal exception occurred. The request can
     * be retried.</li>
     * <li>KmsInvalidMacException The request was rejected because the HMAC verification failed. HMAC
     * verification fails when the HMAC computed by using the specified message, HMAC KMS key, and MAC algorithm
     * does not match the HMAC specified in the request.</li>
     * <li>KmsInvalidStateException The request was rejected because the state of the specified resource is not
     * valid for this request.
     * <p>
     * This exception means one of the following:
     * </p>
     * <ul>
     * <li>
     * <p>
     * The key state of the KMS key is not compatible with the operation.
     * </p>
     * <p>
     * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states
     * are compatible with each KMS operation, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
     * the <i>Key Management Service Developer Guide</i>.
     * </p>
     * </li>
     * <li>
     * <p>
     * For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     * failure with many possible causes. To identify the cause, see the error message that accompanies the
     * exception.
     * </p>
     * </li>
     * </ul>
     * </li>
     * <li>DryRunOperationException The request was rejected because the DryRun parameter was specified.</li>
     * <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
     * Can be used for catch all scenarios.</li>
     * <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
     * credentials, etc.</li>
     * <li>KmsException Base class for all service exceptions. Unknown exceptions will be thrown as an instance
     * of this type.</li>
     * </ul>
     * @sample KmsAsyncClient.VerifyMac
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyMac" target="_top">AWS API
     * Documentation</a>
     */
    default CompletableFuture<VerifyMacResponse> verifyMac(Consumer<VerifyMacRequest.Builder> verifyMacRequest) {
        // The consumer is applied while the request is being built, on the calling thread, before the
        // request-object overload is invoked.
        VerifyMacRequest request = VerifyMacRequest.builder().applyMutation(verifyMacRequest).build();
        // An HMAC that does not match is listed above as KmsInvalidMacException on the returned future, so
        // callers should observe the future's outcome and treat any exceptional completion as "not verified"
        // before acting on the message.
        return verifyMac(request);
    }

    @Override
    default KmsServiceClientConfiguration serviceClientConfiguration() {
        // Default body only; it throws on the calling thread.
        // NOTE(review): presumably the concrete client overrides this method; confirm against the
        // implementation class.
        throw new UnsupportedOperationException();
    }

    /**
     * Create a {@link KmsAsyncClient} with the region loaded from the
     * {@link software.amazon.awssdk.regions.providers.DefaultAwsRegionProviderChain} and credentials loaded from the
     * {@link software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider}.
     */
    static KmsAsyncClient create() {
        // Region and credentials come from the default provider chains named above, i.e. from the ambient
        // environment of the process. Use builder() instead when the identity or region used for KMS calls
        // has to be set explicitly.
        KmsAsyncClientBuilder clientBuilder = builder();
        return clientBuilder.build();
    }

    /**
     * Create a builder that can be used to configure and create a {@link KmsAsyncClient}.
     */
    static KmsAsyncClientBuilder builder() {
        return new DefaultKmsAsyncClientBuilder();
    }
}