1 /* 2 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with 5 * the License. A copy of the License is located at 6 * 7 * http://aws.amazon.com/apache2.0 8 * 9 * or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR 10 * CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions 11 * and limitations under the License. 12 */ 13 14 package software.amazon.awssdk.services.kms; 15 16 import java.util.function.Consumer; 17 import software.amazon.awssdk.annotations.Generated; 18 import software.amazon.awssdk.annotations.SdkPublicApi; 19 import software.amazon.awssdk.annotations.ThreadSafe; 20 import software.amazon.awssdk.awscore.AwsClient; 21 import software.amazon.awssdk.awscore.exception.AwsServiceException; 22 import software.amazon.awssdk.core.exception.SdkClientException; 23 import software.amazon.awssdk.regions.ServiceMetadata; 24 import software.amazon.awssdk.services.kms.model.AlreadyExistsException; 25 import software.amazon.awssdk.services.kms.model.CancelKeyDeletionRequest; 26 import software.amazon.awssdk.services.kms.model.CancelKeyDeletionResponse; 27 import software.amazon.awssdk.services.kms.model.CloudHsmClusterInUseException; 28 import software.amazon.awssdk.services.kms.model.CloudHsmClusterInvalidConfigurationException; 29 import software.amazon.awssdk.services.kms.model.CloudHsmClusterNotActiveException; 30 import software.amazon.awssdk.services.kms.model.CloudHsmClusterNotFoundException; 31 import software.amazon.awssdk.services.kms.model.CloudHsmClusterNotRelatedException; 32 import software.amazon.awssdk.services.kms.model.ConnectCustomKeyStoreRequest; 33 import software.amazon.awssdk.services.kms.model.ConnectCustomKeyStoreResponse; 34 import 
software.amazon.awssdk.services.kms.model.CreateAliasRequest; 35 import software.amazon.awssdk.services.kms.model.CreateAliasResponse; 36 import software.amazon.awssdk.services.kms.model.CreateCustomKeyStoreRequest; 37 import software.amazon.awssdk.services.kms.model.CreateCustomKeyStoreResponse; 38 import software.amazon.awssdk.services.kms.model.CreateGrantRequest; 39 import software.amazon.awssdk.services.kms.model.CreateGrantResponse; 40 import software.amazon.awssdk.services.kms.model.CreateKeyRequest; 41 import software.amazon.awssdk.services.kms.model.CreateKeyResponse; 42 import software.amazon.awssdk.services.kms.model.CustomKeyStoreHasCmKsException; 43 import software.amazon.awssdk.services.kms.model.CustomKeyStoreInvalidStateException; 44 import software.amazon.awssdk.services.kms.model.CustomKeyStoreNameInUseException; 45 import software.amazon.awssdk.services.kms.model.CustomKeyStoreNotFoundException; 46 import software.amazon.awssdk.services.kms.model.DecryptRequest; 47 import software.amazon.awssdk.services.kms.model.DecryptResponse; 48 import software.amazon.awssdk.services.kms.model.DeleteAliasRequest; 49 import software.amazon.awssdk.services.kms.model.DeleteAliasResponse; 50 import software.amazon.awssdk.services.kms.model.DeleteCustomKeyStoreRequest; 51 import software.amazon.awssdk.services.kms.model.DeleteCustomKeyStoreResponse; 52 import software.amazon.awssdk.services.kms.model.DeleteImportedKeyMaterialRequest; 53 import software.amazon.awssdk.services.kms.model.DeleteImportedKeyMaterialResponse; 54 import software.amazon.awssdk.services.kms.model.DependencyTimeoutException; 55 import software.amazon.awssdk.services.kms.model.DescribeCustomKeyStoresRequest; 56 import software.amazon.awssdk.services.kms.model.DescribeCustomKeyStoresResponse; 57 import software.amazon.awssdk.services.kms.model.DescribeKeyRequest; 58 import software.amazon.awssdk.services.kms.model.DescribeKeyResponse; 59 import 
software.amazon.awssdk.services.kms.model.DisableKeyRequest; 60 import software.amazon.awssdk.services.kms.model.DisableKeyResponse; 61 import software.amazon.awssdk.services.kms.model.DisableKeyRotationRequest; 62 import software.amazon.awssdk.services.kms.model.DisableKeyRotationResponse; 63 import software.amazon.awssdk.services.kms.model.DisabledException; 64 import software.amazon.awssdk.services.kms.model.DisconnectCustomKeyStoreRequest; 65 import software.amazon.awssdk.services.kms.model.DisconnectCustomKeyStoreResponse; 66 import software.amazon.awssdk.services.kms.model.DryRunOperationException; 67 import software.amazon.awssdk.services.kms.model.EnableKeyRequest; 68 import software.amazon.awssdk.services.kms.model.EnableKeyResponse; 69 import software.amazon.awssdk.services.kms.model.EnableKeyRotationRequest; 70 import software.amazon.awssdk.services.kms.model.EnableKeyRotationResponse; 71 import software.amazon.awssdk.services.kms.model.EncryptRequest; 72 import software.amazon.awssdk.services.kms.model.EncryptResponse; 73 import software.amazon.awssdk.services.kms.model.ExpiredImportTokenException; 74 import software.amazon.awssdk.services.kms.model.GenerateDataKeyPairRequest; 75 import software.amazon.awssdk.services.kms.model.GenerateDataKeyPairResponse; 76 import software.amazon.awssdk.services.kms.model.GenerateDataKeyPairWithoutPlaintextRequest; 77 import software.amazon.awssdk.services.kms.model.GenerateDataKeyPairWithoutPlaintextResponse; 78 import software.amazon.awssdk.services.kms.model.GenerateDataKeyRequest; 79 import software.amazon.awssdk.services.kms.model.GenerateDataKeyResponse; 80 import software.amazon.awssdk.services.kms.model.GenerateDataKeyWithoutPlaintextRequest; 81 import software.amazon.awssdk.services.kms.model.GenerateDataKeyWithoutPlaintextResponse; 82 import software.amazon.awssdk.services.kms.model.GenerateMacRequest; 83 import software.amazon.awssdk.services.kms.model.GenerateMacResponse; 84 import 
software.amazon.awssdk.services.kms.model.GenerateRandomRequest; 85 import software.amazon.awssdk.services.kms.model.GenerateRandomResponse; 86 import software.amazon.awssdk.services.kms.model.GetKeyPolicyRequest; 87 import software.amazon.awssdk.services.kms.model.GetKeyPolicyResponse; 88 import software.amazon.awssdk.services.kms.model.GetKeyRotationStatusRequest; 89 import software.amazon.awssdk.services.kms.model.GetKeyRotationStatusResponse; 90 import software.amazon.awssdk.services.kms.model.GetParametersForImportRequest; 91 import software.amazon.awssdk.services.kms.model.GetParametersForImportResponse; 92 import software.amazon.awssdk.services.kms.model.GetPublicKeyRequest; 93 import software.amazon.awssdk.services.kms.model.GetPublicKeyResponse; 94 import software.amazon.awssdk.services.kms.model.ImportKeyMaterialRequest; 95 import software.amazon.awssdk.services.kms.model.ImportKeyMaterialResponse; 96 import software.amazon.awssdk.services.kms.model.IncorrectKeyException; 97 import software.amazon.awssdk.services.kms.model.IncorrectKeyMaterialException; 98 import software.amazon.awssdk.services.kms.model.IncorrectTrustAnchorException; 99 import software.amazon.awssdk.services.kms.model.InvalidAliasNameException; 100 import software.amazon.awssdk.services.kms.model.InvalidArnException; 101 import software.amazon.awssdk.services.kms.model.InvalidCiphertextException; 102 import software.amazon.awssdk.services.kms.model.InvalidGrantIdException; 103 import software.amazon.awssdk.services.kms.model.InvalidGrantTokenException; 104 import software.amazon.awssdk.services.kms.model.InvalidImportTokenException; 105 import software.amazon.awssdk.services.kms.model.InvalidKeyUsageException; 106 import software.amazon.awssdk.services.kms.model.InvalidMarkerException; 107 import software.amazon.awssdk.services.kms.model.KeyUnavailableException; 108 import software.amazon.awssdk.services.kms.model.KmsException; 109 import 
software.amazon.awssdk.services.kms.model.KmsInternalException; 110 import software.amazon.awssdk.services.kms.model.KmsInvalidMacException; 111 import software.amazon.awssdk.services.kms.model.KmsInvalidSignatureException; 112 import software.amazon.awssdk.services.kms.model.KmsInvalidStateException; 113 import software.amazon.awssdk.services.kms.model.LimitExceededException; 114 import software.amazon.awssdk.services.kms.model.ListAliasesRequest; 115 import software.amazon.awssdk.services.kms.model.ListAliasesResponse; 116 import software.amazon.awssdk.services.kms.model.ListGrantsRequest; 117 import software.amazon.awssdk.services.kms.model.ListGrantsResponse; 118 import software.amazon.awssdk.services.kms.model.ListKeyPoliciesRequest; 119 import software.amazon.awssdk.services.kms.model.ListKeyPoliciesResponse; 120 import software.amazon.awssdk.services.kms.model.ListKeysRequest; 121 import software.amazon.awssdk.services.kms.model.ListKeysResponse; 122 import software.amazon.awssdk.services.kms.model.ListResourceTagsRequest; 123 import software.amazon.awssdk.services.kms.model.ListResourceTagsResponse; 124 import software.amazon.awssdk.services.kms.model.ListRetirableGrantsRequest; 125 import software.amazon.awssdk.services.kms.model.ListRetirableGrantsResponse; 126 import software.amazon.awssdk.services.kms.model.MalformedPolicyDocumentException; 127 import software.amazon.awssdk.services.kms.model.NotFoundException; 128 import software.amazon.awssdk.services.kms.model.PutKeyPolicyRequest; 129 import software.amazon.awssdk.services.kms.model.PutKeyPolicyResponse; 130 import software.amazon.awssdk.services.kms.model.ReEncryptRequest; 131 import software.amazon.awssdk.services.kms.model.ReEncryptResponse; 132 import software.amazon.awssdk.services.kms.model.ReplicateKeyRequest; 133 import software.amazon.awssdk.services.kms.model.ReplicateKeyResponse; 134 import software.amazon.awssdk.services.kms.model.RetireGrantRequest; 135 import 
software.amazon.awssdk.services.kms.model.RetireGrantResponse; 136 import software.amazon.awssdk.services.kms.model.RevokeGrantRequest; 137 import software.amazon.awssdk.services.kms.model.RevokeGrantResponse; 138 import software.amazon.awssdk.services.kms.model.ScheduleKeyDeletionRequest; 139 import software.amazon.awssdk.services.kms.model.ScheduleKeyDeletionResponse; 140 import software.amazon.awssdk.services.kms.model.SignRequest; 141 import software.amazon.awssdk.services.kms.model.SignResponse; 142 import software.amazon.awssdk.services.kms.model.TagException; 143 import software.amazon.awssdk.services.kms.model.TagResourceRequest; 144 import software.amazon.awssdk.services.kms.model.TagResourceResponse; 145 import software.amazon.awssdk.services.kms.model.UntagResourceRequest; 146 import software.amazon.awssdk.services.kms.model.UntagResourceResponse; 147 import software.amazon.awssdk.services.kms.model.UpdateAliasRequest; 148 import software.amazon.awssdk.services.kms.model.UpdateAliasResponse; 149 import software.amazon.awssdk.services.kms.model.UpdateCustomKeyStoreRequest; 150 import software.amazon.awssdk.services.kms.model.UpdateCustomKeyStoreResponse; 151 import software.amazon.awssdk.services.kms.model.UpdateKeyDescriptionRequest; 152 import software.amazon.awssdk.services.kms.model.UpdateKeyDescriptionResponse; 153 import software.amazon.awssdk.services.kms.model.UpdatePrimaryRegionRequest; 154 import software.amazon.awssdk.services.kms.model.UpdatePrimaryRegionResponse; 155 import software.amazon.awssdk.services.kms.model.VerifyMacRequest; 156 import software.amazon.awssdk.services.kms.model.VerifyMacResponse; 157 import software.amazon.awssdk.services.kms.model.VerifyRequest; 158 import software.amazon.awssdk.services.kms.model.VerifyResponse; 159 import software.amazon.awssdk.services.kms.model.XksKeyAlreadyInUseException; 160 import software.amazon.awssdk.services.kms.model.XksKeyInvalidConfigurationException; 161 import 
software.amazon.awssdk.services.kms.model.XksKeyNotFoundException; 162 import software.amazon.awssdk.services.kms.model.XksProxyIncorrectAuthenticationCredentialException; 163 import software.amazon.awssdk.services.kms.model.XksProxyInvalidConfigurationException; 164 import software.amazon.awssdk.services.kms.model.XksProxyInvalidResponseException; 165 import software.amazon.awssdk.services.kms.model.XksProxyUriEndpointInUseException; 166 import software.amazon.awssdk.services.kms.model.XksProxyUriInUseException; 167 import software.amazon.awssdk.services.kms.model.XksProxyUriUnreachableException; 168 import software.amazon.awssdk.services.kms.model.XksProxyVpcEndpointServiceInUseException; 169 import software.amazon.awssdk.services.kms.model.XksProxyVpcEndpointServiceInvalidConfigurationException; 170 import software.amazon.awssdk.services.kms.model.XksProxyVpcEndpointServiceNotFoundException; 171 import software.amazon.awssdk.services.kms.paginators.DescribeCustomKeyStoresIterable; 172 import software.amazon.awssdk.services.kms.paginators.ListAliasesIterable; 173 import software.amazon.awssdk.services.kms.paginators.ListGrantsIterable; 174 import software.amazon.awssdk.services.kms.paginators.ListKeyPoliciesIterable; 175 import software.amazon.awssdk.services.kms.paginators.ListKeysIterable; 176 import software.amazon.awssdk.services.kms.paginators.ListResourceTagsIterable; 177 import software.amazon.awssdk.services.kms.paginators.ListRetirableGrantsIterable; 178 179 /** 180 * Service client for accessing KMS. This can be created using the static {@link #builder()} method. 181 * 182 * <fullname>Key Management Service</fullname> 183 * <p> 184 * Key Management Service (KMS) is an encryption and key management web service. This guide describes the KMS operations 185 * that you can call programmatically. 
For general information about KMS, see the <a 186 * href="https://docs.aws.amazon.com/kms/latest/developerguide/"> <i>Key Management Service Developer Guide</i> </a>. 187 * </p> 188 * <note> 189 * <p> 190 * KMS has replaced the term <i>customer master key (CMK)</i> with <i>KMS key</i> and <i>KMS key</i>. The concept has 191 * not changed. To prevent breaking changes, KMS is keeping some variations of this term. 192 * </p> 193 * <p> 194 * Amazon Web Services provides SDKs that consist of libraries and sample code for various programming languages and 195 * platforms (Java, Ruby, .Net, macOS, Android, etc.). The SDKs provide a convenient way to create programmatic access 196 * to KMS and other Amazon Web Services services. For example, the SDKs take care of tasks such as signing requests (see 197 * below), managing errors, and retrying requests automatically. For more information about the Amazon Web Services 198 * SDKs, including how to download and install them, see <a href="http://aws.amazon.com/tools/">Tools for Amazon Web 199 * Services</a>. 200 * </p> 201 * </note> 202 * <p> 203 * We recommend that you use the Amazon Web Services SDKs to make programmatic API calls to KMS. 204 * </p> 205 * <p> 206 * If you need to use FIPS 140-2 validated cryptographic modules when communicating with Amazon Web Services, use the 207 * FIPS endpoint in your preferred Amazon Web Services Region. For more information about the available FIPS endpoints, 208 * see <a href="https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region">Service endpoints</a> in the Key 209 * Management Service topic of the <i>Amazon Web Services General Reference</i>. 210 * </p> 211 * <p> 212 * All KMS API calls must be signed and be transmitted using Transport Layer Security (TLS). KMS recommends you always 213 * use the latest supported TLS version. 
Clients must also support cipher suites with Perfect Forward Secrecy (PFS) such 214 * as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Ephemeral Diffie-Hellman (ECDHE). Most modern systems such as 215 * Java 7 and later support these modes. 216 * </p> 217 * <p> 218 * <b>Signing Requests</b> 219 * </p> 220 * <p> 221 * Requests must be signed using an access key ID and a secret access key. We strongly recommend that you do not use 222 * your Amazon Web Services account root access key ID and secret access key for everyday work. You can use the access 223 * key ID and secret access key for an IAM user or you can use the Security Token Service (STS) to generate temporary 224 * security credentials and use those to sign requests. 225 * </p> 226 * <p> 227 * All KMS requests must be signed with <a 228 * href="https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html">Signature Version 4</a>. 229 * </p> 230 * <p> 231 * <b>Logging API Requests</b> 232 * </p> 233 * <p> 234 * KMS supports CloudTrail, a service that logs Amazon Web Services API calls and related events for your Amazon Web 235 * Services account and delivers them to an Amazon S3 bucket that you specify. By using the information collected by 236 * CloudTrail, you can determine what requests were made to KMS, who made the request, when it was made, and so on. To 237 * learn more about CloudTrail, including how to turn it on and find your log files, see the <a 238 * href="https://docs.aws.amazon.com/awscloudtrail/latest/userguide/">CloudTrail User Guide</a>. 
239 * </p> 240 * <p> 241 * <b>Additional Resources</b> 242 * </p> 243 * <p> 244 * For more information about credentials and request signing, see the following: 245 * </p> 246 * <ul> 247 * <li> 248 * <p> 249 * <a href="https://docs.aws.amazon.com/general/latest/gr/aws-security-credentials.html">Amazon Web Services Security 250 * Credentials</a> - This topic provides general information about the types of credentials used to access Amazon Web 251 * Services. 252 * </p> 253 * </li> 254 * <li> 255 * <p> 256 * <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html">Temporary Security 257 * Credentials</a> - This section of the <i>IAM User Guide</i> describes how to create and use temporary security 258 * credentials. 259 * </p> 260 * </li> 261 * <li> 262 * <p> 263 * <a href="https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html">Signature Version 4 Signing 264 * Process</a> - This set of topics walks you through the process of signing a request using an access key ID and a 265 * secret access key. 266 * </p> 267 * </li> 268 * </ul> 269 * <p> 270 * <b>Commonly Used API Operations</b> 271 * </p> 272 * <p> 273 * Of the API operations discussed in this guide, the following will prove the most useful for most applications. You 274 * will likely perform operations other than these, such as creating keys and assigning policies, by using the console. 
275 * </p> 276 * <ul> 277 * <li> 278 * <p> 279 * <a>Encrypt</a> 280 * </p> 281 * </li> 282 * <li> 283 * <p> 284 * <a>Decrypt</a> 285 * </p> 286 * </li> 287 * <li> 288 * <p> 289 * <a>GenerateDataKey</a> 290 * </p> 291 * </li> 292 * <li> 293 * <p> 294 * <a>GenerateDataKeyWithoutPlaintext</a> 295 * </p> 296 * </li> 297 * </ul> 298 */ 299 @Generated("software.amazon.awssdk:codegen") 300 @SdkPublicApi 301 @ThreadSafe 302 public interface KmsClient extends AwsClient { 303 String SERVICE_NAME = "kms"; 304 305 /** 306 * Value for looking up the service's metadata from the 307 * {@link software.amazon.awssdk.regions.ServiceMetadataProvider}. 308 */ 309 String SERVICE_METADATA_ID = "kms"; 310 311 /** 312 * <p> 313 * Cancels the deletion of a KMS key. When this operation succeeds, the key state of the KMS key is 314 * <code>Disabled</code>. To enable the KMS key, use <a>EnableKey</a>. 315 * </p> 316 * <p> 317 * For more information about scheduling and canceling deletion of a KMS key, see <a 318 * href="https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html">Deleting KMS keys</a> in the 319 * <i>Key Management Service Developer Guide</i>. 320 * </p> 321 * <p> 322 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 323 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 324 * <i>Key Management Service Developer Guide</i>. 325 * </p> 326 * <p> 327 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 328 * account. 
329 * </p> 330 * <p> 331 * <b>Required permissions</b>: <a 332 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 333 * >kms:CancelKeyDeletion</a> (key policy) 334 * </p> 335 * <p> 336 * <b>Related operations</b>: <a>ScheduleKeyDeletion</a> 337 * </p> 338 * <p> 339 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 340 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 341 * consistency</a>. 342 * </p> 343 * 344 * @param cancelKeyDeletionRequest 345 * @return Result of the CancelKeyDeletion operation returned by the service. 346 * @throws NotFoundException 347 * The request was rejected because the specified entity or resource could not be found. 348 * @throws InvalidArnException 349 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 350 * @throws DependencyTimeoutException 351 * The system timed out while trying to fulfill the request. You can retry the request. 352 * @throws KmsInternalException 353 * The request was rejected because an internal exception occurred. The request can be retried. 354 * @throws KmsInvalidStateException 355 * The request was rejected because the state of the specified resource is not valid for this request.</p> 356 * <p> 357 * This exceptions means one of the following: 358 * </p> 359 * <ul> 360 * <li> 361 * <p> 362 * The key state of the KMS key is not compatible with the operation. 363 * </p> 364 * <p> 365 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 366 * are compatible with each KMS operation, see <a 367 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 368 * the <i> <i>Key Management Service Developer Guide</i> </i>. 
 *         </p>
 *         </li>
 *         <li>
 *         <p>
 *         For cryptographic operations on KMS keys in custom key stores, this exception represents a general
 *         failure with many possible causes. To identify the cause, see the error message that accompanies the
 *         exception.
 *         </p>
 *         </li>
 * @throws SdkException
 *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
 *         catch all scenarios.
 * @throws SdkClientException
 *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
 * @throws KmsException
 *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
 * @sample KmsClient.CancelKeyDeletion
 * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CancelKeyDeletion" target="_top">AWS API
 *      Documentation</a>
 */
default CancelKeyDeletionResponse cancelKeyDeletion(CancelKeyDeletionRequest cancelKeyDeletionRequest)
        throws NotFoundException,
               InvalidArnException,
               DependencyTimeoutException,
               KmsInternalException,
               KmsInvalidStateException,
               AwsServiceException,
               SdkClientException,
               KmsException {
    // The interface default sends nothing and always throws, so this exception must never be read as a
    // successful cancel: a key that was pending deletion is left exactly as it was.
    // NOTE(review): presumably the concrete client implementation overrides this method - confirm there.
    throw new UnsupportedOperationException();
}

/**
 * <p>
 * Cancels the deletion of a KMS key. When this operation succeeds, the key state of the KMS key is
 * <code>Disabled</code>. To enable the KMS key, use <a>EnableKey</a>.
 * </p>
 * <p>
 * For more information about scheduling and canceling deletion of a KMS key, see <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html">Deleting KMS keys</a> in the
 * <i>Key Management Service Developer Guide</i>.
 * </p>
 * <p>
 * The KMS key that you use for this operation must be in a compatible key state.
For details, see <a 407 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 408 * <i>Key Management Service Developer Guide</i>. 409 * </p> 410 * <p> 411 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 412 * account. 413 * </p> 414 * <p> 415 * <b>Required permissions</b>: <a 416 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 417 * >kms:CancelKeyDeletion</a> (key policy) 418 * </p> 419 * <p> 420 * <b>Related operations</b>: <a>ScheduleKeyDeletion</a> 421 * </p> 422 * <p> 423 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 424 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 425 * consistency</a>. 426 * </p> 427 * <br/> 428 * <p> 429 * This is a convenience which creates an instance of the {@link CancelKeyDeletionRequest.Builder} avoiding the need 430 * to create one manually via {@link CancelKeyDeletionRequest#builder()} 431 * </p> 432 * 433 * @param cancelKeyDeletionRequest 434 * A {@link Consumer} that will call methods on 435 * {@link software.amazon.awssdk.services.kms.model.CancelKeyDeletionRequest.Builder} to create a request. 436 * @return Result of the CancelKeyDeletion operation returned by the service. 437 * @throws NotFoundException 438 * The request was rejected because the specified entity or resource could not be found. 439 * @throws InvalidArnException 440 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 441 * @throws DependencyTimeoutException 442 * The system timed out while trying to fulfill the request. You can retry the request. 443 * @throws KmsInternalException 444 * The request was rejected because an internal exception occurred. The request can be retried. 
445 * @throws KmsInvalidStateException 446 * The request was rejected because the state of the specified resource is not valid for this request.</p> 447 * <p> 448 * This exceptions means one of the following: 449 * </p> 450 * <ul> 451 * <li> 452 * <p> 453 * The key state of the KMS key is not compatible with the operation. 454 * </p> 455 * <p> 456 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 457 * are compatible with each KMS operation, see <a 458 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 459 * the <i> <i>Key Management Service Developer Guide</i> </i>. 460 * </p> 461 * </li> 462 * <li> 463 * <p> 464 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 465 * failure with many possible causes. To identify the cause, see the error message that accompanies the 466 * exception. 467 * </p> 468 * </li> 469 * @throws SdkException 470 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 471 * catch all scenarios. 472 * @throws SdkClientException 473 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 474 * @throws KmsException 475 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
 * @sample KmsClient.CancelKeyDeletion
 * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CancelKeyDeletion" target="_top">AWS API
 *      Documentation</a>
 */
default CancelKeyDeletionResponse cancelKeyDeletion(Consumer<CancelKeyDeletionRequest.Builder> cancelKeyDeletionRequest)
        throws NotFoundException,
               InvalidArnException,
               DependencyTimeoutException,
               KmsInternalException,
               KmsInvalidStateException,
               AwsServiceException,
               SdkClientException,
               KmsException {
    // Let the caller's consumer populate a fresh builder, then freeze it into an immutable request.
    CancelKeyDeletionRequest builtRequest =
            CancelKeyDeletionRequest.builder().applyMutation(cancelKeyDeletionRequest).build();
    // Everything else is delegated to the request-object overload, so this method succeeds or fails
    // exactly as that overload does.
    return cancelKeyDeletion(builtRequest);
}

/**
 * <p>
 * Connects or reconnects a <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>
 * to its backing key store. For an CloudHSM key store, <code>ConnectCustomKeyStore</code> connects the key store to
 * its associated CloudHSM cluster. For an external key store, <code>ConnectCustomKeyStore</code> connects the key
 * store to the external key store proxy that communicates with your external key manager.
 * </p>
 * <p>
 * The custom key store must be connected before you can create KMS keys in the key store or use the KMS keys it
 * contains. You can disconnect and reconnect a custom key store at any time.
 * </p>
 * <p>
 * The connection process for a custom key store can take an extended amount of time to complete. This operation
 * starts the connection process, but it does not wait for it to complete. When it succeeds, this operation quickly
 * returns an HTTP 200 response and a JSON object with no properties. However, this response does not indicate that
 * the custom key store is connected. To get the connection state of the custom key store, use the
 * <a>DescribeCustomKeyStores</a> operation.
504 * </p> 505 * <p> 506 * This operation is part of the <a 507 * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key stores</a> 508 * feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of 509 * a key store that you own and manage. 510 * </p> 511 * <p> 512 * The <code>ConnectCustomKeyStore</code> operation might fail for various reasons. To find the reason, use the 513 * <a>DescribeCustomKeyStores</a> operation and see the <code>ConnectionErrorCode</code> in the response. For help 514 * interpreting the <code>ConnectionErrorCode</code>, see <a>CustomKeyStoresListEntry</a>. 515 * </p> 516 * <p> 517 * To fix the failure, use the <a>DisconnectCustomKeyStore</a> operation to disconnect the custom key store, correct 518 * the error, use the <a>UpdateCustomKeyStore</a> operation if necessary, and then use 519 * <code>ConnectCustomKeyStore</code> again. 520 * </p> 521 * <p> 522 * <b>CloudHSM key store</b> 523 * </p> 524 * <p> 525 * During the connection process for an CloudHSM key store, KMS finds the CloudHSM cluster that is associated with 526 * the custom key store, creates the connection infrastructure, connects to the cluster, logs into the CloudHSM 527 * client as the <code>kmsuser</code> CU, and rotates its password. 528 * </p> 529 * <p> 530 * To connect an CloudHSM key store, its associated CloudHSM cluster must have at least one active HSM. To get the 531 * number of active HSMs in a cluster, use the <a 532 * href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html">DescribeClusters</a> 533 * operation. To add HSMs to the cluster, use the <a 534 * href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html">CreateHsm</a> operation. 
Also, 535 * the <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser"> 536 * <code>kmsuser</code> crypto user</a> (CU) must not be logged into the cluster. This prevents KMS from using this 537 * account to log in. 538 * </p> 539 * <p> 540 * If you are having trouble connecting or disconnecting a CloudHSM key store, see <a 541 * href="https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html">Troubleshooting an CloudHSM key 542 * store</a> in the <i>Key Management Service Developer Guide</i>. 543 * </p> 544 * <p> 545 * <b>External key store</b> 546 * </p> 547 * <p> 548 * When you connect an external key store that uses public endpoint connectivity, KMS tests its ability to 549 * communicate with your external key manager by sending a request via the external key store proxy. 550 * </p> 551 * <p> 552 * When you connect to an external key store that uses VPC endpoint service connectivity, KMS establishes the 553 * networking elements that it needs to communicate with your external key manager via the external key store proxy. 554 * This includes creating an interface endpoint to the VPC endpoint service and a private hosted zone for traffic 555 * between KMS and the VPC endpoint service. 556 * </p> 557 * <p> 558 * To connect an external key store, KMS must be able to connect to the external key store proxy, the external key 559 * store proxy must be able to communicate with your external key manager, and the external key manager must be 560 * available for cryptographic operations. 561 * </p> 562 * <p> 563 * If you are having trouble connecting or disconnecting an external key store, see <a 564 * href="https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html">Troubleshooting an external 565 * key store</a> in the <i>Key Management Service Developer Guide</i>. 566 * </p> 567 * <p> 568 * <b>Cross-account use</b>: No. 
You cannot perform this operation on a custom key store in a different Amazon Web 569 * Services account. 570 * </p> 571 * <p> 572 * <b>Required permissions</b>: <a 573 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 574 * >kms:ConnectCustomKeyStore</a> (IAM policy) 575 * </p> 576 * <p> 577 * <b>Related operations</b> 578 * </p> 579 * <ul> 580 * <li> 581 * <p> 582 * <a>CreateCustomKeyStore</a> 583 * </p> 584 * </li> 585 * <li> 586 * <p> 587 * <a>DeleteCustomKeyStore</a> 588 * </p> 589 * </li> 590 * <li> 591 * <p> 592 * <a>DescribeCustomKeyStores</a> 593 * </p> 594 * </li> 595 * <li> 596 * <p> 597 * <a>DisconnectCustomKeyStore</a> 598 * </p> 599 * </li> 600 * <li> 601 * <p> 602 * <a>UpdateCustomKeyStore</a> 603 * </p> 604 * </li> 605 * </ul> 606 * <p> 607 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 608 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 609 * consistency</a>. 610 * </p> 611 * 612 * @param connectCustomKeyStoreRequest 613 * @return Result of the ConnectCustomKeyStore operation returned by the service. 614 * @throws CloudHsmClusterNotActiveException 615 * The request was rejected because the CloudHSM cluster associated with the CloudHSM key store is not 616 * active. Initialize and activate the cluster and try the command again. For detailed instructions, see <a 617 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html">Getting Started</a> in 618 * the <i>CloudHSM User Guide</i>. 619 * @throws CustomKeyStoreInvalidStateException 620 * The request was rejected because of the <code>ConnectionState</code> of the custom key store. 
To get the 621 * <code>ConnectionState</code> of a custom key store, use the <a>DescribeCustomKeyStores</a> operation.</p> 622 * <p> 623 * This exception is thrown under the following conditions: 624 * </p> 625 * <ul> 626 * <li> 627 * <p> 628 * You requested the <a>ConnectCustomKeyStore</a> operation on a custom key store with a 629 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>FAILED</code>. This operation is 630 * valid for all other <code>ConnectionState</code> values. To reconnect a custom key store in a 631 * <code>FAILED</code> state, disconnect it (<a>DisconnectCustomKeyStore</a>), then connect it ( 632 * <code>ConnectCustomKeyStore</code>). 633 * </p> 634 * </li> 635 * <li> 636 * <p> 637 * You requested the <a>CreateKey</a> operation in a custom key store that is not connected. This operation 638 * is valid only when the custom key store <code>ConnectionState</code> is <code>CONNECTED</code>. 639 * </p> 640 * </li> 641 * <li> 642 * <p> 643 * You requested the <a>DisconnectCustomKeyStore</a> operation on a custom key store with a 644 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>DISCONNECTED</code>. This operation 645 * is valid for all other <code>ConnectionState</code> values. 646 * </p> 647 * </li> 648 * <li> 649 * <p> 650 * You requested the <a>UpdateCustomKeyStore</a> or <a>DeleteCustomKeyStore</a> operation on a custom key 651 * store that is not disconnected. This operation is valid only when the custom key store 652 * <code>ConnectionState</code> is <code>DISCONNECTED</code>. 653 * </p> 654 * </li> 655 * <li> 656 * <p> 657 * You requested the <a>GenerateRandom</a> operation in a CloudHSM key store that is not connected. This 658 * operation is valid only when the CloudHSM key store <code>ConnectionState</code> is 659 * <code>CONNECTED</code>.
660 * </p> 661 * </li> </ul> 662 * @throws CustomKeyStoreNotFoundException 663 * The request was rejected because KMS cannot find a custom key store with the specified key store name or 664 * ID. 665 * @throws KmsInternalException 666 * The request was rejected because an internal exception occurred. The request can be retried. 667 * @throws CloudHsmClusterInvalidConfigurationException 668 * The request was rejected because the associated CloudHSM cluster did not meet the configuration 669 * requirements for a CloudHSM key store.</p> 670 * <ul> 671 * <li> 672 * <p> 673 * The CloudHSM cluster must be configured with private subnets in at least two different Availability Zones 674 * in the Region. 675 * </p> 676 * </li> 677 * <li> 678 * <p> 679 * The <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">security group for 680 * the cluster</a> (cloudhsm-cluster-<i>&lt;cluster-id&gt;</i>-sg) must include inbound rules and outbound 681 * rules that allow TCP traffic on ports 2223-2225. The <b>Source</b> in the inbound rules and the 682 * <b>Destination</b> in the outbound rules must match the security group ID. These rules are set by default 683 * when you create the CloudHSM cluster. Do not delete or change them. To get information about a particular 684 * security group, use the <a 685 * href="https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html" 686 * >DescribeSecurityGroups</a> operation. 687 * </p> 688 * </li> 689 * <li> 690 * <p> 691 * The CloudHSM cluster must contain at least as many HSMs as the operation requires. To add HSMs, use the 692 * CloudHSM <a 693 * href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html">CreateHsm</a> 694 * operation. 695 * </p> 696 * <p> 697 * For the <a>CreateCustomKeyStore</a>, <a>UpdateCustomKeyStore</a>, and <a>CreateKey</a> operations, the 698 * CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone.
For the 699 * <a>ConnectCustomKeyStore</a> operation, the CloudHSM must contain at least one active HSM. 700 * </p> 701 * </li> 702 * </ul> 703 * <p> 704 * For information about the requirements for an CloudHSM cluster that is associated with an CloudHSM key 705 * store, see <a 706 * href="https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore" 707 * >Assemble the Prerequisites</a> in the <i>Key Management Service Developer Guide</i>. For information 708 * about creating a private subnet for an CloudHSM cluster, see <a 709 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html">Create a Private 710 * Subnet</a> in the <i>CloudHSM User Guide</i>. For information about cluster security groups, see <a 711 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">Configure a Default 712 * Security Group</a> in the <i> <i>CloudHSM User Guide</i> </i>. 713 * @throws SdkException 714 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 715 * catch all scenarios. 716 * @throws SdkClientException 717 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 718 * @throws KmsException 719 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
720 * @sample KmsClient.ConnectCustomKeyStore 721 * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ConnectCustomKeyStore" target="_top">AWS API 722 * Documentation</a> 723 */ connectCustomKeyStore(ConnectCustomKeyStoreRequest connectCustomKeyStoreRequest)724 default ConnectCustomKeyStoreResponse connectCustomKeyStore(ConnectCustomKeyStoreRequest connectCustomKeyStoreRequest) 725 throws CloudHsmClusterNotActiveException, CustomKeyStoreInvalidStateException, CustomKeyStoreNotFoundException, 726 KmsInternalException, CloudHsmClusterInvalidConfigurationException, AwsServiceException, SdkClientException, 727 KmsException { 728 /* Default stub: throws UnsupportedOperationException unless an implementing class overrides this method. */ throw new UnsupportedOperationException(); 729 } 730 731 /** 732 * <p> 733 * Connects or reconnects a <a 734 * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a> 735 * to its backing key store. For a CloudHSM key store, <code>ConnectCustomKeyStore</code> connects the key store to 736 * its associated CloudHSM cluster. For an external key store, <code>ConnectCustomKeyStore</code> connects the key 737 * store to the external key store proxy that communicates with your external key manager. 738 * </p> 739 * <p> 740 * The custom key store must be connected before you can create KMS keys in the key store or use the KMS keys it 741 * contains. You can disconnect and reconnect a custom key store at any time. 742 * </p> 743 * <p> 744 * The connection process for a custom key store can take an extended amount of time to complete. This operation 745 * starts the connection process, but it does not wait for it to complete. When it succeeds, this operation quickly 746 * returns an HTTP 200 response and a JSON object with no properties. However, this response does not indicate that 747 * the custom key store is connected. To get the connection state of the custom key store, use the 748 * <a>DescribeCustomKeyStores</a> operation.
749 * </p> 750 * <p> 751 * This operation is part of the <a 752 * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key stores</a> 753 * feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of 754 * a key store that you own and manage. 755 * </p> 756 * <p> 757 * The <code>ConnectCustomKeyStore</code> operation might fail for various reasons. To find the reason, use the 758 * <a>DescribeCustomKeyStores</a> operation and see the <code>ConnectionErrorCode</code> in the response. For help 759 * interpreting the <code>ConnectionErrorCode</code>, see <a>CustomKeyStoresListEntry</a>. 760 * </p> 761 * <p> 762 * To fix the failure, use the <a>DisconnectCustomKeyStore</a> operation to disconnect the custom key store, correct 763 * the error, use the <a>UpdateCustomKeyStore</a> operation if necessary, and then use 764 * <code>ConnectCustomKeyStore</code> again. 765 * </p> 766 * <p> 767 * <b>CloudHSM key store</b> 768 * </p> 769 * <p> 770 * During the connection process for an CloudHSM key store, KMS finds the CloudHSM cluster that is associated with 771 * the custom key store, creates the connection infrastructure, connects to the cluster, logs into the CloudHSM 772 * client as the <code>kmsuser</code> CU, and rotates its password. 773 * </p> 774 * <p> 775 * To connect an CloudHSM key store, its associated CloudHSM cluster must have at least one active HSM. To get the 776 * number of active HSMs in a cluster, use the <a 777 * href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html">DescribeClusters</a> 778 * operation. To add HSMs to the cluster, use the <a 779 * href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html">CreateHsm</a> operation. 
Also, 780 * the <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser"> 781 * <code>kmsuser</code> crypto user</a> (CU) must not be logged into the cluster. An active <code>kmsuser</code> session prevents KMS from using this 782 * account to log in. 783 * </p> 784 * <p> 785 * If you are having trouble connecting or disconnecting a CloudHSM key store, see <a 786 * href="https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html">Troubleshooting an CloudHSM key 787 * store</a> in the <i>Key Management Service Developer Guide</i>. 788 * </p> 789 * <p> 790 * <b>External key store</b> 791 * </p> 792 * <p> 793 * When you connect an external key store that uses public endpoint connectivity, KMS tests its ability to 794 * communicate with your external key manager by sending a request via the external key store proxy. 795 * </p> 796 * <p> 797 * When you connect to an external key store that uses VPC endpoint service connectivity, KMS establishes the 798 * networking elements that it needs to communicate with your external key manager via the external key store proxy. 799 * This includes creating an interface endpoint to the VPC endpoint service and a private hosted zone for traffic 800 * between KMS and the VPC endpoint service. 801 * </p> 802 * <p> 803 * To connect an external key store, KMS must be able to connect to the external key store proxy, the external key 804 * store proxy must be able to communicate with your external key manager, and the external key manager must be 805 * available for cryptographic operations. 806 * </p> 807 * <p> 808 * If you are having trouble connecting or disconnecting an external key store, see <a 809 * href="https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html">Troubleshooting an external 810 * key store</a> in the <i>Key Management Service Developer Guide</i>. 811 * </p> 812 * <p> 813 * <b>Cross-account use</b>: No.
You cannot perform this operation on a custom key store in a different Amazon Web 814 * Services account. 815 * </p> 816 * <p> 817 * <b>Required permissions</b>: <a 818 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 819 * >kms:ConnectCustomKeyStore</a> (IAM policy) 820 * </p> 821 * <p> 822 * <b>Related operations</b> 823 * </p> 824 * <ul> 825 * <li> 826 * <p> 827 * <a>CreateCustomKeyStore</a> 828 * </p> 829 * </li> 830 * <li> 831 * <p> 832 * <a>DeleteCustomKeyStore</a> 833 * </p> 834 * </li> 835 * <li> 836 * <p> 837 * <a>DescribeCustomKeyStores</a> 838 * </p> 839 * </li> 840 * <li> 841 * <p> 842 * <a>DisconnectCustomKeyStore</a> 843 * </p> 844 * </li> 845 * <li> 846 * <p> 847 * <a>UpdateCustomKeyStore</a> 848 * </p> 849 * </li> 850 * </ul> 851 * <p> 852 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 853 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 854 * consistency</a>. 855 * </p> 856 * <br/> 857 * <p> 858 * This is a convenience which creates an instance of the {@link ConnectCustomKeyStoreRequest.Builder} avoiding the 859 * need to create one manually via {@link ConnectCustomKeyStoreRequest#builder()} 860 * </p> 861 * 862 * @param connectCustomKeyStoreRequest 863 * A {@link Consumer} that will call methods on 864 * {@link software.amazon.awssdk.services.kms.model.ConnectCustomKeyStoreRequest.Builder} to create a 865 * request. 866 * @return Result of the ConnectCustomKeyStore operation returned by the service. 867 * @throws CloudHsmClusterNotActiveException 868 * The request was rejected because the CloudHSM cluster associated with the CloudHSM key store is not 869 * active. Initialize and activate the cluster and try the command again. 
For detailed instructions, see <a 870 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html">Getting Started</a> in 871 * the <i>CloudHSM User Guide</i>. 872 * @throws CustomKeyStoreInvalidStateException 873 * The request was rejected because of the <code>ConnectionState</code> of the custom key store. To get the 874 * <code>ConnectionState</code> of a custom key store, use the <a>DescribeCustomKeyStores</a> operation.</p> 875 * <p> 876 * This exception is thrown under the following conditions: 877 * </p> 878 * <ul> 879 * <li> 880 * <p> 881 * You requested the <a>ConnectCustomKeyStore</a> operation on a custom key store with a 882 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>FAILED</code>. This operation is 883 * valid for all other <code>ConnectionState</code> values. To reconnect a custom key store in a 884 * <code>FAILED</code> state, disconnect it (<a>DisconnectCustomKeyStore</a>), then connect it ( 885 * <code>ConnectCustomKeyStore</code>). 886 * </p> 887 * </li> 888 * <li> 889 * <p> 890 * You requested the <a>CreateKey</a> operation in a custom key store that is not connected. This operation 891 * is valid only when the custom key store <code>ConnectionState</code> is <code>CONNECTED</code>. 892 * </p> 893 * </li> 894 * <li> 895 * <p> 896 * You requested the <a>DisconnectCustomKeyStore</a> operation on a custom key store with a 897 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>DISCONNECTED</code>. This operation 898 * is valid for all other <code>ConnectionState</code> values. 899 * </p> 900 * </li> 901 * <li> 902 * <p> 903 * You requested the <a>UpdateCustomKeyStore</a> or <a>DeleteCustomKeyStore</a> operation on a custom key 904 * store that is not disconnected. This operation is valid only when the custom key store 905 * <code>ConnectionState</code> is <code>DISCONNECTED</code>.
906 * </p> 907 * </li> 908 * <li> 909 * <p> 910 * You requested the <a>GenerateRandom</a> operation in a CloudHSM key store that is not connected. This 911 * operation is valid only when the CloudHSM key store <code>ConnectionState</code> is 912 * <code>CONNECTED</code>. 913 * </p> 914 * </li> </ul> 915 * @throws CustomKeyStoreNotFoundException 916 * The request was rejected because KMS cannot find a custom key store with the specified key store name or 917 * ID. 918 * @throws KmsInternalException 919 * The request was rejected because an internal exception occurred. The request can be retried. 920 * @throws CloudHsmClusterInvalidConfigurationException 921 * The request was rejected because the associated CloudHSM cluster did not meet the configuration 922 * requirements for a CloudHSM key store.</p> 923 * <ul> 924 * <li> 925 * <p> 926 * The CloudHSM cluster must be configured with private subnets in at least two different Availability Zones 927 * in the Region. 928 * </p> 929 * </li> 930 * <li> 931 * <p> 932 * The <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">security group for 933 * the cluster</a> (cloudhsm-cluster-<i>&lt;cluster-id&gt;</i>-sg) must include inbound rules and outbound 934 * rules that allow TCP traffic on ports 2223-2225. The <b>Source</b> in the inbound rules and the 935 * <b>Destination</b> in the outbound rules must match the security group ID. These rules are set by default 936 * when you create the CloudHSM cluster. Do not delete or change them. To get information about a particular 937 * security group, use the <a 938 * href="https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html" 939 * >DescribeSecurityGroups</a> operation. 940 * </p> 941 * </li> 942 * <li> 943 * <p> 944 * The CloudHSM cluster must contain at least as many HSMs as the operation requires.
To add HSMs, use the 945 * CloudHSM <a 946 * href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html">CreateHsm</a> 947 * operation. 948 * </p> 949 * <p> 950 * For the <a>CreateCustomKeyStore</a>, <a>UpdateCustomKeyStore</a>, and <a>CreateKey</a> operations, the 951 * CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone. For the 952 * <a>ConnectCustomKeyStore</a> operation, the CloudHSM must contain at least one active HSM. 953 * </p> 954 * </li> 955 * </ul> 956 * <p> 957 * For information about the requirements for an CloudHSM cluster that is associated with an CloudHSM key 958 * store, see <a 959 * href="https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore" 960 * >Assemble the Prerequisites</a> in the <i>Key Management Service Developer Guide</i>. For information 961 * about creating a private subnet for an CloudHSM cluster, see <a 962 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html">Create a Private 963 * Subnet</a> in the <i>CloudHSM User Guide</i>. For information about cluster security groups, see <a 964 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">Configure a Default 965 * Security Group</a> in the <i> <i>CloudHSM User Guide</i> </i>. 966 * @throws SdkException 967 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 968 * catch all scenarios. 969 * @throws SdkClientException 970 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 971 * @throws KmsException 972 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
973 * @sample KmsClient.ConnectCustomKeyStore 974 * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ConnectCustomKeyStore" target="_top">AWS API 975 * Documentation</a> 976 */ connectCustomKeyStore( Consumer<ConnectCustomKeyStoreRequest.Builder> connectCustomKeyStoreRequest)977 default ConnectCustomKeyStoreResponse connectCustomKeyStore( 978 Consumer<ConnectCustomKeyStoreRequest.Builder> connectCustomKeyStoreRequest) 979 throws CloudHsmClusterNotActiveException, CustomKeyStoreInvalidStateException, CustomKeyStoreNotFoundException, 980 KmsInternalException, CloudHsmClusterInvalidConfigurationException, AwsServiceException, SdkClientException, 981 KmsException { 982 /* Applies the caller's Consumer to a new request builder, builds the request, and delegates to the request-object overload. */ return connectCustomKeyStore(ConnectCustomKeyStoreRequest.builder().applyMutation(connectCustomKeyStoreRequest).build()); 983 } 984 985 /** 986 * <p> 987 * Creates a friendly name for a KMS key. 988 * </p> 989 * <note> 990 * <p> 991 * Adding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see <a 992 * href="https://docs.aws.amazon.com/kms/latest/developerguide/abac.html">ABAC for KMS</a> in the <i>Key Management 993 * Service Developer Guide</i>. 994 * </p> 995 * </note> 996 * <p> 997 * You can use an alias to identify a KMS key in the KMS console, in the <a>DescribeKey</a> operation and in <a 998 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations">cryptographic 999 * operations</a>, such as <a>Encrypt</a> and <a>GenerateDataKey</a>. You can also change the KMS key that's 1000 * associated with the alias (<a>UpdateAlias</a>) or delete the alias (<a>DeleteAlias</a>) at any time. These 1001 * operations don't affect the underlying KMS key. 1002 * </p> 1003 * <p> 1004 * You can associate the alias with any customer managed key in the same Amazon Web Services Region. Each alias is 1005 * associated with only one KMS key at a time, but a KMS key can have multiple aliases.
A valid KMS key is required. 1006 * You can't create an alias without a KMS key. 1007 * </p> 1008 * <p> 1009 * The alias must be unique in the account and Region, but you can have aliases with the same name in different 1010 * Regions. For detailed information about aliases, see <a 1011 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html">Using aliases</a> in the <i>Key 1012 * Management Service Developer Guide</i>. 1013 * </p> 1014 * <p> 1015 * This operation does not return a response. To get the alias that you created, use the <a>ListAliases</a> 1016 * operation. 1017 * </p> 1018 * <p> 1019 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 1020 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 1021 * <i>Key Management Service Developer Guide</i>. 1022 * </p> 1023 * <p> 1024 * <b>Cross-account use</b>: No. You cannot perform this operation on an alias in a different Amazon Web Services 1025 * account. 1026 * </p> 1027 * <p> 1028 * <b>Required permissions</b> 1029 * </p> 1030 * <ul> 1031 * <li> 1032 * <p> 1033 * <a 1034 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:CreateAlias 1035 * </a> on the alias (IAM policy). 1036 * </p> 1037 * </li> 1038 * <li> 1039 * <p> 1040 * <a 1041 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:CreateAlias 1042 * </a> on the KMS key (key policy). 1043 * </p> 1044 * </li> 1045 * </ul> 1046 * <p> 1047 * For details, see <a 1048 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access">Controlling access to 1049 * aliases</a> in the <i>Key Management Service Developer Guide</i>. 
1050 * </p> 1051 * <p> 1052 * <b>Related operations:</b> 1053 * </p> 1054 * <ul> 1055 * <li> 1056 * <p> 1057 * <a>DeleteAlias</a> 1058 * </p> 1059 * </li> 1060 * <li> 1061 * <p> 1062 * <a>ListAliases</a> 1063 * </p> 1064 * </li> 1065 * <li> 1066 * <p> 1067 * <a>UpdateAlias</a> 1068 * </p> 1069 * </li> 1070 * </ul> 1071 * <p> 1072 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 1073 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 1074 * consistency</a>. 1075 * </p> 1076 * 1077 * @param createAliasRequest 1078 * @return Result of the CreateAlias operation returned by the service. 1079 * @throws DependencyTimeoutException 1080 * The system timed out while trying to fulfill the request. You can retry the request. 1081 * @throws AlreadyExistsException 1082 * The request was rejected because it attempted to create a resource that already exists. 1083 * @throws NotFoundException 1084 * The request was rejected because the specified entity or resource could not be found. 1085 * @throws InvalidAliasNameException 1086 * The request was rejected because the specified alias name is not valid. 1087 * @throws KmsInternalException 1088 * The request was rejected because an internal exception occurred. The request can be retried. 1089 * @throws LimitExceededException 1090 * The request was rejected because a quota was exceeded. For more information, see <a 1091 * href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the <i>Key 1092 * Management Service Developer Guide</i>. 1093 * @throws KmsInvalidStateException 1094 * The request was rejected because the state of the specified resource is not valid for this request.</p> 1095 * <p> 1096 * This exception means one of the following: 1097 * </p> 1098 * <ul> 1099 * <li> 1100 * <p> 1101 * The key state of the KMS key is not compatible with the operation.
1102 * </p> 1103 * <p> 1104 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 1105 * are compatible with each KMS operation, see <a 1106 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 1107 * the <i> <i>Key Management Service Developer Guide</i> </i>. 1108 * </p> 1109 * </li> 1110 * <li> 1111 * <p> 1112 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 1113 * failure with many possible causes. To identify the cause, see the error message that accompanies the 1114 * exception. 1115 * </p> 1116 * </li> 1117 * @throws SdkException 1118 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 1119 * catch all scenarios. 1120 * @throws SdkClientException 1121 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 1122 * @throws KmsException 1123 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 1124 * @sample KmsClient.CreateAlias 1125 * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateAlias" target="_top">AWS API 1126 * Documentation</a> 1127 */ createAlias(CreateAliasRequest createAliasRequest)1128 default CreateAliasResponse createAlias(CreateAliasRequest createAliasRequest) throws DependencyTimeoutException, 1129 AlreadyExistsException, NotFoundException, InvalidAliasNameException, KmsInternalException, LimitExceededException, 1130 KmsInvalidStateException, AwsServiceException, SdkClientException, KmsException { 1131 /* Default stub: throws UnsupportedOperationException unless an implementing class overrides this method. */ throw new UnsupportedOperationException(); 1132 } 1133 1134 /** 1135 * <p> 1136 * Creates a friendly name for a KMS key. 1137 * </p> 1138 * <note> 1139 * <p> 1140 * Adding, deleting, or updating an alias can allow or deny permission to the KMS key.
For details, see <a 1141 * href="https://docs.aws.amazon.com/kms/latest/developerguide/abac.html">ABAC for KMS</a> in the <i>Key Management 1142 * Service Developer Guide</i>. 1143 * </p> 1144 * </note> 1145 * <p> 1146 * You can use an alias to identify a KMS key in the KMS console, in the <a>DescribeKey</a> operation and in <a 1147 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations">cryptographic 1148 * operations</a>, such as <a>Encrypt</a> and <a>GenerateDataKey</a>. You can also change the KMS key that's 1149 * associated with the alias (<a>UpdateAlias</a>) or delete the alias (<a>DeleteAlias</a>) at any time. These 1150 * operations don't affect the underlying KMS key. 1151 * </p> 1152 * <p> 1153 * You can associate the alias with any customer managed key in the same Amazon Web Services Region. Each alias is 1154 * associated with only one KMS key at a time, but a KMS key can have multiple aliases. A valid KMS key is required. 1155 * You can't create an alias without a KMS key. 1156 * </p> 1157 * <p> 1158 * The alias must be unique in the account and Region, but you can have aliases with the same name in different 1159 * Regions. For detailed information about aliases, see <a 1160 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html">Using aliases</a> in the <i>Key 1161 * Management Service Developer Guide</i>. 1162 * </p> 1163 * <p> 1164 * This operation does not return a response. To get the alias that you created, use the <a>ListAliases</a> 1165 * operation. 1166 * </p> 1167 * <p> 1168 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 1169 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 1170 * <i>Key Management Service Developer Guide</i>. 1171 * </p> 1172 * <p> 1173 * <b>Cross-account use</b>: No. 
You cannot perform this operation on an alias in a different Amazon Web Services 1174 * account. 1175 * </p> 1176 * <p> 1177 * <b>Required permissions</b> 1178 * </p> 1179 * <ul> 1180 * <li> 1181 * <p> 1182 * <a 1183 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:CreateAlias 1184 * </a> on the alias (IAM policy). 1185 * </p> 1186 * </li> 1187 * <li> 1188 * <p> 1189 * <a 1190 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:CreateAlias 1191 * </a> on the KMS key (key policy). 1192 * </p> 1193 * </li> 1194 * </ul> 1195 * <p> 1196 * For details, see <a 1197 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access">Controlling access to 1198 * aliases</a> in the <i>Key Management Service Developer Guide</i>. 1199 * </p> 1200 * <p> 1201 * <b>Related operations:</b> 1202 * </p> 1203 * <ul> 1204 * <li> 1205 * <p> 1206 * <a>DeleteAlias</a> 1207 * </p> 1208 * </li> 1209 * <li> 1210 * <p> 1211 * <a>ListAliases</a> 1212 * </p> 1213 * </li> 1214 * <li> 1215 * <p> 1216 * <a>UpdateAlias</a> 1217 * </p> 1218 * </li> 1219 * </ul> 1220 * <p> 1221 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 1222 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 1223 * consistency</a>. 1224 * </p> 1225 * <br/> 1226 * <p> 1227 * This is a convenience which creates an instance of the {@link CreateAliasRequest.Builder} avoiding the need to 1228 * create one manually via {@link CreateAliasRequest#builder()} 1229 * </p> 1230 * 1231 * @param createAliasRequest 1232 * A {@link Consumer} that will call methods on 1233 * {@link software.amazon.awssdk.services.kms.model.CreateAliasRequest.Builder} to create a request. 1234 * @return Result of the CreateAlias operation returned by the service. 
1235 * @throws DependencyTimeoutException 1236 * The system timed out while trying to fulfill the request. You can retry the request. 1237 * @throws AlreadyExistsException 1238 * The request was rejected because it attempted to create a resource that already exists. 1239 * @throws NotFoundException 1240 * The request was rejected because the specified entity or resource could not be found. 1241 * @throws InvalidAliasNameException 1242 * The request was rejected because the specified alias name is not valid. 1243 * @throws KmsInternalException 1244 * The request was rejected because an internal exception occurred. The request can be retried. 1245 * @throws LimitExceededException 1246 * The request was rejected because a quota was exceeded. For more information, see <a 1247 * href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the <i>Key 1248 * Management Service Developer Guide</i>. 1249 * @throws KmsInvalidStateException 1250 * The request was rejected because the state of the specified resource is not valid for this request.</p> 1251 * <p> 1252 * This exception means one of the following: 1253 * </p> 1254 * <ul> 1255 * <li> 1256 * <p> 1257 * The key state of the KMS key is not compatible with the operation. 1258 * </p> 1259 * <p> 1260 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 1261 * are compatible with each KMS operation, see <a 1262 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 1263 * the <i> <i>Key Management Service Developer Guide</i> </i>. 1264 * </p> 1265 * </li> 1266 * <li> 1267 * <p> 1268 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 1269 * failure with many possible causes. To identify the cause, see the error message that accompanies the 1270 * exception.
* </p>
     * </li>
     * </ul>
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.CreateAlias
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateAlias" target="_top">AWS API
     *      Documentation</a>
     */
    default CreateAliasResponse createAlias(Consumer<CreateAliasRequest.Builder> createAliasRequest)
            throws DependencyTimeoutException, AlreadyExistsException, NotFoundException, InvalidAliasNameException,
            KmsInternalException, LimitExceededException, KmsInvalidStateException, AwsServiceException,
            SdkClientException, KmsException {
        // Run the caller's mutator against a fresh builder, build the request once, and pass the
        // finished request object to createAlias.
        CreateAliasRequest builtRequest = CreateAliasRequest.builder().applyMutation(createAliasRequest).build();
        return createAlias(builtRequest);
    }

    /**
     * <p>
     * Creates a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom
     * key store</a> backed by a key store that you own and manage. When you use a KMS key in a custom key store for a
     * cryptographic operation, the cryptographic operation is actually performed in your key store using your keys.
KMS 1296 * supports <a href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html">CloudHSM key 1297 * stores</a> backed by a <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/clusters.html">CloudHSM 1298 * cluster</a> and <a href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html">external 1299 * key stores</a> backed by an external key store proxy and external key manager outside of Amazon Web Services. 1300 * </p> 1301 * <p> 1302 * This operation is part of the <a 1303 * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key stores</a> 1304 * feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of 1305 * a key store that you own and manage. 1306 * </p> 1307 * <p> 1308 * Before you create the custom key store, the required elements must be in place and operational. We recommend that 1309 * you use the test tools that KMS provides to verify the configuration of your external key store proxy. For details 1310 * about the required elements and verification tests, see <a 1311 * href="https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore">Assemble the 1312 * prerequisites (for CloudHSM key stores)</a> or <a 1313 * href="https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keystore.html#xks-requirements">Assemble 1314 * the prerequisites (for external key stores)</a> in the <i>Key Management Service Developer Guide</i>. 1315 * </p> 1316 * <p> 1317 * To create a custom key store, use the following parameters. 1318 * </p> 1319 * <ul> 1320 * <li> 1321 * <p> 1322 * To create a CloudHSM key store, specify the <code>CustomKeyStoreName</code>, <code>CloudHsmClusterId</code>, 1323 * <code>KeyStorePassword</code>, and <code>TrustAnchorCertificate</code>. The <code>CustomKeyStoreType</code> 1324 * parameter is optional for CloudHSM key stores. 
If you include it, set it to the default value, 1325 * <code>AWS_CLOUDHSM</code>. For help with failures, see <a 1326 * href="https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html">Troubleshooting an CloudHSM key 1327 * store</a> in the <i>Key Management Service Developer Guide</i>. 1328 * </p> 1329 * </li> 1330 * <li> 1331 * <p> 1332 * To create an external key store, specify the <code>CustomKeyStoreName</code> and a 1333 * <code>CustomKeyStoreType</code> of <code>EXTERNAL_KEY_STORE</code>. Also, specify values for 1334 * <code>XksProxyConnectivity</code>, <code>XksProxyAuthenticationCredential</code>, 1335 * <code>XksProxyUriEndpoint</code>, and <code>XksProxyUriPath</code>. If your <code>XksProxyConnectivity</code> 1336 * value is <code>VPC_ENDPOINT_SERVICE</code>, specify the <code>XksProxyVpcEndpointServiceName</code> parameter. 1337 * For help with failures, see <a 1338 * href="https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html">Troubleshooting an external 1339 * key store</a> in the <i>Key Management Service Developer Guide</i>. 1340 * </p> 1341 * </li> 1342 * </ul> 1343 * <note> 1344 * <p> 1345 * For external key stores: 1346 * </p> 1347 * <p> 1348 * Some external key managers provide a simpler method for creating an external key store. For details, see your 1349 * external key manager documentation. 1350 * </p> 1351 * <p> 1352 * When creating an external key store in the KMS console, you can upload a JSON-based proxy configuration file with 1353 * the desired values. You cannot use a proxy configuration with the <code>CreateCustomKeyStore</code> operation. 1354 * However, you can use the values in the file to help you determine the correct values for the 1355 * <code>CreateCustomKeyStore</code> parameters. 1356 * </p> 1357 * </note> 1358 * <p> 1359 * When the operation completes successfully, it returns the ID of the new custom key store. 
Before you can use your 1360 * new custom key store, you need to use the <a>ConnectCustomKeyStore</a> operation to connect a new CloudHSM key 1361 * store to its CloudHSM cluster, or to connect a new external key store to the external key store proxy for your 1362 * external key manager. Even if you are not going to use your custom key store immediately, you might want to 1363 * connect it to verify that all settings are correct and then disconnect it until you are ready to use it. 1364 * </p> 1365 * <p> 1366 * For help with failures, see <a 1367 * href="https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html">Troubleshooting a custom key 1368 * store</a> in the <i>Key Management Service Developer Guide</i>. 1369 * </p> 1370 * <p> 1371 * <b>Cross-account use</b>: No. You cannot perform this operation on a custom key store in a different Amazon Web 1372 * Services account. 1373 * </p> 1374 * <p> 1375 * <b>Required permissions</b>: <a 1376 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 1377 * >kms:CreateCustomKeyStore</a> (IAM policy). 1378 * </p> 1379 * <p> 1380 * <b>Related operations:</b> 1381 * </p> 1382 * <ul> 1383 * <li> 1384 * <p> 1385 * <a>ConnectCustomKeyStore</a> 1386 * </p> 1387 * </li> 1388 * <li> 1389 * <p> 1390 * <a>DeleteCustomKeyStore</a> 1391 * </p> 1392 * </li> 1393 * <li> 1394 * <p> 1395 * <a>DescribeCustomKeyStores</a> 1396 * </p> 1397 * </li> 1398 * <li> 1399 * <p> 1400 * <a>DisconnectCustomKeyStore</a> 1401 * </p> 1402 * </li> 1403 * <li> 1404 * <p> 1405 * <a>UpdateCustomKeyStore</a> 1406 * </p> 1407 * </li> 1408 * </ul> 1409 * <p> 1410 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 1411 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 1412 * consistency</a>. 
1413 * </p> 1414 * 1415 * @param createCustomKeyStoreRequest 1416 * @return Result of the CreateCustomKeyStore operation returned by the service. 1417 * @throws CloudHsmClusterInUseException 1418 * The request was rejected because the specified CloudHSM cluster is already associated with an CloudHSM 1419 * key store in the account, or it shares a backup history with an CloudHSM key store in the account. Each 1420 * CloudHSM key store in the account must be associated with a different CloudHSM cluster.</p> 1421 * <p> 1422 * CloudHSM clusters that share a backup history have the same cluster certificate. To view the cluster 1423 * certificate of an CloudHSM cluster, use the <a 1424 * href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html" 1425 * >DescribeClusters</a> operation. 1426 * @throws CustomKeyStoreNameInUseException 1427 * The request was rejected because the specified custom key store name is already assigned to another 1428 * custom key store in the account. Try again with a custom key store name that is unique in the account. 1429 * @throws CloudHsmClusterNotFoundException 1430 * The request was rejected because KMS cannot find the CloudHSM cluster with the specified cluster ID. 1431 * Retry the request with a different cluster ID. 1432 * @throws KmsInternalException 1433 * The request was rejected because an internal exception occurred. The request can be retried. 1434 * @throws CloudHsmClusterNotActiveException 1435 * The request was rejected because the CloudHSM cluster associated with the CloudHSM key store is not 1436 * active. Initialize and activate the cluster and try the command again. For detailed instructions, see <a 1437 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html">Getting Started</a> in 1438 * the <i>CloudHSM User Guide</i>. 
1439 * @throws IncorrectTrustAnchorException 1440 * The request was rejected because the trust anchor certificate in the request to create a CloudHSM key 1441 * store is not the trust anchor certificate for the specified CloudHSM cluster. 1442 * </p> 1443 * <p> 1444 * When you <a 1445 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr">initialize 1446 * the CloudHSM cluster</a>, you create the trust anchor certificate and save it in the 1447 * <code>customerCA.crt</code> file. 1448 * @throws CloudHsmClusterInvalidConfigurationException 1449 * The request was rejected because the associated CloudHSM cluster did not meet the configuration 1450 * requirements for a CloudHSM key store. 1451 * </p> 1452 * <ul> 1453 * <li> 1454 * <p> 1455 * The CloudHSM cluster must be configured with private subnets in at least two different Availability Zones 1456 * in the Region. 1457 * </p> 1458 * </li> 1459 * <li> 1460 * <p> 1461 * The <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">security group for 1462 * the cluster</a> (cloudhsm-cluster-<i>&lt;cluster-id&gt;</i>-sg) must include inbound rules and outbound 1463 * rules that allow TCP traffic on ports 2223-2225. The <b>Source</b> in the inbound rules and the 1464 * <b>Destination</b> in the outbound rules must match the security group ID. These rules are set by default 1465 * when you create the CloudHSM cluster. Do not delete or change them. To get information about a particular 1466 * security group, use the <a 1467 * href="https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html" 1468 * >DescribeSecurityGroups</a> operation. 1469 * </p> 1470 * </li> 1471 * <li> 1472 * <p> 1473 * The CloudHSM cluster must contain at least as many HSMs as the operation requires. To add HSMs, use the 1474 * CloudHSM <a 1475 * href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html">CreateHsm</a> 1476 * operation. 
1477 * </p> 1478 * <p> 1479 * For the <a>CreateCustomKeyStore</a>, <a>UpdateCustomKeyStore</a>, and <a>CreateKey</a> operations, the 1480 * CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone. For the 1481 * <a>ConnectCustomKeyStore</a> operation, the CloudHSM must contain at least one active HSM. 1482 * </p> 1483 * </li> 1484 * </ul> 1485 * <p> 1486 * For information about the requirements for an CloudHSM cluster that is associated with an CloudHSM key 1487 * store, see <a 1488 * href="https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore" 1489 * >Assemble the Prerequisites</a> in the <i>Key Management Service Developer Guide</i>. For information 1490 * about creating a private subnet for an CloudHSM cluster, see <a 1491 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html">Create a Private 1492 * Subnet</a> in the <i>CloudHSM User Guide</i>. For information about cluster security groups, see <a 1493 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">Configure a Default 1494 * Security Group</a> in the <i> <i>CloudHSM User Guide</i> </i>. 1495 * @throws LimitExceededException 1496 * The request was rejected because a quota was exceeded. For more information, see <a 1497 * href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the <i>Key 1498 * Management Service Developer Guide</i>. 1499 * @throws XksProxyUriInUseException 1500 * The request was rejected because the concatenation of the <code>XksProxyUriEndpoint</code> and 1501 * <code>XksProxyUriPath</code> is already associated with another external key store in this Amazon Web 1502 * Services Region. Each external key store in a Region must use a unique external key store proxy API 1503 * address. 
1504 * @throws XksProxyUriEndpointInUseException 1505 * The request was rejected because the <code>XksProxyUriEndpoint</code> is already associated with another 1506 * external key store in this Amazon Web Services Region. To identify the cause, see the error message that 1507 * accompanies the exception. 1508 * @throws XksProxyUriUnreachableException 1509 * KMS was unable to reach the specified <code>XksProxyUriPath</code>. The path must be reachable before you 1510 * create the external key store or update its settings. 1511 * </p> 1512 * <p> 1513 * This exception is also thrown when the external key store proxy response to a 1514 * <code>GetHealthStatus</code> request indicates that all external key manager instances are unavailable. 1515 * @throws XksProxyIncorrectAuthenticationCredentialException 1516 * The request was rejected because the proxy credentials failed to authenticate to the specified external 1517 * key store proxy. The specified external key store proxy rejected a status request from KMS due to invalid 1518 * credentials. This can indicate an error in the credentials or in the identification of the external key 1519 * store proxy. 1520 * @throws XksProxyVpcEndpointServiceInUseException 1521 * The request was rejected because the specified Amazon VPC endpoint service is already associated with 1522 * another external key store in this Amazon Web Services Region. Each external key store in a Region must 1523 * use a different Amazon VPC endpoint service. 1524 * @throws XksProxyVpcEndpointServiceNotFoundException 1525 * The request was rejected because KMS could not find the specified VPC endpoint service. Use 1526 * <a>DescribeCustomKeyStores</a> to verify the VPC endpoint service name for the external key store. Also, 1527 * confirm that the <code>Allow principals</code> list for the VPC endpoint service includes the KMS service 1528 * principal for the Region, such as <code>cks.kms.us-east-1.amazonaws.com</code>. 
1529 * @throws XksProxyVpcEndpointServiceInvalidConfigurationException 1530 * The request was rejected because the Amazon VPC endpoint service configuration does not fulfill the 1531 * requirements for an external key store. To identify the cause, see the error message that accompanies the 1532 * exception and <a 1533 * href="https://docs.aws.amazon.com/kms/latest/developerguide/vpc-connectivity.html#xks-vpc-requirements" 1534 * >review the requirements</a> for Amazon VPC endpoint service connectivity for an external key store. 1535 * @throws XksProxyInvalidResponseException 1536 * <p> 1537 * KMS cannot interpret the response it received from the external key store proxy. The problem might be a 1538 * poorly constructed response, but it could also be a transient network issue. If you see this error 1539 * repeatedly, report it to the proxy vendor. 1540 * @throws XksProxyInvalidConfigurationException 1541 * The request was rejected because the external key store proxy is not configured correctly. To identify 1542 * the cause, see the error message that accompanies the exception. 1543 * @throws SdkException 1544 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 1545 * catch all scenarios. 1546 * @throws SdkClientException 1547 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 1548 * @throws KmsException 1549 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
* @sample KmsClient.CreateCustomKeyStore
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateCustomKeyStore" target="_top">AWS API
     *      Documentation</a>
     */
    default CreateCustomKeyStoreResponse createCustomKeyStore(CreateCustomKeyStoreRequest createCustomKeyStoreRequest)
            throws CloudHsmClusterInUseException,
            CustomKeyStoreNameInUseException,
            CloudHsmClusterNotFoundException,
            KmsInternalException,
            CloudHsmClusterNotActiveException,
            IncorrectTrustAnchorException,
            CloudHsmClusterInvalidConfigurationException,
            LimitExceededException,
            XksProxyUriInUseException,
            XksProxyUriEndpointInUseException,
            XksProxyUriUnreachableException,
            XksProxyIncorrectAuthenticationCredentialException,
            XksProxyVpcEndpointServiceInUseException,
            XksProxyVpcEndpointServiceNotFoundException,
            XksProxyVpcEndpointServiceInvalidConfigurationException,
            XksProxyInvalidResponseException,
            XksProxyInvalidConfigurationException,
            AwsServiceException,
            SdkClientException,
            KmsException {
        // Interface default: nothing is sent to the service from here; every call ends in
        // UnsupportedOperationException.
        // NOTE(review): presumably the concrete client class overrides this method - confirm there.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Creates a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom
     * key store</a> backed by a key store that you own and manage. When you use a KMS key in a custom key store for a
     * cryptographic operation, the cryptographic operation is actually performed in your key store using your keys.
KMS 1571 * supports <a href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html">CloudHSM key 1572 * stores</a> backed by a <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/clusters.html">CloudHSM 1573 * cluster</a> and <a href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html">external 1574 * key stores</a> backed by an external key store proxy and external key manager outside of Amazon Web Services. 1575 * </p> 1576 * <p> 1577 * This operation is part of the <a 1578 * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key stores</a> 1579 * feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of 1580 * a key store that you own and manage. 1581 * </p> 1582 * <p> 1583 * Before you create the custom key store, the required elements must be in place and operational. We recommend that 1584 * you use the test tools that KMS provides to verify the configuration of your external key store proxy. For details 1585 * about the required elements and verification tests, see <a 1586 * href="https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore">Assemble the 1587 * prerequisites (for CloudHSM key stores)</a> or <a 1588 * href="https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keystore.html#xks-requirements">Assemble 1589 * the prerequisites (for external key stores)</a> in the <i>Key Management Service Developer Guide</i>. 1590 * </p> 1591 * <p> 1592 * To create a custom key store, use the following parameters. 1593 * </p> 1594 * <ul> 1595 * <li> 1596 * <p> 1597 * To create a CloudHSM key store, specify the <code>CustomKeyStoreName</code>, <code>CloudHsmClusterId</code>, 1598 * <code>KeyStorePassword</code>, and <code>TrustAnchorCertificate</code>. The <code>CustomKeyStoreType</code> 1599 * parameter is optional for CloudHSM key stores. 
If you include it, set it to the default value, 1600 * <code>AWS_CLOUDHSM</code>. For help with failures, see <a 1601 * href="https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html">Troubleshooting an CloudHSM key 1602 * store</a> in the <i>Key Management Service Developer Guide</i>. 1603 * </p> 1604 * </li> 1605 * <li> 1606 * <p> 1607 * To create an external key store, specify the <code>CustomKeyStoreName</code> and a 1608 * <code>CustomKeyStoreType</code> of <code>EXTERNAL_KEY_STORE</code>. Also, specify values for 1609 * <code>XksProxyConnectivity</code>, <code>XksProxyAuthenticationCredential</code>, 1610 * <code>XksProxyUriEndpoint</code>, and <code>XksProxyUriPath</code>. If your <code>XksProxyConnectivity</code> 1611 * value is <code>VPC_ENDPOINT_SERVICE</code>, specify the <code>XksProxyVpcEndpointServiceName</code> parameter. 1612 * For help with failures, see <a 1613 * href="https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html">Troubleshooting an external 1614 * key store</a> in the <i>Key Management Service Developer Guide</i>. 1615 * </p> 1616 * </li> 1617 * </ul> 1618 * <note> 1619 * <p> 1620 * For external key stores: 1621 * </p> 1622 * <p> 1623 * Some external key managers provide a simpler method for creating an external key store. For details, see your 1624 * external key manager documentation. 1625 * </p> 1626 * <p> 1627 * When creating an external key store in the KMS console, you can upload a JSON-based proxy configuration file with 1628 * the desired values. You cannot use a proxy configuration with the <code>CreateCustomKeyStore</code> operation. 1629 * However, you can use the values in the file to help you determine the correct values for the 1630 * <code>CreateCustomKeyStore</code> parameters. 1631 * </p> 1632 * </note> 1633 * <p> 1634 * When the operation completes successfully, it returns the ID of the new custom key store. 
Before you can use your 1635 * new custom key store, you need to use the <a>ConnectCustomKeyStore</a> operation to connect a new CloudHSM key 1636 * store to its CloudHSM cluster, or to connect a new external key store to the external key store proxy for your 1637 * external key manager. Even if you are not going to use your custom key store immediately, you might want to 1638 * connect it to verify that all settings are correct and then disconnect it until you are ready to use it. 1639 * </p> 1640 * <p> 1641 * For help with failures, see <a 1642 * href="https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html">Troubleshooting a custom key 1643 * store</a> in the <i>Key Management Service Developer Guide</i>. 1644 * </p> 1645 * <p> 1646 * <b>Cross-account use</b>: No. You cannot perform this operation on a custom key store in a different Amazon Web 1647 * Services account. 1648 * </p> 1649 * <p> 1650 * <b>Required permissions</b>: <a 1651 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 1652 * >kms:CreateCustomKeyStore</a> (IAM policy). 1653 * </p> 1654 * <p> 1655 * <b>Related operations:</b> 1656 * </p> 1657 * <ul> 1658 * <li> 1659 * <p> 1660 * <a>ConnectCustomKeyStore</a> 1661 * </p> 1662 * </li> 1663 * <li> 1664 * <p> 1665 * <a>DeleteCustomKeyStore</a> 1666 * </p> 1667 * </li> 1668 * <li> 1669 * <p> 1670 * <a>DescribeCustomKeyStores</a> 1671 * </p> 1672 * </li> 1673 * <li> 1674 * <p> 1675 * <a>DisconnectCustomKeyStore</a> 1676 * </p> 1677 * </li> 1678 * <li> 1679 * <p> 1680 * <a>UpdateCustomKeyStore</a> 1681 * </p> 1682 * </li> 1683 * </ul> 1684 * <p> 1685 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 1686 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 1687 * consistency</a>. 
1688 * </p> 1689 * <br/> 1690 * <p> 1691 * This is a convenience which creates an instance of the {@link CreateCustomKeyStoreRequest.Builder} avoiding the 1692 * need to create one manually via {@link CreateCustomKeyStoreRequest#builder()} 1693 * </p> 1694 * 1695 * @param createCustomKeyStoreRequest 1696 * A {@link Consumer} that will call methods on 1697 * {@link software.amazon.awssdk.services.kms.model.CreateCustomKeyStoreRequest.Builder} to create a request. 1698 * @return Result of the CreateCustomKeyStore operation returned by the service. 1699 * @throws CloudHsmClusterInUseException 1700 * The request was rejected because the specified CloudHSM cluster is already associated with an CloudHSM 1701 * key store in the account, or it shares a backup history with an CloudHSM key store in the account. Each 1702 * CloudHSM key store in the account must be associated with a different CloudHSM cluster.</p> 1703 * <p> 1704 * CloudHSM clusters that share a backup history have the same cluster certificate. To view the cluster 1705 * certificate of an CloudHSM cluster, use the <a 1706 * href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html" 1707 * >DescribeClusters</a> operation. 1708 * @throws CustomKeyStoreNameInUseException 1709 * The request was rejected because the specified custom key store name is already assigned to another 1710 * custom key store in the account. Try again with a custom key store name that is unique in the account. 1711 * @throws CloudHsmClusterNotFoundException 1712 * The request was rejected because KMS cannot find the CloudHSM cluster with the specified cluster ID. 1713 * Retry the request with a different cluster ID. 1714 * @throws KmsInternalException 1715 * The request was rejected because an internal exception occurred. The request can be retried. 
1716 * @throws CloudHsmClusterNotActiveException 1717 * The request was rejected because the CloudHSM cluster associated with the CloudHSM key store is not 1718 * active. Initialize and activate the cluster and try the command again. For detailed instructions, see <a 1719 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html">Getting Started</a> in 1720 * the <i>CloudHSM User Guide</i>. 1721 * @throws IncorrectTrustAnchorException 1722 * The request was rejected because the trust anchor certificate in the request to create a CloudHSM key 1723 * store is not the trust anchor certificate for the specified CloudHSM cluster. 1724 * </p> 1725 * <p> 1726 * When you <a 1727 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr">initialize 1728 * the CloudHSM cluster</a>, you create the trust anchor certificate and save it in the 1729 * <code>customerCA.crt</code> file. 1730 * @throws CloudHsmClusterInvalidConfigurationException 1731 * The request was rejected because the associated CloudHSM cluster did not meet the configuration 1732 * requirements for a CloudHSM key store. 1733 * </p> 1734 * <ul> 1735 * <li> 1736 * <p> 1737 * The CloudHSM cluster must be configured with private subnets in at least two different Availability Zones 1738 * in the Region. 1739 * </p> 1740 * </li> 1741 * <li> 1742 * <p> 1743 * The <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">security group for 1744 * the cluster</a> (cloudhsm-cluster-<i>&lt;cluster-id&gt;</i>-sg) must include inbound rules and outbound 1745 * rules that allow TCP traffic on ports 2223-2225. The <b>Source</b> in the inbound rules and the 1746 * <b>Destination</b> in the outbound rules must match the security group ID. These rules are set by default 1747 * when you create the CloudHSM cluster. Do not delete or change them. 
To get information about a particular 1748 * security group, use the <a 1749 * href="https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html" 1750 * >DescribeSecurityGroups</a> operation. 1751 * </p> 1752 * </li> 1753 * <li> 1754 * <p> 1755 * The CloudHSM cluster must contain at least as many HSMs as the operation requires. To add HSMs, use the 1756 * CloudHSM <a 1757 * href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html">CreateHsm</a> 1758 * operation. 1759 * </p> 1760 * <p> 1761 * For the <a>CreateCustomKeyStore</a>, <a>UpdateCustomKeyStore</a>, and <a>CreateKey</a> operations, the 1762 * CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone. For the 1763 * <a>ConnectCustomKeyStore</a> operation, the CloudHSM must contain at least one active HSM. 1764 * </p> 1765 * </li> 1766 * </ul> 1767 * <p> 1768 * For information about the requirements for an CloudHSM cluster that is associated with an CloudHSM key 1769 * store, see <a 1770 * href="https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore" 1771 * >Assemble the Prerequisites</a> in the <i>Key Management Service Developer Guide</i>. For information 1772 * about creating a private subnet for an CloudHSM cluster, see <a 1773 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html">Create a Private 1774 * Subnet</a> in the <i>CloudHSM User Guide</i>. For information about cluster security groups, see <a 1775 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">Configure a Default 1776 * Security Group</a> in the <i> <i>CloudHSM User Guide</i> </i>. 1777 * @throws LimitExceededException 1778 * The request was rejected because a quota was exceeded. For more information, see <a 1779 * href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the <i>Key 1780 * Management Service Developer Guide</i>. 
1781 * @throws XksProxyUriInUseException 1782 * The request was rejected because the concatenation of the <code>XksProxyUriEndpoint</code> and 1783 * <code>XksProxyUriPath</code> is already associated with another external key store in this Amazon Web 1784 * Services Region. Each external key store in a Region must use a unique external key store proxy API 1785 * address. 1786 * @throws XksProxyUriEndpointInUseException 1787 * The request was rejected because the <code>XksProxyUriEndpoint</code> is already associated with another 1788 * external key store in this Amazon Web Services Region. To identify the cause, see the error message that 1789 * accompanies the exception. 1790 * @throws XksProxyUriUnreachableException 1791 * KMS was unable to reach the specified <code>XksProxyUriPath</code>. The path must be reachable before you 1792 * create the external key store or update its settings. 1793 * </p> 1794 * <p> 1795 * This exception is also thrown when the external key store proxy response to a 1796 * <code>GetHealthStatus</code> request indicates that all external key manager instances are unavailable. 1797 * @throws XksProxyIncorrectAuthenticationCredentialException 1798 * The request was rejected because the proxy credentials failed to authenticate to the specified external 1799 * key store proxy. The specified external key store proxy rejected a status request from KMS due to invalid 1800 * credentials. This can indicate an error in the credentials or in the identification of the external key 1801 * store proxy. 1802 * @throws XksProxyVpcEndpointServiceInUseException 1803 * The request was rejected because the specified Amazon VPC endpoint service is already associated with 1804 * another external key store in this Amazon Web Services Region. Each external key store in a Region must 1805 * use a different Amazon VPC endpoint service. 
1806 * @throws XksProxyVpcEndpointServiceNotFoundException 1807 * The request was rejected because KMS could not find the specified VPC endpoint service. Use 1808 * <a>DescribeCustomKeyStores</a> to verify the VPC endpoint service name for the external key store. Also, 1809 * confirm that the <code>Allow principals</code> list for the VPC endpoint service includes the KMS service 1810 * principal for the Region, such as <code>cks.kms.us-east-1.amazonaws.com</code>. 1811 * @throws XksProxyVpcEndpointServiceInvalidConfigurationException 1812 * The request was rejected because the Amazon VPC endpoint service configuration does not fulfill the 1813 * requirements for an external key store. To identify the cause, see the error message that accompanies the 1814 * exception and <a 1815 * href="https://docs.aws.amazon.com/kms/latest/developerguide/vpc-connectivity.html#xks-vpc-requirements" 1816 * >review the requirements</a> for Amazon VPC endpoint service connectivity for an external key store. 1817 * @throws XksProxyInvalidResponseException 1818 * <p> 1819 * KMS cannot interpret the response it received from the external key store proxy. The problem might be a 1820 * poorly constructed response, but it could also be a transient network issue. If you see this error 1821 * repeatedly, report it to the proxy vendor. 1822 * @throws XksProxyInvalidConfigurationException 1823 * The request was rejected because the external key store proxy is not configured correctly. To identify 1824 * the cause, see the error message that accompanies the exception. 1825 * @throws SdkException 1826 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 1827 * catch all scenarios. 1828 * @throws SdkClientException 1829 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 1830 * @throws KmsException 1831 * Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.CreateCustomKeyStore
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateCustomKeyStore" target="_top">AWS API
     *      Documentation</a>
     */
    default CreateCustomKeyStoreResponse createCustomKeyStore(
            Consumer<CreateCustomKeyStoreRequest.Builder> createCustomKeyStoreRequest)
            throws CloudHsmClusterInUseException,
                   CustomKeyStoreNameInUseException,
                   CloudHsmClusterNotFoundException,
                   KmsInternalException,
                   CloudHsmClusterNotActiveException,
                   IncorrectTrustAnchorException,
                   CloudHsmClusterInvalidConfigurationException,
                   LimitExceededException,
                   XksProxyUriInUseException,
                   XksProxyUriEndpointInUseException,
                   XksProxyUriUnreachableException,
                   XksProxyIncorrectAuthenticationCredentialException,
                   XksProxyVpcEndpointServiceInUseException,
                   XksProxyVpcEndpointServiceNotFoundException,
                   XksProxyVpcEndpointServiceInvalidConfigurationException,
                   XksProxyInvalidResponseException,
                   XksProxyInvalidConfigurationException,
                   AwsServiceException,
                   SdkClientException,
                   KmsException {
        // Convenience overload: start from an empty builder, let the caller's consumer populate it,
        // then delegate to the request-object overload. Nothing is validated or defaulted here, so
        // the request contains exactly what the consumer set.
        CreateCustomKeyStoreRequest request =
                CreateCustomKeyStoreRequest.builder().applyMutation(createCustomKeyStoreRequest).build();
        return createCustomKeyStore(request);
    }

    /**
     * <p>
     * Adds a grant to a KMS key.
     * </p>
     * <p>
     * A <i>grant</i> is a policy instrument that allows Amazon Web Services principals to use KMS keys in cryptographic
     * operations. It also can allow them to view a KMS key (<a>DescribeKey</a>) and create and manage grants. When
     * authorizing access to a KMS key, grants are considered along with key policies and IAM policies. Grants are often
     * used for temporary permissions because you can create one, use its permissions, and delete it without changing
     * your key policies or IAM policies.
1858 * </p> 1859 * <p> 1860 * For detailed information about grants, including grant terminology, see <a 1861 * href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html">Grants in KMS</a> in the <i> <i>Key 1862 * Management Service Developer Guide</i> </i>. For examples of working with grants in several programming 1863 * languages, see <a 1864 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html">Programming grants</a>. 1865 * </p> 1866 * <p> 1867 * The <code>CreateGrant</code> operation returns a <code>GrantToken</code> and a <code>GrantId</code>. 1868 * </p> 1869 * <ul> 1870 * <li> 1871 * <p> 1872 * When you create, retire, or revoke a grant, there might be a brief delay, usually less than five minutes, until 1873 * the grant is available throughout KMS. This state is known as <i>eventual consistency</i>. Once the grant has 1874 * achieved eventual consistency, the grantee principal can use the permissions in the grant without identifying the 1875 * grant. 1876 * </p> 1877 * <p> 1878 * However, to use the permissions in the grant immediately, use the <code>GrantToken</code> that 1879 * <code>CreateGrant</code> returns. For details, see <a 1880 * href="https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token">Using a grant 1881 * token</a> in the <i> <i>Key Management Service Developer Guide</i> </i>. 1882 * </p> 1883 * </li> 1884 * <li> 1885 * <p> 1886 * The <code>CreateGrant</code> operation also returns a <code>GrantId</code>. You can use the <code>GrantId</code> 1887 * and a key identifier to identify the grant in the <a>RetireGrant</a> and <a>RevokeGrant</a> operations. To find 1888 * the grant ID, use the <a>ListGrants</a> or <a>ListRetirableGrants</a> operations. 1889 * </p> 1890 * </li> 1891 * </ul> 1892 * <p> 1893 * The KMS key that you use for this operation must be in a compatible key state. 
For details, see <a 1894 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 1895 * <i>Key Management Service Developer Guide</i>. 1896 * </p> 1897 * <p> 1898 * <b>Cross-account use</b>: Yes. To perform this operation on a KMS key in a different Amazon Web Services account, 1899 * specify the key ARN in the value of the <code>KeyId</code> parameter. 1900 * </p> 1901 * <p> 1902 * <b>Required permissions</b>: <a 1903 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 1904 * >kms:CreateGrant</a> (key policy) 1905 * </p> 1906 * <p> 1907 * <b>Related operations:</b> 1908 * </p> 1909 * <ul> 1910 * <li> 1911 * <p> 1912 * <a>ListGrants</a> 1913 * </p> 1914 * </li> 1915 * <li> 1916 * <p> 1917 * <a>ListRetirableGrants</a> 1918 * </p> 1919 * </li> 1920 * <li> 1921 * <p> 1922 * <a>RetireGrant</a> 1923 * </p> 1924 * </li> 1925 * <li> 1926 * <p> 1927 * <a>RevokeGrant</a> 1928 * </p> 1929 * </li> 1930 * </ul> 1931 * <p> 1932 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 1933 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 1934 * consistency</a>. 1935 * </p> 1936 * 1937 * @param createGrantRequest 1938 * @return Result of the CreateGrant operation returned by the service. 1939 * @throws NotFoundException 1940 * The request was rejected because the specified entity or resource could not be found. 1941 * @throws DisabledException 1942 * The request was rejected because the specified KMS key is not enabled. 1943 * @throws DependencyTimeoutException 1944 * The system timed out while trying to fulfill the request. You can retry the request. 1945 * @throws InvalidArnException 1946 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 
1947 * @throws KmsInternalException 1948 * The request was rejected because an internal exception occurred. The request can be retried. 1949 * @throws InvalidGrantTokenException 1950 * The request was rejected because the specified grant token is not valid. 1951 * @throws LimitExceededException 1952 * The request was rejected because a quota was exceeded. For more information, see <a 1953 * href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the <i>Key 1954 * Management Service Developer Guide</i>. 1955 * @throws KmsInvalidStateException 1956 * The request was rejected because the state of the specified resource is not valid for this request.</p> 1957 * <p> 1958 * This exceptions means one of the following: 1959 * </p> 1960 * <ul> 1961 * <li> 1962 * <p> 1963 * The key state of the KMS key is not compatible with the operation. 1964 * </p> 1965 * <p> 1966 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 1967 * are compatible with each KMS operation, see <a 1968 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 1969 * the <i> <i>Key Management Service Developer Guide</i> </i>. 1970 * </p> 1971 * </li> 1972 * <li> 1973 * <p> 1974 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 1975 * failure with many possible causes. To identify the cause, see the error message that accompanies the 1976 * exception. 1977 * </p> 1978 * </li> 1979 * @throws DryRunOperationException 1980 * The request was rejected because the DryRun parameter was specified. 1981 * @throws SdkException 1982 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 1983 * catch all scenarios. 1984 * @throws SdkClientException 1985 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 
* @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.CreateGrant
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateGrant" target="_top">AWS API
     *      Documentation</a>
     */
    default CreateGrantResponse createGrant(CreateGrantRequest createGrantRequest)
            throws NotFoundException,
                   DisabledException,
                   DependencyTimeoutException,
                   InvalidArnException,
                   KmsInternalException,
                   InvalidGrantTokenException,
                   LimitExceededException,
                   KmsInvalidStateException,
                   DryRunOperationException,
                   AwsServiceException,
                   SdkClientException,
                   KmsException {
        // Default body of the interface method: it sends nothing and always throws. A concrete
        // client is presumably expected to override it; no implementation is visible in this part
        // of the file.
        // NOTE(review): the createKey Javadoc later in this file documents a service-side
        // exception with the same simple name. Which class this statement resolves to depends on
        // the file's import list, which is not fully visible here. Confirm against the imports.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Adds a grant to a KMS key.
     * </p>
     * <p>
     * A <i>grant</i> is a policy instrument that allows Amazon Web Services principals to use KMS keys in cryptographic
     * operations. It also can allow them to view a KMS key (<a>DescribeKey</a>) and create and manage grants. When
     * authorizing access to a KMS key, grants are considered along with key policies and IAM policies. Grants are often
     * used for temporary permissions because you can create one, use its permissions, and delete it without changing
     * your key policies or IAM policies.
     * </p>
     * <p>
     * For detailed information about grants, including grant terminology, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html">Grants in KMS</a> in the <i> <i>Key
     * Management Service Developer Guide</i> </i>. For examples of working with grants in several programming
     * languages, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html">Programming grants</a>.
2016 * </p> 2017 * <p> 2018 * The <code>CreateGrant</code> operation returns a <code>GrantToken</code> and a <code>GrantId</code>. 2019 * </p> 2020 * <ul> 2021 * <li> 2022 * <p> 2023 * When you create, retire, or revoke a grant, there might be a brief delay, usually less than five minutes, until 2024 * the grant is available throughout KMS. This state is known as <i>eventual consistency</i>. Once the grant has 2025 * achieved eventual consistency, the grantee principal can use the permissions in the grant without identifying the 2026 * grant. 2027 * </p> 2028 * <p> 2029 * However, to use the permissions in the grant immediately, use the <code>GrantToken</code> that 2030 * <code>CreateGrant</code> returns. For details, see <a 2031 * href="https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token">Using a grant 2032 * token</a> in the <i> <i>Key Management Service Developer Guide</i> </i>. 2033 * </p> 2034 * </li> 2035 * <li> 2036 * <p> 2037 * The <code>CreateGrant</code> operation also returns a <code>GrantId</code>. You can use the <code>GrantId</code> 2038 * and a key identifier to identify the grant in the <a>RetireGrant</a> and <a>RevokeGrant</a> operations. To find 2039 * the grant ID, use the <a>ListGrants</a> or <a>ListRetirableGrants</a> operations. 2040 * </p> 2041 * </li> 2042 * </ul> 2043 * <p> 2044 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 2045 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 2046 * <i>Key Management Service Developer Guide</i>. 2047 * </p> 2048 * <p> 2049 * <b>Cross-account use</b>: Yes. To perform this operation on a KMS key in a different Amazon Web Services account, 2050 * specify the key ARN in the value of the <code>KeyId</code> parameter. 
2051 * </p> 2052 * <p> 2053 * <b>Required permissions</b>: <a 2054 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 2055 * >kms:CreateGrant</a> (key policy) 2056 * </p> 2057 * <p> 2058 * <b>Related operations:</b> 2059 * </p> 2060 * <ul> 2061 * <li> 2062 * <p> 2063 * <a>ListGrants</a> 2064 * </p> 2065 * </li> 2066 * <li> 2067 * <p> 2068 * <a>ListRetirableGrants</a> 2069 * </p> 2070 * </li> 2071 * <li> 2072 * <p> 2073 * <a>RetireGrant</a> 2074 * </p> 2075 * </li> 2076 * <li> 2077 * <p> 2078 * <a>RevokeGrant</a> 2079 * </p> 2080 * </li> 2081 * </ul> 2082 * <p> 2083 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 2084 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 2085 * consistency</a>. 2086 * </p> 2087 * <br/> 2088 * <p> 2089 * This is a convenience which creates an instance of the {@link CreateGrantRequest.Builder} avoiding the need to 2090 * create one manually via {@link CreateGrantRequest#builder()} 2091 * </p> 2092 * 2093 * @param createGrantRequest 2094 * A {@link Consumer} that will call methods on 2095 * {@link software.amazon.awssdk.services.kms.model.CreateGrantRequest.Builder} to create a request. 2096 * @return Result of the CreateGrant operation returned by the service. 2097 * @throws NotFoundException 2098 * The request was rejected because the specified entity or resource could not be found. 2099 * @throws DisabledException 2100 * The request was rejected because the specified KMS key is not enabled. 2101 * @throws DependencyTimeoutException 2102 * The system timed out while trying to fulfill the request. You can retry the request. 2103 * @throws InvalidArnException 2104 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 2105 * @throws KmsInternalException 2106 * The request was rejected because an internal exception occurred. 
The request can be retried. 2107 * @throws InvalidGrantTokenException 2108 * The request was rejected because the specified grant token is not valid. 2109 * @throws LimitExceededException 2110 * The request was rejected because a quota was exceeded. For more information, see <a 2111 * href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the <i>Key 2112 * Management Service Developer Guide</i>. 2113 * @throws KmsInvalidStateException 2114 * The request was rejected because the state of the specified resource is not valid for this request.</p> 2115 * <p> 2116 * This exceptions means one of the following: 2117 * </p> 2118 * <ul> 2119 * <li> 2120 * <p> 2121 * The key state of the KMS key is not compatible with the operation. 2122 * </p> 2123 * <p> 2124 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 2125 * are compatible with each KMS operation, see <a 2126 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 2127 * the <i> <i>Key Management Service Developer Guide</i> </i>. 2128 * </p> 2129 * </li> 2130 * <li> 2131 * <p> 2132 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 2133 * failure with many possible causes. To identify the cause, see the error message that accompanies the 2134 * exception. 2135 * </p> 2136 * </li> 2137 * @throws DryRunOperationException 2138 * The request was rejected because the DryRun parameter was specified. 2139 * @throws SdkException 2140 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 2141 * catch all scenarios. 2142 * @throws SdkClientException 2143 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 2144 * @throws KmsException 2145 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
* @sample KmsClient.CreateGrant
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateGrant" target="_top">AWS API
     *      Documentation</a>
     */
    default CreateGrantResponse createGrant(Consumer<CreateGrantRequest.Builder> createGrantRequest)
            throws NotFoundException,
                   DisabledException,
                   DependencyTimeoutException,
                   InvalidArnException,
                   KmsInternalException,
                   InvalidGrantTokenException,
                   LimitExceededException,
                   KmsInvalidStateException,
                   DryRunOperationException,
                   AwsServiceException,
                   SdkClientException,
                   KmsException {
        // Convenience overload: the request is built solely from what the caller's consumer sets
        // on a fresh builder. This method adds no validation or defaults of its own, so the
        // grantee principal, the granted operations and any grant constraints are exactly what
        // the consumer supplies.
        CreateGrantRequest request = CreateGrantRequest.builder().applyMutation(createGrantRequest).build();
        return createGrant(request);
    }

    /**
     * <p>
     * Creates a unique customer managed <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms-keys">KMS key</a> in your Amazon
     * Web Services account and Region. You can use a KMS key in cryptographic operations, such as encryption and
     * signing. Some Amazon Web Services services let you use KMS keys that you create and manage to protect your
     * service resources.
     * </p>
     * <p>
     * A KMS key is a logical representation of a cryptographic key. In addition to the key material used in
     * cryptographic operations, a KMS key includes metadata, such as the key ID, key policy, creation date,
     * description, and key state. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/getting-started.html">Managing keys</a> in the <i>Key
     * Management Service Developer Guide</i>
     * </p>
     * <p>
     * Use the parameters of <code>CreateKey</code> to specify the type of KMS key, the source of its key material, its
     * key policy, description, tags, and other properties.
     * </p>
     * <note>
     * <p>
     * KMS has replaced the term <i>customer master key (CMK)</i> with <i>KMS key</i> and <i>KMS key</i>.
The concept 2179 * has not changed. To prevent breaking changes, KMS is keeping some variations of this term. 2180 * </p> 2181 * </note> 2182 * <p> 2183 * To create different types of KMS keys, use the following guidance: 2184 * </p> 2185 * <dl> 2186 * <dt>Symmetric encryption KMS key</dt> 2187 * <dd> 2188 * <p> 2189 * By default, <code>CreateKey</code> creates a symmetric encryption KMS key with key material that KMS generates. 2190 * This is the basic and most widely used type of KMS key, and provides the best performance. 2191 * </p> 2192 * <p> 2193 * To create a symmetric encryption KMS key, you don't need to specify any parameters. The default value for 2194 * <code>KeySpec</code>, <code>SYMMETRIC_DEFAULT</code>, the default value for <code>KeyUsage</code>, 2195 * <code>ENCRYPT_DECRYPT</code>, and the default value for <code>Origin</code>, <code>AWS_KMS</code>, create a 2196 * symmetric encryption KMS key with KMS key material. 2197 * </p> 2198 * <p> 2199 * If you need a key for basic encryption and decryption or you are creating a KMS key to protect your resources in 2200 * an Amazon Web Services service, create a symmetric encryption KMS key. The key material in a symmetric encryption 2201 * key never leaves KMS unencrypted. You can use a symmetric encryption KMS key to encrypt and decrypt data up to 2202 * 4,096 bytes, but they are typically used to generate data keys and data keys pairs. For details, see 2203 * <a>GenerateDataKey</a> and <a>GenerateDataKeyPair</a>. 2204 * </p> 2205 * <p> 2206 * </p></dd> 2207 * <dt>Asymmetric KMS keys</dt> 2208 * <dd> 2209 * <p> 2210 * To create an asymmetric KMS key, use the <code>KeySpec</code> parameter to specify the type of key material in 2211 * the KMS key. Then, use the <code>KeyUsage</code> parameter to determine whether the KMS key will be used to 2212 * encrypt and decrypt or sign and verify. You can't change these properties after the KMS key is created. 
2213 * </p> 2214 * <p> 2215 * Asymmetric KMS keys contain an RSA key pair, Elliptic Curve (ECC) key pair, or an SM2 key pair (China Regions 2216 * only). The private key in an asymmetric KMS key never leaves KMS unencrypted. However, you can use the 2217 * <a>GetPublicKey</a> operation to download the public key so it can be used outside of KMS. KMS keys with RSA or 2218 * SM2 key pairs can be used to encrypt or decrypt data or sign and verify messages (but not both). KMS keys with 2219 * ECC key pairs can be used only to sign and verify messages. For information about asymmetric KMS keys, see <a 2220 * href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in 2221 * the <i>Key Management Service Developer Guide</i>. 2222 * </p> 2223 * <p> 2224 * </p></dd> 2225 * <dt>HMAC KMS key</dt> 2226 * <dd> 2227 * <p> 2228 * To create an HMAC KMS key, set the <code>KeySpec</code> parameter to a key spec value for HMAC KMS keys. Then set 2229 * the <code>KeyUsage</code> parameter to <code>GENERATE_VERIFY_MAC</code>. You must set the key usage even though 2230 * <code>GENERATE_VERIFY_MAC</code> is the only valid key usage value for HMAC KMS keys. You can't change these 2231 * properties after the KMS key is created. 2232 * </p> 2233 * <p> 2234 * HMAC KMS keys are symmetric keys that never leave KMS unencrypted. You can use HMAC keys to generate 2235 * (<a>GenerateMac</a>) and verify (<a>VerifyMac</a>) HMAC codes for messages up to 4096 bytes. 2236 * </p> 2237 * <p> 2238 * </p></dd> 2239 * <dt>Multi-Region primary keys</dt> 2240 * <dt>Imported key material</dt> 2241 * <dd> 2242 * <p> 2243 * To create a multi-Region <i>primary key</i> in the local Amazon Web Services Region, use the 2244 * <code>MultiRegion</code> parameter with a value of <code>True</code>. 
To create a multi-Region <i>replica 2245 * key</i>, that is, a KMS key with the same key ID and key material as a primary key, but in a different Amazon Web 2246 * Services Region, use the <a>ReplicateKey</a> operation. To change a replica key to a primary key, and its primary 2247 * key to a replica key, use the <a>UpdatePrimaryRegion</a> operation. 2248 * </p> 2249 * <p> 2250 * You can create multi-Region KMS keys for all supported KMS key types: symmetric encryption KMS keys, HMAC KMS 2251 * keys, asymmetric encryption KMS keys, and asymmetric signing KMS keys. You can also create multi-Region keys with 2252 * imported key material. However, you can't create multi-Region keys in a custom key store. 2253 * </p> 2254 * <p> 2255 * This operation supports <i>multi-Region keys</i>, an KMS feature that lets you create multiple interoperable KMS 2256 * keys in different Amazon Web Services Regions. Because these KMS keys have the same key ID, key material, and 2257 * other metadata, you can use them interchangeably to encrypt data in one Amazon Web Services Region and decrypt it 2258 * in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more 2259 * information about multi-Region keys, see <a 2260 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html">Multi-Region keys in 2261 * KMS</a> in the <i>Key Management Service Developer Guide</i>. 2262 * </p> 2263 * <p> 2264 * </p></dd> 2265 * <dd> 2266 * <p> 2267 * To import your own key material into a KMS key, begin by creating a KMS key with no key material. To do this, use 2268 * the <code>Origin</code> parameter of <code>CreateKey</code> with a value of <code>EXTERNAL</code>. Next, use 2269 * <a>GetParametersForImport</a> operation to get a public key and import token. Use the wrapping public key to 2270 * encrypt your key material. Then, use <a>ImportKeyMaterial</a> with your import token to import the key material. 
2271 * For step-by-step instructions, see <a 2272 * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing Key Material</a> in 2273 * the <i> <i>Key Management Service Developer Guide</i> </i>. 2274 * </p> 2275 * <p> 2276 * You can import key material into KMS keys of all supported KMS key types: symmetric encryption KMS keys, HMAC KMS 2277 * keys, asymmetric encryption KMS keys, and asymmetric signing KMS keys. You can also create multi-Region keys with 2278 * imported key material. However, you can't import key material into a KMS key in a custom key store. 2279 * </p> 2280 * <p> 2281 * To create a multi-Region primary key with imported key material, use the <code>Origin</code> parameter of 2282 * <code>CreateKey</code> with a value of <code>EXTERNAL</code> and the <code>MultiRegion</code> parameter with a 2283 * value of <code>True</code>. To create replicas of the multi-Region primary key, use the <a>ReplicateKey</a> 2284 * operation. For instructions, see <a 2285 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-import.html ">Importing key 2286 * material into multi-Region keys</a>. For more information about multi-Region keys, see <a 2287 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html">Multi-Region keys in 2288 * KMS</a> in the <i>Key Management Service Developer Guide</i>. 2289 * </p> 2290 * <p> 2291 * </p></dd> 2292 * <dt>Custom key store</dt> 2293 * <dd> 2294 * <p> 2295 * A <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key 2296 * store</a> lets you protect your Amazon Web Services resources using keys in a backing key store that you own and 2297 * manage. When you request a cryptographic operation with a KMS key in a custom key store, the operation is 2298 * performed in the backing key store using its cryptographic keys. 
2299 * </p> 2300 * <p> 2301 * KMS supports <a href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html">CloudHSM key 2302 * stores</a> backed by an CloudHSM cluster and <a 2303 * href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html">external key stores</a> 2304 * backed by an external key manager outside of Amazon Web Services. When you create a KMS key in an CloudHSM key 2305 * store, KMS generates an encryption key in the CloudHSM cluster and associates it with the KMS key. When you 2306 * create a KMS key in an external key store, you specify an existing encryption key in the external key manager. 2307 * </p> 2308 * <note> 2309 * <p> 2310 * Some external key managers provide a simpler method for creating a KMS key in an external key store. For details, 2311 * see your external key manager documentation. 2312 * </p> 2313 * </note> 2314 * <p> 2315 * Before you create a KMS key in a custom key store, the <code>ConnectionState</code> of the key store must be 2316 * <code>CONNECTED</code>. To connect the custom key store, use the <a>ConnectCustomKeyStore</a> operation. To find 2317 * the <code>ConnectionState</code>, use the <a>DescribeCustomKeyStores</a> operation. 2318 * </p> 2319 * <p> 2320 * To create a KMS key in a custom key store, use the <code>CustomKeyStoreId</code>. Use the default 2321 * <code>KeySpec</code> value, <code>SYMMETRIC_DEFAULT</code>, and the default <code>KeyUsage</code> value, 2322 * <code>ENCRYPT_DECRYPT</code> to create a symmetric encryption key. No other key type is supported in a custom key 2323 * store. 2324 * </p> 2325 * <p> 2326 * To create a KMS key in an <a 2327 * href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html">CloudHSM key store</a>, use 2328 * the <code>Origin</code> parameter with a value of <code>AWS_CLOUDHSM</code>. 
The CloudHSM cluster that is 2329 * associated with the custom key store must have at least two active HSMs in different Availability Zones in the 2330 * Amazon Web Services Region. 2331 * </p> 2332 * <p> 2333 * To create a KMS key in an <a 2334 * href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html">external key store</a>, use 2335 * the <code>Origin</code> parameter with a value of <code>EXTERNAL_KEY_STORE</code> and an <code>XksKeyId</code> 2336 * parameter that identifies an existing external key. 2337 * </p> 2338 * <note> 2339 * <p> 2340 * Some external key managers provide a simpler method for creating a KMS key in an external key store. For details, 2341 * see your external key manager documentation. 2342 * </p> 2343 * </note></dd> 2344 * </dl> 2345 * <p> 2346 * <b>Cross-account use</b>: No. You cannot use this operation to create a KMS key in a different Amazon Web 2347 * Services account. 2348 * </p> 2349 * <p> 2350 * <b>Required permissions</b>: <a 2351 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:CreateKey</a> 2352 * (IAM policy). To use the <code>Tags</code> parameter, <a 2353 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 2354 * >kms:TagResource</a> (IAM policy). For examples and information about related permissions, see <a 2355 * href="https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-create-key" 2356 * >Allow a user to create KMS keys</a> in the <i>Key Management Service Developer Guide</i>. 
2357 * </p> 2358 * <p> 2359 * <b>Related operations:</b> 2360 * </p> 2361 * <ul> 2362 * <li> 2363 * <p> 2364 * <a>DescribeKey</a> 2365 * </p> 2366 * </li> 2367 * <li> 2368 * <p> 2369 * <a>ListKeys</a> 2370 * </p> 2371 * </li> 2372 * <li> 2373 * <p> 2374 * <a>ScheduleKeyDeletion</a> 2375 * </p> 2376 * </li> 2377 * </ul> 2378 * <p> 2379 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 2380 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 2381 * consistency</a>. 2382 * </p> 2383 * 2384 * @param createKeyRequest 2385 * @return Result of the CreateKey operation returned by the service. 2386 * @throws MalformedPolicyDocumentException 2387 * The request was rejected because the specified policy is not syntactically or semantically correct. 2388 * @throws DependencyTimeoutException 2389 * The system timed out while trying to fulfill the request. You can retry the request. 2390 * @throws InvalidArnException 2391 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 2392 * @throws UnsupportedOperationException 2393 * The request was rejected because a specified parameter is not supported or a specified resource is not 2394 * valid for this operation. 2395 * @throws KmsInternalException 2396 * The request was rejected because an internal exception occurred. The request can be retried. 2397 * @throws LimitExceededException 2398 * The request was rejected because a quota was exceeded. For more information, see <a 2399 * href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the <i>Key 2400 * Management Service Developer Guide</i>. 2401 * @throws TagException 2402 * The request was rejected because one or more tags are not valid. 
2403 * @throws CustomKeyStoreNotFoundException 2404 * The request was rejected because KMS cannot find a custom key store with the specified key store name or 2405 * ID. 2406 * @throws CustomKeyStoreInvalidStateException 2407 * The request was rejected because of the <code>ConnectionState</code> of the custom key store. To get the 2408 * <code>ConnectionState</code> of a custom key store, use the <a>DescribeCustomKeyStores</a> operation.</p> 2409 * <p> 2410 * This exception is thrown under the following conditions: 2411 * </p> 2412 * <ul> 2413 * <li> 2414 * <p> 2415 * You requested the <a>ConnectCustomKeyStore</a> operation on a custom key store with a 2416 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>FAILED</code>. This operation is 2417 * valid for all other <code>ConnectionState</code> values. To reconnect a custom key store in a 2418 * <code>FAILED</code> state, disconnect it (<a>DisconnectCustomKeyStore</a>), then connect it ( 2419 * <code>ConnectCustomKeyStore</code>). 2420 * </p> 2421 * </li> 2422 * <li> 2423 * <p> 2424 * You requested the <a>CreateKey</a> operation in a custom key store that is not connected. This operations 2425 * is valid only when the custom key store <code>ConnectionState</code> is <code>CONNECTED</code>. 2426 * </p> 2427 * </li> 2428 * <li> 2429 * <p> 2430 * You requested the <a>DisconnectCustomKeyStore</a> operation on a custom key store with a 2431 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>DISCONNECTED</code>. This operation 2432 * is valid for all other <code>ConnectionState</code> values. 2433 * </p> 2434 * </li> 2435 * <li> 2436 * <p> 2437 * You requested the <a>UpdateCustomKeyStore</a> or <a>DeleteCustomKeyStore</a> operation on a custom key 2438 * store that is not disconnected. This operation is valid only when the custom key store 2439 * <code>ConnectionState</code> is <code>DISCONNECTED</code>. 
2440 * </p> 2441 * </li> 2442 * <li> 2443 * <p> 2444 * You requested the <a>GenerateRandom</a> operation in a CloudHSM key store that is not connected. This 2445 * operation is valid only when the CloudHSM key store <code>ConnectionState</code> is 2446 * <code>CONNECTED</code>. 2447 * </p> 2448 * </li> 2449 * @throws CloudHsmClusterInvalidConfigurationException 2450 * The request was rejected because the associated CloudHSM cluster did not meet the configuration 2451 * requirements for a CloudHSM key store.</p> 2452 * <ul> 2453 * <li> 2454 * <p> 2455 * The CloudHSM cluster must be configured with private subnets in at least two different Availability Zones 2456 * in the Region. 2457 * </p> 2458 * </li> 2459 * <li> 2460 * <p> 2461 * The <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">security group for 2462 * the cluster</a> (cloudhsm-cluster-<i>&lt;cluster-id&gt;</i>-sg) must include inbound rules and outbound 2463 * rules that allow TCP traffic on ports 2223-2225. The <b>Source</b> in the inbound rules and the 2464 * <b>Destination</b> in the outbound rules must match the security group ID. These rules are set by default 2465 * when you create the CloudHSM cluster. Do not delete or change them. To get information about a particular 2466 * security group, use the <a 2467 * href="https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html" 2468 * >DescribeSecurityGroups</a> operation. 2469 * </p> 2470 * </li> 2471 * <li> 2472 * <p> 2473 * The CloudHSM cluster must contain at least as many HSMs as the operation requires. To add HSMs, use the 2474 * CloudHSM <a 2475 * href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html">CreateHsm</a> 2476 * operation. 2477 * </p> 2478 * <p> 2479 * For the <a>CreateCustomKeyStore</a>, <a>UpdateCustomKeyStore</a>, and <a>CreateKey</a> operations, the 2480 * CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone.
For the 2481 * <a>ConnectCustomKeyStore</a> operation, the CloudHSM must contain at least one active HSM. 2482 * </p> 2483 * </li> 2484 * </ul> 2485 * <p> 2486 * For information about the requirements for an CloudHSM cluster that is associated with an CloudHSM key 2487 * store, see <a 2488 * href="https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore" 2489 * >Assemble the Prerequisites</a> in the <i>Key Management Service Developer Guide</i>. For information 2490 * about creating a private subnet for an CloudHSM cluster, see <a 2491 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html">Create a Private 2492 * Subnet</a> in the <i>CloudHSM User Guide</i>. For information about cluster security groups, see <a 2493 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">Configure a Default 2494 * Security Group</a> in the <i> <i>CloudHSM User Guide</i> </i>. 2495 * @throws XksKeyInvalidConfigurationException 2496 * The request was rejected because the external key specified by the <code>XksKeyId</code> parameter did 2497 * not meet the configuration requirements for an external key store. 2498 * </p> 2499 * <p> 2500 * The external key must be an AES-256 symmetric key that is enabled and performs encryption and decryption. 2501 * @throws XksKeyAlreadyInUseException 2502 * The request was rejected because the (<code>XksKeyId</code>) is already associated with another KMS key 2503 * in this external key store. Each KMS key in an external key store must be associated with a different 2504 * external key. 2505 * @throws XksKeyNotFoundException 2506 * The request was rejected because the external key store proxy could not find the external key. This 2507 * exception is thrown when the value of the <code>XksKeyId</code> parameter doesn't identify a key in the 2508 * external key manager associated with the external key proxy. 
* </p>
* <p>
* Verify that the <code>XksKeyId</code> represents an existing key in the external key manager. Use the key
* identifier that the external key store proxy uses to identify the key. For details, see the documentation
* provided with your external key store proxy or key manager.
* @throws SdkException
*         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
*         catch all scenarios.
* @throws SdkClientException
*         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
*         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.CreateKey
* @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKey" target="_top">AWS API
*      Documentation</a>
*/
default CreateKeyResponse createKey(CreateKeyRequest createKeyRequest) throws MalformedPolicyDocumentException,
        DependencyTimeoutException, InvalidArnException,
        software.amazon.awssdk.services.kms.model.UnsupportedOperationException, KmsInternalException,
        LimitExceededException, TagException, CustomKeyStoreNotFoundException, CustomKeyStoreInvalidStateException,
        CloudHsmClusterInvalidConfigurationException, XksKeyInvalidConfigurationException, XksKeyAlreadyInUseException,
        XksKeyNotFoundException, AwsServiceException, SdkClientException, KmsException {
    // Interface default: makes no call to KMS and always throws. A concrete client is expected to override
    // this method (presumably the SDK's generated client implementation does; confirm there).
    // NOTE(review): the unqualified name below appears to resolve to java.lang.UnsupportedOperationException
    // (unchecked), because the KMS model exception with the same simple name is written fully qualified in
    // the throws clause. A caller catching the model type or KmsException would then not catch this one.
    // Verify against the file's import list, which is only partly visible here.
    throw new UnsupportedOperationException();
}

/**
 * <p>
 * Creates a unique customer managed <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms-keys">KMS key</a> in your Amazon
 * Web Services account and Region. You can use a KMS key in cryptographic operations, such as encryption and
 * signing.
Some Amazon Web Services services let you use KMS keys that you create and manage to protect your 2540 * service resources. 2541 * </p> 2542 * <p> 2543 * A KMS key is a logical representation of a cryptographic key. In addition to the key material used in 2544 * cryptographic operations, a KMS key includes metadata, such as the key ID, key policy, creation date, 2545 * description, and key state. For details, see <a 2546 * href="https://docs.aws.amazon.com/kms/latest/developerguide/getting-started.html">Managing keys</a> in the <i>Key 2547 * Management Service Developer Guide</i>. 2548 * </p> 2549 * <p> 2550 * Use the parameters of <code>CreateKey</code> to specify the type of KMS key, the source of its key material, its 2551 * key policy, description, tags, and other properties. 2552 * </p> 2553 * <note> 2554 * <p> 2555 * KMS has replaced the term <i>customer master key (CMK)</i> with <i>KMS key</i>. The concept 2556 * has not changed. To prevent breaking changes, KMS is keeping some variations of this term. 2557 * </p> 2558 * </note> 2559 * <p> 2560 * To create different types of KMS keys, use the following guidance: 2561 * </p> 2562 * <dl> 2563 * <dt>Symmetric encryption KMS key</dt> 2564 * <dd> 2565 * <p> 2566 * By default, <code>CreateKey</code> creates a symmetric encryption KMS key with key material that KMS generates. 2567 * This is the basic and most widely used type of KMS key, and provides the best performance. 2568 * </p> 2569 * <p> 2570 * To create a symmetric encryption KMS key, you don't need to specify any parameters. The default value for 2571 * <code>KeySpec</code>, <code>SYMMETRIC_DEFAULT</code>, the default value for <code>KeyUsage</code>, 2572 * <code>ENCRYPT_DECRYPT</code>, and the default value for <code>Origin</code>, <code>AWS_KMS</code>, create a 2573 * symmetric encryption KMS key with KMS key material.
2574 * </p> 2575 * <p> 2576 * If you need a key for basic encryption and decryption or you are creating a KMS key to protect your resources in 2577 * an Amazon Web Services service, create a symmetric encryption KMS key. The key material in a symmetric encryption 2578 * key never leaves KMS unencrypted. You can use a symmetric encryption KMS key to encrypt and decrypt data up to 2579 * 4,096 bytes, but they are typically used to generate data keys and data key pairs. For details, see 2580 * <a>GenerateDataKey</a> and <a>GenerateDataKeyPair</a>. 2581 * </p> 2582 * <p> 2583 * </p></dd> 2584 * <dt>Asymmetric KMS keys</dt> 2585 * <dd> 2586 * <p> 2587 * To create an asymmetric KMS key, use the <code>KeySpec</code> parameter to specify the type of key material in 2588 * the KMS key. Then, use the <code>KeyUsage</code> parameter to determine whether the KMS key will be used to 2589 * encrypt and decrypt or sign and verify. You can't change these properties after the KMS key is created. 2590 * </p> 2591 * <p> 2592 * Asymmetric KMS keys contain an RSA key pair, Elliptic Curve (ECC) key pair, or an SM2 key pair (China Regions 2593 * only). The private key in an asymmetric KMS key never leaves KMS unencrypted. However, you can use the 2594 * <a>GetPublicKey</a> operation to download the public key so it can be used outside of KMS. KMS keys with RSA or 2595 * SM2 key pairs can be used to encrypt or decrypt data or sign and verify messages (but not both). KMS keys with 2596 * ECC key pairs can be used only to sign and verify messages. For information about asymmetric KMS keys, see <a 2597 * href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in 2598 * the <i>Key Management Service Developer Guide</i>. 2599 * </p> 2600 * <p> 2601 * </p></dd> 2602 * <dt>HMAC KMS key</dt> 2603 * <dd> 2604 * <p> 2605 * To create an HMAC KMS key, set the <code>KeySpec</code> parameter to a key spec value for HMAC KMS keys.
Then set 2606 * the <code>KeyUsage</code> parameter to <code>GENERATE_VERIFY_MAC</code>. You must set the key usage even though 2607 * <code>GENERATE_VERIFY_MAC</code> is the only valid key usage value for HMAC KMS keys. You can't change these 2608 * properties after the KMS key is created. 2609 * </p> 2610 * <p> 2611 * HMAC KMS keys are symmetric keys that never leave KMS unencrypted. You can use HMAC keys to generate 2612 * (<a>GenerateMac</a>) and verify (<a>VerifyMac</a>) HMAC codes for messages up to 4096 bytes. 2613 * </p> 2614 * <p> 2615 * </p></dd> 2616 * <dt>Multi-Region primary keys</dt> 2617 * <dt>Imported key material</dt> 2618 * <dd> 2619 * <p> 2620 * To create a multi-Region <i>primary key</i> in the local Amazon Web Services Region, use the 2621 * <code>MultiRegion</code> parameter with a value of <code>True</code>. To create a multi-Region <i>replica 2622 * key</i>, that is, a KMS key with the same key ID and key material as a primary key, but in a different Amazon Web 2623 * Services Region, use the <a>ReplicateKey</a> operation. To change a replica key to a primary key, and its primary 2624 * key to a replica key, use the <a>UpdatePrimaryRegion</a> operation. 2625 * </p> 2626 * <p> 2627 * You can create multi-Region KMS keys for all supported KMS key types: symmetric encryption KMS keys, HMAC KMS 2628 * keys, asymmetric encryption KMS keys, and asymmetric signing KMS keys. You can also create multi-Region keys with 2629 * imported key material. However, you can't create multi-Region keys in a custom key store. 2630 * </p> 2631 * <p> 2632 * This operation supports <i>multi-Region keys</i>, an KMS feature that lets you create multiple interoperable KMS 2633 * keys in different Amazon Web Services Regions. 
Because these KMS keys have the same key ID, key material, and 2634 * other metadata, you can use them interchangeably to encrypt data in one Amazon Web Services Region and decrypt it 2635 * in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more 2636 * information about multi-Region keys, see <a 2637 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html">Multi-Region keys in 2638 * KMS</a> in the <i>Key Management Service Developer Guide</i>. 2639 * </p> 2640 * <p> 2641 * </p></dd> 2642 * <dd> 2643 * <p> 2644 * To import your own key material into a KMS key, begin by creating a KMS key with no key material. To do this, use 2645 * the <code>Origin</code> parameter of <code>CreateKey</code> with a value of <code>EXTERNAL</code>. Next, use 2646 * <a>GetParametersForImport</a> operation to get a public key and import token. Use the wrapping public key to 2647 * encrypt your key material. Then, use <a>ImportKeyMaterial</a> with your import token to import the key material. 2648 * For step-by-step instructions, see <a 2649 * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing Key Material</a> in 2650 * the <i> <i>Key Management Service Developer Guide</i> </i>. 2651 * </p> 2652 * <p> 2653 * You can import key material into KMS keys of all supported KMS key types: symmetric encryption KMS keys, HMAC KMS 2654 * keys, asymmetric encryption KMS keys, and asymmetric signing KMS keys. You can also create multi-Region keys with 2655 * imported key material. However, you can't import key material into a KMS key in a custom key store. 2656 * </p> 2657 * <p> 2658 * To create a multi-Region primary key with imported key material, use the <code>Origin</code> parameter of 2659 * <code>CreateKey</code> with a value of <code>EXTERNAL</code> and the <code>MultiRegion</code> parameter with a 2660 * value of <code>True</code>. 
To create replicas of the multi-Region primary key, use the <a>ReplicateKey</a> 2661 * operation. For instructions, see <a 2662 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-import.html">Importing key 2663 * material into multi-Region keys</a>. For more information about multi-Region keys, see <a 2664 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html">Multi-Region keys in 2665 * KMS</a> in the <i>Key Management Service Developer Guide</i>. 2666 * </p> 2667 * <p> 2668 * </p></dd> 2669 * <dt>Custom key store</dt> 2670 * <dd> 2671 * <p> 2672 * A <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key 2673 * store</a> lets you protect your Amazon Web Services resources using keys in a backing key store that you own and 2674 * manage. When you request a cryptographic operation with a KMS key in a custom key store, the operation is 2675 * performed in the backing key store using its cryptographic keys. 2676 * </p> 2677 * <p> 2678 * KMS supports <a href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html">CloudHSM key 2679 * stores</a> backed by a CloudHSM cluster and <a 2680 * href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html">external key stores</a> 2681 * backed by an external key manager outside of Amazon Web Services. When you create a KMS key in a CloudHSM key 2682 * store, KMS generates an encryption key in the CloudHSM cluster and associates it with the KMS key. When you 2683 * create a KMS key in an external key store, you specify an existing encryption key in the external key manager. 2684 * </p> 2685 * <note> 2686 * <p> 2687 * Some external key managers provide a simpler method for creating a KMS key in an external key store. For details, 2688 * see your external key manager documentation.
2689 * </p> 2690 * </note> 2691 * <p> 2692 * Before you create a KMS key in a custom key store, the <code>ConnectionState</code> of the key store must be 2693 * <code>CONNECTED</code>. To connect the custom key store, use the <a>ConnectCustomKeyStore</a> operation. To find 2694 * the <code>ConnectionState</code>, use the <a>DescribeCustomKeyStores</a> operation. 2695 * </p> 2696 * <p> 2697 * To create a KMS key in a custom key store, use the <code>CustomKeyStoreId</code>. Use the default 2698 * <code>KeySpec</code> value, <code>SYMMETRIC_DEFAULT</code>, and the default <code>KeyUsage</code> value, 2699 * <code>ENCRYPT_DECRYPT</code> to create a symmetric encryption key. No other key type is supported in a custom key 2700 * store. 2701 * </p> 2702 * <p> 2703 * To create a KMS key in an <a 2704 * href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html">CloudHSM key store</a>, use 2705 * the <code>Origin</code> parameter with a value of <code>AWS_CLOUDHSM</code>. The CloudHSM cluster that is 2706 * associated with the custom key store must have at least two active HSMs in different Availability Zones in the 2707 * Amazon Web Services Region. 2708 * </p> 2709 * <p> 2710 * To create a KMS key in an <a 2711 * href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html">external key store</a>, use 2712 * the <code>Origin</code> parameter with a value of <code>EXTERNAL_KEY_STORE</code> and an <code>XksKeyId</code> 2713 * parameter that identifies an existing external key. 2714 * </p> 2715 * <note> 2716 * <p> 2717 * Some external key managers provide a simpler method for creating a KMS key in an external key store. For details, 2718 * see your external key manager documentation. 2719 * </p> 2720 * </note></dd> 2721 * </dl> 2722 * <p> 2723 * <b>Cross-account use</b>: No. You cannot use this operation to create a KMS key in a different Amazon Web 2724 * Services account. 
2725 * </p> 2726 * <p> 2727 * <b>Required permissions</b>: <a 2728 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:CreateKey</a> 2729 * (IAM policy). To use the <code>Tags</code> parameter, <a 2730 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 2731 * >kms:TagResource</a> (IAM policy). For examples and information about related permissions, see <a 2732 * href="https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-create-key" 2733 * >Allow a user to create KMS keys</a> in the <i>Key Management Service Developer Guide</i>. 2734 * </p> 2735 * <p> 2736 * <b>Related operations:</b> 2737 * </p> 2738 * <ul> 2739 * <li> 2740 * <p> 2741 * <a>DescribeKey</a> 2742 * </p> 2743 * </li> 2744 * <li> 2745 * <p> 2746 * <a>ListKeys</a> 2747 * </p> 2748 * </li> 2749 * <li> 2750 * <p> 2751 * <a>ScheduleKeyDeletion</a> 2752 * </p> 2753 * </li> 2754 * </ul> 2755 * <p> 2756 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 2757 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 2758 * consistency</a>. 2759 * </p> 2760 * <br/> 2761 * <p> 2762 * This is a convenience which creates an instance of the {@link CreateKeyRequest.Builder} avoiding the need to 2763 * create one manually via {@link CreateKeyRequest#builder()} 2764 * </p> 2765 * 2766 * @param createKeyRequest 2767 * A {@link Consumer} that will call methods on 2768 * {@link software.amazon.awssdk.services.kms.model.CreateKeyRequest.Builder} to create a request. 2769 * @return Result of the CreateKey operation returned by the service. 2770 * @throws MalformedPolicyDocumentException 2771 * The request was rejected because the specified policy is not syntactically or semantically correct. 
2772 * @throws DependencyTimeoutException 2773 * The system timed out while trying to fulfill the request. You can retry the request. 2774 * @throws InvalidArnException 2775 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 2776 * @throws UnsupportedOperationException 2777 * The request was rejected because a specified parameter is not supported or a specified resource is not 2778 * valid for this operation. 2779 * @throws KmsInternalException 2780 * The request was rejected because an internal exception occurred. The request can be retried. 2781 * @throws LimitExceededException 2782 * The request was rejected because a quota was exceeded. For more information, see <a 2783 * href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the <i>Key 2784 * Management Service Developer Guide</i>. 2785 * @throws TagException 2786 * The request was rejected because one or more tags are not valid. 2787 * @throws CustomKeyStoreNotFoundException 2788 * The request was rejected because KMS cannot find a custom key store with the specified key store name or 2789 * ID. 2790 * @throws CustomKeyStoreInvalidStateException 2791 * The request was rejected because of the <code>ConnectionState</code> of the custom key store. To get the 2792 * <code>ConnectionState</code> of a custom key store, use the <a>DescribeCustomKeyStores</a> operation.</p> 2793 * <p> 2794 * This exception is thrown under the following conditions: 2795 * </p> 2796 * <ul> 2797 * <li> 2798 * <p> 2799 * You requested the <a>ConnectCustomKeyStore</a> operation on a custom key store with a 2800 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>FAILED</code>. This operation is 2801 * valid for all other <code>ConnectionState</code> values. To reconnect a custom key store in a 2802 * <code>FAILED</code> state, disconnect it (<a>DisconnectCustomKeyStore</a>), then connect it ( 2803 * <code>ConnectCustomKeyStore</code>). 
2804 * </p> 2805 * </li> 2806 * <li> 2807 * <p> 2808 * You requested the <a>CreateKey</a> operation in a custom key store that is not connected. This operation 2809 * is valid only when the custom key store <code>ConnectionState</code> is <code>CONNECTED</code>. 2810 * </p> 2811 * </li> 2812 * <li> 2813 * <p> 2814 * You requested the <a>DisconnectCustomKeyStore</a> operation on a custom key store with a 2815 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>DISCONNECTED</code>. This operation 2816 * is valid for all other <code>ConnectionState</code> values. 2817 * </p> 2818 * </li> 2819 * <li> 2820 * <p> 2821 * You requested the <a>UpdateCustomKeyStore</a> or <a>DeleteCustomKeyStore</a> operation on a custom key 2822 * store that is not disconnected. This operation is valid only when the custom key store 2823 * <code>ConnectionState</code> is <code>DISCONNECTED</code>. 2824 * </p> 2825 * </li> 2826 * <li> 2827 * <p> 2828 * You requested the <a>GenerateRandom</a> operation in a CloudHSM key store that is not connected. This 2829 * operation is valid only when the CloudHSM key store <code>ConnectionState</code> is 2830 * <code>CONNECTED</code>. 2831 * </p> 2832 * </li> 2833 * @throws CloudHsmClusterInvalidConfigurationException 2834 * The request was rejected because the associated CloudHSM cluster did not meet the configuration 2835 * requirements for a CloudHSM key store.</p> 2836 * <ul> 2837 * <li> 2838 * <p> 2839 * The CloudHSM cluster must be configured with private subnets in at least two different Availability Zones 2840 * in the Region. 2841 * </p> 2842 * </li> 2843 * <li> 2844 * <p> 2845 * The <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">security group for 2846 * the cluster</a> (cloudhsm-cluster-<i>&lt;cluster-id&gt;</i>-sg) must include inbound rules and outbound 2847 * rules that allow TCP traffic on ports 2223-2225.
The <b>Source</b> in the inbound rules and the 2848 * <b>Destination</b> in the outbound rules must match the security group ID. These rules are set by default 2849 * when you create the CloudHSM cluster. Do not delete or change them. To get information about a particular 2850 * security group, use the <a 2851 * href="https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html" 2852 * >DescribeSecurityGroups</a> operation. 2853 * </p> 2854 * </li> 2855 * <li> 2856 * <p> 2857 * The CloudHSM cluster must contain at least as many HSMs as the operation requires. To add HSMs, use the 2858 * CloudHSM <a 2859 * href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html">CreateHsm</a> 2860 * operation. 2861 * </p> 2862 * <p> 2863 * For the <a>CreateCustomKeyStore</a>, <a>UpdateCustomKeyStore</a>, and <a>CreateKey</a> operations, the 2864 * CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone. For the 2865 * <a>ConnectCustomKeyStore</a> operation, the CloudHSM must contain at least one active HSM. 2866 * </p> 2867 * </li> 2868 * </ul> 2869 * <p> 2870 * For information about the requirements for an CloudHSM cluster that is associated with an CloudHSM key 2871 * store, see <a 2872 * href="https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore" 2873 * >Assemble the Prerequisites</a> in the <i>Key Management Service Developer Guide</i>. For information 2874 * about creating a private subnet for an CloudHSM cluster, see <a 2875 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html">Create a Private 2876 * Subnet</a> in the <i>CloudHSM User Guide</i>. For information about cluster security groups, see <a 2877 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">Configure a Default 2878 * Security Group</a> in the <i> <i>CloudHSM User Guide</i> </i>. 
2879 * @throws XksKeyInvalidConfigurationException 2880 * The request was rejected because the external key specified by the <code>XksKeyId</code> parameter did 2881 * not meet the configuration requirements for an external key store. 2882 * </p> 2883 * <p> 2884 * The external key must be an AES-256 symmetric key that is enabled and performs encryption and decryption. 2885 * @throws XksKeyAlreadyInUseException 2886 * The request was rejected because the (<code>XksKeyId</code>) is already associated with another KMS key 2887 * in this external key store. Each KMS key in an external key store must be associated with a different 2888 * external key. 2889 * @throws XksKeyNotFoundException 2890 * The request was rejected because the external key store proxy could not find the external key. This 2891 * exception is thrown when the value of the <code>XksKeyId</code> parameter doesn't identify a key in the 2892 * external key manager associated with the external key proxy. 2893 * </p> 2894 * <p> 2895 * Verify that the <code>XksKeyId</code> represents an existing key in the external key manager. Use the key 2896 * identifier that the external key store proxy uses to identify the key. For details, see the documentation 2897 * provided with your external key store proxy or key manager. 2898 * @throws SdkException 2899 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 2900 * catch all scenarios. 2901 * @throws SdkClientException 2902 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 2903 * @throws KmsException 2904 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
* @sample KmsClient.CreateKey
* @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKey" target="_top">AWS API
*      Documentation</a>
*/
default CreateKeyResponse createKey(Consumer<CreateKeyRequest.Builder> createKeyRequest)
        throws MalformedPolicyDocumentException, DependencyTimeoutException, InvalidArnException,
        software.amazon.awssdk.services.kms.model.UnsupportedOperationException, KmsInternalException,
        LimitExceededException, TagException, CustomKeyStoreNotFoundException, CustomKeyStoreInvalidStateException,
        CloudHsmClusterInvalidConfigurationException, XksKeyInvalidConfigurationException, XksKeyAlreadyInUseException,
        XksKeyNotFoundException, AwsServiceException, SdkClientException, KmsException {
    // Hand a fresh builder to the caller's consumer, then freeze whatever it configured into a request.
    // NOTE(review): the key policy is among the properties the Javadoc above says this request carries, but
    // the Javadoc shown here does not state which policy applies when the consumer sets none. Set it
    // explicitly or confirm the service-side default before relying on it.
    CreateKeyRequest request = CreateKeyRequest.builder().applyMutation(createKeyRequest).build();

    // All behaviour, including every declared exception, comes from the request-object overload.
    return createKey(request);
}

/**
 * <p>
 * Creates a unique customer managed <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms-keys">KMS key</a> in your Amazon
 * Web Services account and Region. You can use a KMS key in cryptographic operations, such as encryption and
 * signing. Some Amazon Web Services services let you use KMS keys that you create and manage to protect your
 * service resources.
 * </p>
 * <p>
 * A KMS key is a logical representation of a cryptographic key. In addition to the key material used in
 * cryptographic operations, a KMS key includes metadata, such as the key ID, key policy, creation date,
 * description, and key state.
For details, see <a 2930 * href="https://docs.aws.amazon.com/kms/latest/developerguide/getting-started.html">Managing keys</a> in the <i>Key 2931 * Management Service Developer Guide</i> 2932 * </p> 2933 * <p> 2934 * Use the parameters of <code>CreateKey</code> to specify the type of KMS key, the source of its key material, its 2935 * key policy, description, tags, and other properties. 2936 * </p> 2937 * <note> 2938 * <p> 2939 * KMS has replaced the term <i>customer master key (CMK)</i> with <i>KMS key</i> and <i>KMS key</i>. The concept 2940 * has not changed. To prevent breaking changes, KMS is keeping some variations of this term. 2941 * </p> 2942 * </note> 2943 * <p> 2944 * To create different types of KMS keys, use the following guidance: 2945 * </p> 2946 * <dl> 2947 * <dt>Symmetric encryption KMS key</dt> 2948 * <dd> 2949 * <p> 2950 * By default, <code>CreateKey</code> creates a symmetric encryption KMS key with key material that KMS generates. 2951 * This is the basic and most widely used type of KMS key, and provides the best performance. 2952 * </p> 2953 * <p> 2954 * To create a symmetric encryption KMS key, you don't need to specify any parameters. The default value for 2955 * <code>KeySpec</code>, <code>SYMMETRIC_DEFAULT</code>, the default value for <code>KeyUsage</code>, 2956 * <code>ENCRYPT_DECRYPT</code>, and the default value for <code>Origin</code>, <code>AWS_KMS</code>, create a 2957 * symmetric encryption KMS key with KMS key material. 2958 * </p> 2959 * <p> 2960 * If you need a key for basic encryption and decryption or you are creating a KMS key to protect your resources in 2961 * an Amazon Web Services service, create a symmetric encryption KMS key. The key material in a symmetric encryption 2962 * key never leaves KMS unencrypted. You can use a symmetric encryption KMS key to encrypt and decrypt data up to 2963 * 4,096 bytes, but they are typically used to generate data keys and data keys pairs. 
For details, see 2964 * <a>GenerateDataKey</a> and <a>GenerateDataKeyPair</a>. 2965 * </p> 2966 * <p> 2967 * </p></dd> 2968 * <dt>Asymmetric KMS keys</dt> 2969 * <dd> 2970 * <p> 2971 * To create an asymmetric KMS key, use the <code>KeySpec</code> parameter to specify the type of key material in 2972 * the KMS key. Then, use the <code>KeyUsage</code> parameter to determine whether the KMS key will be used to 2973 * encrypt and decrypt or sign and verify. You can't change these properties after the KMS key is created. 2974 * </p> 2975 * <p> 2976 * Asymmetric KMS keys contain an RSA key pair, Elliptic Curve (ECC) key pair, or an SM2 key pair (China Regions 2977 * only). The private key in an asymmetric KMS key never leaves KMS unencrypted. However, you can use the 2978 * <a>GetPublicKey</a> operation to download the public key so it can be used outside of KMS. KMS keys with RSA or 2979 * SM2 key pairs can be used to encrypt or decrypt data or sign and verify messages (but not both). KMS keys with 2980 * ECC key pairs can be used only to sign and verify messages. For information about asymmetric KMS keys, see <a 2981 * href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in 2982 * the <i>Key Management Service Developer Guide</i>. 2983 * </p> 2984 * <p> 2985 * </p></dd> 2986 * <dt>HMAC KMS key</dt> 2987 * <dd> 2988 * <p> 2989 * To create an HMAC KMS key, set the <code>KeySpec</code> parameter to a key spec value for HMAC KMS keys. Then set 2990 * the <code>KeyUsage</code> parameter to <code>GENERATE_VERIFY_MAC</code>. You must set the key usage even though 2991 * <code>GENERATE_VERIFY_MAC</code> is the only valid key usage value for HMAC KMS keys. You can't change these 2992 * properties after the KMS key is created. 2993 * </p> 2994 * <p> 2995 * HMAC KMS keys are symmetric keys that never leave KMS unencrypted. 
You can use HMAC keys to generate 2996 * (<a>GenerateMac</a>) and verify (<a>VerifyMac</a>) HMAC codes for messages up to 4096 bytes. 2997 * </p> 2998 * <p> 2999 * </p></dd> 3000 * <dt>Multi-Region primary keys</dt> 3001 * <dt>Imported key material</dt> 3002 * <dd> 3003 * <p> 3004 * To create a multi-Region <i>primary key</i> in the local Amazon Web Services Region, use the 3005 * <code>MultiRegion</code> parameter with a value of <code>True</code>. To create a multi-Region <i>replica 3006 * key</i>, that is, a KMS key with the same key ID and key material as a primary key, but in a different Amazon Web 3007 * Services Region, use the <a>ReplicateKey</a> operation. To change a replica key to a primary key, and its primary 3008 * key to a replica key, use the <a>UpdatePrimaryRegion</a> operation. 3009 * </p> 3010 * <p> 3011 * You can create multi-Region KMS keys for all supported KMS key types: symmetric encryption KMS keys, HMAC KMS 3012 * keys, asymmetric encryption KMS keys, and asymmetric signing KMS keys. You can also create multi-Region keys with 3013 * imported key material. However, you can't create multi-Region keys in a custom key store. 3014 * </p> 3015 * <p> 3016 * This operation supports <i>multi-Region keys</i>, an KMS feature that lets you create multiple interoperable KMS 3017 * keys in different Amazon Web Services Regions. Because these KMS keys have the same key ID, key material, and 3018 * other metadata, you can use them interchangeably to encrypt data in one Amazon Web Services Region and decrypt it 3019 * in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more 3020 * information about multi-Region keys, see <a 3021 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html">Multi-Region keys in 3022 * KMS</a> in the <i>Key Management Service Developer Guide</i>. 
3023 * </p> 3024 * <p> 3025 * </p></dd> 3026 * <dd> 3027 * <p> 3028 * To import your own key material into a KMS key, begin by creating a KMS key with no key material. To do this, use 3029 * the <code>Origin</code> parameter of <code>CreateKey</code> with a value of <code>EXTERNAL</code>. Next, use 3030 * <a>GetParametersForImport</a> operation to get a public key and import token. Use the wrapping public key to 3031 * encrypt your key material. Then, use <a>ImportKeyMaterial</a> with your import token to import the key material. 3032 * For step-by-step instructions, see <a 3033 * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing Key Material</a> in 3034 * the <i> <i>Key Management Service Developer Guide</i> </i>. 3035 * </p> 3036 * <p> 3037 * You can import key material into KMS keys of all supported KMS key types: symmetric encryption KMS keys, HMAC KMS 3038 * keys, asymmetric encryption KMS keys, and asymmetric signing KMS keys. You can also create multi-Region keys with 3039 * imported key material. However, you can't import key material into a KMS key in a custom key store. 3040 * </p> 3041 * <p> 3042 * To create a multi-Region primary key with imported key material, use the <code>Origin</code> parameter of 3043 * <code>CreateKey</code> with a value of <code>EXTERNAL</code> and the <code>MultiRegion</code> parameter with a 3044 * value of <code>True</code>. To create replicas of the multi-Region primary key, use the <a>ReplicateKey</a> 3045 * operation. For instructions, see <a 3046 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-import.html ">Importing key 3047 * material into multi-Region keys</a>. For more information about multi-Region keys, see <a 3048 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html">Multi-Region keys in 3049 * KMS</a> in the <i>Key Management Service Developer Guide</i>. 
3050 * </p> 3051 * <p> 3052 * </p></dd> 3053 * <dt>Custom key store</dt> 3054 * <dd> 3055 * <p> 3056 * A <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key 3057 * store</a> lets you protect your Amazon Web Services resources using keys in a backing key store that you own and 3058 * manage. When you request a cryptographic operation with a KMS key in a custom key store, the operation is 3059 * performed in the backing key store using its cryptographic keys. 3060 * </p> 3061 * <p> 3062 * KMS supports <a href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html">CloudHSM key 3063 * stores</a> backed by an CloudHSM cluster and <a 3064 * href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html">external key stores</a> 3065 * backed by an external key manager outside of Amazon Web Services. When you create a KMS key in an CloudHSM key 3066 * store, KMS generates an encryption key in the CloudHSM cluster and associates it with the KMS key. When you 3067 * create a KMS key in an external key store, you specify an existing encryption key in the external key manager. 3068 * </p> 3069 * <note> 3070 * <p> 3071 * Some external key managers provide a simpler method for creating a KMS key in an external key store. For details, 3072 * see your external key manager documentation. 3073 * </p> 3074 * </note> 3075 * <p> 3076 * Before you create a KMS key in a custom key store, the <code>ConnectionState</code> of the key store must be 3077 * <code>CONNECTED</code>. To connect the custom key store, use the <a>ConnectCustomKeyStore</a> operation. To find 3078 * the <code>ConnectionState</code>, use the <a>DescribeCustomKeyStores</a> operation. 3079 * </p> 3080 * <p> 3081 * To create a KMS key in a custom key store, use the <code>CustomKeyStoreId</code>. 
Use the default 3082 * <code>KeySpec</code> value, <code>SYMMETRIC_DEFAULT</code>, and the default <code>KeyUsage</code> value, 3083 * <code>ENCRYPT_DECRYPT</code> to create a symmetric encryption key. No other key type is supported in a custom key 3084 * store. 3085 * </p> 3086 * <p> 3087 * To create a KMS key in an <a 3088 * href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html">CloudHSM key store</a>, use 3089 * the <code>Origin</code> parameter with a value of <code>AWS_CLOUDHSM</code>. The CloudHSM cluster that is 3090 * associated with the custom key store must have at least two active HSMs in different Availability Zones in the 3091 * Amazon Web Services Region. 3092 * </p> 3093 * <p> 3094 * To create a KMS key in an <a 3095 * href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html">external key store</a>, use 3096 * the <code>Origin</code> parameter with a value of <code>EXTERNAL_KEY_STORE</code> and an <code>XksKeyId</code> 3097 * parameter that identifies an existing external key. 3098 * </p> 3099 * <note> 3100 * <p> 3101 * Some external key managers provide a simpler method for creating a KMS key in an external key store. For details, 3102 * see your external key manager documentation. 3103 * </p> 3104 * </note></dd> 3105 * </dl> 3106 * <p> 3107 * <b>Cross-account use</b>: No. You cannot use this operation to create a KMS key in a different Amazon Web 3108 * Services account. 3109 * </p> 3110 * <p> 3111 * <b>Required permissions</b>: <a 3112 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:CreateKey</a> 3113 * (IAM policy). To use the <code>Tags</code> parameter, <a 3114 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 3115 * >kms:TagResource</a> (IAM policy). 
For examples and information about related permissions, see <a 3116 * href="https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-create-key" 3117 * >Allow a user to create KMS keys</a> in the <i>Key Management Service Developer Guide</i>. 3118 * </p> 3119 * <p> 3120 * <b>Related operations:</b> 3121 * </p> 3122 * <ul> 3123 * <li> 3124 * <p> 3125 * <a>DescribeKey</a> 3126 * </p> 3127 * </li> 3128 * <li> 3129 * <p> 3130 * <a>ListKeys</a> 3131 * </p> 3132 * </li> 3133 * <li> 3134 * <p> 3135 * <a>ScheduleKeyDeletion</a> 3136 * </p> 3137 * </li> 3138 * </ul> 3139 * <p> 3140 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 3141 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 3142 * consistency</a>. 3143 * </p> 3144 * 3145 * @return Result of the CreateKey operation returned by the service. 3146 * @throws MalformedPolicyDocumentException 3147 * The request was rejected because the specified policy is not syntactically or semantically correct. 3148 * @throws DependencyTimeoutException 3149 * The system timed out while trying to fulfill the request. You can retry the request. 3150 * @throws InvalidArnException 3151 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 3152 * @throws UnsupportedOperationException 3153 * The request was rejected because a specified parameter is not supported or a specified resource is not 3154 * valid for this operation. 3155 * @throws KmsInternalException 3156 * The request was rejected because an internal exception occurred. The request can be retried. 3157 * @throws LimitExceededException 3158 * The request was rejected because a quota was exceeded. For more information, see <a 3159 * href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the <i>Key 3160 * Management Service Developer Guide</i>. 
3161 * @throws TagException 3162 * The request was rejected because one or more tags are not valid. 3163 * @throws CustomKeyStoreNotFoundException 3164 * The request was rejected because KMS cannot find a custom key store with the specified key store name or 3165 * ID. 3166 * @throws CustomKeyStoreInvalidStateException 3167 * The request was rejected because of the <code>ConnectionState</code> of the custom key store. To get the 3168 * <code>ConnectionState</code> of a custom key store, use the <a>DescribeCustomKeyStores</a> operation.</p> 3169 * <p> 3170 * This exception is thrown under the following conditions: 3171 * </p> 3172 * <ul> 3173 * <li> 3174 * <p> 3175 * You requested the <a>ConnectCustomKeyStore</a> operation on a custom key store with a 3176 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>FAILED</code>. This operation is 3177 * valid for all other <code>ConnectionState</code> values. To reconnect a custom key store in a 3178 * <code>FAILED</code> state, disconnect it (<a>DisconnectCustomKeyStore</a>), then connect it ( 3179 * <code>ConnectCustomKeyStore</code>). 3180 * </p> 3181 * </li> 3182 * <li> 3183 * <p> 3184 * You requested the <a>CreateKey</a> operation in a custom key store that is not connected. This operations 3185 * is valid only when the custom key store <code>ConnectionState</code> is <code>CONNECTED</code>. 3186 * </p> 3187 * </li> 3188 * <li> 3189 * <p> 3190 * You requested the <a>DisconnectCustomKeyStore</a> operation on a custom key store with a 3191 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>DISCONNECTED</code>. This operation 3192 * is valid for all other <code>ConnectionState</code> values. 3193 * </p> 3194 * </li> 3195 * <li> 3196 * <p> 3197 * You requested the <a>UpdateCustomKeyStore</a> or <a>DeleteCustomKeyStore</a> operation on a custom key 3198 * store that is not disconnected. 
This operation is valid only when the custom key store 3199 * <code>ConnectionState</code> is <code>DISCONNECTED</code>. 3200 * </p> 3201 * </li> 3202 * <li> 3203 * <p> 3204 * You requested the <a>GenerateRandom</a> operation in an CloudHSM key store that is not connected. This 3205 * operation is valid only when the CloudHSM key store <code>ConnectionState</code> is 3206 * <code>CONNECTED</code>. 3207 * </p> 3208 * </li> 3209 * @throws CloudHsmClusterInvalidConfigurationException 3210 * The request was rejected because the associated CloudHSM cluster did not meet the configuration 3211 * requirements for an CloudHSM key store.</p> 3212 * <ul> 3213 * <li> 3214 * <p> 3215 * The CloudHSM cluster must be configured with private subnets in at least two different Availability Zones 3216 * in the Region. 3217 * </p> 3218 * </li> 3219 * <li> 3220 * <p> 3221 * The <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">security group for 3222 * the cluster</a> (cloudhsm-cluster-<i><cluster-id></i>-sg) must include inbound rules and outbound 3223 * rules that allow TCP traffic on ports 2223-2225. The <b>Source</b> in the inbound rules and the 3224 * <b>Destination</b> in the outbound rules must match the security group ID. These rules are set by default 3225 * when you create the CloudHSM cluster. Do not delete or change them. To get information about a particular 3226 * security group, use the <a 3227 * href="https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html" 3228 * >DescribeSecurityGroups</a> operation. 3229 * </p> 3230 * </li> 3231 * <li> 3232 * <p> 3233 * The CloudHSM cluster must contain at least as many HSMs as the operation requires. To add HSMs, use the 3234 * CloudHSM <a 3235 * href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html">CreateHsm</a> 3236 * operation. 
3237 * </p> 3238 * <p> 3239 * For the <a>CreateCustomKeyStore</a>, <a>UpdateCustomKeyStore</a>, and <a>CreateKey</a> operations, the 3240 * CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone. For the 3241 * <a>ConnectCustomKeyStore</a> operation, the CloudHSM must contain at least one active HSM. 3242 * </p> 3243 * </li> 3244 * </ul> 3245 * <p> 3246 * For information about the requirements for an CloudHSM cluster that is associated with an CloudHSM key 3247 * store, see <a 3248 * href="https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore" 3249 * >Assemble the Prerequisites</a> in the <i>Key Management Service Developer Guide</i>. For information 3250 * about creating a private subnet for an CloudHSM cluster, see <a 3251 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html">Create a Private 3252 * Subnet</a> in the <i>CloudHSM User Guide</i>. For information about cluster security groups, see <a 3253 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">Configure a Default 3254 * Security Group</a> in the <i> <i>CloudHSM User Guide</i> </i>. 3255 * @throws XksKeyInvalidConfigurationException 3256 * The request was rejected because the external key specified by the <code>XksKeyId</code> parameter did 3257 * not meet the configuration requirements for an external key store. 3258 * </p> 3259 * <p> 3260 * The external key must be an AES-256 symmetric key that is enabled and performs encryption and decryption. 3261 * @throws XksKeyAlreadyInUseException 3262 * The request was rejected because the (<code>XksKeyId</code>) is already associated with another KMS key 3263 * in this external key store. Each KMS key in an external key store must be associated with a different 3264 * external key. 3265 * @throws XksKeyNotFoundException 3266 * The request was rejected because the external key store proxy could not find the external key. 
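This
     *         exception is thrown when the value of the <code>XksKeyId</code> parameter doesn't identify a key in the
     *         external key manager associated with the external key proxy.
     *         </p>
     *         <p>
     *         Verify that the <code>XksKeyId</code> represents an existing key in the external key manager. Use the key
     *         identifier that the external key store proxy uses to identify the key. For details, see the documentation
     *         provided with your external key store proxy or key manager.
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.CreateKey
     * @see #createKey(CreateKeyRequest)
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKey" target="_top">AWS API
     *      Documentation</a>
     */
    default CreateKeyResponse createKey() throws MalformedPolicyDocumentException, DependencyTimeoutException,
            InvalidArnException, software.amazon.awssdk.services.kms.model.UnsupportedOperationException, KmsInternalException,
            LimitExceededException, TagException, CustomKeyStoreNotFoundException, CustomKeyStoreInvalidStateException,
            CloudHsmClusterInvalidConfigurationException, XksKeyInvalidConfigurationException, XksKeyAlreadyInUseException,
            XksKeyNotFoundException, AwsServiceException, SdkClientException, KmsException {
        // The request is built with no fields set, so KeySpec, KeyUsage and Origin are left to the service defaults
        // that this method's Javadoc describes (a symmetric encryption KMS key with KMS-generated key material).
        // No key policy, description or tags are supplied either. NOTE(review): the resulting key carries whatever
        // key policy the service applies when none is given; confirm that policy fits the intended access model,
        // or call createKey(CreateKeyRequest) with an explicit policy instead.
        return createKey(CreateKeyRequest.builder().build());
    }

    /**
     * <p>
     * Decrypts ciphertext that was encrypted by a KMS key using any of the following operations:
     * </p>
     * <ul>
     * <li>
     * <p>
     * <a>Encrypt</a>
     * </p>
     *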
</li> 3304 * <li> 3305 * <p> 3306 * <a>GenerateDataKey</a> 3307 * </p> 3308 * </li> 3309 * <li> 3310 * <p> 3311 * <a>GenerateDataKeyPair</a> 3312 * </p> 3313 * </li> 3314 * <li> 3315 * <p> 3316 * <a>GenerateDataKeyWithoutPlaintext</a> 3317 * </p> 3318 * </li> 3319 * <li> 3320 * <p> 3321 * <a>GenerateDataKeyPairWithoutPlaintext</a> 3322 * </p> 3323 * </li> 3324 * </ul> 3325 * <p> 3326 * You can use this operation to decrypt ciphertext that was encrypted under a symmetric encryption KMS key or an 3327 * asymmetric encryption KMS key. When the KMS key is asymmetric, you must specify the KMS key and the encryption 3328 * algorithm that was used to encrypt the ciphertext. For information about asymmetric KMS keys, see <a 3329 * href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in 3330 * the <i>Key Management Service Developer Guide</i>. 3331 * </p> 3332 * <p> 3333 * The <code>Decrypt</code> operation also decrypts ciphertext that was encrypted outside of KMS by the public key 3334 * in an KMS asymmetric KMS key. However, it cannot decrypt symmetric ciphertext produced by other libraries, such 3335 * as the <a href="https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/">Amazon Web Services 3336 * Encryption SDK</a> or <a 3337 * href="https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html">Amazon S3 client-side 3338 * encryption</a>. These libraries return a ciphertext format that is incompatible with KMS. 3339 * </p> 3340 * <p> 3341 * If the ciphertext was encrypted under a symmetric encryption KMS key, the <code>KeyId</code> parameter is 3342 * optional. KMS can get this information from metadata that it adds to the symmetric ciphertext blob. This feature 3343 * adds durability to your implementation by ensuring that authorized users can decrypt ciphertext decades after it 3344 * was encrypted, even if they've lost track of the key ID. 
However, specifying the KMS key is always recommended as
     * a best practice. When you use the <code>KeyId</code> parameter to specify a KMS key, KMS only uses the KMS key
     * you specify. If the ciphertext was encrypted under a different KMS key, the <code>Decrypt</code> operation fails.
     * This practice ensures that you use the KMS key that you intend.
     * </p>
     * <p>
     * Whenever possible, use key policies to give users permission to call the <code>Decrypt</code> operation on a
     * particular KMS key, instead of using IAM policies. Otherwise, you might create an IAM policy that
     * gives the user <code>Decrypt</code> permission on all KMS keys. This user could decrypt ciphertext that was
     * encrypted by KMS keys in other accounts if the key policy for the cross-account KMS key permits it. If you must
     * use an IAM policy for <code>Decrypt</code> permissions, limit the user to particular KMS keys or particular
     * trusted accounts. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policies-best-practices">Best
     * practices for IAM policies</a> in the <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * <code>Decrypt</code> also supports <a
     * href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html">Amazon Web Services Nitro
     * Enclaves</a>, which provide an isolated compute environment in Amazon EC2. To call <code>Decrypt</code> for a
     * Nitro enclave, use the <a
     * href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services
     * Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the <code>Recipient</code> parameter to provide the
     * attestation document for the enclave.
Instead of the plaintext data, the response includes the plaintext data 3367 * encrypted with the public key from the attestation document (<code>CiphertextForRecipient</code>). For 3368 * information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a 3369 * href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services 3370 * Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>. 3371 * </p> 3372 * <p> 3373 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 3374 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 3375 * <i>Key Management Service Developer Guide</i>. 3376 * </p> 3377 * <p> 3378 * <b>Cross-account use</b>: Yes. If you use the <code>KeyId</code> parameter to identify a KMS key in a different 3379 * Amazon Web Services account, specify the key ARN or the alias ARN of the KMS key. 3380 * </p> 3381 * <p> 3382 * <b>Required permissions</b>: <a 3383 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:Decrypt</a> 3384 * (key policy) 3385 * </p> 3386 * <p> 3387 * <b>Related operations:</b> 3388 * </p> 3389 * <ul> 3390 * <li> 3391 * <p> 3392 * <a>Encrypt</a> 3393 * </p> 3394 * </li> 3395 * <li> 3396 * <p> 3397 * <a>GenerateDataKey</a> 3398 * </p> 3399 * </li> 3400 * <li> 3401 * <p> 3402 * <a>GenerateDataKeyPair</a> 3403 * </p> 3404 * </li> 3405 * <li> 3406 * <p> 3407 * <a>ReEncrypt</a> 3408 * </p> 3409 * </li> 3410 * </ul> 3411 * <p> 3412 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 3413 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 3414 * consistency</a>. 
3415 * </p> 3416 * 3417 * @param decryptRequest 3418 * @return Result of the Decrypt operation returned by the service. 3419 * @throws NotFoundException 3420 * The request was rejected because the specified entity or resource could not be found. 3421 * @throws DisabledException 3422 * The request was rejected because the specified KMS key is not enabled. 3423 * @throws InvalidCiphertextException 3424 * From the <a>Decrypt</a> or <a>ReEncrypt</a> operation, the request was rejected because the specified 3425 * ciphertext, or additional authenticated data incorporated into the ciphertext, such as the encryption 3426 * context, is corrupted, missing, or otherwise invalid.</p> 3427 * <p> 3428 * From the <a>ImportKeyMaterial</a> operation, the request was rejected because KMS could not decrypt the 3429 * encrypted (wrapped) key material. 3430 * @throws KeyUnavailableException 3431 * The request was rejected because the specified KMS key was not available. You can retry the request. 3432 * @throws IncorrectKeyException 3433 * The request was rejected because the specified KMS key cannot decrypt the data. The <code>KeyId</code> in 3434 * a <a>Decrypt</a> request and the <code>SourceKeyId</code> in a <a>ReEncrypt</a> request must identify the 3435 * same KMS key that was used to encrypt the ciphertext. 3436 * @throws InvalidKeyUsageException 3437 * The request was rejected for one of the following reasons: 3438 * </p> 3439 * <ul> 3440 * <li> 3441 * <p> 3442 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 3443 * </p> 3444 * </li> 3445 * <li> 3446 * <p> 3447 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 3448 * of key material in the KMS key <code>(KeySpec</code>). 3449 * </p> 3450 * </li> 3451 * </ul> 3452 * <p> 3453 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 3454 * <code>ENCRYPT_DECRYPT</code>. 
For signing and verifying messages, the <code>KeyUsage</code> must be 3455 * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the 3456 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 3457 * KMS key, use the <a>DescribeKey</a> operation. 3458 * </p> 3459 * <p> 3460 * To find the encryption or signing algorithms supported for a particular KMS key, use the 3461 * <a>DescribeKey</a> operation. 3462 * @throws DependencyTimeoutException 3463 * The system timed out while trying to fulfill the request. You can retry the request. 3464 * @throws InvalidGrantTokenException 3465 * The request was rejected because the specified grant token is not valid. 3466 * @throws KmsInternalException 3467 * The request was rejected because an internal exception occurred. The request can be retried. 3468 * @throws KmsInvalidStateException 3469 * The request was rejected because the state of the specified resource is not valid for this request. 3470 * </p> 3471 * <p> 3472 * This exceptions means one of the following: 3473 * </p> 3474 * <ul> 3475 * <li> 3476 * <p> 3477 * The key state of the KMS key is not compatible with the operation. 3478 * </p> 3479 * <p> 3480 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 3481 * are compatible with each KMS operation, see <a 3482 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 3483 * the <i> <i>Key Management Service Developer Guide</i> </i>. 3484 * </p> 3485 * </li> 3486 * <li> 3487 * <p> 3488 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 3489 * failure with many possible causes. To identify the cause, see the error message that accompanies the 3490 * exception. 
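*         </p>
     *         </li>
     * @throws DryRunOperationException
     *         The request was rejected because the DryRun parameter was specified.
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.Decrypt
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Decrypt" target="_top">AWS API
     *      Documentation</a>
     */
    default DecryptResponse decrypt(DecryptRequest decryptRequest) throws NotFoundException, DisabledException,
            InvalidCiphertextException, KeyUnavailableException, IncorrectKeyException, InvalidKeyUsageException,
            DependencyTimeoutException, InvalidGrantTokenException, KmsInternalException, KmsInvalidStateException,
            DryRunOperationException, AwsServiceException, SdkClientException, KmsException {
        // This default body performs no Decrypt call: it ignores decryptRequest and always throws. The unqualified
        // name is presumably java.lang.UnsupportedOperationException, since the KMS model exception of the same
        // simple name is written fully qualified in createKey()'s throws clause; verify against the import block.
        // A client implementation has to override this method for the operation to reach the service.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Decrypts ciphertext that was encrypted by a KMS key using any of the following operations:
     * </p>
     * <ul>
     * <li>
     * <p>
     * <a>Encrypt</a>
     * </p>
     * </li>
     * <li>
     * <p>
     * <a>GenerateDataKey</a>
     * </p>
     * </li>
     * <li>
     * <p>
     * <a>GenerateDataKeyPair</a>
     * </p>
     * </li>
     * <li>
     * <p>
     * <a>GenerateDataKeyWithoutPlaintext</a>
     * </p>
     * </li>
     * <li>
     * <p>
     * <a>GenerateDataKeyPairWithoutPlaintext</a>
     * </p>
     * </li>
     * </ul>
     * <p>
     * You can use this operation to decrypt ciphertext that was encrypted under a symmetric encryption KMS key or an
     * asymmetric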
encryption KMS key. When the KMS key is asymmetric, you must specify the KMS key and the encryption 3547 * algorithm that was used to encrypt the ciphertext. For information about asymmetric KMS keys, see <a 3548 * href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in 3549 * the <i>Key Management Service Developer Guide</i>. 3550 * </p> 3551 * <p> 3552 * The <code>Decrypt</code> operation also decrypts ciphertext that was encrypted outside of KMS by the public key 3553 * in an KMS asymmetric KMS key. However, it cannot decrypt symmetric ciphertext produced by other libraries, such 3554 * as the <a href="https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/">Amazon Web Services 3555 * Encryption SDK</a> or <a 3556 * href="https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html">Amazon S3 client-side 3557 * encryption</a>. These libraries return a ciphertext format that is incompatible with KMS. 3558 * </p> 3559 * <p> 3560 * If the ciphertext was encrypted under a symmetric encryption KMS key, the <code>KeyId</code> parameter is 3561 * optional. KMS can get this information from metadata that it adds to the symmetric ciphertext blob. This feature 3562 * adds durability to your implementation by ensuring that authorized users can decrypt ciphertext decades after it 3563 * was encrypted, even if they've lost track of the key ID. However, specifying the KMS key is always recommended as 3564 * a best practice. When you use the <code>KeyId</code> parameter to specify a KMS key, KMS only uses the KMS key 3565 * you specify. If the ciphertext was encrypted under a different KMS key, the <code>Decrypt</code> operation fails. 3566 * This practice ensures that you use the KMS key that you intend. 
* </p>
     * <p>
     * Whenever possible, use key policies to give users permission to call the <code>Decrypt</code> operation on a
     * particular KMS key, instead of using IAM policies. Otherwise, you might create an IAM policy that
     * gives the user <code>Decrypt</code> permission on all KMS keys. This user could decrypt ciphertext that was
     * encrypted by KMS keys in other accounts if the key policy for the cross-account KMS key permits it. If you must
     * use an IAM policy for <code>Decrypt</code> permissions, limit the user to particular KMS keys or particular
     * trusted accounts. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policies-best-practices">Best
     * practices for IAM policies</a> in the <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * <code>Decrypt</code> also supports <a
     * href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html">Amazon Web Services Nitro
     * Enclaves</a>, which provide an isolated compute environment in Amazon EC2. To call <code>Decrypt</code> for a
     * Nitro enclave, use the <a
     * href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services
     * Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the <code>Recipient</code> parameter to provide the
     * attestation document for the enclave. Instead of the plaintext data, the response includes the plaintext data
     * encrypted with the public key from the attestation document (<code>CiphertextForRecipient</code>). For
     * information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services
     * Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>.
3590 * </p> 3591 * <p> 3592 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 3593 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 3594 * <i>Key Management Service Developer Guide</i>. 3595 * </p> 3596 * <p> 3597 * <b>Cross-account use</b>: Yes. If you use the <code>KeyId</code> parameter to identify a KMS key in a different 3598 * Amazon Web Services account, specify the key ARN or the alias ARN of the KMS key. 3599 * </p> 3600 * <p> 3601 * <b>Required permissions</b>: <a 3602 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:Decrypt</a> 3603 * (key policy) 3604 * </p> 3605 * <p> 3606 * <b>Related operations:</b> 3607 * </p> 3608 * <ul> 3609 * <li> 3610 * <p> 3611 * <a>Encrypt</a> 3612 * </p> 3613 * </li> 3614 * <li> 3615 * <p> 3616 * <a>GenerateDataKey</a> 3617 * </p> 3618 * </li> 3619 * <li> 3620 * <p> 3621 * <a>GenerateDataKeyPair</a> 3622 * </p> 3623 * </li> 3624 * <li> 3625 * <p> 3626 * <a>ReEncrypt</a> 3627 * </p> 3628 * </li> 3629 * </ul> 3630 * <p> 3631 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 3632 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 3633 * consistency</a>. 3634 * </p> 3635 * <br/> 3636 * <p> 3637 * This is a convenience which creates an instance of the {@link DecryptRequest.Builder} avoiding the need to create 3638 * one manually via {@link DecryptRequest#builder()} 3639 * </p> 3640 * 3641 * @param decryptRequest 3642 * A {@link Consumer} that will call methods on 3643 * {@link software.amazon.awssdk.services.kms.model.DecryptRequest.Builder} to create a request. 3644 * @return Result of the Decrypt operation returned by the service. 
3645 * @throws NotFoundException 3646 * The request was rejected because the specified entity or resource could not be found. 3647 * @throws DisabledException 3648 * The request was rejected because the specified KMS key is not enabled. 3649 * @throws InvalidCiphertextException 3650 * From the <a>Decrypt</a> or <a>ReEncrypt</a> operation, the request was rejected because the specified 3651 * ciphertext, or additional authenticated data incorporated into the ciphertext, such as the encryption 3652 * context, is corrupted, missing, or otherwise invalid.</p> 3653 * <p> 3654 * From the <a>ImportKeyMaterial</a> operation, the request was rejected because KMS could not decrypt the 3655 * encrypted (wrapped) key material. 3656 * @throws KeyUnavailableException 3657 * The request was rejected because the specified KMS key was not available. You can retry the request. 3658 * @throws IncorrectKeyException 3659 * The request was rejected because the specified KMS key cannot decrypt the data. The <code>KeyId</code> in 3660 * a <a>Decrypt</a> request and the <code>SourceKeyId</code> in a <a>ReEncrypt</a> request must identify the 3661 * same KMS key that was used to encrypt the ciphertext. 3662 * @throws InvalidKeyUsageException 3663 * The request was rejected for one of the following reasons: 3664 * </p> 3665 * <ul> 3666 * <li> 3667 * <p> 3668 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 3669 * </p> 3670 * </li> 3671 * <li> 3672 * <p> 3673 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 3674 * of key material in the KMS key <code>(KeySpec</code>). 3675 * </p> 3676 * </li> 3677 * </ul> 3678 * <p> 3679 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 3680 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 3681 * <code>SIGN_VERIFY</code>. 
For generating and verifying message authentication codes (MACs), the
 *         <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a
 *         KMS key, use the <a>DescribeKey</a> operation.
 *         </p>
 *         <p>
 *         To find the encryption or signing algorithms supported for a particular KMS key, use the
 *         <a>DescribeKey</a> operation.
 * @throws DependencyTimeoutException
 *         The system timed out while trying to fulfill the request. You can retry the request.
 * @throws InvalidGrantTokenException
 *         The request was rejected because the specified grant token is not valid.
 * @throws KmsInternalException
 *         The request was rejected because an internal exception occurred. The request can be retried.
 * @throws KmsInvalidStateException
 *         The request was rejected because the state of the specified resource is not valid for this request.
 *         </p>
 *         <p>
 *         This exception means one of the following:
 *         </p>
 *         <ul>
 *         <li>
 *         <p>
 *         The key state of the KMS key is not compatible with the operation.
 *         </p>
 *         <p>
 *         To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states
 *         are compatible with each KMS operation, see <a
 *         href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
 *         the <i>Key Management Service Developer Guide</i>.
 *         </p>
 *         </li>
 *         <li>
 *         <p>
 *         For cryptographic operations on KMS keys in custom key stores, this exception represents a general
 *         failure with many possible causes. To identify the cause, see the error message that accompanies the
 *         exception.
 *         </p>
 *         </li>
 *         </ul>
 * @throws DryRunOperationException
 *         The request was rejected because the DryRun parameter was specified.
* @throws SdkException
 *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
 *         catch all scenarios.
 * @throws SdkClientException
 *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
 * @throws KmsException
 *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
 * @sample KmsClient.Decrypt
 * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Decrypt" target="_top">AWS API
 *      Documentation</a>
 */
default DecryptResponse decrypt(Consumer<DecryptRequest.Builder> decryptRequest)
        throws NotFoundException,
               DisabledException,
               InvalidCiphertextException,
               KeyUnavailableException,
               IncorrectKeyException,
               InvalidKeyUsageException,
               DependencyTimeoutException,
               InvalidGrantTokenException,
               KmsInternalException,
               KmsInvalidStateException,
               DryRunOperationException,
               AwsServiceException,
               SdkClientException,
               KmsException {
    // The consumer is the only place request fields are populated in this overload. The operation
    // notes above recommend specifying the KMS key (KeyId) so that KMS uses only the key the caller
    // intends; nothing here sets it on the caller's behalf.
    final DecryptRequest builtRequest = DecryptRequest.builder().applyMutation(decryptRequest).build();

    // Hand the built request to the DecryptRequest overload of this interface.
    return decrypt(builtRequest);
}

/**
 * <p>
 * Deletes the specified alias.
 * </p>
 * <note>
 * <p>
 * Adding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/abac.html">ABAC for KMS</a> in the <i>Key Management
 * Service Developer Guide</i>.
 * </p>
 * </note>
 * <p>
 * Because an alias is not a property of a KMS key, you can delete and change the aliases of a KMS key without
 * affecting the KMS key. Also, aliases do not appear in the response from the <a>DescribeKey</a> operation. To get
 * the aliases of all KMS keys, use the <a>ListAliases</a> operation.
 * </p>
 * <p>
 * Each KMS key can have multiple aliases.
To change the alias of a KMS key, use <a>DeleteAlias</a> to delete the 3757 * current alias and <a>CreateAlias</a> to create a new alias. To associate an existing alias with a different KMS 3758 * key, call <a>UpdateAlias</a>. 3759 * </p> 3760 * <p> 3761 * <b>Cross-account use</b>: No. You cannot perform this operation on an alias in a different Amazon Web Services 3762 * account. 3763 * </p> 3764 * <p> 3765 * <b>Required permissions</b> 3766 * </p> 3767 * <ul> 3768 * <li> 3769 * <p> 3770 * <a 3771 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:DeleteAlias 3772 * </a> on the alias (IAM policy). 3773 * </p> 3774 * </li> 3775 * <li> 3776 * <p> 3777 * <a 3778 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:DeleteAlias 3779 * </a> on the KMS key (key policy). 3780 * </p> 3781 * </li> 3782 * </ul> 3783 * <p> 3784 * For details, see <a 3785 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access">Controlling access to 3786 * aliases</a> in the <i>Key Management Service Developer Guide</i>. 3787 * </p> 3788 * <p> 3789 * <b>Related operations:</b> 3790 * </p> 3791 * <ul> 3792 * <li> 3793 * <p> 3794 * <a>CreateAlias</a> 3795 * </p> 3796 * </li> 3797 * <li> 3798 * <p> 3799 * <a>ListAliases</a> 3800 * </p> 3801 * </li> 3802 * <li> 3803 * <p> 3804 * <a>UpdateAlias</a> 3805 * </p> 3806 * </li> 3807 * </ul> 3808 * <p> 3809 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 3810 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 3811 * consistency</a>. 3812 * </p> 3813 * 3814 * @param deleteAliasRequest 3815 * @return Result of the DeleteAlias operation returned by the service. 3816 * @throws DependencyTimeoutException 3817 * The system timed out while trying to fulfill the request. You can retry the request. 
3818 * @throws NotFoundException 3819 * The request was rejected because the specified entity or resource could not be found. 3820 * @throws KmsInternalException 3821 * The request was rejected because an internal exception occurred. The request can be retried. 3822 * @throws KmsInvalidStateException 3823 * The request was rejected because the state of the specified resource is not valid for this request.</p> 3824 * <p> 3825 * This exceptions means one of the following: 3826 * </p> 3827 * <ul> 3828 * <li> 3829 * <p> 3830 * The key state of the KMS key is not compatible with the operation. 3831 * </p> 3832 * <p> 3833 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 3834 * are compatible with each KMS operation, see <a 3835 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 3836 * the <i> <i>Key Management Service Developer Guide</i> </i>. 3837 * </p> 3838 * </li> 3839 * <li> 3840 * <p> 3841 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 3842 * failure with many possible causes. To identify the cause, see the error message that accompanies the 3843 * exception. 3844 * </p> 3845 * </li> 3846 * @throws SdkException 3847 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 3848 * catch all scenarios. 3849 * @throws SdkClientException 3850 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 3851 * @throws KmsException 3852 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
* @sample KmsClient.DeleteAlias
 * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteAlias" target="_top">AWS API
 *      Documentation</a>
 */
default DeleteAliasResponse deleteAlias(DeleteAliasRequest deleteAliasRequest)
        throws DependencyTimeoutException,
               NotFoundException,
               KmsInternalException,
               KmsInvalidStateException,
               AwsServiceException,
               SdkClientException,
               KmsException {
    // This default body makes no service call and ignores the request: it always throws.
    // NOTE(review): presumably the concrete client class overrides this method - confirm there.
    throw new UnsupportedOperationException();
}

/**
 * <p>
 * Deletes the specified alias.
 * </p>
 * <note>
 * <p>
 * Adding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/abac.html">ABAC for KMS</a> in the <i>Key Management
 * Service Developer Guide</i>.
 * </p>
 * </note>
 * <p>
 * Because an alias is not a property of a KMS key, you can delete and change the aliases of a KMS key without
 * affecting the KMS key. Also, aliases do not appear in the response from the <a>DescribeKey</a> operation. To get
 * the aliases of all KMS keys, use the <a>ListAliases</a> operation.
 * </p>
 * <p>
 * Each KMS key can have multiple aliases. To change the alias of a KMS key, use <a>DeleteAlias</a> to delete the
 * current alias and <a>CreateAlias</a> to create a new alias. To associate an existing alias with a different KMS
 * key, call <a>UpdateAlias</a>.
 * </p>
 * <p>
 * <b>Cross-account use</b>: No. You cannot perform this operation on an alias in a different Amazon Web Services
 * account.
 * </p>
 * <p>
 * <b>Required permissions</b>
 * </p>
 * <ul>
 * <li>
 * <p>
 * <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:DeleteAlias
 * </a> on the alias (IAM policy).
3897 * </p> 3898 * </li> 3899 * <li> 3900 * <p> 3901 * <a 3902 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:DeleteAlias 3903 * </a> on the KMS key (key policy). 3904 * </p> 3905 * </li> 3906 * </ul> 3907 * <p> 3908 * For details, see <a 3909 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access">Controlling access to 3910 * aliases</a> in the <i>Key Management Service Developer Guide</i>. 3911 * </p> 3912 * <p> 3913 * <b>Related operations:</b> 3914 * </p> 3915 * <ul> 3916 * <li> 3917 * <p> 3918 * <a>CreateAlias</a> 3919 * </p> 3920 * </li> 3921 * <li> 3922 * <p> 3923 * <a>ListAliases</a> 3924 * </p> 3925 * </li> 3926 * <li> 3927 * <p> 3928 * <a>UpdateAlias</a> 3929 * </p> 3930 * </li> 3931 * </ul> 3932 * <p> 3933 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 3934 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 3935 * consistency</a>. 3936 * </p> 3937 * <br/> 3938 * <p> 3939 * This is a convenience which creates an instance of the {@link DeleteAliasRequest.Builder} avoiding the need to 3940 * create one manually via {@link DeleteAliasRequest#builder()} 3941 * </p> 3942 * 3943 * @param deleteAliasRequest 3944 * A {@link Consumer} that will call methods on 3945 * {@link software.amazon.awssdk.services.kms.model.DeleteAliasRequest.Builder} to create a request. 3946 * @return Result of the DeleteAlias operation returned by the service. 3947 * @throws DependencyTimeoutException 3948 * The system timed out while trying to fulfill the request. You can retry the request. 3949 * @throws NotFoundException 3950 * The request was rejected because the specified entity or resource could not be found. 3951 * @throws KmsInternalException 3952 * The request was rejected because an internal exception occurred. The request can be retried. 
3953 * @throws KmsInvalidStateException 3954 * The request was rejected because the state of the specified resource is not valid for this request.</p> 3955 * <p> 3956 * This exceptions means one of the following: 3957 * </p> 3958 * <ul> 3959 * <li> 3960 * <p> 3961 * The key state of the KMS key is not compatible with the operation. 3962 * </p> 3963 * <p> 3964 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 3965 * are compatible with each KMS operation, see <a 3966 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 3967 * the <i> <i>Key Management Service Developer Guide</i> </i>. 3968 * </p> 3969 * </li> 3970 * <li> 3971 * <p> 3972 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 3973 * failure with many possible causes. To identify the cause, see the error message that accompanies the 3974 * exception. 3975 * </p> 3976 * </li> 3977 * @throws SdkException 3978 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 3979 * catch all scenarios. 3980 * @throws SdkClientException 3981 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 3982 * @throws KmsException 3983 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
* @sample KmsClient.DeleteAlias
 * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteAlias" target="_top">AWS API
 *      Documentation</a>
 */
default DeleteAliasResponse deleteAlias(Consumer<DeleteAliasRequest.Builder> deleteAliasRequest)
        throws DependencyTimeoutException,
               NotFoundException,
               KmsInternalException,
               KmsInvalidStateException,
               AwsServiceException,
               SdkClientException,
               KmsException {
    // Let the caller's consumer fill in a fresh builder, then delegate to the DeleteAliasRequest
    // overload of this interface with the built request.
    final DeleteAliasRequest builtRequest = DeleteAliasRequest.builder().applyMutation(deleteAliasRequest).build();
    return deleteAlias(builtRequest);
}

/**
 * <p>
 * Deletes a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom
 * key store</a>. This operation does not affect any backing elements of the custom key store. It does not delete
 * the CloudHSM cluster that is associated with a CloudHSM key store, or affect any users or keys in the cluster.
 * For an external key store, it does not affect the external key store proxy, external key manager, or any external
 * keys.
 * </p>
 * <p>
 * This operation is part of the <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key stores</a>
 * feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of
 * a key store that you own and manage.
 * </p>
 * <p>
 * The custom key store that you delete cannot contain any <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys">KMS keys</a>. Before deleting
 * the key store, verify that you will never need to use any of the KMS keys in the key store for any <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations">cryptographic
 * operations</a>.
Then, use <a>ScheduleKeyDeletion</a> to delete the KMS keys from the key store. After the 4014 * required waiting period expires and all KMS keys are deleted from the custom key store, use 4015 * <a>DisconnectCustomKeyStore</a> to disconnect the key store from KMS. Then, you can delete the custom key store. 4016 * </p> 4017 * <p> 4018 * For keys in an CloudHSM key store, the <code>ScheduleKeyDeletion</code> operation makes a best effort to delete 4019 * the key material from the associated cluster. However, you might need to manually <a 4020 * href="https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key">delete 4021 * the orphaned key material</a> from the cluster and its backups. KMS never creates, manages, or deletes 4022 * cryptographic keys in the external key manager associated with an external key store. You must manage them using 4023 * your external key manager tools. 4024 * </p> 4025 * <p> 4026 * Instead of deleting the custom key store, consider using the <a>DisconnectCustomKeyStore</a> operation to 4027 * disconnect the custom key store from its backing key store. While the key store is disconnected, you cannot 4028 * create or use the KMS keys in the key store. But, you do not need to delete KMS keys and you can reconnect a 4029 * disconnected custom key store at any time. 4030 * </p> 4031 * <p> 4032 * If the operation succeeds, it returns a JSON object with no properties. 4033 * </p> 4034 * <p> 4035 * <b>Cross-account use</b>: No. You cannot perform this operation on a custom key store in a different Amazon Web 4036 * Services account. 
4037 * </p> 4038 * <p> 4039 * <b>Required permissions</b>: <a 4040 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 4041 * >kms:DeleteCustomKeyStore</a> (IAM policy) 4042 * </p> 4043 * <p> 4044 * <b>Related operations:</b> 4045 * </p> 4046 * <ul> 4047 * <li> 4048 * <p> 4049 * <a>ConnectCustomKeyStore</a> 4050 * </p> 4051 * </li> 4052 * <li> 4053 * <p> 4054 * <a>CreateCustomKeyStore</a> 4055 * </p> 4056 * </li> 4057 * <li> 4058 * <p> 4059 * <a>DescribeCustomKeyStores</a> 4060 * </p> 4061 * </li> 4062 * <li> 4063 * <p> 4064 * <a>DisconnectCustomKeyStore</a> 4065 * </p> 4066 * </li> 4067 * <li> 4068 * <p> 4069 * <a>UpdateCustomKeyStore</a> 4070 * </p> 4071 * </li> 4072 * </ul> 4073 * <p> 4074 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 4075 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 4076 * consistency</a>. 4077 * </p> 4078 * 4079 * @param deleteCustomKeyStoreRequest 4080 * @return Result of the DeleteCustomKeyStore operation returned by the service. 4081 * @throws CustomKeyStoreHasCmKsException 4082 * The request was rejected because the custom key store contains KMS keys. After verifying that you do not 4083 * need to use the KMS keys, use the <a>ScheduleKeyDeletion</a> operation to delete the KMS keys. After they 4084 * are deleted, you can delete the custom key store. 4085 * @throws CustomKeyStoreInvalidStateException 4086 * The request was rejected because of the <code>ConnectionState</code> of the custom key store. 
To get the
 *         <code>ConnectionState</code> of a custom key store, use the <a>DescribeCustomKeyStores</a> operation.</p>
 *         <p>
 *         This exception is thrown under the following conditions:
 *         </p>
 *         <ul>
 *         <li>
 *         <p>
 *         You requested the <a>ConnectCustomKeyStore</a> operation on a custom key store with a
 *         <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>FAILED</code>. This operation is
 *         valid for all other <code>ConnectionState</code> values. To reconnect a custom key store in a
 *         <code>FAILED</code> state, disconnect it (<a>DisconnectCustomKeyStore</a>), then connect it
 *         (<code>ConnectCustomKeyStore</code>).
 *         </p>
 *         </li>
 *         <li>
 *         <p>
 *         You requested the <a>CreateKey</a> operation in a custom key store that is not connected. This operation
 *         is valid only when the custom key store <code>ConnectionState</code> is <code>CONNECTED</code>.
 *         </p>
 *         </li>
 *         <li>
 *         <p>
 *         You requested the <a>DisconnectCustomKeyStore</a> operation on a custom key store with a
 *         <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>DISCONNECTED</code>. This operation
 *         is valid for all other <code>ConnectionState</code> values.
 *         </p>
 *         </li>
 *         <li>
 *         <p>
 *         You requested the <a>UpdateCustomKeyStore</a> or <a>DeleteCustomKeyStore</a> operation on a custom key
 *         store that is not disconnected. This operation is valid only when the custom key store
 *         <code>ConnectionState</code> is <code>DISCONNECTED</code>.
 *         </p>
 *         </li>
 *         <li>
 *         <p>
 *         You requested the <a>GenerateRandom</a> operation in a CloudHSM key store that is not connected. This
 *         operation is valid only when the CloudHSM key store <code>ConnectionState</code> is
 *         <code>CONNECTED</code>.
*         </p>
 *         </li>
 *         </ul>
 * @throws CustomKeyStoreNotFoundException
 *         The request was rejected because KMS cannot find a custom key store with the specified key store name or
 *         ID.
 * @throws KmsInternalException
 *         The request was rejected because an internal exception occurred. The request can be retried.
 * @throws SdkException
 *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
 *         catch all scenarios.
 * @throws SdkClientException
 *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
 * @throws KmsException
 *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
 * @sample KmsClient.DeleteCustomKeyStore
 * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteCustomKeyStore" target="_top">AWS API
 *      Documentation</a>
 */
default DeleteCustomKeyStoreResponse deleteCustomKeyStore(DeleteCustomKeyStoreRequest deleteCustomKeyStoreRequest)
        throws CustomKeyStoreHasCmKsException,
               CustomKeyStoreInvalidStateException,
               CustomKeyStoreNotFoundException,
               KmsInternalException,
               AwsServiceException,
               SdkClientException,
               KmsException {
    // This default body makes no service call and ignores the request: it always throws.
    // NOTE(review): presumably the concrete client class overrides this method - confirm there.
    throw new UnsupportedOperationException();
}

/**
 * <p>
 * Deletes a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom
 * key store</a>. This operation does not affect any backing elements of the custom key store. It does not delete
 * the CloudHSM cluster that is associated with a CloudHSM key store, or affect any users or keys in the cluster.
 * For an external key store, it does not affect the external key store proxy, external key manager, or any external
 * keys.
4157 * </p> 4158 * <p> 4159 * This operation is part of the <a 4160 * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key stores</a> 4161 * feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of 4162 * a key store that you own and manage. 4163 * </p> 4164 * <p> 4165 * The custom key store that you delete cannot contain any <a 4166 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys">KMS keys</a>. Before deleting 4167 * the key store, verify that you will never need to use any of the KMS keys in the key store for any <a 4168 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations">cryptographic 4169 * operations</a>. Then, use <a>ScheduleKeyDeletion</a> to delete the KMS keys from the key store. After the 4170 * required waiting period expires and all KMS keys are deleted from the custom key store, use 4171 * <a>DisconnectCustomKeyStore</a> to disconnect the key store from KMS. Then, you can delete the custom key store. 4172 * </p> 4173 * <p> 4174 * For keys in an CloudHSM key store, the <code>ScheduleKeyDeletion</code> operation makes a best effort to delete 4175 * the key material from the associated cluster. However, you might need to manually <a 4176 * href="https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key">delete 4177 * the orphaned key material</a> from the cluster and its backups. KMS never creates, manages, or deletes 4178 * cryptographic keys in the external key manager associated with an external key store. You must manage them using 4179 * your external key manager tools. 4180 * </p> 4181 * <p> 4182 * Instead of deleting the custom key store, consider using the <a>DisconnectCustomKeyStore</a> operation to 4183 * disconnect the custom key store from its backing key store. 
While the key store is disconnected, you cannot 4184 * create or use the KMS keys in the key store. But, you do not need to delete KMS keys and you can reconnect a 4185 * disconnected custom key store at any time. 4186 * </p> 4187 * <p> 4188 * If the operation succeeds, it returns a JSON object with no properties. 4189 * </p> 4190 * <p> 4191 * <b>Cross-account use</b>: No. You cannot perform this operation on a custom key store in a different Amazon Web 4192 * Services account. 4193 * </p> 4194 * <p> 4195 * <b>Required permissions</b>: <a 4196 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 4197 * >kms:DeleteCustomKeyStore</a> (IAM policy) 4198 * </p> 4199 * <p> 4200 * <b>Related operations:</b> 4201 * </p> 4202 * <ul> 4203 * <li> 4204 * <p> 4205 * <a>ConnectCustomKeyStore</a> 4206 * </p> 4207 * </li> 4208 * <li> 4209 * <p> 4210 * <a>CreateCustomKeyStore</a> 4211 * </p> 4212 * </li> 4213 * <li> 4214 * <p> 4215 * <a>DescribeCustomKeyStores</a> 4216 * </p> 4217 * </li> 4218 * <li> 4219 * <p> 4220 * <a>DisconnectCustomKeyStore</a> 4221 * </p> 4222 * </li> 4223 * <li> 4224 * <p> 4225 * <a>UpdateCustomKeyStore</a> 4226 * </p> 4227 * </li> 4228 * </ul> 4229 * <p> 4230 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 4231 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 4232 * consistency</a>. 4233 * </p> 4234 * <br/> 4235 * <p> 4236 * This is a convenience which creates an instance of the {@link DeleteCustomKeyStoreRequest.Builder} avoiding the 4237 * need to create one manually via {@link DeleteCustomKeyStoreRequest#builder()} 4238 * </p> 4239 * 4240 * @param deleteCustomKeyStoreRequest 4241 * A {@link Consumer} that will call methods on 4242 * {@link software.amazon.awssdk.services.kms.model.DeleteCustomKeyStoreRequest.Builder} to create a request. 
4243 * @return Result of the DeleteCustomKeyStore operation returned by the service. 4244 * @throws CustomKeyStoreHasCmKsException 4245 * The request was rejected because the custom key store contains KMS keys. After verifying that you do not 4246 * need to use the KMS keys, use the <a>ScheduleKeyDeletion</a> operation to delete the KMS keys. After they 4247 * are deleted, you can delete the custom key store. 4248 * @throws CustomKeyStoreInvalidStateException 4249 * The request was rejected because of the <code>ConnectionState</code> of the custom key store. To get the 4250 * <code>ConnectionState</code> of a custom key store, use the <a>DescribeCustomKeyStores</a> operation.</p> 4251 * <p> 4252 * This exception is thrown under the following conditions: 4253 * </p> 4254 * <ul> 4255 * <li> 4256 * <p> 4257 * You requested the <a>ConnectCustomKeyStore</a> operation on a custom key store with a 4258 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>FAILED</code>. This operation is 4259 * valid for all other <code>ConnectionState</code> values. To reconnect a custom key store in a 4260 * <code>FAILED</code> state, disconnect it (<a>DisconnectCustomKeyStore</a>), then connect it ( 4261 * <code>ConnectCustomKeyStore</code>). 4262 * </p> 4263 * </li> 4264 * <li> 4265 * <p> 4266 * You requested the <a>CreateKey</a> operation in a custom key store that is not connected. This operations 4267 * is valid only when the custom key store <code>ConnectionState</code> is <code>CONNECTED</code>. 4268 * </p> 4269 * </li> 4270 * <li> 4271 * <p> 4272 * You requested the <a>DisconnectCustomKeyStore</a> operation on a custom key store with a 4273 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>DISCONNECTED</code>. This operation 4274 * is valid for all other <code>ConnectionState</code> values. 
4275 * </p> 4276 * </li> 4277 * <li> 4278 * <p> 4279 * You requested the <a>UpdateCustomKeyStore</a> or <a>DeleteCustomKeyStore</a> operation on a custom key 4280 * store that is not disconnected. This operation is valid only when the custom key store 4281 * <code>ConnectionState</code> is <code>DISCONNECTED</code>. 4282 * </p> 4283 * </li> 4284 * <li> 4285 * <p> 4286 * You requested the <a>GenerateRandom</a> operation in an CloudHSM key store that is not connected. This 4287 * operation is valid only when the CloudHSM key store <code>ConnectionState</code> is 4288 * <code>CONNECTED</code>. 4289 * </p> 4290 * </li> 4291 * @throws CustomKeyStoreNotFoundException 4292 * The request was rejected because KMS cannot find a custom key store with the specified key store name or 4293 * ID. 4294 * @throws KmsInternalException 4295 * The request was rejected because an internal exception occurred. The request can be retried. 4296 * @throws SdkException 4297 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 4298 * catch all scenarios. 4299 * @throws SdkClientException 4300 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 4301 * @throws KmsException 4302 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
* @sample KmsClient.DeleteCustomKeyStore
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteCustomKeyStore" target="_top">AWS API
     *      Documentation</a>
     */
    default DeleteCustomKeyStoreResponse deleteCustomKeyStore(
            Consumer<DeleteCustomKeyStoreRequest.Builder> deleteCustomKeyStoreRequest) throws CustomKeyStoreHasCmKsException,
            CustomKeyStoreInvalidStateException, CustomKeyStoreNotFoundException, KmsInternalException, AwsServiceException,
            SdkClientException, KmsException {
        // The caller's Consumer configures a fresh builder. This wrapper adds no checks of its own and passes the
        // built request to the request-object overload unchanged.
        final DeleteCustomKeyStoreRequest request = DeleteCustomKeyStoreRequest.builder()
                .applyMutation(deleteCustomKeyStoreRequest)
                .build();
        return deleteCustomKeyStore(request);
    }

    /**
     * <p>
     * Deletes key material that was previously imported. This operation makes the specified KMS key temporarily
     * unusable. To restore the usability of the KMS key, reimport the same key material. Only the same key material
     * restores the key, so make sure a copy of it is still held outside KMS before you call this operation. For more
     * information about importing key material into KMS, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing Key Material</a> in
     * the <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * When the specified KMS key is in the <code>PendingDeletion</code> state, this operation does not change the KMS
     * key's state. Otherwise, it changes the KMS key's state to <code>PendingImport</code>.
     * </p>
     * <p>
     * The KMS key that you use for this operation must be in a compatible key state. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the
     * <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
     * account.
4334 * </p> 4335 * <p> 4336 * <b>Required permissions</b>: <a 4337 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 4338 * >kms:DeleteImportedKeyMaterial</a> (key policy) 4339 * </p> 4340 * <p> 4341 * <b>Related operations:</b> 4342 * </p> 4343 * <ul> 4344 * <li> 4345 * <p> 4346 * <a>GetParametersForImport</a> 4347 * </p> 4348 * </li> 4349 * <li> 4350 * <p> 4351 * <a>ImportKeyMaterial</a> 4352 * </p> 4353 * </li> 4354 * </ul> 4355 * <p> 4356 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 4357 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 4358 * consistency</a>. 4359 * </p> 4360 * 4361 * @param deleteImportedKeyMaterialRequest 4362 * @return Result of the DeleteImportedKeyMaterial operation returned by the service. 4363 * @throws InvalidArnException 4364 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 4365 * @throws UnsupportedOperationException 4366 * The request was rejected because a specified parameter is not supported or a specified resource is not 4367 * valid for this operation. 4368 * @throws DependencyTimeoutException 4369 * The system timed out while trying to fulfill the request. You can retry the request. 4370 * @throws NotFoundException 4371 * The request was rejected because the specified entity or resource could not be found. 4372 * @throws KmsInternalException 4373 * The request was rejected because an internal exception occurred. The request can be retried. 4374 * @throws KmsInvalidStateException 4375 * The request was rejected because the state of the specified resource is not valid for this request.</p> 4376 * <p> 4377 * This exceptions means one of the following: 4378 * </p> 4379 * <ul> 4380 * <li> 4381 * <p> 4382 * The key state of the KMS key is not compatible with the operation. 
* </p>
     * <p>
     * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states
     * are compatible with each KMS operation, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
     * the <i>Key Management Service Developer Guide</i>.
     * </p>
     * </li>
     * <li>
     * <p>
     * For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     * failure with many possible causes. To identify the cause, see the error message that accompanies the
     * exception.
     * </p>
     * </li>
     * </ul>
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.DeleteImportedKeyMaterial
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteImportedKeyMaterial" target="_top">AWS
     *      API Documentation</a>
     */
    default DeleteImportedKeyMaterialResponse deleteImportedKeyMaterial(
            DeleteImportedKeyMaterialRequest deleteImportedKeyMaterialRequest) throws InvalidArnException,
            software.amazon.awssdk.services.kms.model.UnsupportedOperationException, DependencyTimeoutException,
            NotFoundException, KmsInternalException, KmsInvalidStateException, AwsServiceException, SdkClientException,
            KmsException {
        // Default body for implementations that do not override this operation. The exception is java.lang's
        // unchecked UnsupportedOperationException, written with its package so it is not mistaken for the KMS model
        // exception of the same name that the throws clause spells out in full.
        throw new java.lang.UnsupportedOperationException();
    }

    /**
     * <p>
     * Deletes key material that was previously imported.
This operation makes the specified KMS key temporarily 4420 * unusable. To restore the usability of the KMS key, reimport the same key material. For more information about 4421 * importing key material into KMS, see <a 4422 * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing Key Material</a> in 4423 * the <i>Key Management Service Developer Guide</i>. 4424 * </p> 4425 * <p> 4426 * When the specified KMS key is in the <code>PendingDeletion</code> state, this operation does not change the KMS 4427 * key's state. Otherwise, it changes the KMS key's state to <code>PendingImport</code>. 4428 * </p> 4429 * <p> 4430 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 4431 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 4432 * <i>Key Management Service Developer Guide</i>. 4433 * </p> 4434 * <p> 4435 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 4436 * account. 4437 * </p> 4438 * <p> 4439 * <b>Required permissions</b>: <a 4440 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 4441 * >kms:DeleteImportedKeyMaterial</a> (key policy) 4442 * </p> 4443 * <p> 4444 * <b>Related operations:</b> 4445 * </p> 4446 * <ul> 4447 * <li> 4448 * <p> 4449 * <a>GetParametersForImport</a> 4450 * </p> 4451 * </li> 4452 * <li> 4453 * <p> 4454 * <a>ImportKeyMaterial</a> 4455 * </p> 4456 * </li> 4457 * </ul> 4458 * <p> 4459 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 4460 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 4461 * consistency</a>. 
4462 * </p> 4463 * <br/> 4464 * <p> 4465 * This is a convenience which creates an instance of the {@link DeleteImportedKeyMaterialRequest.Builder} avoiding 4466 * the need to create one manually via {@link DeleteImportedKeyMaterialRequest#builder()} 4467 * </p> 4468 * 4469 * @param deleteImportedKeyMaterialRequest 4470 * A {@link Consumer} that will call methods on 4471 * {@link software.amazon.awssdk.services.kms.model.DeleteImportedKeyMaterialRequest.Builder} to create a 4472 * request. 4473 * @return Result of the DeleteImportedKeyMaterial operation returned by the service. 4474 * @throws InvalidArnException 4475 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 4476 * @throws UnsupportedOperationException 4477 * The request was rejected because a specified parameter is not supported or a specified resource is not 4478 * valid for this operation. 4479 * @throws DependencyTimeoutException 4480 * The system timed out while trying to fulfill the request. You can retry the request. 4481 * @throws NotFoundException 4482 * The request was rejected because the specified entity or resource could not be found. 4483 * @throws KmsInternalException 4484 * The request was rejected because an internal exception occurred. The request can be retried. 4485 * @throws KmsInvalidStateException 4486 * The request was rejected because the state of the specified resource is not valid for this request.</p> 4487 * <p> 4488 * This exceptions means one of the following: 4489 * </p> 4490 * <ul> 4491 * <li> 4492 * <p> 4493 * The key state of the KMS key is not compatible with the operation. 4494 * </p> 4495 * <p> 4496 * To find the key state, use the <a>DescribeKey</a> operation. 
For more information about which key states 4497 * are compatible with each KMS operation, see <a 4498 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 4499 * the <i> <i>Key Management Service Developer Guide</i> </i>. 4500 * </p> 4501 * </li> 4502 * <li> 4503 * <p> 4504 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 4505 * failure with many possible causes. To identify the cause, see the error message that accompanies the 4506 * exception. 4507 * </p> 4508 * </li> 4509 * @throws SdkException 4510 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 4511 * catch all scenarios. 4512 * @throws SdkClientException 4513 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 4514 * @throws KmsException 4515 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
* @sample KmsClient.DeleteImportedKeyMaterial
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteImportedKeyMaterial" target="_top">AWS
     *      API Documentation</a>
     */
    default DeleteImportedKeyMaterialResponse deleteImportedKeyMaterial(
            Consumer<DeleteImportedKeyMaterialRequest.Builder> deleteImportedKeyMaterialRequest) throws InvalidArnException,
            software.amazon.awssdk.services.kms.model.UnsupportedOperationException, DependencyTimeoutException,
            NotFoundException, KmsInternalException, KmsInvalidStateException, AwsServiceException, SdkClientException,
            KmsException {
        // The caller's Consumer configures a fresh builder. The built request goes to the request-object overload,
        // so both overloads share one code path.
        final DeleteImportedKeyMaterialRequest request = DeleteImportedKeyMaterialRequest.builder()
                .applyMutation(deleteImportedKeyMaterialRequest)
                .build();
        return deleteImportedKeyMaterial(request);
    }

    /**
     * <p>
     * Gets information about <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key stores</a>
     * in the account and Region.
     * </p>
     * <p>
     * This operation is part of the <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key stores</a>
     * feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of
     * a key store that you own and manage.
     * </p>
     * <p>
     * By default, this operation returns information about all custom key stores in the account and Region. To get only
     * information about a particular custom key store, use either the <code>CustomKeyStoreName</code> or
     * <code>CustomKeyStoreId</code> parameter (but not both).
     * </p>
     * <p>
     * To determine whether the custom key store is connected to its CloudHSM cluster or external key store proxy, use
     * the <code>ConnectionState</code> element in the response.
If an attempt to connect the custom key store failed, 4549 * the <code>ConnectionState</code> value is <code>FAILED</code> and the <code>ConnectionErrorCode</code> element in 4550 * the response indicates the cause of the failure. For help interpreting the <code>ConnectionErrorCode</code>, see 4551 * <a>CustomKeyStoresListEntry</a>. 4552 * </p> 4553 * <p> 4554 * Custom key stores have a <code>DISCONNECTED</code> connection state if the key store has never been connected or 4555 * you used the <a>DisconnectCustomKeyStore</a> operation to disconnect it. Otherwise, the connection state is 4556 * CONNECTED. If your custom key store connection state is <code>CONNECTED</code> but you are having trouble using 4557 * it, verify that the backing store is active and available. For an CloudHSM key store, verify that the associated 4558 * CloudHSM cluster is active and contains the minimum number of HSMs required for the operation, if any. For an 4559 * external key store, verify that the external key store proxy and its associated external key manager are 4560 * reachable and enabled. 4561 * </p> 4562 * <p> 4563 * For help repairing your CloudHSM key store, see the <a 4564 * href="https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html">Troubleshooting CloudHSM key 4565 * stores</a>. For help repairing your external key store, see the <a 4566 * href="https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html">Troubleshooting external 4567 * key stores</a>. Both topics are in the <i>Key Management Service Developer Guide</i>. 4568 * </p> 4569 * <p> 4570 * <b>Cross-account use</b>: No. You cannot perform this operation on a custom key store in a different Amazon Web 4571 * Services account. 
4572 * </p> 4573 * <p> 4574 * <b>Required permissions</b>: <a 4575 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 4576 * >kms:DescribeCustomKeyStores</a> (IAM policy) 4577 * </p> 4578 * <p> 4579 * <b>Related operations:</b> 4580 * </p> 4581 * <ul> 4582 * <li> 4583 * <p> 4584 * <a>ConnectCustomKeyStore</a> 4585 * </p> 4586 * </li> 4587 * <li> 4588 * <p> 4589 * <a>CreateCustomKeyStore</a> 4590 * </p> 4591 * </li> 4592 * <li> 4593 * <p> 4594 * <a>DeleteCustomKeyStore</a> 4595 * </p> 4596 * </li> 4597 * <li> 4598 * <p> 4599 * <a>DisconnectCustomKeyStore</a> 4600 * </p> 4601 * </li> 4602 * <li> 4603 * <p> 4604 * <a>UpdateCustomKeyStore</a> 4605 * </p> 4606 * </li> 4607 * </ul> 4608 * <p> 4609 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 4610 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 4611 * consistency</a>. 4612 * </p> 4613 * 4614 * @param describeCustomKeyStoresRequest 4615 * @return Result of the DescribeCustomKeyStores operation returned by the service. 4616 * @throws CustomKeyStoreNotFoundException 4617 * The request was rejected because KMS cannot find a custom key store with the specified key store name or 4618 * ID. 4619 * @throws InvalidMarkerException 4620 * The request was rejected because the marker that specifies where pagination should next begin is not 4621 * valid. 4622 * @throws KmsInternalException 4623 * The request was rejected because an internal exception occurred. The request can be retried. 4624 * @throws SdkException 4625 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 4626 * catch all scenarios. 4627 * @throws SdkClientException 4628 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 4629 * @throws KmsException 4630 * Base class for all service exceptions. 
* Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.DescribeCustomKeyStores
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeCustomKeyStores" target="_top">AWS
     *      API Documentation</a>
     */
    default DescribeCustomKeyStoresResponse describeCustomKeyStores(DescribeCustomKeyStoresRequest describeCustomKeyStoresRequest)
            throws CustomKeyStoreNotFoundException, InvalidMarkerException, KmsInternalException, AwsServiceException,
            SdkClientException, KmsException {
        // Default body for implementations that do not override this operation. The exception is java.lang's
        // unchecked UnsupportedOperationException, written with its package because the KMS model declares an
        // exception of the same name (other operations in this interface list it in their throws clauses).
        throw new java.lang.UnsupportedOperationException();
    }

    /**
     * <p>
     * Gets information about <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key stores</a>
     * in the account and Region.
     * </p>
     * <p>
     * This operation is part of the <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key stores</a>
     * feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of
     * a key store that you own and manage.
     * </p>
     * <p>
     * By default, this operation returns information about all custom key stores in the account and Region. To get only
     * information about a particular custom key store, use either the <code>CustomKeyStoreName</code> or
     * <code>CustomKeyStoreId</code> parameter (but not both).
     * </p>
     * <p>
     * To determine whether the custom key store is connected to its CloudHSM cluster or external key store proxy, use
     * the <code>ConnectionState</code> element in the response.
If an attempt to connect the custom key store failed, 4661 * the <code>ConnectionState</code> value is <code>FAILED</code> and the <code>ConnectionErrorCode</code> element in 4662 * the response indicates the cause of the failure. For help interpreting the <code>ConnectionErrorCode</code>, see 4663 * <a>CustomKeyStoresListEntry</a>. 4664 * </p> 4665 * <p> 4666 * Custom key stores have a <code>DISCONNECTED</code> connection state if the key store has never been connected or 4667 * you used the <a>DisconnectCustomKeyStore</a> operation to disconnect it. Otherwise, the connection state is 4668 * CONNECTED. If your custom key store connection state is <code>CONNECTED</code> but you are having trouble using 4669 * it, verify that the backing store is active and available. For an CloudHSM key store, verify that the associated 4670 * CloudHSM cluster is active and contains the minimum number of HSMs required for the operation, if any. For an 4671 * external key store, verify that the external key store proxy and its associated external key manager are 4672 * reachable and enabled. 4673 * </p> 4674 * <p> 4675 * For help repairing your CloudHSM key store, see the <a 4676 * href="https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html">Troubleshooting CloudHSM key 4677 * stores</a>. For help repairing your external key store, see the <a 4678 * href="https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html">Troubleshooting external 4679 * key stores</a>. Both topics are in the <i>Key Management Service Developer Guide</i>. 4680 * </p> 4681 * <p> 4682 * <b>Cross-account use</b>: No. You cannot perform this operation on a custom key store in a different Amazon Web 4683 * Services account. 
4684 * </p> 4685 * <p> 4686 * <b>Required permissions</b>: <a 4687 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 4688 * >kms:DescribeCustomKeyStores</a> (IAM policy) 4689 * </p> 4690 * <p> 4691 * <b>Related operations:</b> 4692 * </p> 4693 * <ul> 4694 * <li> 4695 * <p> 4696 * <a>ConnectCustomKeyStore</a> 4697 * </p> 4698 * </li> 4699 * <li> 4700 * <p> 4701 * <a>CreateCustomKeyStore</a> 4702 * </p> 4703 * </li> 4704 * <li> 4705 * <p> 4706 * <a>DeleteCustomKeyStore</a> 4707 * </p> 4708 * </li> 4709 * <li> 4710 * <p> 4711 * <a>DisconnectCustomKeyStore</a> 4712 * </p> 4713 * </li> 4714 * <li> 4715 * <p> 4716 * <a>UpdateCustomKeyStore</a> 4717 * </p> 4718 * </li> 4719 * </ul> 4720 * <p> 4721 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 4722 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 4723 * consistency</a>. 4724 * </p> 4725 * <br/> 4726 * <p> 4727 * This is a convenience which creates an instance of the {@link DescribeCustomKeyStoresRequest.Builder} avoiding 4728 * the need to create one manually via {@link DescribeCustomKeyStoresRequest#builder()} 4729 * </p> 4730 * 4731 * @param describeCustomKeyStoresRequest 4732 * A {@link Consumer} that will call methods on 4733 * {@link software.amazon.awssdk.services.kms.model.DescribeCustomKeyStoresRequest.Builder} to create a 4734 * request. 4735 * @return Result of the DescribeCustomKeyStores operation returned by the service. 4736 * @throws CustomKeyStoreNotFoundException 4737 * The request was rejected because KMS cannot find a custom key store with the specified key store name or 4738 * ID. 4739 * @throws InvalidMarkerException 4740 * The request was rejected because the marker that specifies where pagination should next begin is not 4741 * valid. 
* @throws KmsInternalException
     *         The request was rejected because an internal exception occurred. The request can be retried.
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.DescribeCustomKeyStores
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeCustomKeyStores" target="_top">AWS
     *      API Documentation</a>
     */
    default DescribeCustomKeyStoresResponse describeCustomKeyStores(
            Consumer<DescribeCustomKeyStoresRequest.Builder> describeCustomKeyStoresRequest)
            throws CustomKeyStoreNotFoundException, InvalidMarkerException, KmsInternalException, AwsServiceException,
            SdkClientException, KmsException {
        // The caller's Consumer configures a fresh builder. The built request goes to the request-object overload.
        final DescribeCustomKeyStoresRequest request = DescribeCustomKeyStoresRequest.builder()
                .applyMutation(describeCustomKeyStoresRequest)
                .build();
        return describeCustomKeyStores(request);
    }

    /**
     * <p>
     * Gets information about <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key stores</a>
     * in the account and Region.
     * </p>
     * <p>
     * This operation is part of the <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key stores</a>
     * feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of
     * a key store that you own and manage.
4774 * </p> 4775 * <p> 4776 * By default, this operation returns information about all custom key stores in the account and Region. To get only 4777 * information about a particular custom key store, use either the <code>CustomKeyStoreName</code> or 4778 * <code>CustomKeyStoreId</code> parameter (but not both). 4779 * </p> 4780 * <p> 4781 * To determine whether the custom key store is connected to its CloudHSM cluster or external key store proxy, use 4782 * the <code>ConnectionState</code> element in the response. If an attempt to connect the custom key store failed, 4783 * the <code>ConnectionState</code> value is <code>FAILED</code> and the <code>ConnectionErrorCode</code> element in 4784 * the response indicates the cause of the failure. For help interpreting the <code>ConnectionErrorCode</code>, see 4785 * <a>CustomKeyStoresListEntry</a>. 4786 * </p> 4787 * <p> 4788 * Custom key stores have a <code>DISCONNECTED</code> connection state if the key store has never been connected or 4789 * you used the <a>DisconnectCustomKeyStore</a> operation to disconnect it. Otherwise, the connection state is 4790 * CONNECTED. If your custom key store connection state is <code>CONNECTED</code> but you are having trouble using 4791 * it, verify that the backing store is active and available. For an CloudHSM key store, verify that the associated 4792 * CloudHSM cluster is active and contains the minimum number of HSMs required for the operation, if any. For an 4793 * external key store, verify that the external key store proxy and its associated external key manager are 4794 * reachable and enabled. 4795 * </p> 4796 * <p> 4797 * For help repairing your CloudHSM key store, see the <a 4798 * href="https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html">Troubleshooting CloudHSM key 4799 * stores</a>. 
For help repairing your external key store, see the <a 4800 * href="https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html">Troubleshooting external 4801 * key stores</a>. Both topics are in the <i>Key Management Service Developer Guide</i>. 4802 * </p> 4803 * <p> 4804 * <b>Cross-account use</b>: No. You cannot perform this operation on a custom key store in a different Amazon Web 4805 * Services account. 4806 * </p> 4807 * <p> 4808 * <b>Required permissions</b>: <a 4809 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 4810 * >kms:DescribeCustomKeyStores</a> (IAM policy) 4811 * </p> 4812 * <p> 4813 * <b>Related operations:</b> 4814 * </p> 4815 * <ul> 4816 * <li> 4817 * <p> 4818 * <a>ConnectCustomKeyStore</a> 4819 * </p> 4820 * </li> 4821 * <li> 4822 * <p> 4823 * <a>CreateCustomKeyStore</a> 4824 * </p> 4825 * </li> 4826 * <li> 4827 * <p> 4828 * <a>DeleteCustomKeyStore</a> 4829 * </p> 4830 * </li> 4831 * <li> 4832 * <p> 4833 * <a>DisconnectCustomKeyStore</a> 4834 * </p> 4835 * </li> 4836 * <li> 4837 * <p> 4838 * <a>UpdateCustomKeyStore</a> 4839 * </p> 4840 * </li> 4841 * </ul> 4842 * <p> 4843 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 4844 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 4845 * consistency</a>. 4846 * </p> 4847 * 4848 * @return Result of the DescribeCustomKeyStores operation returned by the service. 4849 * @throws CustomKeyStoreNotFoundException 4850 * The request was rejected because KMS cannot find a custom key store with the specified key store name or 4851 * ID. 4852 * @throws InvalidMarkerException 4853 * The request was rejected because the marker that specifies where pagination should next begin is not 4854 * valid. 4855 * @throws KmsInternalException 4856 * The request was rejected because an internal exception occurred. 
* The request can be retried.
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.DescribeCustomKeyStores
     * @see #describeCustomKeyStores(DescribeCustomKeyStoresRequest)
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeCustomKeyStores" target="_top">AWS
     *      API Documentation</a>
     */
    default DescribeCustomKeyStoresResponse describeCustomKeyStores() throws CustomKeyStoreNotFoundException,
            InvalidMarkerException, KmsInternalException, AwsServiceException, SdkClientException, KmsException {
        // A request with no fields set. Per this operation's Javadoc, the default is information about all custom
        // key stores in the account and Region.
        final DescribeCustomKeyStoresRequest unfiltered = DescribeCustomKeyStoresRequest.builder().build();
        return describeCustomKeyStores(unfiltered);
    }

    /**
     * <p>
     * This is a variant of
     * {@link #describeCustomKeyStores(software.amazon.awssdk.services.kms.model.DescribeCustomKeyStoresRequest)}
     * operation. The return type is a custom iterable that can be used to iterate through all the pages. SDK will
     * internally handle making service calls for you.
     * </p>
     * <p>
     * When this operation is called, a custom iterable is returned but no service calls are made yet. So there is no
     * guarantee that the request is valid. As you iterate through the iterable, SDK will start lazily loading response
     * pages by making service calls until there are no pages left or your iteration stops. If there are errors in your
     * request, you will see the failures only after you start iterating through the iterable.
4886 * </p> 4887 * 4888 * <p> 4889 * The following are few ways to iterate through the response pages: 4890 * </p> 4891 * 1) Using a Stream 4892 * 4893 * <pre> 4894 * {@code 4895 * software.amazon.awssdk.services.kms.paginators.DescribeCustomKeyStoresIterable responses = client.describeCustomKeyStoresPaginator(request); 4896 * responses.stream().forEach(....); 4897 * } 4898 * </pre> 4899 * 4900 * 2) Using For loop 4901 * 4902 * <pre> 4903 * { 4904 * @code 4905 * software.amazon.awssdk.services.kms.paginators.DescribeCustomKeyStoresIterable responses = client 4906 * .describeCustomKeyStoresPaginator(request); 4907 * for (software.amazon.awssdk.services.kms.model.DescribeCustomKeyStoresResponse response : responses) { 4908 * // do something; 4909 * } 4910 * } 4911 * </pre> 4912 * 4913 * 3) Use iterator directly 4914 * 4915 * <pre> 4916 * {@code 4917 * software.amazon.awssdk.services.kms.paginators.DescribeCustomKeyStoresIterable responses = client.describeCustomKeyStoresPaginator(request); 4918 * responses.iterator().forEachRemaining(....); 4919 * } 4920 * </pre> 4921 * <p> 4922 * <b>Please notice that the configuration of Limit won't limit the number of results you get with the paginator. It 4923 * only limits the number of results in each page.</b> 4924 * </p> 4925 * <p> 4926 * <b>Note: If you prefer to have control on service calls, use the 4927 * {@link #describeCustomKeyStores(software.amazon.awssdk.services.kms.model.DescribeCustomKeyStoresRequest)} 4928 * operation.</b> 4929 * </p> 4930 * 4931 * @return A custom iterable that can be used to iterate through all the response pages. 4932 * @throws CustomKeyStoreNotFoundException 4933 * The request was rejected because KMS cannot find a custom key store with the specified key store name or 4934 * ID. 4935 * @throws InvalidMarkerException 4936 * The request was rejected because the marker that specifies where pagination should next begin is not 4937 * valid. 
* @throws KmsInternalException
     *         The request was rejected because an internal exception occurred. The request can be retried.
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.DescribeCustomKeyStores
     * @see #describeCustomKeyStoresPaginator(DescribeCustomKeyStoresRequest)
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeCustomKeyStores" target="_top">AWS
     *      API Documentation</a>
     */
    default DescribeCustomKeyStoresIterable describeCustomKeyStoresPaginator() throws CustomKeyStoreNotFoundException,
            InvalidMarkerException, KmsInternalException, AwsServiceException, SdkClientException, KmsException {
        // A request with no fields set, handed to the request-object paginator overload.
        final DescribeCustomKeyStoresRequest unfiltered = DescribeCustomKeyStoresRequest.builder().build();
        return describeCustomKeyStoresPaginator(unfiltered);
    }

    /**
     * <p>
     * This is a variant of
     * {@link #describeCustomKeyStores(software.amazon.awssdk.services.kms.model.DescribeCustomKeyStoresRequest)}
     * operation. The return type is a custom iterable that can be used to iterate through all the pages. SDK will
     * internally handle making service calls for you.
     * </p>
     * <p>
     * When this operation is called, a custom iterable is returned but no service calls are made yet. So there is no
     * guarantee that the request is valid. As you iterate through the iterable, SDK will start lazily loading response
     * pages by making service calls until there are no pages left or your iteration stops.
If there are errors in your 4968 * request, you will see the failures only after you start iterating through the iterable. 4969 * </p> 4970 * 4971 * <p> 4972 * The following are few ways to iterate through the response pages: 4973 * </p> 4974 * 1) Using a Stream 4975 * 4976 * <pre> 4977 * {@code 4978 * software.amazon.awssdk.services.kms.paginators.DescribeCustomKeyStoresIterable responses = client.describeCustomKeyStoresPaginator(request); 4979 * responses.stream().forEach(....); 4980 * } 4981 * </pre> 4982 * 4983 * 2) Using For loop 4984 * 4985 * <pre> 4986 * { 4987 * @code 4988 * software.amazon.awssdk.services.kms.paginators.DescribeCustomKeyStoresIterable responses = client 4989 * .describeCustomKeyStoresPaginator(request); 4990 * for (software.amazon.awssdk.services.kms.model.DescribeCustomKeyStoresResponse response : responses) { 4991 * // do something; 4992 * } 4993 * } 4994 * </pre> 4995 * 4996 * 3) Use iterator directly 4997 * 4998 * <pre> 4999 * {@code 5000 * software.amazon.awssdk.services.kms.paginators.DescribeCustomKeyStoresIterable responses = client.describeCustomKeyStoresPaginator(request); 5001 * responses.iterator().forEachRemaining(....); 5002 * } 5003 * </pre> 5004 * <p> 5005 * <b>Please notice that the configuration of Limit won't limit the number of results you get with the paginator. It 5006 * only limits the number of results in each page.</b> 5007 * </p> 5008 * <p> 5009 * <b>Note: If you prefer to have control on service calls, use the 5010 * {@link #describeCustomKeyStores(software.amazon.awssdk.services.kms.model.DescribeCustomKeyStoresRequest)} 5011 * operation.</b> 5012 * </p> 5013 * 5014 * @param describeCustomKeyStoresRequest 5015 * @return A custom iterable that can be used to iterate through all the response pages. 5016 * @throws CustomKeyStoreNotFoundException 5017 * The request was rejected because KMS cannot find a custom key store with the specified key store name or 5018 * ID. 
* @throws InvalidMarkerException
*         The request was rejected because the marker that specifies where pagination should next begin is not
*         valid.
* @throws KmsInternalException
*         The request was rejected because an internal exception occurred. The request can be retried.
* @throws SdkException
*         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
*         catch all scenarios.
* @throws SdkClientException
*         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
*         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.DescribeCustomKeyStores
* @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeCustomKeyStores" target="_top">AWS
*      API Documentation</a>
*/
default DescribeCustomKeyStoresIterable describeCustomKeyStoresPaginator(
        DescribeCustomKeyStoresRequest describeCustomKeyStoresRequest) throws CustomKeyStoreNotFoundException,
        InvalidMarkerException, KmsInternalException, AwsServiceException, SdkClientException, KmsException {
    // Only wraps this client and the request in the iterable. Per this method's Javadoc, no service call is
    // made here, so request errors surface when the result is iterated rather than at this call site.
    DescribeCustomKeyStoresIterable pages = new DescribeCustomKeyStoresIterable(this, describeCustomKeyStoresRequest);
    return pages;
}

/**
 * <p>
 * This is a variant of
 * {@link #describeCustomKeyStores(software.amazon.awssdk.services.kms.model.DescribeCustomKeyStoresRequest)}
 * operation. The return type is a custom iterable that can be used to iterate through all the pages. SDK will
 * internally handle making service calls for you.
 * </p>
 * <p>
 * When this operation is called, a custom iterable is returned but no service calls are made yet. So there is no
 * guarantee that the request is valid.
As you iterate through the iterable, SDK will start lazily loading response 5051 * pages by making service calls until there are no pages left or your iteration stops. If there are errors in your 5052 * request, you will see the failures only after you start iterating through the iterable. 5053 * </p> 5054 * 5055 * <p> 5056 * The following are few ways to iterate through the response pages: 5057 * </p> 5058 * 1) Using a Stream 5059 * 5060 * <pre> 5061 * {@code 5062 * software.amazon.awssdk.services.kms.paginators.DescribeCustomKeyStoresIterable responses = client.describeCustomKeyStoresPaginator(request); 5063 * responses.stream().forEach(....); 5064 * } 5065 * </pre> 5066 * 5067 * 2) Using For loop 5068 * 5069 * <pre> 5070 * { 5071 * @code 5072 * software.amazon.awssdk.services.kms.paginators.DescribeCustomKeyStoresIterable responses = client 5073 * .describeCustomKeyStoresPaginator(request); 5074 * for (software.amazon.awssdk.services.kms.model.DescribeCustomKeyStoresResponse response : responses) { 5075 * // do something; 5076 * } 5077 * } 5078 * </pre> 5079 * 5080 * 3) Use iterator directly 5081 * 5082 * <pre> 5083 * {@code 5084 * software.amazon.awssdk.services.kms.paginators.DescribeCustomKeyStoresIterable responses = client.describeCustomKeyStoresPaginator(request); 5085 * responses.iterator().forEachRemaining(....); 5086 * } 5087 * </pre> 5088 * <p> 5089 * <b>Please notice that the configuration of Limit won't limit the number of results you get with the paginator. 
It 5090 * only limits the number of results in each page.</b> 5091 * </p> 5092 * <p> 5093 * <b>Note: If you prefer to have control on service calls, use the 5094 * {@link #describeCustomKeyStores(software.amazon.awssdk.services.kms.model.DescribeCustomKeyStoresRequest)} 5095 * operation.</b> 5096 * </p> 5097 * <br/> 5098 * <p> 5099 * This is a convenience which creates an instance of the {@link DescribeCustomKeyStoresRequest.Builder} avoiding 5100 * the need to create one manually via {@link DescribeCustomKeyStoresRequest#builder()} 5101 * </p> 5102 * 5103 * @param describeCustomKeyStoresRequest 5104 * A {@link Consumer} that will call methods on 5105 * {@link software.amazon.awssdk.services.kms.model.DescribeCustomKeyStoresRequest.Builder} to create a 5106 * request. 5107 * @return A custom iterable that can be used to iterate through all the response pages. 5108 * @throws CustomKeyStoreNotFoundException 5109 * The request was rejected because KMS cannot find a custom key store with the specified key store name or 5110 * ID. 5111 * @throws InvalidMarkerException 5112 * The request was rejected because the marker that specifies where pagination should next begin is not 5113 * valid. 5114 * @throws KmsInternalException 5115 * The request was rejected because an internal exception occurred. The request can be retried. 5116 * @throws SdkException 5117 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 5118 * catch all scenarios. 5119 * @throws SdkClientException 5120 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 5121 * @throws KmsException 5122 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
* @sample KmsClient.DescribeCustomKeyStores
* @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeCustomKeyStores" target="_top">AWS
*      API Documentation</a>
*/
default DescribeCustomKeyStoresIterable describeCustomKeyStoresPaginator(
        Consumer<DescribeCustomKeyStoresRequest.Builder> describeCustomKeyStoresRequest)
        throws CustomKeyStoreNotFoundException, InvalidMarkerException, KmsInternalException, AwsServiceException,
        SdkClientException, KmsException {
    // Let the caller's Consumer configure a fresh builder, then delegate to the request-taking overload.
    DescribeCustomKeyStoresRequest builtRequest =
            DescribeCustomKeyStoresRequest.builder().applyMutation(describeCustomKeyStoresRequest).build();
    return describeCustomKeyStoresPaginator(builtRequest);
}

/**
 * <p>
 * Provides detailed information about a KMS key. You can run <code>DescribeKey</code> on a <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed key</a>
 * or an <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web
 * Services managed key</a>.
 * </p>
 * <p>
 * This detailed information includes the key ARN, creation date (and deletion date, if applicable), the key state,
 * and the origin and expiration date (if any) of the key material. It includes fields, like <code>KeySpec</code>,
 * that help you distinguish different types of KMS keys. It also displays the key usage (encryption, signing, or
 * generating and verifying MACs) and the algorithms that the KMS key supports.
 * </p>
 * <p>
 * For <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html">multi-Region
 * keys</a>, <code>DescribeKey</code> displays the primary key and all related replica keys.
For KMS keys in <a 5151 * href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html">CloudHSM key stores</a>, it 5152 * includes information about the key store, such as the key store ID and the CloudHSM cluster ID. For KMS keys in 5153 * <a href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html">external key stores</a>, 5154 * it includes the custom key store ID and the ID of the external key. 5155 * </p> 5156 * <p> 5157 * <code>DescribeKey</code> does not return the following information: 5158 * </p> 5159 * <ul> 5160 * <li> 5161 * <p> 5162 * Aliases associated with the KMS key. To get this information, use <a>ListAliases</a>. 5163 * </p> 5164 * </li> 5165 * <li> 5166 * <p> 5167 * Whether automatic key rotation is enabled on the KMS key. To get this information, use 5168 * <a>GetKeyRotationStatus</a>. Also, some key states prevent a KMS key from being automatically rotated. For 5169 * details, see <a 5170 * href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-how-it-works">How 5171 * Automatic Key Rotation Works</a> in the <i>Key Management Service Developer Guide</i>. 5172 * </p> 5173 * </li> 5174 * <li> 5175 * <p> 5176 * Tags on the KMS key. To get this information, use <a>ListResourceTags</a>. 5177 * </p> 5178 * </li> 5179 * <li> 5180 * <p> 5181 * Key policies and grants on the KMS key. To get this information, use <a>GetKeyPolicy</a> and <a>ListGrants</a>. 5182 * </p> 5183 * </li> 5184 * </ul> 5185 * <p> 5186 * In general, <code>DescribeKey</code> is a non-mutating operation. It returns data about KMS keys, but doesn't 5187 * change them. However, Amazon Web Services services use <code>DescribeKey</code> to create <a 5188 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web Services 5189 * managed keys</a> from a <i>predefined Amazon Web Services alias</i> with no key ID. 
5190 * </p> 5191 * <p> 5192 * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services 5193 * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. 5194 * </p> 5195 * <p> 5196 * <b>Required permissions</b>: <a 5197 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 5198 * >kms:DescribeKey</a> (key policy) 5199 * </p> 5200 * <p> 5201 * <b>Related operations:</b> 5202 * </p> 5203 * <ul> 5204 * <li> 5205 * <p> 5206 * <a>GetKeyPolicy</a> 5207 * </p> 5208 * </li> 5209 * <li> 5210 * <p> 5211 * <a>GetKeyRotationStatus</a> 5212 * </p> 5213 * </li> 5214 * <li> 5215 * <p> 5216 * <a>ListAliases</a> 5217 * </p> 5218 * </li> 5219 * <li> 5220 * <p> 5221 * <a>ListGrants</a> 5222 * </p> 5223 * </li> 5224 * <li> 5225 * <p> 5226 * <a>ListKeys</a> 5227 * </p> 5228 * </li> 5229 * <li> 5230 * <p> 5231 * <a>ListResourceTags</a> 5232 * </p> 5233 * </li> 5234 * <li> 5235 * <p> 5236 * <a>ListRetirableGrants</a> 5237 * </p> 5238 * </li> 5239 * </ul> 5240 * <p> 5241 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 5242 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 5243 * consistency</a>. 5244 * </p> 5245 * 5246 * @param describeKeyRequest 5247 * @return Result of the DescribeKey operation returned by the service. 5248 * @throws NotFoundException 5249 * The request was rejected because the specified entity or resource could not be found. 5250 * @throws InvalidArnException 5251 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 5252 * @throws DependencyTimeoutException 5253 * The system timed out while trying to fulfill the request. You can retry the request. 5254 * @throws KmsInternalException 5255 * The request was rejected because an internal exception occurred. The request can be retried. 
* @throws SdkException
*         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
*         catch all scenarios.
* @throws SdkClientException
*         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
*         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.DescribeKey
* @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeKey" target="_top">AWS API
*      Documentation</a>
*/
default DescribeKeyResponse describeKey(DescribeKeyRequest describeKeyRequest)
        throws NotFoundException, InvalidArnException, DependencyTimeoutException, KmsInternalException,
        AwsServiceException, SdkClientException, KmsException {
    // The default body always throws java.lang.UnsupportedOperationException; an implementation has to
    // override this method for the request to be sent.
    throw new java.lang.UnsupportedOperationException();
}

/**
 * <p>
 * Provides detailed information about a KMS key. You can run <code>DescribeKey</code> on a <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed key</a>
 * or an <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web
 * Services managed key</a>.
 * </p>
 * <p>
 * This detailed information includes the key ARN, creation date (and deletion date, if applicable), the key state,
 * and the origin and expiration date (if any) of the key material. It includes fields, like <code>KeySpec</code>,
 * that help you distinguish different types of KMS keys. It also displays the key usage (encryption, signing, or
 * generating and verifying MACs) and the algorithms that the KMS key supports.
5284 * </p> 5285 * <p> 5286 * For <a href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html">multi-Region 5287 * keys</a>, <code>DescribeKey</code> displays the primary key and all related replica keys. For KMS keys in <a 5288 * href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html">CloudHSM key stores</a>, it 5289 * includes information about the key store, such as the key store ID and the CloudHSM cluster ID. For KMS keys in 5290 * <a href="https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html">external key stores</a>, 5291 * it includes the custom key store ID and the ID of the external key. 5292 * </p> 5293 * <p> 5294 * <code>DescribeKey</code> does not return the following information: 5295 * </p> 5296 * <ul> 5297 * <li> 5298 * <p> 5299 * Aliases associated with the KMS key. To get this information, use <a>ListAliases</a>. 5300 * </p> 5301 * </li> 5302 * <li> 5303 * <p> 5304 * Whether automatic key rotation is enabled on the KMS key. To get this information, use 5305 * <a>GetKeyRotationStatus</a>. Also, some key states prevent a KMS key from being automatically rotated. For 5306 * details, see <a 5307 * href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-how-it-works">How 5308 * Automatic Key Rotation Works</a> in the <i>Key Management Service Developer Guide</i>. 5309 * </p> 5310 * </li> 5311 * <li> 5312 * <p> 5313 * Tags on the KMS key. To get this information, use <a>ListResourceTags</a>. 5314 * </p> 5315 * </li> 5316 * <li> 5317 * <p> 5318 * Key policies and grants on the KMS key. To get this information, use <a>GetKeyPolicy</a> and <a>ListGrants</a>. 5319 * </p> 5320 * </li> 5321 * </ul> 5322 * <p> 5323 * In general, <code>DescribeKey</code> is a non-mutating operation. It returns data about KMS keys, but doesn't 5324 * change them. 
However, Amazon Web Services services use <code>DescribeKey</code> to create <a 5325 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web Services 5326 * managed keys</a> from a <i>predefined Amazon Web Services alias</i> with no key ID. 5327 * </p> 5328 * <p> 5329 * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services 5330 * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. 5331 * </p> 5332 * <p> 5333 * <b>Required permissions</b>: <a 5334 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 5335 * >kms:DescribeKey</a> (key policy) 5336 * </p> 5337 * <p> 5338 * <b>Related operations:</b> 5339 * </p> 5340 * <ul> 5341 * <li> 5342 * <p> 5343 * <a>GetKeyPolicy</a> 5344 * </p> 5345 * </li> 5346 * <li> 5347 * <p> 5348 * <a>GetKeyRotationStatus</a> 5349 * </p> 5350 * </li> 5351 * <li> 5352 * <p> 5353 * <a>ListAliases</a> 5354 * </p> 5355 * </li> 5356 * <li> 5357 * <p> 5358 * <a>ListGrants</a> 5359 * </p> 5360 * </li> 5361 * <li> 5362 * <p> 5363 * <a>ListKeys</a> 5364 * </p> 5365 * </li> 5366 * <li> 5367 * <p> 5368 * <a>ListResourceTags</a> 5369 * </p> 5370 * </li> 5371 * <li> 5372 * <p> 5373 * <a>ListRetirableGrants</a> 5374 * </p> 5375 * </li> 5376 * </ul> 5377 * <p> 5378 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 5379 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 5380 * consistency</a>. 
5381 * </p> 5382 * <br/> 5383 * <p> 5384 * This is a convenience which creates an instance of the {@link DescribeKeyRequest.Builder} avoiding the need to 5385 * create one manually via {@link DescribeKeyRequest#builder()} 5386 * </p> 5387 * 5388 * @param describeKeyRequest 5389 * A {@link Consumer} that will call methods on 5390 * {@link software.amazon.awssdk.services.kms.model.DescribeKeyRequest.Builder} to create a request. 5391 * @return Result of the DescribeKey operation returned by the service. 5392 * @throws NotFoundException 5393 * The request was rejected because the specified entity or resource could not be found. 5394 * @throws InvalidArnException 5395 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 5396 * @throws DependencyTimeoutException 5397 * The system timed out while trying to fulfill the request. You can retry the request. 5398 * @throws KmsInternalException 5399 * The request was rejected because an internal exception occurred. The request can be retried. 5400 * @throws SdkException 5401 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 5402 * catch all scenarios. 5403 * @throws SdkClientException 5404 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 5405 * @throws KmsException 5406 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
* @sample KmsClient.DescribeKey
* @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeKey" target="_top">AWS API
*      Documentation</a>
*/
default DescribeKeyResponse describeKey(Consumer<DescribeKeyRequest.Builder> describeKeyRequest)
        throws NotFoundException, InvalidArnException, DependencyTimeoutException, KmsInternalException,
        AwsServiceException, SdkClientException, KmsException {
    // Let the caller's Consumer configure a fresh builder, then delegate to the request-taking overload.
    DescribeKeyRequest builtRequest = DescribeKeyRequest.builder().applyMutation(describeKeyRequest).build();
    return describeKey(builtRequest);
}

/**
 * <p>
 * Sets the state of a KMS key to disabled. This change temporarily prevents use of the KMS key for <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations">cryptographic
 * operations</a>.
 * </p>
 * <p>
 * For more information about how key state affects the use of a KMS key, see <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the
 * <i>Key Management Service Developer Guide</i>.
 * </p>
 * <p>
 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the
 * <i>Key Management Service Developer Guide</i>.
 * </p>
 * <p>
 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
 * account.
5436 * </p> 5437 * <p> 5438 * <b>Required permissions</b>: <a 5439 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 5440 * >kms:DisableKey</a> (key policy) 5441 * </p> 5442 * <p> 5443 * <b>Related operations</b>: <a>EnableKey</a> 5444 * </p> 5445 * <p> 5446 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 5447 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 5448 * consistency</a>. 5449 * </p> 5450 * 5451 * @param disableKeyRequest 5452 * @return Result of the DisableKey operation returned by the service. 5453 * @throws NotFoundException 5454 * The request was rejected because the specified entity or resource could not be found. 5455 * @throws InvalidArnException 5456 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 5457 * @throws DependencyTimeoutException 5458 * The system timed out while trying to fulfill the request. You can retry the request. 5459 * @throws KmsInternalException 5460 * The request was rejected because an internal exception occurred. The request can be retried. 5461 * @throws KmsInvalidStateException 5462 * The request was rejected because the state of the specified resource is not valid for this request.</p> 5463 * <p> 5464 * This exceptions means one of the following: 5465 * </p> 5466 * <ul> 5467 * <li> 5468 * <p> 5469 * The key state of the KMS key is not compatible with the operation. 5470 * </p> 5471 * <p> 5472 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 5473 * are compatible with each KMS operation, see <a 5474 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 5475 * the <i> <i>Key Management Service Developer Guide</i> </i>. 
*         </p>
*         </li>
*         <li>
*         <p>
*         For cryptographic operations on KMS keys in custom key stores, this exception represents a general
*         failure with many possible causes. To identify the cause, see the error message that accompanies the
*         exception.
*         </p>
*         </li>
*         </ul>
* @throws SdkException
*         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
*         catch all scenarios.
* @throws SdkClientException
*         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
*         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.DisableKey
* @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKey" target="_top">AWS API
*      Documentation</a>
*/
default DisableKeyResponse disableKey(DisableKeyRequest disableKeyRequest)
        throws NotFoundException, InvalidArnException, DependencyTimeoutException, KmsInternalException,
        KmsInvalidStateException, AwsServiceException, SdkClientException, KmsException {
    // The default body always throws java.lang.UnsupportedOperationException; an implementation has to
    // override this method for the request to be sent.
    // Per the Javadoc, the operation is authorized by kms:DisableKey in the key policy and stops the key
    // from being used for cryptographic operations, so that permission is worth granting narrowly.
    throw new java.lang.UnsupportedOperationException();
}

/**
 * <p>
 * Sets the state of a KMS key to disabled. This change temporarily prevents use of the KMS key for <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations">cryptographic
 * operations</a>.
 * </p>
 * <p>
 * For more information about how key state affects the use of a KMS key, see <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the
 * <i>Key Management Service Developer Guide</i>.
 * </p>
 * <p>
 * The KMS key that you use for this operation must be in a compatible key state.
For details, see <a 5515 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 5516 * <i>Key Management Service Developer Guide</i>. 5517 * </p> 5518 * <p> 5519 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 5520 * account. 5521 * </p> 5522 * <p> 5523 * <b>Required permissions</b>: <a 5524 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 5525 * >kms:DisableKey</a> (key policy) 5526 * </p> 5527 * <p> 5528 * <b>Related operations</b>: <a>EnableKey</a> 5529 * </p> 5530 * <p> 5531 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 5532 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 5533 * consistency</a>. 5534 * </p> 5535 * <br/> 5536 * <p> 5537 * This is a convenience which creates an instance of the {@link DisableKeyRequest.Builder} avoiding the need to 5538 * create one manually via {@link DisableKeyRequest#builder()} 5539 * </p> 5540 * 5541 * @param disableKeyRequest 5542 * A {@link Consumer} that will call methods on 5543 * {@link software.amazon.awssdk.services.kms.model.DisableKeyRequest.Builder} to create a request. 5544 * @return Result of the DisableKey operation returned by the service. 5545 * @throws NotFoundException 5546 * The request was rejected because the specified entity or resource could not be found. 5547 * @throws InvalidArnException 5548 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 5549 * @throws DependencyTimeoutException 5550 * The system timed out while trying to fulfill the request. You can retry the request. 5551 * @throws KmsInternalException 5552 * The request was rejected because an internal exception occurred. The request can be retried. 
5553 * @throws KmsInvalidStateException 5554 * The request was rejected because the state of the specified resource is not valid for this request.</p> 5555 * <p> 5556 * This exceptions means one of the following: 5557 * </p> 5558 * <ul> 5559 * <li> 5560 * <p> 5561 * The key state of the KMS key is not compatible with the operation. 5562 * </p> 5563 * <p> 5564 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 5565 * are compatible with each KMS operation, see <a 5566 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 5567 * the <i> <i>Key Management Service Developer Guide</i> </i>. 5568 * </p> 5569 * </li> 5570 * <li> 5571 * <p> 5572 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 5573 * failure with many possible causes. To identify the cause, see the error message that accompanies the 5574 * exception. 5575 * </p> 5576 * </li> 5577 * @throws SdkException 5578 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 5579 * catch all scenarios. 5580 * @throws SdkClientException 5581 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 5582 * @throws KmsException 5583 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
* @sample KmsClient.DisableKey
* @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKey" target="_top">AWS API
*      Documentation</a>
*/
default DisableKeyResponse disableKey(Consumer<DisableKeyRequest.Builder> disableKeyRequest)
        throws NotFoundException, InvalidArnException, DependencyTimeoutException, KmsInternalException,
        KmsInvalidStateException, AwsServiceException, SdkClientException, KmsException {
    // Let the caller's Consumer configure a fresh builder, then delegate to the request-taking overload.
    DisableKeyRequest builtRequest = DisableKeyRequest.builder().applyMutation(disableKeyRequest).build();
    return disableKey(builtRequest);
}

/**
 * <p>
 * Disables <a href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html">automatic rotation of
 * the key material</a> of the specified symmetric encryption KMS key.
 * </p>
 * <p>
 * Automatic key rotation is supported only on symmetric encryption KMS keys. You cannot enable automatic rotation
 * of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS
 * keys</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys
 * with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key
 * material</a>, or KMS keys in a <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>.
 * To enable or disable automatic rotation of a set of related <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate"
 * >multi-Region keys</a>, set the property on the primary key.
5609 * </p> 5610 * <p> 5611 * You can enable (<a>EnableKeyRotation</a>) and disable automatic rotation of the key material in <a 5612 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed KMS 5613 * keys</a>. Key material rotation of <a 5614 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web Services 5615 * managed KMS keys</a> is not configurable. KMS always rotates the key material for every year. Rotation of <a 5616 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk">Amazon Web Services 5617 * owned KMS keys</a> varies. 5618 * </p> 5619 * <note> 5620 * <p> 5621 * In May 2022, KMS changed the rotation schedule for Amazon Web Services managed keys from every three years to 5622 * every year. For details, see <a>EnableKeyRotation</a>. 5623 * </p> 5624 * </note> 5625 * <p> 5626 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 5627 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 5628 * <i>Key Management Service Developer Guide</i>. 5629 * </p> 5630 * <p> 5631 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 5632 * account. 5633 * </p> 5634 * <p> 5635 * <b>Required permissions</b>: <a 5636 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 5637 * >kms:DisableKeyRotation</a> (key policy) 5638 * </p> 5639 * <p> 5640 * <b>Related operations:</b> 5641 * </p> 5642 * <ul> 5643 * <li> 5644 * <p> 5645 * <a>EnableKeyRotation</a> 5646 * </p> 5647 * </li> 5648 * <li> 5649 * <p> 5650 * <a>GetKeyRotationStatus</a> 5651 * </p> 5652 * </li> 5653 * </ul> 5654 * <p> 5655 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. 
For more information, see <a 5656 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 5657 * consistency</a>. 5658 * </p> 5659 * 5660 * @param disableKeyRotationRequest 5661 * @return Result of the DisableKeyRotation operation returned by the service. 5662 * @throws NotFoundException 5663 * The request was rejected because the specified entity or resource could not be found. 5664 * @throws DisabledException 5665 * The request was rejected because the specified KMS key is not enabled. 5666 * @throws InvalidArnException 5667 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 5668 * @throws DependencyTimeoutException 5669 * The system timed out while trying to fulfill the request. You can retry the request. 5670 * @throws KmsInternalException 5671 * The request was rejected because an internal exception occurred. The request can be retried. 5672 * @throws KmsInvalidStateException 5673 * The request was rejected because the state of the specified resource is not valid for this request.</p> 5674 * <p> 5675 * This exception means one of the following: 5676 * </p> 5677 * <ul> 5678 * <li> 5679 * <p> 5680 * The key state of the KMS key is not compatible with the operation. 5681 * </p> 5682 * <p> 5683 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 5684 * are compatible with each KMS operation, see <a 5685 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 5686 * the <i>Key Management Service Developer Guide</i>. 5687 * </p> 5688 * </li> 5689 * <li> 5690 * <p> 5691 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 5692 * failure with many possible causes. To identify the cause, see the error message that accompanies the 5693 * exception.
* </p>
     * </li>
     * @throws software.amazon.awssdk.services.kms.model.UnsupportedOperationException
     *         The request was rejected because a specified parameter is not supported or a specified resource is not
     *         valid for this operation.
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.DisableKeyRotation
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKeyRotation" target="_top">AWS API
     *      Documentation</a>
     */
    default DisableKeyRotationResponse disableKeyRotation(DisableKeyRotationRequest disableKeyRotationRequest)
            throws NotFoundException,
                   DisabledException,
                   InvalidArnException,
                   DependencyTimeoutException,
                   KmsInternalException,
                   KmsInvalidStateException,
                   software.amazon.awssdk.services.kms.model.UnsupportedOperationException,
                   AwsServiceException,
                   SdkClientException,
                   KmsException {
        // Default stub that always throws. The unqualified name is presumably java.lang.UnsupportedOperationException,
        // not the KMS model exception that the throws clause has to spell out in full (confirm against the imports);
        // if so, a catch block for the model exception or for KmsException does not cover it.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Disables <a href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html">automatic rotation of
     * the key material</a> of the specified symmetric encryption KMS key.
     * </p>
     * <p>
     * Automatic key rotation is supported only on symmetric encryption KMS keys.
You cannot enable automatic rotation 5724 * of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS 5725 * keys</a>, <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys 5726 * with <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key 5727 * material</a>, or KMS keys in a <a 5728 * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. 5729 * To enable or disable automatic rotation of a set of related <a 5730 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate" 5731 * >multi-Region keys</a>, set the property on the primary key. 5732 * </p> 5733 * <p> 5734 * You can enable (<a>EnableKeyRotation</a>) and disable automatic rotation of the key material in <a 5735 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed KMS 5736 * keys</a>. Key material rotation of <a 5737 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web Services 5738 * managed KMS keys</a> is not configurable. KMS always rotates the key material of Amazon Web Services managed keys every year. Rotation of <a 5739 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk">Amazon Web Services 5740 * owned KMS keys</a> varies. 5741 * </p> 5742 * <note> 5743 * <p> 5744 * In May 2022, KMS changed the rotation schedule for Amazon Web Services managed keys from every three years to 5745 * every year. For details, see <a>EnableKeyRotation</a>. 5746 * </p> 5747 * </note> 5748 * <p> 5749 * The KMS key that you use for this operation must be in a compatible key state.
For details, see <a 5750 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 5751 * <i>Key Management Service Developer Guide</i>. 5752 * </p> 5753 * <p> 5754 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 5755 * account. 5756 * </p> 5757 * <p> 5758 * <b>Required permissions</b>: <a 5759 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 5760 * >kms:DisableKeyRotation</a> (key policy) 5761 * </p> 5762 * <p> 5763 * <b>Related operations:</b> 5764 * </p> 5765 * <ul> 5766 * <li> 5767 * <p> 5768 * <a>EnableKeyRotation</a> 5769 * </p> 5770 * </li> 5771 * <li> 5772 * <p> 5773 * <a>GetKeyRotationStatus</a> 5774 * </p> 5775 * </li> 5776 * </ul> 5777 * <p> 5778 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 5779 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 5780 * consistency</a>. 5781 * </p> 5782 * <br/> 5783 * <p> 5784 * This is a convenience which creates an instance of the {@link DisableKeyRotationRequest.Builder} avoiding the 5785 * need to create one manually via {@link DisableKeyRotationRequest#builder()} 5786 * </p> 5787 * 5788 * @param disableKeyRotationRequest 5789 * A {@link Consumer} that will call methods on 5790 * {@link software.amazon.awssdk.services.kms.model.DisableKeyRotationRequest.Builder} to create a request. 5791 * @return Result of the DisableKeyRotation operation returned by the service. 5792 * @throws NotFoundException 5793 * The request was rejected because the specified entity or resource could not be found. 5794 * @throws DisabledException 5795 * The request was rejected because the specified KMS key is not enabled. 
5796 * @throws InvalidArnException 5797 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 5798 * @throws DependencyTimeoutException 5799 * The system timed out while trying to fulfill the request. You can retry the request. 5800 * @throws KmsInternalException 5801 * The request was rejected because an internal exception occurred. The request can be retried. 5802 * @throws KmsInvalidStateException 5803 * The request was rejected because the state of the specified resource is not valid for this request.</p> 5804 * <p> 5805 * This exception means one of the following: 5806 * </p> 5807 * <ul> 5808 * <li> 5809 * <p> 5810 * The key state of the KMS key is not compatible with the operation. 5811 * </p> 5812 * <p> 5813 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 5814 * are compatible with each KMS operation, see <a 5815 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 5816 * the <i>Key Management Service Developer Guide</i>. 5817 * </p> 5818 * </li> 5819 * <li> 5820 * <p> 5821 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 5822 * failure with many possible causes. To identify the cause, see the error message that accompanies the 5823 * exception. 5824 * </p> 5825 * </li> 5826 * @throws UnsupportedOperationException 5827 * The request was rejected because a specified parameter is not supported or a specified resource is not 5828 * valid for this operation. 5829 * @throws SdkException 5830 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 5831 * catch all scenarios. 5832 * @throws SdkClientException 5833 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 5834 * @throws KmsException 5835 * Base class for all service exceptions.
Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.DisableKeyRotation
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKeyRotation" target="_top">AWS API
     *      Documentation</a>
     */
    default DisableKeyRotationResponse disableKeyRotation(Consumer<DisableKeyRotationRequest.Builder> disableKeyRotationRequest)
            throws NotFoundException,
                   DisabledException,
                   InvalidArnException,
                   DependencyTimeoutException,
                   KmsInternalException,
                   KmsInvalidStateException,
                   software.amazon.awssdk.services.kms.model.UnsupportedOperationException,
                   AwsServiceException,
                   SdkClientException,
                   KmsException {
        // Turning rotation off changes the key's lifecycle; per the Javadoc above the caller needs
        // kms:DisableKeyRotation in the key policy. This overload only lets the Consumer populate a fresh
        // builder and forwards the built request to the DisableKeyRotationRequest overload.
        DisableKeyRotationRequest builtRequest =
                DisableKeyRotationRequest.builder().applyMutation(disableKeyRotationRequest).build();
        return disableKeyRotation(builtRequest);
    }

    /**
     * <p>
     * Disconnects the <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>
     * from its backing key store. This operation disconnects a CloudHSM key store from its associated CloudHSM cluster
     * or disconnects an external key store from the external key store proxy that communicates with your external key
     * manager.
     * </p>
     * <p>
     * This operation is part of the <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key stores</a>
     * feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of
     * a key store that you own and manage.
     * </p>
     * <p>
     * While a custom key store is disconnected, you can manage the custom key store and its KMS keys, but you cannot
     * create or use its KMS keys. You can reconnect the custom key store at any time.
5864 * </p> 5865 * <note> 5866 * <p> 5867 * While a custom key store is disconnected, all attempts to create KMS keys in the custom key store or to use 5868 * existing KMS keys in <a 5869 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations">cryptographic 5870 * operations</a> will fail. This action can prevent users from storing and accessing sensitive data. 5871 * </p> 5872 * </note> 5873 * <p> 5874 * When you disconnect a custom key store, its <code>ConnectionState</code> changes to <code>Disconnected</code>. To 5875 * find the connection state of a custom key store, use the <a>DescribeCustomKeyStores</a> operation. To reconnect a 5876 * custom key store, use the <a>ConnectCustomKeyStore</a> operation. 5877 * </p> 5878 * <p> 5879 * If the operation succeeds, it returns a JSON object with no properties. 5880 * </p> 5881 * <p> 5882 * <b>Cross-account use</b>: No. You cannot perform this operation on a custom key store in a different Amazon Web 5883 * Services account. 5884 * </p> 5885 * <p> 5886 * <b>Required permissions</b>: <a 5887 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 5888 * >kms:DisconnectCustomKeyStore</a> (IAM policy) 5889 * </p> 5890 * <p> 5891 * <b>Related operations:</b> 5892 * </p> 5893 * <ul> 5894 * <li> 5895 * <p> 5896 * <a>ConnectCustomKeyStore</a> 5897 * </p> 5898 * </li> 5899 * <li> 5900 * <p> 5901 * <a>CreateCustomKeyStore</a> 5902 * </p> 5903 * </li> 5904 * <li> 5905 * <p> 5906 * <a>DeleteCustomKeyStore</a> 5907 * </p> 5908 * </li> 5909 * <li> 5910 * <p> 5911 * <a>DescribeCustomKeyStores</a> 5912 * </p> 5913 * </li> 5914 * <li> 5915 * <p> 5916 * <a>UpdateCustomKeyStore</a> 5917 * </p> 5918 * </li> 5919 * </ul> 5920 * <p> 5921 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. 
For more information, see <a 5922 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 5923 * consistency</a>. 5924 * </p> 5925 * 5926 * @param disconnectCustomKeyStoreRequest 5927 * @return Result of the DisconnectCustomKeyStore operation returned by the service. 5928 * @throws CustomKeyStoreInvalidStateException 5929 * The request was rejected because of the <code>ConnectionState</code> of the custom key store. To get the 5930 * <code>ConnectionState</code> of a custom key store, use the <a>DescribeCustomKeyStores</a> operation.</p> 5931 * <p> 5932 * This exception is thrown under the following conditions: 5933 * </p> 5934 * <ul> 5935 * <li> 5936 * <p> 5937 * You requested the <a>ConnectCustomKeyStore</a> operation on a custom key store with a 5938 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>FAILED</code>. This operation is 5939 * valid for all other <code>ConnectionState</code> values. To reconnect a custom key store in a 5940 * <code>FAILED</code> state, disconnect it (<a>DisconnectCustomKeyStore</a>), then connect it ( 5941 * <code>ConnectCustomKeyStore</code>). 5942 * </p> 5943 * </li> 5944 * <li> 5945 * <p> 5946 * You requested the <a>CreateKey</a> operation in a custom key store that is not connected. This operation 5947 * is valid only when the custom key store <code>ConnectionState</code> is <code>CONNECTED</code>. 5948 * </p> 5949 * </li> 5950 * <li> 5951 * <p> 5952 * You requested the <a>DisconnectCustomKeyStore</a> operation on a custom key store with a 5953 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>DISCONNECTED</code>. This operation 5954 * is valid for all other <code>ConnectionState</code> values. 5955 * </p> 5956 * </li> 5957 * <li> 5958 * <p> 5959 * You requested the <a>UpdateCustomKeyStore</a> or <a>DeleteCustomKeyStore</a> operation on a custom key 5960 * store that is not disconnected.
This operation is valid only when the custom key store 5961 * <code>ConnectionState</code> is <code>DISCONNECTED</code>. 5962 * </p> 5963 * </li> 5964 * <li> 5965 * <p> 5966 * You requested the <a>GenerateRandom</a> operation in a CloudHSM key store that is not connected. This 5967 * operation is valid only when the CloudHSM key store <code>ConnectionState</code> is 5968 * <code>CONNECTED</code>. 5969 * </p> 5970 * </li> 5971 * @throws CustomKeyStoreNotFoundException 5972 * The request was rejected because KMS cannot find a custom key store with the specified key store name or 5973 * ID. 5974 * @throws KmsInternalException 5975 * The request was rejected because an internal exception occurred. The request can be retried. 5976 * @throws SdkException 5977 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 5978 * catch all scenarios. 5979 * @throws SdkClientException 5980 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 5981 * @throws KmsException 5982 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.DisconnectCustomKeyStore
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisconnectCustomKeyStore" target="_top">AWS
     *      API Documentation</a>
     */
    default DisconnectCustomKeyStoreResponse disconnectCustomKeyStore(
            DisconnectCustomKeyStoreRequest disconnectCustomKeyStoreRequest)
            throws CustomKeyStoreInvalidStateException,
                   CustomKeyStoreNotFoundException,
                   KmsInternalException,
                   AwsServiceException,
                   SdkClientException,
                   KmsException {
        // Default stub that always throws; nothing is sent to KMS from here. The unqualified name is presumably
        // java.lang.UnsupportedOperationException (the KMS model class of that simple name is written fully
        // qualified in this interface's throws clauses) -- confirm against the imports.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Disconnects the <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>
     * from its backing key store. This operation disconnects a CloudHSM key store from its associated CloudHSM cluster
     * or disconnects an external key store from the external key store proxy that communicates with your external key
     * manager.
     * </p>
     * <p>
     * This operation is part of the <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key stores</a>
     * feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of
     * a key store that you own and manage.
     * </p>
     * <p>
     * While a custom key store is disconnected, you can manage the custom key store and its KMS keys, but you cannot
     * create or use its KMS keys. You can reconnect the custom key store at any time.
     * </p>
     * <note>
     * <p>
     * While a custom key store is disconnected, all attempts to create KMS keys in the custom key store or to use
     * existing KMS keys in <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations">cryptographic
     * operations</a> will fail.
This action can prevent users from storing and accessing sensitive data. 6017 * </p> 6018 * </note> 6019 * <p> 6020 * When you disconnect a custom key store, its <code>ConnectionState</code> changes to <code>Disconnected</code>. To 6021 * find the connection state of a custom key store, use the <a>DescribeCustomKeyStores</a> operation. To reconnect a 6022 * custom key store, use the <a>ConnectCustomKeyStore</a> operation. 6023 * </p> 6024 * <p> 6025 * If the operation succeeds, it returns a JSON object with no properties. 6026 * </p> 6027 * <p> 6028 * <b>Cross-account use</b>: No. You cannot perform this operation on a custom key store in a different Amazon Web 6029 * Services account. 6030 * </p> 6031 * <p> 6032 * <b>Required permissions</b>: <a 6033 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 6034 * >kms:DisconnectCustomKeyStore</a> (IAM policy) 6035 * </p> 6036 * <p> 6037 * <b>Related operations:</b> 6038 * </p> 6039 * <ul> 6040 * <li> 6041 * <p> 6042 * <a>ConnectCustomKeyStore</a> 6043 * </p> 6044 * </li> 6045 * <li> 6046 * <p> 6047 * <a>CreateCustomKeyStore</a> 6048 * </p> 6049 * </li> 6050 * <li> 6051 * <p> 6052 * <a>DeleteCustomKeyStore</a> 6053 * </p> 6054 * </li> 6055 * <li> 6056 * <p> 6057 * <a>DescribeCustomKeyStores</a> 6058 * </p> 6059 * </li> 6060 * <li> 6061 * <p> 6062 * <a>UpdateCustomKeyStore</a> 6063 * </p> 6064 * </li> 6065 * </ul> 6066 * <p> 6067 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 6068 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 6069 * consistency</a>. 
6070 * </p> 6071 * <br/> 6072 * <p> 6073 * This is a convenience which creates an instance of the {@link DisconnectCustomKeyStoreRequest.Builder} avoiding 6074 * the need to create one manually via {@link DisconnectCustomKeyStoreRequest#builder()} 6075 * </p> 6076 * 6077 * @param disconnectCustomKeyStoreRequest 6078 * A {@link Consumer} that will call methods on 6079 * {@link software.amazon.awssdk.services.kms.model.DisconnectCustomKeyStoreRequest.Builder} to create a 6080 * request. 6081 * @return Result of the DisconnectCustomKeyStore operation returned by the service. 6082 * @throws CustomKeyStoreInvalidStateException 6083 * The request was rejected because of the <code>ConnectionState</code> of the custom key store. To get the 6084 * <code>ConnectionState</code> of a custom key store, use the <a>DescribeCustomKeyStores</a> operation.</p> 6085 * <p> 6086 * This exception is thrown under the following conditions: 6087 * </p> 6088 * <ul> 6089 * <li> 6090 * <p> 6091 * You requested the <a>ConnectCustomKeyStore</a> operation on a custom key store with a 6092 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>FAILED</code>. This operation is 6093 * valid for all other <code>ConnectionState</code> values. To reconnect a custom key store in a 6094 * <code>FAILED</code> state, disconnect it (<a>DisconnectCustomKeyStore</a>), then connect it ( 6095 * <code>ConnectCustomKeyStore</code>). 6096 * </p> 6097 * </li> 6098 * <li> 6099 * <p> 6100 * You requested the <a>CreateKey</a> operation in a custom key store that is not connected. This operation 6101 * is valid only when the custom key store <code>ConnectionState</code> is <code>CONNECTED</code>. 6102 * </p> 6103 * </li> 6104 * <li> 6105 * <p> 6106 * You requested the <a>DisconnectCustomKeyStore</a> operation on a custom key store with a 6107 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>DISCONNECTED</code>.
This operation 6108 * is valid for all other <code>ConnectionState</code> values. 6109 * </p> 6110 * </li> 6111 * <li> 6112 * <p> 6113 * You requested the <a>UpdateCustomKeyStore</a> or <a>DeleteCustomKeyStore</a> operation on a custom key 6114 * store that is not disconnected. This operation is valid only when the custom key store 6115 * <code>ConnectionState</code> is <code>DISCONNECTED</code>. 6116 * </p> 6117 * </li> 6118 * <li> 6119 * <p> 6120 * You requested the <a>GenerateRandom</a> operation in a CloudHSM key store that is not connected. This 6121 * operation is valid only when the CloudHSM key store <code>ConnectionState</code> is 6122 * <code>CONNECTED</code>. 6123 * </p> 6124 * </li> 6125 * @throws CustomKeyStoreNotFoundException 6126 * The request was rejected because KMS cannot find a custom key store with the specified key store name or 6127 * ID. 6128 * @throws KmsInternalException 6129 * The request was rejected because an internal exception occurred. The request can be retried. 6130 * @throws SdkException 6131 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 6132 * catch all scenarios. 6133 * @throws SdkClientException 6134 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 6135 * @throws KmsException 6136 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.DisconnectCustomKeyStore
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisconnectCustomKeyStore" target="_top">AWS
     *      API Documentation</a>
     */
    default DisconnectCustomKeyStoreResponse disconnectCustomKeyStore(
            Consumer<DisconnectCustomKeyStoreRequest.Builder> disconnectCustomKeyStoreRequest)
            throws CustomKeyStoreInvalidStateException,
                   CustomKeyStoreNotFoundException,
                   KmsInternalException,
                   AwsServiceException,
                   SdkClientException,
                   KmsException {
        // Per the Javadoc above, creating or using KMS keys in the store fails while it is disconnected, so callers
        // should treat this as an availability-affecting change. This overload only lets the Consumer populate a
        // fresh builder and forwards the built request to the DisconnectCustomKeyStoreRequest overload.
        DisconnectCustomKeyStoreRequest builtRequest =
                DisconnectCustomKeyStoreRequest.builder().applyMutation(disconnectCustomKeyStoreRequest).build();
        return disconnectCustomKeyStore(builtRequest);
    }

    /**
     * <p>
     * Sets the key state of a KMS key to enabled. This allows you to use the KMS key for <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations">cryptographic
     * operations</a>.
     * </p>
     * <p>
     * The KMS key that you use for this operation must be in a compatible key state. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the
     * <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
     * account.
     * </p>
     * <p>
     * <b>Required permissions</b>: <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:EnableKey</a>
     * (key policy)
     * </p>
     * <p>
     * <b>Related operations</b>: <a>DisableKey</a>
     * </p>
     * <p>
     * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model.
For more information, see <a 6174 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 6175 * consistency</a>. 6176 * </p> 6177 * 6178 * @param enableKeyRequest 6179 * @return Result of the EnableKey operation returned by the service. 6180 * @throws NotFoundException 6181 * The request was rejected because the specified entity or resource could not be found. 6182 * @throws InvalidArnException 6183 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 6184 * @throws DependencyTimeoutException 6185 * The system timed out while trying to fulfill the request. You can retry the request. 6186 * @throws KmsInternalException 6187 * The request was rejected because an internal exception occurred. The request can be retried. 6188 * @throws LimitExceededException 6189 * The request was rejected because a quota was exceeded. For more information, see <a 6190 * href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the <i>Key 6191 * Management Service Developer Guide</i>. 6192 * @throws KmsInvalidStateException 6193 * The request was rejected because the state of the specified resource is not valid for this request.</p> 6194 * <p> 6195 * This exception means one of the following: 6196 * </p> 6197 * <ul> 6198 * <li> 6199 * <p> 6200 * The key state of the KMS key is not compatible with the operation. 6201 * </p> 6202 * <p> 6203 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 6204 * are compatible with each KMS operation, see <a 6205 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 6206 * the <i>Key Management Service Developer Guide</i>.
* </p>
     * </li>
     * <li>
     * <p>
     * For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     * failure with many possible causes. To identify the cause, see the error message that accompanies the
     * exception.
     * </p>
     * </li>
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.EnableKey
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKey" target="_top">AWS API
     *      Documentation</a>
     */
    default EnableKeyResponse enableKey(EnableKeyRequest enableKeyRequest)
            throws NotFoundException,
                   InvalidArnException,
                   DependencyTimeoutException,
                   KmsInternalException,
                   LimitExceededException,
                   KmsInvalidStateException,
                   AwsServiceException,
                   SdkClientException,
                   KmsException {
        // Default stub that always throws; nothing is sent to KMS from here. The unqualified name is presumably
        // java.lang.UnsupportedOperationException (the KMS model class of that simple name is written fully
        // qualified in this interface's throws clauses) -- confirm against the imports.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Sets the key state of a KMS key to enabled. This allows you to use the KMS key for <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations">cryptographic
     * operations</a>.
     * </p>
     * <p>
     * The KMS key that you use for this operation must be in a compatible key state. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the
     * <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * <b>Cross-account use</b>: No.
You cannot perform this operation on a KMS key in a different Amazon Web Services 6246 * account. 6247 * </p> 6248 * <p> 6249 * <b>Required permissions</b>: <a 6250 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:EnableKey</a> 6251 * (key policy) 6252 * </p> 6253 * <p> 6254 * <b>Related operations</b>: <a>DisableKey</a> 6255 * </p> 6256 * <p> 6257 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 6258 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 6259 * consistency</a>. 6260 * </p> 6261 * <br/> 6262 * <p> 6263 * This is a convenience which creates an instance of the {@link EnableKeyRequest.Builder} avoiding the need to 6264 * create one manually via {@link EnableKeyRequest#builder()} 6265 * </p> 6266 * 6267 * @param enableKeyRequest 6268 * A {@link Consumer} that will call methods on 6269 * {@link software.amazon.awssdk.services.kms.model.EnableKeyRequest.Builder} to create a request. 6270 * @return Result of the EnableKey operation returned by the service. 6271 * @throws NotFoundException 6272 * The request was rejected because the specified entity or resource could not be found. 6273 * @throws InvalidArnException 6274 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 6275 * @throws DependencyTimeoutException 6276 * The system timed out while trying to fulfill the request. You can retry the request. 6277 * @throws KmsInternalException 6278 * The request was rejected because an internal exception occurred. The request can be retried. 6279 * @throws LimitExceededException 6280 * The request was rejected because a quota was exceeded. For more information, see <a 6281 * href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the <i>Key 6282 * Management Service Developer Guide</i>. 
6283 * @throws KmsInvalidStateException 6284 * The request was rejected because the state of the specified resource is not valid for this request.</p> 6285 * <p> 6286 * This exception means one of the following: 6287 * </p> 6288 * <ul> 6289 * <li> 6290 * <p> 6291 * The key state of the KMS key is not compatible with the operation. 6292 * </p> 6293 * <p> 6294 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 6295 * are compatible with each KMS operation, see <a 6296 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 6297 * the <i>Key Management Service Developer Guide</i>. 6298 * </p> 6299 * </li> 6300 * <li> 6301 * <p> 6302 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 6303 * failure with many possible causes. To identify the cause, see the error message that accompanies the 6304 * exception. 6305 * </p> 6306 * </li> 6307 * @throws SdkException 6308 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 6309 * catch all scenarios. 6310 * @throws SdkClientException 6311 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 6312 * @throws KmsException 6313 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.EnableKey
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKey" target="_top">AWS API
     *      Documentation</a>
     */
    default EnableKeyResponse enableKey(Consumer<EnableKeyRequest.Builder> enableKeyRequest)
            throws NotFoundException,
                   InvalidArnException,
                   DependencyTimeoutException,
                   KmsInternalException,
                   LimitExceededException,
                   KmsInvalidStateException,
                   AwsServiceException,
                   SdkClientException,
                   KmsException {
        // The consumer fills in a fresh builder; the finished request is then passed to the
        // request-typed overload, which is where the operation itself is carried out.
        EnableKeyRequest builtRequest = EnableKeyRequest.builder().applyMutation(enableKeyRequest).build();
        return enableKey(builtRequest);
    }

    /**
     * <p>
     * Enables <a href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html">automatic rotation of
     * the key material</a> of the specified symmetric encryption KMS key.
     * </p>
     * <p>
     * When you enable automatic rotation of a <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed KMS
     * key</a>, KMS rotates the key material of the KMS key one year (approximately 365 days) from the enable date and
     * every year thereafter. You can monitor rotation of the key material for your KMS keys in CloudTrail and Amazon
     * CloudWatch. To disable rotation of the key material in a customer managed KMS key, use the
     * <a>DisableKeyRotation</a> operation.
     * </p>
     * <p>
     * Automatic key rotation is supported only on <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks">symmetric encryption
     * KMS keys</a>.
     * You cannot enable automatic rotation of <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>,
     * <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys with <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or
     * KMS keys in a <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>.
     * To enable or disable automatic rotation of a set of related <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate"
     * >multi-Region keys</a>, set the property on the primary key.
     * </p>
     * <p>
     * You cannot enable or disable automatic rotation of <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web Services
     * managed KMS keys</a>. KMS always rotates the key material of Amazon Web Services managed keys every year.
     * Rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk">Amazon
     * Web Services owned KMS keys</a> varies.
     * </p>
     * <note>
     * <p>
     * In May 2022, KMS changed the rotation schedule for Amazon Web Services managed keys from every three years
     * (approximately 1,095 days) to every year (approximately 365 days).
     * </p>
     * <p>
     * New Amazon Web Services managed keys are automatically rotated one year after they are created, and approximately
     * every year thereafter.
     * </p>
     * <p>
     * Existing Amazon Web Services managed keys are automatically rotated one year after their most recent rotation,
     * and every year thereafter.
     * </p>
     * </note>
     * <p>
     * The KMS key that you use for this operation must be in a compatible key state.
For details, see <a 6373 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 6374 * <i>Key Management Service Developer Guide</i>. 6375 * </p> 6376 * <p> 6377 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 6378 * account. 6379 * </p> 6380 * <p> 6381 * <b>Required permissions</b>: <a 6382 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 6383 * >kms:EnableKeyRotation</a> (key policy) 6384 * </p> 6385 * <p> 6386 * <b>Related operations:</b> 6387 * </p> 6388 * <ul> 6389 * <li> 6390 * <p> 6391 * <a>DisableKeyRotation</a> 6392 * </p> 6393 * </li> 6394 * <li> 6395 * <p> 6396 * <a>GetKeyRotationStatus</a> 6397 * </p> 6398 * </li> 6399 * </ul> 6400 * <p> 6401 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 6402 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 6403 * consistency</a>. 6404 * </p> 6405 * 6406 * @param enableKeyRotationRequest 6407 * @return Result of the EnableKeyRotation operation returned by the service. 6408 * @throws NotFoundException 6409 * The request was rejected because the specified entity or resource could not be found. 6410 * @throws DisabledException 6411 * The request was rejected because the specified KMS key is not enabled. 6412 * @throws InvalidArnException 6413 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 6414 * @throws DependencyTimeoutException 6415 * The system timed out while trying to fulfill the request. You can retry the request. 6416 * @throws KmsInternalException 6417 * The request was rejected because an internal exception occurred. The request can be retried. 
     * @throws KmsInvalidStateException
     *         <p>
     *         The request was rejected because the state of the specified resource is not valid for this request.
     *         </p>
     *         <p>
     *         This exception means one of the following:
     *         </p>
     *         <ul>
     *         <li>
     *         <p>
     *         The key state of the KMS key is not compatible with the operation.
     *         </p>
     *         <p>
     *         To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states
     *         are compatible with each KMS operation, see <a
     *         href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
     *         the <i>Key Management Service Developer Guide</i>.
     *         </p>
     *         </li>
     *         <li>
     *         <p>
     *         For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     *         failure with many possible causes. To identify the cause, see the error message that accompanies the
     *         exception.
     *         </p>
     *         </li>
     *         </ul>
     * @throws UnsupportedOperationException
     *         The request was rejected because a specified parameter is not supported or a specified resource is not
     *         valid for this operation.
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.EnableKeyRotation
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotation" target="_top">AWS API
     *      Documentation</a>
     */
    default EnableKeyRotationResponse enableKeyRotation(EnableKeyRotationRequest enableKeyRotationRequest)
            throws NotFoundException,
                   DisabledException,
                   InvalidArnException,
                   DependencyTimeoutException,
                   KmsInternalException,
                   KmsInvalidStateException,
                   software.amazon.awssdk.services.kms.model.UnsupportedOperationException,
                   AwsServiceException,
                   SdkClientException,
                   KmsException {
        // Default stub: it makes no call and always throws.
        // NOTE(review): the bare name below presumably resolves to java.lang.UnsupportedOperationException,
        // since the KMS model exception with the same simple name is written fully qualified in the throws
        // clause. If so, this is a client-side "not implemented" signal and not the service error described
        // in the Javadoc above. Confirm against the file's import list.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Enables <a href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html">automatic rotation of
     * the key material</a> of the specified symmetric encryption KMS key.
     * </p>
     * <p>
     * When you enable automatic rotation of a <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed KMS
     * key</a>, KMS rotates the key material of the KMS key one year (approximately 365 days) from the enable date and
     * every year thereafter. You can monitor rotation of the key material for your KMS keys in CloudTrail and Amazon
     * CloudWatch. To disable rotation of the key material in a customer managed KMS key, use the
     * <a>DisableKeyRotation</a> operation.
     * </p>
     * <p>
     * Automatic key rotation is supported only on <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks">symmetric encryption
     * KMS keys</a>.
You cannot enable automatic rotation of <a 6480 * href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, 6481 * <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys with <a 6482 * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or 6483 * KMS keys in a <a 6484 * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. 6485 * To enable or disable automatic rotation of a set of related <a 6486 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate" 6487 * >multi-Region keys</a>, set the property on the primary key. 6488 * </p> 6489 * <p> 6490 * You cannot enable or disable automatic rotation <a 6491 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web Services 6492 * managed KMS keys</a>. KMS always rotates the key material of Amazon Web Services managed keys every year. 6493 * Rotation of <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk">Amazon 6494 * Web Services owned KMS keys</a> varies. 6495 * </p> 6496 * <note> 6497 * <p> 6498 * In May 2022, KMS changed the rotation schedule for Amazon Web Services managed keys from every three years 6499 * (approximately 1,095 days) to every year (approximately 365 days). 6500 * </p> 6501 * <p> 6502 * New Amazon Web Services managed keys are automatically rotated one year after they are created, and approximately 6503 * every year thereafter. 6504 * </p> 6505 * <p> 6506 * Existing Amazon Web Services managed keys are automatically rotated one year after their most recent rotation, 6507 * and every year thereafter. 6508 * </p> 6509 * </note> 6510 * <p> 6511 * The KMS key that you use for this operation must be in a compatible key state. 
For details, see <a 6512 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 6513 * <i>Key Management Service Developer Guide</i>. 6514 * </p> 6515 * <p> 6516 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 6517 * account. 6518 * </p> 6519 * <p> 6520 * <b>Required permissions</b>: <a 6521 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 6522 * >kms:EnableKeyRotation</a> (key policy) 6523 * </p> 6524 * <p> 6525 * <b>Related operations:</b> 6526 * </p> 6527 * <ul> 6528 * <li> 6529 * <p> 6530 * <a>DisableKeyRotation</a> 6531 * </p> 6532 * </li> 6533 * <li> 6534 * <p> 6535 * <a>GetKeyRotationStatus</a> 6536 * </p> 6537 * </li> 6538 * </ul> 6539 * <p> 6540 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 6541 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 6542 * consistency</a>. 6543 * </p> 6544 * <br/> 6545 * <p> 6546 * This is a convenience which creates an instance of the {@link EnableKeyRotationRequest.Builder} avoiding the need 6547 * to create one manually via {@link EnableKeyRotationRequest#builder()} 6548 * </p> 6549 * 6550 * @param enableKeyRotationRequest 6551 * A {@link Consumer} that will call methods on 6552 * {@link software.amazon.awssdk.services.kms.model.EnableKeyRotationRequest.Builder} to create a request. 6553 * @return Result of the EnableKeyRotation operation returned by the service. 6554 * @throws NotFoundException 6555 * The request was rejected because the specified entity or resource could not be found. 6556 * @throws DisabledException 6557 * The request was rejected because the specified KMS key is not enabled. 6558 * @throws InvalidArnException 6559 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 
6560 * @throws DependencyTimeoutException 6561 * The system timed out while trying to fulfill the request. You can retry the request. 6562 * @throws KmsInternalException 6563 * The request was rejected because an internal exception occurred. The request can be retried. 6564 * @throws KmsInvalidStateException 6565 * The request was rejected because the state of the specified resource is not valid for this request.</p> 6566 * <p> 6567 * This exceptions means one of the following: 6568 * </p> 6569 * <ul> 6570 * <li> 6571 * <p> 6572 * The key state of the KMS key is not compatible with the operation. 6573 * </p> 6574 * <p> 6575 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 6576 * are compatible with each KMS operation, see <a 6577 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 6578 * the <i> <i>Key Management Service Developer Guide</i> </i>. 6579 * </p> 6580 * </li> 6581 * <li> 6582 * <p> 6583 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 6584 * failure with many possible causes. To identify the cause, see the error message that accompanies the 6585 * exception. 6586 * </p> 6587 * </li> 6588 * @throws UnsupportedOperationException 6589 * The request was rejected because a specified parameter is not supported or a specified resource is not 6590 * valid for this operation. 6591 * @throws SdkException 6592 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 6593 * catch all scenarios. 6594 * @throws SdkClientException 6595 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 6596 * @throws KmsException 6597 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
     * @sample KmsClient.EnableKeyRotation
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotation" target="_top">AWS API
     *      Documentation</a>
     */
    default EnableKeyRotationResponse enableKeyRotation(
            Consumer<EnableKeyRotationRequest.Builder> enableKeyRotationRequest)
            throws NotFoundException,
                   DisabledException,
                   InvalidArnException,
                   DependencyTimeoutException,
                   KmsInternalException,
                   KmsInvalidStateException,
                   software.amazon.awssdk.services.kms.model.UnsupportedOperationException,
                   AwsServiceException,
                   SdkClientException,
                   KmsException {
        // Build the request from the caller's mutations, then delegate to the request-typed overload.
        EnableKeyRotationRequest builtRequest =
                EnableKeyRotationRequest.builder().applyMutation(enableKeyRotationRequest).build();
        return enableKeyRotation(builtRequest);
    }

    /**
     * <p>
     * Encrypts plaintext of up to 4,096 bytes using a KMS key. You can use a symmetric or asymmetric KMS key with a
     * <code>KeyUsage</code> of <code>ENCRYPT_DECRYPT</code>.
     * </p>
     * <p>
     * You can use this operation to encrypt small amounts of arbitrary data, such as a personal identifier or database
     * password, or other sensitive information. You don't need to use the <code>Encrypt</code> operation to encrypt a
     * data key. The <a>GenerateDataKey</a> and <a>GenerateDataKeyPair</a> operations return a plaintext data key and an
     * encrypted copy of that data key.
     * </p>
     * <p>
     * If you use a symmetric encryption KMS key, you can use an encryption context to add additional security to your
     * encryption operation. If you specify an <code>EncryptionContext</code> when encrypting data, you must specify the
     * same encryption context (a case-sensitive exact match) when decrypting the data. Otherwise, the request to
     * decrypt fails with an <code>InvalidCiphertextException</code>.
For more information, see <a 6625 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">Encryption Context</a> 6626 * in the <i>Key Management Service Developer Guide</i>. 6627 * </p> 6628 * <p> 6629 * If you specify an asymmetric KMS key, you must also specify the encryption algorithm. The algorithm must be 6630 * compatible with the KMS key spec. 6631 * </p> 6632 * <important> 6633 * <p> 6634 * When you use an asymmetric KMS key to encrypt or reencrypt data, be sure to record the KMS key and encryption 6635 * algorithm that you choose. You will be required to provide the same KMS key and encryption algorithm when you 6636 * decrypt the data. If the KMS key and algorithm do not match the values used to encrypt the data, the decrypt 6637 * operation fails. 6638 * </p> 6639 * <p> 6640 * You are not required to supply the key ID and encryption algorithm when you decrypt with symmetric encryption KMS 6641 * keys because KMS stores this information in the ciphertext blob. KMS cannot store metadata in ciphertext 6642 * generated with asymmetric keys. The standard format for asymmetric key ciphertext does not include configurable 6643 * fields. 6644 * </p> 6645 * </important> 6646 * <p> 6647 * The maximum size of the data that you can encrypt varies with the type of KMS key and the encryption algorithm 6648 * that you choose. 
6649 * </p> 6650 * <ul> 6651 * <li> 6652 * <p> 6653 * Symmetric encryption KMS keys 6654 * </p> 6655 * <ul> 6656 * <li> 6657 * <p> 6658 * <code>SYMMETRIC_DEFAULT</code>: 4096 bytes 6659 * </p> 6660 * </li> 6661 * </ul> 6662 * </li> 6663 * <li> 6664 * <p> 6665 * <code>RSA_2048</code> 6666 * </p> 6667 * <ul> 6668 * <li> 6669 * <p> 6670 * <code>RSAES_OAEP_SHA_1</code>: 214 bytes 6671 * </p> 6672 * </li> 6673 * <li> 6674 * <p> 6675 * <code>RSAES_OAEP_SHA_256</code>: 190 bytes 6676 * </p> 6677 * </li> 6678 * </ul> 6679 * </li> 6680 * <li> 6681 * <p> 6682 * <code>RSA_3072</code> 6683 * </p> 6684 * <ul> 6685 * <li> 6686 * <p> 6687 * <code>RSAES_OAEP_SHA_1</code>: 342 bytes 6688 * </p> 6689 * </li> 6690 * <li> 6691 * <p> 6692 * <code>RSAES_OAEP_SHA_256</code>: 318 bytes 6693 * </p> 6694 * </li> 6695 * </ul> 6696 * </li> 6697 * <li> 6698 * <p> 6699 * <code>RSA_4096</code> 6700 * </p> 6701 * <ul> 6702 * <li> 6703 * <p> 6704 * <code>RSAES_OAEP_SHA_1</code>: 470 bytes 6705 * </p> 6706 * </li> 6707 * <li> 6708 * <p> 6709 * <code>RSAES_OAEP_SHA_256</code>: 446 bytes 6710 * </p> 6711 * </li> 6712 * </ul> 6713 * </li> 6714 * <li> 6715 * <p> 6716 * <code>SM2PKE</code>: 1024 bytes (China Regions only) 6717 * </p> 6718 * </li> 6719 * </ul> 6720 * <p> 6721 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 6722 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 6723 * <i>Key Management Service Developer Guide</i>. 6724 * </p> 6725 * <p> 6726 * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services 6727 * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. 
     * </p>
     * <p>
     * <b>Required permissions</b>: <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:Encrypt</a>
     * (key policy)
     * </p>
     * <p>
     * <b>Related operations:</b>
     * </p>
     * <ul>
     * <li>
     * <p>
     * <a>Decrypt</a>
     * </p>
     * </li>
     * <li>
     * <p>
     * <a>GenerateDataKey</a>
     * </p>
     * </li>
     * <li>
     * <p>
     * <a>GenerateDataKeyPair</a>
     * </p>
     * </li>
     * </ul>
     * <p>
     * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual
     * consistency</a>.
     * </p>
     *
     * @param encryptRequest
     * @return Result of the Encrypt operation returned by the service.
     * @throws NotFoundException
     *         The request was rejected because the specified entity or resource could not be found.
     * @throws DisabledException
     *         The request was rejected because the specified KMS key is not enabled.
     * @throws KeyUnavailableException
     *         The request was rejected because the specified KMS key was not available. You can retry the request.
     * @throws DependencyTimeoutException
     *         The system timed out while trying to fulfill the request. You can retry the request.
     * @throws InvalidKeyUsageException
     *         <p>
     *         The request was rejected for one of the following reasons:
     *         </p>
     *         <ul>
     *         <li>
     *         <p>
     *         The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation.
     *         </p>
     *         </li>
     *         <li>
     *         <p>
     *         The encryption algorithm or signing algorithm specified for the operation is incompatible with the type
     *         of key material in the KMS key (<code>KeySpec</code>).
6782 * </p> 6783 * </li> 6784 * </ul> 6785 * <p> 6786 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 6787 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 6788 * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the 6789 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 6790 * KMS key, use the <a>DescribeKey</a> operation. 6791 * </p> 6792 * <p> 6793 * To find the encryption or signing algorithms supported for a particular KMS key, use the 6794 * <a>DescribeKey</a> operation. 6795 * @throws InvalidGrantTokenException 6796 * The request was rejected because the specified grant token is not valid. 6797 * @throws KmsInternalException 6798 * The request was rejected because an internal exception occurred. The request can be retried. 6799 * @throws KmsInvalidStateException 6800 * The request was rejected because the state of the specified resource is not valid for this request. 6801 * </p> 6802 * <p> 6803 * This exceptions means one of the following: 6804 * </p> 6805 * <ul> 6806 * <li> 6807 * <p> 6808 * The key state of the KMS key is not compatible with the operation. 6809 * </p> 6810 * <p> 6811 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 6812 * are compatible with each KMS operation, see <a 6813 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 6814 * the <i> <i>Key Management Service Developer Guide</i> </i>. 6815 * </p> 6816 * </li> 6817 * <li> 6818 * <p> 6819 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 6820 * failure with many possible causes. To identify the cause, see the error message that accompanies the 6821 * exception. 
     *         </p>
     *         </li>
     * @throws DryRunOperationException
     *         The request was rejected because the DryRun parameter was specified.
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.Encrypt
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Encrypt" target="_top">AWS API
     *      Documentation</a>
     */
    default EncryptResponse encrypt(EncryptRequest encryptRequest)
            throws NotFoundException,
                   DisabledException,
                   KeyUnavailableException,
                   DependencyTimeoutException,
                   InvalidKeyUsageException,
                   InvalidGrantTokenException,
                   KmsInternalException,
                   KmsInvalidStateException,
                   DryRunOperationException,
                   AwsServiceException,
                   SdkClientException,
                   KmsException {
        // Default stub: it makes no call and always throws; nothing is encrypted on this path.
        // Presumably a concrete client overrides this method. That is not visible from here.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Encrypts plaintext of up to 4,096 bytes using a KMS key. You can use a symmetric or asymmetric KMS key with a
     * <code>KeyUsage</code> of <code>ENCRYPT_DECRYPT</code>.
     * </p>
     * <p>
     * You can use this operation to encrypt small amounts of arbitrary data, such as a personal identifier or database
     * password, or other sensitive information. You don't need to use the <code>Encrypt</code> operation to encrypt a
     * data key. The <a>GenerateDataKey</a> and <a>GenerateDataKeyPair</a> operations return a plaintext data key and an
     * encrypted copy of that data key.
6854 * </p> 6855 * <p> 6856 * If you use a symmetric encryption KMS key, you can use an encryption context to add additional security to your 6857 * encryption operation. If you specify an <code>EncryptionContext</code> when encrypting data, you must specify the 6858 * same encryption context (a case-sensitive exact match) when decrypting the data. Otherwise, the request to 6859 * decrypt fails with an <code>InvalidCiphertextException</code>. For more information, see <a 6860 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">Encryption Context</a> 6861 * in the <i>Key Management Service Developer Guide</i>. 6862 * </p> 6863 * <p> 6864 * If you specify an asymmetric KMS key, you must also specify the encryption algorithm. The algorithm must be 6865 * compatible with the KMS key spec. 6866 * </p> 6867 * <important> 6868 * <p> 6869 * When you use an asymmetric KMS key to encrypt or reencrypt data, be sure to record the KMS key and encryption 6870 * algorithm that you choose. You will be required to provide the same KMS key and encryption algorithm when you 6871 * decrypt the data. If the KMS key and algorithm do not match the values used to encrypt the data, the decrypt 6872 * operation fails. 6873 * </p> 6874 * <p> 6875 * You are not required to supply the key ID and encryption algorithm when you decrypt with symmetric encryption KMS 6876 * keys because KMS stores this information in the ciphertext blob. KMS cannot store metadata in ciphertext 6877 * generated with asymmetric keys. The standard format for asymmetric key ciphertext does not include configurable 6878 * fields. 6879 * </p> 6880 * </important> 6881 * <p> 6882 * The maximum size of the data that you can encrypt varies with the type of KMS key and the encryption algorithm 6883 * that you choose. 
6884 * </p> 6885 * <ul> 6886 * <li> 6887 * <p> 6888 * Symmetric encryption KMS keys 6889 * </p> 6890 * <ul> 6891 * <li> 6892 * <p> 6893 * <code>SYMMETRIC_DEFAULT</code>: 4096 bytes 6894 * </p> 6895 * </li> 6896 * </ul> 6897 * </li> 6898 * <li> 6899 * <p> 6900 * <code>RSA_2048</code> 6901 * </p> 6902 * <ul> 6903 * <li> 6904 * <p> 6905 * <code>RSAES_OAEP_SHA_1</code>: 214 bytes 6906 * </p> 6907 * </li> 6908 * <li> 6909 * <p> 6910 * <code>RSAES_OAEP_SHA_256</code>: 190 bytes 6911 * </p> 6912 * </li> 6913 * </ul> 6914 * </li> 6915 * <li> 6916 * <p> 6917 * <code>RSA_3072</code> 6918 * </p> 6919 * <ul> 6920 * <li> 6921 * <p> 6922 * <code>RSAES_OAEP_SHA_1</code>: 342 bytes 6923 * </p> 6924 * </li> 6925 * <li> 6926 * <p> 6927 * <code>RSAES_OAEP_SHA_256</code>: 318 bytes 6928 * </p> 6929 * </li> 6930 * </ul> 6931 * </li> 6932 * <li> 6933 * <p> 6934 * <code>RSA_4096</code> 6935 * </p> 6936 * <ul> 6937 * <li> 6938 * <p> 6939 * <code>RSAES_OAEP_SHA_1</code>: 470 bytes 6940 * </p> 6941 * </li> 6942 * <li> 6943 * <p> 6944 * <code>RSAES_OAEP_SHA_256</code>: 446 bytes 6945 * </p> 6946 * </li> 6947 * </ul> 6948 * </li> 6949 * <li> 6950 * <p> 6951 * <code>SM2PKE</code>: 1024 bytes (China Regions only) 6952 * </p> 6953 * </li> 6954 * </ul> 6955 * <p> 6956 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 6957 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 6958 * <i>Key Management Service Developer Guide</i>. 6959 * </p> 6960 * <p> 6961 * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services 6962 * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. 
6963 * </p> 6964 * <p> 6965 * <b>Required permissions</b>: <a 6966 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:Encrypt</a> 6967 * (key policy) 6968 * </p> 6969 * <p> 6970 * <b>Related operations:</b> 6971 * </p> 6972 * <ul> 6973 * <li> 6974 * <p> 6975 * <a>Decrypt</a> 6976 * </p> 6977 * </li> 6978 * <li> 6979 * <p> 6980 * <a>GenerateDataKey</a> 6981 * </p> 6982 * </li> 6983 * <li> 6984 * <p> 6985 * <a>GenerateDataKeyPair</a> 6986 * </p> 6987 * </li> 6988 * </ul> 6989 * <p> 6990 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 6991 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 6992 * consistency</a>. 6993 * </p> 6994 * <br/> 6995 * <p> 6996 * This is a convenience which creates an instance of the {@link EncryptRequest.Builder} avoiding the need to create 6997 * one manually via {@link EncryptRequest#builder()} 6998 * </p> 6999 * 7000 * @param encryptRequest 7001 * A {@link Consumer} that will call methods on 7002 * {@link software.amazon.awssdk.services.kms.model.EncryptRequest.Builder} to create a request. 7003 * @return Result of the Encrypt operation returned by the service. 7004 * @throws NotFoundException 7005 * The request was rejected because the specified entity or resource could not be found. 7006 * @throws DisabledException 7007 * The request was rejected because the specified KMS key is not enabled. 7008 * @throws KeyUnavailableException 7009 * The request was rejected because the specified KMS key was not available. You can retry the request. 7010 * @throws DependencyTimeoutException 7011 * The system timed out while trying to fulfill the request. You can retry the request. 
7012 * @throws InvalidKeyUsageException 7013 * The request was rejected for one of the following reasons: </p> 7014 * <ul> 7015 * <li> 7016 * <p> 7017 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 7018 * </p> 7019 * </li> 7020 * <li> 7021 * <p> 7022 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 7023 * of key material in the KMS key <code>(KeySpec</code>). 7024 * </p> 7025 * </li> 7026 * </ul> 7027 * <p> 7028 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 7029 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 7030 * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the 7031 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 7032 * KMS key, use the <a>DescribeKey</a> operation. 7033 * </p> 7034 * <p> 7035 * To find the encryption or signing algorithms supported for a particular KMS key, use the 7036 * <a>DescribeKey</a> operation. 7037 * @throws InvalidGrantTokenException 7038 * The request was rejected because the specified grant token is not valid. 7039 * @throws KmsInternalException 7040 * The request was rejected because an internal exception occurred. The request can be retried. 7041 * @throws KmsInvalidStateException 7042 * The request was rejected because the state of the specified resource is not valid for this request. 7043 * </p> 7044 * <p> 7045 * This exceptions means one of the following: 7046 * </p> 7047 * <ul> 7048 * <li> 7049 * <p> 7050 * The key state of the KMS key is not compatible with the operation. 7051 * </p> 7052 * <p> 7053 * To find the key state, use the <a>DescribeKey</a> operation. 
For more information about which key states
     *         are compatible with each KMS operation, see <a
     *         href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
     *         the <i>Key Management Service Developer Guide</i>.
     *         </p>
     *         </li>
     *         <li>
     *         <p>
     *         For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     *         failure with many possible causes. To identify the cause, see the error message that accompanies the
     *         exception.
     *         </p>
     *         </li>
     *         </ul>
     * @throws DryRunOperationException
     *         The request was rejected because the DryRun parameter was specified.
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.Encrypt
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Encrypt" target="_top">AWS API
     *      Documentation</a>
     */
    default EncryptResponse encrypt(Consumer<EncryptRequest.Builder> encryptRequest)
            throws NotFoundException, DisabledException, KeyUnavailableException, DependencyTimeoutException,
            InvalidKeyUsageException, InvalidGrantTokenException, KmsInternalException, KmsInvalidStateException,
            DryRunOperationException, AwsServiceException, SdkClientException, KmsException {
        // Convenience overload: a fresh builder is mutated by the caller's consumer, and the built
        // request is handed to the request-object overload of encrypt, whose result is returned as is.
        EncryptRequest builtRequest = EncryptRequest.builder().applyMutation(encryptRequest).build();
        return encrypt(builtRequest);
    }

    /**
     * <p>
     * Returns a unique symmetric data key for use outside of KMS.
This operation returns a plaintext copy of the data 7089 * key and a copy that is encrypted under a symmetric encryption KMS key that you specify. The bytes in the 7090 * plaintext key are random; they are not related to the caller or the KMS key. You can use the plaintext key to 7091 * encrypt your data outside of KMS and store the encrypted data key with the encrypted data. 7092 * </p> 7093 * <p> 7094 * To generate a data key, specify the symmetric encryption KMS key that will be used to encrypt the data key. You 7095 * cannot use an asymmetric KMS key to encrypt data keys. To get the type of your KMS key, use the 7096 * <a>DescribeKey</a> operation. 7097 * </p> 7098 * <p> 7099 * You must also specify the length of the data key. Use either the <code>KeySpec</code> or 7100 * <code>NumberOfBytes</code> parameters (but not both). For 128-bit and 256-bit data keys, use the 7101 * <code>KeySpec</code> parameter. 7102 * </p> 7103 * <p> 7104 * To generate a 128-bit SM4 data key (China Regions only), specify a <code>KeySpec</code> value of 7105 * <code>AES_128</code> or a <code>NumberOfBytes</code> value of <code>16</code>. The symmetric encryption key used 7106 * in China Regions to encrypt your data key is an SM4 encryption key. 7107 * </p> 7108 * <p> 7109 * To get only an encrypted copy of the data key, use <a>GenerateDataKeyWithoutPlaintext</a>. To generate an 7110 * asymmetric data key pair, use the <a>GenerateDataKeyPair</a> or <a>GenerateDataKeyPairWithoutPlaintext</a> 7111 * operation. To get a cryptographically secure random byte string, use <a>GenerateRandom</a>. 7112 * </p> 7113 * <p> 7114 * You can use an optional encryption context to add additional security to the encryption operation. If you specify 7115 * an <code>EncryptionContext</code>, you must specify the same encryption context (a case-sensitive exact match) 7116 * when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an 7117 * <code>InvalidCiphertextException</code>. 
For more information, see <a 7118 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">Encryption Context</a> 7119 * in the <i>Key Management Service Developer Guide</i>. 7120 * </p> 7121 * <p> 7122 * <code>GenerateDataKey</code> also supports <a 7123 * href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html">Amazon Web Services Nitro 7124 * Enclaves</a>, which provide an isolated compute environment in Amazon EC2. To call <code>GenerateDataKey</code> 7125 * for an Amazon Web Services Nitro enclave, use the <a 7126 * href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services 7127 * Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the <code>Recipient</code> parameter to provide the 7128 * attestation document for the enclave. <code>GenerateDataKey</code> returns a copy of the data key encrypted under 7129 * the specified KMS key, as usual. But instead of a plaintext copy of the data key, the response includes a copy of 7130 * the data key encrypted under the public key from the attestation document (<code>CiphertextForRecipient</code>). 7131 * For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a 7132 * href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services 7133 * Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>. 7134 * </p> 7135 * <p> 7136 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 7137 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 7138 * <i>Key Management Service Developer Guide</i>. 7139 * </p> 7140 * <p> 7141 * <b>How to use your data key</b> 7142 * </p> 7143 * <p> 7144 * We recommend that you use the following pattern to encrypt data locally in your application.
You can write your 7145 * own code or use a client-side encryption library, such as the <a 7146 * href="https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/">Amazon Web Services Encryption SDK</a>, 7147 * the <a href="https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/">Amazon DynamoDB Encryption 7148 * Client</a>, or <a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html">Amazon S3 7149 * client-side encryption</a> to do these tasks for you. 7150 * </p> 7151 * <p> 7152 * To encrypt data outside of KMS: 7153 * </p> 7154 * <ol> 7155 * <li> 7156 * <p> 7157 * Use the <code>GenerateDataKey</code> operation to get a data key. 7158 * </p> 7159 * </li> 7160 * <li> 7161 * <p> 7162 * Use the plaintext data key (in the <code>Plaintext</code> field of the response) to encrypt your data outside of 7163 * KMS. Then erase the plaintext data key from memory. 7164 * </p> 7165 * </li> 7166 * <li> 7167 * <p> 7168 * Store the encrypted data key (in the <code>CiphertextBlob</code> field of the response) with the encrypted data. 7169 * </p> 7170 * </li> 7171 * </ol> 7172 * <p> 7173 * To decrypt data outside of KMS: 7174 * </p> 7175 * <ol> 7176 * <li> 7177 * <p> 7178 * Use the <a>Decrypt</a> operation to decrypt the encrypted data key. The operation returns a plaintext copy of the 7179 * data key. 7180 * </p> 7181 * </li> 7182 * <li> 7183 * <p> 7184 * Use the plaintext data key to decrypt data outside of KMS, then erase the plaintext data key from memory. 7185 * </p> 7186 * </li> 7187 * </ol> 7188 * <p> 7189 * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services 7190 * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. 
7191 * </p> 7192 * <p> 7193 * <b>Required permissions</b>: <a 7194 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 7195 * >kms:GenerateDataKey</a> (key policy) 7196 * </p> 7197 * <p> 7198 * <b>Related operations:</b> 7199 * </p> 7200 * <ul> 7201 * <li> 7202 * <p> 7203 * <a>Decrypt</a> 7204 * </p> 7205 * </li> 7206 * <li> 7207 * <p> 7208 * <a>Encrypt</a> 7209 * </p> 7210 * </li> 7211 * <li> 7212 * <p> 7213 * <a>GenerateDataKeyPair</a> 7214 * </p> 7215 * </li> 7216 * <li> 7217 * <p> 7218 * <a>GenerateDataKeyPairWithoutPlaintext</a> 7219 * </p> 7220 * </li> 7221 * <li> 7222 * <p> 7223 * <a>GenerateDataKeyWithoutPlaintext</a> 7224 * </p> 7225 * </li> 7226 * </ul> 7227 * <p> 7228 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 7229 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 7230 * consistency</a>. 7231 * </p> 7232 * 7233 * @param generateDataKeyRequest 7234 * @return Result of the GenerateDataKey operation returned by the service. 7235 * @throws NotFoundException 7236 * The request was rejected because the specified entity or resource could not be found. 7237 * @throws DisabledException 7238 * The request was rejected because the specified KMS key is not enabled. 7239 * @throws KeyUnavailableException 7240 * The request was rejected because the specified KMS key was not available. You can retry the request. 7241 * @throws DependencyTimeoutException 7242 * The system timed out while trying to fulfill the request. You can retry the request. 7243 * @throws InvalidKeyUsageException 7244 * The request was rejected for one of the following reasons: </p> 7245 * <ul> 7246 * <li> 7247 * <p> 7248 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 
7249 * </p> 7250 * </li> 7251 * <li> 7252 * <p> 7253 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 7254 * of key material in the KMS key (<code>KeySpec</code>). 7255 * </p> 7256 * </li> 7257 * </ul> 7258 * <p> 7259 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 7260 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 7261 * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the 7262 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 7263 * KMS key, use the <a>DescribeKey</a> operation. 7264 * </p> 7265 * <p> 7266 * To find the encryption or signing algorithms supported for a particular KMS key, use the 7267 * <a>DescribeKey</a> operation. 7268 * @throws InvalidGrantTokenException 7269 * The request was rejected because the specified grant token is not valid. 7270 * @throws KmsInternalException 7271 * The request was rejected because an internal exception occurred. The request can be retried. 7272 * @throws KmsInvalidStateException 7273 * The request was rejected because the state of the specified resource is not valid for this request. 7274 * </p> 7275 * <p> 7276 * This exception means one of the following: 7277 * </p> 7278 * <ul> 7279 * <li> 7280 * <p> 7281 * The key state of the KMS key is not compatible with the operation. 7282 * </p> 7283 * <p> 7284 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 7285 * are compatible with each KMS operation, see <a 7286 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 7287 * the <i>Key Management Service Developer Guide</i>.
*         </p>
     *         </li>
     *         <li>
     *         <p>
     *         For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     *         failure with many possible causes. To identify the cause, see the error message that accompanies the
     *         exception.
     *         </p>
     *         </li>
     *         </ul>
     * @throws DryRunOperationException
     *         The request was rejected because the DryRun parameter was specified.
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.GenerateDataKey
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKey" target="_top">AWS API
     *      Documentation</a>
     */
    default GenerateDataKeyResponse generateDataKey(GenerateDataKeyRequest generateDataKeyRequest)
            throws NotFoundException, DisabledException, KeyUnavailableException, DependencyTimeoutException,
            InvalidKeyUsageException, InvalidGrantTokenException, KmsInternalException, KmsInvalidStateException,
            DryRunOperationException, AwsServiceException, SdkClientException, KmsException {
        // Default body of the interface method: it makes no request and returns no key material,
        // it throws unconditionally. Presumably concrete clients override it; verify for the
        // implementation in use.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Returns a unique symmetric data key for use outside of KMS. This operation returns a plaintext copy of the data
     * key and a copy that is encrypted under a symmetric encryption KMS key that you specify. The bytes in the
     * plaintext key are random; they are not related to the caller or the KMS key.
You can use the plaintext key to 7322 * encrypt your data outside of KMS and store the encrypted data key with the encrypted data. 7323 * </p> 7324 * <p> 7325 * To generate a data key, specify the symmetric encryption KMS key that will be used to encrypt the data key. You 7326 * cannot use an asymmetric KMS key to encrypt data keys. To get the type of your KMS key, use the 7327 * <a>DescribeKey</a> operation. 7328 * </p> 7329 * <p> 7330 * You must also specify the length of the data key. Use either the <code>KeySpec</code> or 7331 * <code>NumberOfBytes</code> parameters (but not both). For 128-bit and 256-bit data keys, use the 7332 * <code>KeySpec</code> parameter. 7333 * </p> 7334 * <p> 7335 * To generate a 128-bit SM4 data key (China Regions only), specify a <code>KeySpec</code> value of 7336 * <code>AES_128</code> or a <code>NumberOfBytes</code> value of <code>16</code>. The symmetric encryption key used 7337 * in China Regions to encrypt your data key is an SM4 encryption key. 7338 * </p> 7339 * <p> 7340 * To get only an encrypted copy of the data key, use <a>GenerateDataKeyWithoutPlaintext</a>. To generate an 7341 * asymmetric data key pair, use the <a>GenerateDataKeyPair</a> or <a>GenerateDataKeyPairWithoutPlaintext</a> 7342 * operation. To get a cryptographically secure random byte string, use <a>GenerateRandom</a>. 7343 * </p> 7344 * <p> 7345 * You can use an optional encryption context to add additional security to the encryption operation. If you specify 7346 * an <code>EncryptionContext</code>, you must specify the same encryption context (a case-sensitive exact match) 7347 * when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an 7348 * <code>InvalidCiphertextException</code>. For more information, see <a 7349 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">Encryption Context</a> 7350 * in the <i>Key Management Service Developer Guide</i>. 
7351 * </p> 7352 * <p> 7353 * <code>GenerateDataKey</code> also supports <a 7354 * href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html">Amazon Web Services Nitro 7355 * Enclaves</a>, which provide an isolated compute environment in Amazon EC2. To call <code>GenerateDataKey</code> 7356 * for an Amazon Web Services Nitro enclave, use the <a 7357 * href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services 7358 * Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the <code>Recipient</code> parameter to provide the 7359 * attestation document for the enclave. <code>GenerateDataKey</code> returns a copy of the data key encrypted under 7360 * the specified KMS key, as usual. But instead of a plaintext copy of the data key, the response includes a copy of 7361 * the data key encrypted under the public key from the attestation document (<code>CiphertextForRecipient</code>). 7362 * For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a 7363 * href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services 7364 * Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>. 7365 * </p> 7366 * <p> 7367 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 7368 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 7369 * <i>Key Management Service Developer Guide</i>. 7370 * </p> 7371 * <p> 7372 * <b>How to use your data key</b> 7373 * </p> 7374 * <p> 7375 * We recommend that you use the following pattern to encrypt data locally in your application.
You can write your 7376 * own code or use a client-side encryption library, such as the <a 7377 * href="https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/">Amazon Web Services Encryption SDK</a>, 7378 * the <a href="https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/">Amazon DynamoDB Encryption 7379 * Client</a>, or <a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html">Amazon S3 7380 * client-side encryption</a> to do these tasks for you. 7381 * </p> 7382 * <p> 7383 * To encrypt data outside of KMS: 7384 * </p> 7385 * <ol> 7386 * <li> 7387 * <p> 7388 * Use the <code>GenerateDataKey</code> operation to get a data key. 7389 * </p> 7390 * </li> 7391 * <li> 7392 * <p> 7393 * Use the plaintext data key (in the <code>Plaintext</code> field of the response) to encrypt your data outside of 7394 * KMS. Then erase the plaintext data key from memory. 7395 * </p> 7396 * </li> 7397 * <li> 7398 * <p> 7399 * Store the encrypted data key (in the <code>CiphertextBlob</code> field of the response) with the encrypted data. 7400 * </p> 7401 * </li> 7402 * </ol> 7403 * <p> 7404 * To decrypt data outside of KMS: 7405 * </p> 7406 * <ol> 7407 * <li> 7408 * <p> 7409 * Use the <a>Decrypt</a> operation to decrypt the encrypted data key. The operation returns a plaintext copy of the 7410 * data key. 7411 * </p> 7412 * </li> 7413 * <li> 7414 * <p> 7415 * Use the plaintext data key to decrypt data outside of KMS, then erase the plaintext data key from memory. 7416 * </p> 7417 * </li> 7418 * </ol> 7419 * <p> 7420 * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services 7421 * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. 
7422 * </p> 7423 * <p> 7424 * <b>Required permissions</b>: <a 7425 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 7426 * >kms:GenerateDataKey</a> (key policy) 7427 * </p> 7428 * <p> 7429 * <b>Related operations:</b> 7430 * </p> 7431 * <ul> 7432 * <li> 7433 * <p> 7434 * <a>Decrypt</a> 7435 * </p> 7436 * </li> 7437 * <li> 7438 * <p> 7439 * <a>Encrypt</a> 7440 * </p> 7441 * </li> 7442 * <li> 7443 * <p> 7444 * <a>GenerateDataKeyPair</a> 7445 * </p> 7446 * </li> 7447 * <li> 7448 * <p> 7449 * <a>GenerateDataKeyPairWithoutPlaintext</a> 7450 * </p> 7451 * </li> 7452 * <li> 7453 * <p> 7454 * <a>GenerateDataKeyWithoutPlaintext</a> 7455 * </p> 7456 * </li> 7457 * </ul> 7458 * <p> 7459 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 7460 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 7461 * consistency</a>. 7462 * </p> 7463 * <br/> 7464 * <p> 7465 * This is a convenience which creates an instance of the {@link GenerateDataKeyRequest.Builder} avoiding the need 7466 * to create one manually via {@link GenerateDataKeyRequest#builder()} 7467 * </p> 7468 * 7469 * @param generateDataKeyRequest 7470 * A {@link Consumer} that will call methods on 7471 * {@link software.amazon.awssdk.services.kms.model.GenerateDataKeyRequest.Builder} to create a request. 7472 * @return Result of the GenerateDataKey operation returned by the service. 7473 * @throws NotFoundException 7474 * The request was rejected because the specified entity or resource could not be found. 7475 * @throws DisabledException 7476 * The request was rejected because the specified KMS key is not enabled. 7477 * @throws KeyUnavailableException 7478 * The request was rejected because the specified KMS key was not available. You can retry the request. 
7479 * @throws DependencyTimeoutException 7480 * The system timed out while trying to fulfill the request. You can retry the request. 7481 * @throws InvalidKeyUsageException 7482 * The request was rejected for one of the following reasons: </p> 7483 * <ul> 7484 * <li> 7485 * <p> 7486 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 7487 * </p> 7488 * </li> 7489 * <li> 7490 * <p> 7491 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 7492 * of key material in the KMS key (<code>KeySpec</code>). 7493 * </p> 7494 * </li> 7495 * </ul> 7496 * <p> 7497 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 7498 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 7499 * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the 7500 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 7501 * KMS key, use the <a>DescribeKey</a> operation. 7502 * </p> 7503 * <p> 7504 * To find the encryption or signing algorithms supported for a particular KMS key, use the 7505 * <a>DescribeKey</a> operation. 7506 * @throws InvalidGrantTokenException 7507 * The request was rejected because the specified grant token is not valid. 7508 * @throws KmsInternalException 7509 * The request was rejected because an internal exception occurred. The request can be retried. 7510 * @throws KmsInvalidStateException 7511 * The request was rejected because the state of the specified resource is not valid for this request. 7512 * </p> 7513 * <p> 7514 * This exception means one of the following: 7515 * </p> 7516 * <ul> 7517 * <li> 7518 * <p> 7519 * The key state of the KMS key is not compatible with the operation. 7520 * </p> 7521 * <p> 7522 * To find the key state, use the <a>DescribeKey</a> operation.
For more information about which key states 7523 * are compatible with each KMS operation, see <a 7524 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 7525 * the <i>Key Management Service Developer Guide</i>. 7526 * </p> 7527 * </li> 7528 * <li> 7529 * <p> 7530 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 7531 * failure with many possible causes. To identify the cause, see the error message that accompanies the 7532 * exception. 7533 * </p> 7534 * </li> </ul> 7535 * @throws DryRunOperationException 7536 * The request was rejected because the DryRun parameter was specified. 7537 * @throws SdkException 7538 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 7539 * catch all scenarios. 7540 * @throws SdkClientException 7541 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 7542 * @throws KmsException 7543 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.GenerateDataKey
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKey" target="_top">AWS API
     *      Documentation</a>
     */
    default GenerateDataKeyResponse generateDataKey(Consumer<GenerateDataKeyRequest.Builder> generateDataKeyRequest)
            throws NotFoundException, DisabledException, KeyUnavailableException, DependencyTimeoutException,
            InvalidKeyUsageException, InvalidGrantTokenException, KmsInternalException, KmsInvalidStateException,
            DryRunOperationException, AwsServiceException, SdkClientException, KmsException {
        // Convenience overload: a fresh builder is mutated by the caller's consumer, and the built
        // request is handed to the request-object overload of generateDataKey.
        GenerateDataKeyRequest builtRequest =
                GenerateDataKeyRequest.builder().applyMutation(generateDataKeyRequest).build();
        // Per the Javadoc above, the response carries a plaintext copy of the data key (Plaintext field).
        // This wrapper returns the response unchanged, so erasing that plaintext after use stays with
        // the caller.
        return generateDataKey(builtRequest);
    }

    /**
     * <p>
     * Returns a unique asymmetric data key pair for use outside of KMS. This operation returns a plaintext public key,
     * a plaintext private key, and a copy of the private key that is encrypted under the symmetric encryption KMS key
     * you specify. You can use the data key pair to perform asymmetric cryptography and implement digital signatures
     * outside of KMS. The bytes in the keys are random; they are not related to the caller or to the KMS key that is
     * used to encrypt the private key.
     * </p>
     * <p>
     * You can use the public key that <code>GenerateDataKeyPair</code> returns to encrypt data or verify a signature
     * outside of KMS. Then, store the encrypted private key with the data. When you are ready to decrypt data or sign a
     * message, you can use the <a>Decrypt</a> operation to decrypt the encrypted private key.
     * </p>
     * <p>
     * To generate a data key pair, you must specify a symmetric encryption KMS key to encrypt the private key in a data
     * key pair. You cannot use an asymmetric KMS key or a KMS key in a custom key store.
To get the type and origin of 7571 * your KMS key, use the <a>DescribeKey</a> operation. 7572 * </p> 7573 * <p> 7574 * Use the <code>KeyPairSpec</code> parameter to choose an RSA or Elliptic Curve (ECC) data key pair. In China 7575 * Regions, you can also choose an SM2 data key pair. KMS recommends that you use ECC key pairs for signing, and use 7576 * RSA and SM2 key pairs for either encryption or signing, but not both. However, KMS cannot enforce any 7577 * restrictions on the use of data key pairs outside of KMS. 7578 * </p> 7579 * <p> 7580 * If you are using the data key pair to encrypt data, or for any operation where you don't immediately need a 7581 * private key, consider using the <a>GenerateDataKeyPairWithoutPlaintext</a> operation. 7582 * <code>GenerateDataKeyPairWithoutPlaintext</code> returns a plaintext public key and an encrypted private key, but 7583 * omits the plaintext private key that you need only to decrypt ciphertext or sign a message. Later, when you need 7584 * to decrypt the data or sign a message, use the <a>Decrypt</a> operation to decrypt the encrypted private key in 7585 * the data key pair. 7586 * </p> 7587 * <p> 7588 * <code>GenerateDataKeyPair</code> returns a unique data key pair for each request. The bytes in the keys are 7589 * random; they are not related to the caller or the KMS key that is used to encrypt the private key. The public key 7590 * is a DER-encoded X.509 SubjectPublicKeyInfo, as specified in <a href="https://tools.ietf.org/html/rfc5280">RFC 7591 * 5280</a>. The private key is a DER-encoded PKCS8 PrivateKeyInfo, as specified in <a 7592 * href="https://tools.ietf.org/html/rfc5958">RFC 5958</a>. 7593 * </p> 7594 * <p> 7595 * <code>GenerateDataKeyPair</code> also supports <a 7596 * href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html">Amazon Web Services Nitro 7597 * Enclaves</a>, which provide an isolated compute environment in Amazon EC2. 
To call 7598 * <code>GenerateDataKeyPair</code> for an Amazon Web Services Nitro enclave, use the <a 7599 * href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services 7600 * Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the <code>Recipient</code> parameter to provide the 7601 * attestation document for the enclave. <code>GenerateDataKeyPair</code> returns the public data key and a copy of 7602 * the private data key encrypted under the specified KMS key, as usual. But instead of a plaintext copy of the 7603 * private data key (<code>PrivateKeyPlaintext</code>), the response includes a copy of the private data key 7604 * encrypted under the public key from the attestation document (<code>CiphertextForRecipient</code>). For 7605 * information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a 7606 * href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services 7607 * Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>. 7608 * </p> 7609 * <p> 7610 * You can use an optional encryption context to add additional security to the encryption operation. If you specify 7611 * an <code>EncryptionContext</code>, you must specify the same encryption context (a case-sensitive exact match) 7612 * when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an 7613 * <code>InvalidCiphertextException</code>. For more information, see <a 7614 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">Encryption Context</a> 7615 * in the <i>Key Management Service Developer Guide</i>. 7616 * </p> 7617 * <p> 7618 * The KMS key that you use for this operation must be in a compatible key state.
For details, see <a 7619 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 7620 * <i>Key Management Service Developer Guide</i>. 7621 * </p> 7622 * <p> 7623 * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services 7624 * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. 7625 * </p> 7626 * <p> 7627 * <b>Required permissions</b>: <a 7628 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 7629 * >kms:GenerateDataKeyPair</a> (key policy) 7630 * </p> 7631 * <p> 7632 * <b>Related operations:</b> 7633 * </p> 7634 * <ul> 7635 * <li> 7636 * <p> 7637 * <a>Decrypt</a> 7638 * </p> 7639 * </li> 7640 * <li> 7641 * <p> 7642 * <a>Encrypt</a> 7643 * </p> 7644 * </li> 7645 * <li> 7646 * <p> 7647 * <a>GenerateDataKey</a> 7648 * </p> 7649 * </li> 7650 * <li> 7651 * <p> 7652 * <a>GenerateDataKeyPairWithoutPlaintext</a> 7653 * </p> 7654 * </li> 7655 * <li> 7656 * <p> 7657 * <a>GenerateDataKeyWithoutPlaintext</a> 7658 * </p> 7659 * </li> 7660 * </ul> 7661 * <p> 7662 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 7663 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 7664 * consistency</a>. 7665 * </p> 7666 * 7667 * @param generateDataKeyPairRequest 7668 * @return Result of the GenerateDataKeyPair operation returned by the service. 7669 * @throws NotFoundException 7670 * The request was rejected because the specified entity or resource could not be found. 7671 * @throws DisabledException 7672 * The request was rejected because the specified KMS key is not enabled. 7673 * @throws KeyUnavailableException 7674 * The request was rejected because the specified KMS key was not available. You can retry the request. 
7675 * @throws DependencyTimeoutException 7676 * The system timed out while trying to fulfill the request. You can retry the request. 7677 * @throws InvalidKeyUsageException 7678 * The request was rejected for one of the following reasons: </p> 7679 * <ul> 7680 * <li> 7681 * <p> 7682 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 7683 * </p> 7684 * </li> 7685 * <li> 7686 * <p> 7687 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 7688 * of key material in the KMS key (<code>KeySpec</code>). 7689 * </p> 7690 * </li> 7691 * </ul> 7692 * <p> 7693 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 7694 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 7695 * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the 7696 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 7697 * KMS key, use the <a>DescribeKey</a> operation. 7698 * </p> 7699 * <p> 7700 * To find the encryption or signing algorithms supported for a particular KMS key, use the 7701 * <a>DescribeKey</a> operation. 7702 * @throws InvalidGrantTokenException 7703 * The request was rejected because the specified grant token is not valid. 7704 * @throws KmsInternalException 7705 * The request was rejected because an internal exception occurred. The request can be retried. 7706 * @throws KmsInvalidStateException 7707 * The request was rejected because the state of the specified resource is not valid for this request. 7708 * </p> 7709 * <p> 7710 * This exception means one of the following: 7711 * </p> 7712 * <ul> 7713 * <li> 7714 * <p> 7715 * The key state of the KMS key is not compatible with the operation. 7716 * </p> 7717 * <p> 7718 * To find the key state, use the <a>DescribeKey</a> operation.
For more information about which key states 7719 * are compatible with each KMS operation, see <a 7720 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 7721 * the <i> <i>Key Management Service Developer Guide</i> </i>. 7722 * </p> 7723 * </li> 7724 * <li> 7725 * <p> 7726 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 7727 * failure with many possible causes. To identify the cause, see the error message that accompanies the 7728 * exception. 7729 * </p> 7730 * </li> 7731 * @throws UnsupportedOperationException 7732 * The request was rejected because a specified parameter is not supported or a specified resource is not 7733 * valid for this operation. 7734 * @throws DryRunOperationException 7735 * The request was rejected because the DryRun parameter was specified. 7736 * @throws SdkException 7737 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 7738 * catch all scenarios. 7739 * @throws SdkClientException 7740 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 7741 * @throws KmsException 7742 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
* @sample KmsClient.GenerateDataKeyPair
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPair" target="_top">AWS API
     *      Documentation</a>
     */
    default GenerateDataKeyPairResponse generateDataKeyPair(GenerateDataKeyPairRequest generateDataKeyPairRequest)
            throws NotFoundException, DisabledException, KeyUnavailableException, DependencyTimeoutException,
            InvalidKeyUsageException, InvalidGrantTokenException, KmsInternalException, KmsInvalidStateException,
            software.amazon.awssdk.services.kms.model.UnsupportedOperationException, DryRunOperationException,
            AwsServiceException, SdkClientException, KmsException {
        // Default body: nothing is sent anywhere from here, the call is rejected unconditionally.
        // NOTE(review): the type thrown below is written with its simple name, whereas the service-model
        // UnsupportedOperationException in the throws clause is fully qualified; presumably the simple name
        // resolves to java.lang.UnsupportedOperationException - confirm against the file's imports.
        final UnsupportedOperationException notImplemented = new UnsupportedOperationException();
        throw notImplemented;
    }

    /**
     * <p>
     * Returns a unique asymmetric data key pair for use outside of KMS. This operation returns a plaintext public key,
     * a plaintext private key, and a copy of the private key that is encrypted under the symmetric encryption KMS key
     * you specify. You can use the data key pair to perform asymmetric cryptography and implement digital signatures
     * outside of KMS. The bytes in the keys are random; they are not related to the caller or to the KMS key that is
     * used to encrypt the private key.
     * </p>
     * <p>
     * You can use the public key that <code>GenerateDataKeyPair</code> returns to encrypt data or verify a signature
     * outside of KMS. Then, store the encrypted private key with the data. When you are ready to decrypt data or sign a
     * message, you can use the <a>Decrypt</a> operation to decrypt the encrypted private key.
     * </p>
     * <p>
     * To generate a data key pair, you must specify a symmetric encryption KMS key to encrypt the private key in a data
     * key pair. You cannot use an asymmetric KMS key or a KMS key in a custom key store.
To get the type and origin of 7771 * your KMS key, use the <a>DescribeKey</a> operation. 7772 * </p> 7773 * <p> 7774 * Use the <code>KeyPairSpec</code> parameter to choose an RSA or Elliptic Curve (ECC) data key pair. In China 7775 * Regions, you can also choose an SM2 data key pair. KMS recommends that you use ECC key pairs for signing, and use 7776 * RSA and SM2 key pairs for either encryption or signing, but not both. However, KMS cannot enforce any 7777 * restrictions on the use of data key pairs outside of KMS. 7778 * </p> 7779 * <p> 7780 * If you are using the data key pair to encrypt data, or for any operation where you don't immediately need a 7781 * private key, consider using the <a>GenerateDataKeyPairWithoutPlaintext</a> operation. 7782 * <code>GenerateDataKeyPairWithoutPlaintext</code> returns a plaintext public key and an encrypted private key, but 7783 * omits the plaintext private key that you need only to decrypt ciphertext or sign a message. Later, when you need 7784 * to decrypt the data or sign a message, use the <a>Decrypt</a> operation to decrypt the encrypted private key in 7785 * the data key pair. 7786 * </p> 7787 * <p> 7788 * <code>GenerateDataKeyPair</code> returns a unique data key pair for each request. The bytes in the keys are 7789 * random; they are not related to the caller or the KMS key that is used to encrypt the private key. The public key 7790 * is a DER-encoded X.509 SubjectPublicKeyInfo, as specified in <a href="https://tools.ietf.org/html/rfc5280">RFC 7791 * 5280</a>. The private key is a DER-encoded PKCS8 PrivateKeyInfo, as specified in <a 7792 * href="https://tools.ietf.org/html/rfc5958">RFC 5958</a>. 7793 * </p> 7794 * <p> 7795 * <code>GenerateDataKeyPair</code> also supports <a 7796 * href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html">Amazon Web Services Nitro 7797 * Enclaves</a>, which provide an isolated compute environment in Amazon EC2. 
To call 7798 * <code>GenerateDataKeyPair</code> for an Amazon Web Services Nitro enclave, use the <a 7799 * href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services 7800 * Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the <code>Recipient</code> parameter to provide the 7801 * attestation document for the enclave. <code>GenerateDataKeyPair</code> returns the public data key and a copy of 7802 * the private data key encrypted under the specified KMS key, as usual. But instead of a plaintext copy of the 7803 * private data key (<code>PrivateKeyPlaintext</code>), the response includes a copy of the private data key 7804 * encrypted under the public key from the attestation document (<code>CiphertextForRecipient</code>). For 7805 * information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a 7806 * href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services 7807 * Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>. 7808 * </p> 7809 * <p> 7810 * You can use an optional encryption context to add additional security to the encryption operation. If you specify 7811 * an <code>EncryptionContext</code>, you must specify the same encryption context (a case-sensitive exact match) 7812 * when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an 7813 * <code>InvalidCiphertextException</code>. For more information, see <a 7814 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">Encryption Context</a> 7815 * in the <i>Key Management Service Developer Guide</i>. 7816 * </p> 7817 * <p> 7818 * The KMS key that you use for this operation must be in a compatible key state.
For details, see <a 7819 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 7820 * <i>Key Management Service Developer Guide</i>. 7821 * </p> 7822 * <p> 7823 * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services 7824 * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. 7825 * </p> 7826 * <p> 7827 * <b>Required permissions</b>: <a 7828 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 7829 * >kms:GenerateDataKeyPair</a> (key policy) 7830 * </p> 7831 * <p> 7832 * <b>Related operations:</b> 7833 * </p> 7834 * <ul> 7835 * <li> 7836 * <p> 7837 * <a>Decrypt</a> 7838 * </p> 7839 * </li> 7840 * <li> 7841 * <p> 7842 * <a>Encrypt</a> 7843 * </p> 7844 * </li> 7845 * <li> 7846 * <p> 7847 * <a>GenerateDataKey</a> 7848 * </p> 7849 * </li> 7850 * <li> 7851 * <p> 7852 * <a>GenerateDataKeyPairWithoutPlaintext</a> 7853 * </p> 7854 * </li> 7855 * <li> 7856 * <p> 7857 * <a>GenerateDataKeyWithoutPlaintext</a> 7858 * </p> 7859 * </li> 7860 * </ul> 7861 * <p> 7862 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 7863 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 7864 * consistency</a>. 7865 * </p> 7866 * <br/> 7867 * <p> 7868 * This is a convenience which creates an instance of the {@link GenerateDataKeyPairRequest.Builder} avoiding the 7869 * need to create one manually via {@link GenerateDataKeyPairRequest#builder()} 7870 * </p> 7871 * 7872 * @param generateDataKeyPairRequest 7873 * A {@link Consumer} that will call methods on 7874 * {@link software.amazon.awssdk.services.kms.model.GenerateDataKeyPairRequest.Builder} to create a request. 7875 * @return Result of the GenerateDataKeyPair operation returned by the service. 
7876 * @throws NotFoundException 7877 * The request was rejected because the specified entity or resource could not be found. 7878 * @throws DisabledException 7879 * The request was rejected because the specified KMS key is not enabled. 7880 * @throws KeyUnavailableException 7881 * The request was rejected because the specified KMS key was not available. You can retry the request. 7882 * @throws DependencyTimeoutException 7883 * The system timed out while trying to fulfill the request. You can retry the request. 7884 * @throws InvalidKeyUsageException 7885 * The request was rejected for one of the following reasons: </p> 7886 * <ul> 7887 * <li> 7888 * <p> 7889 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 7890 * </p> 7891 * </li> 7892 * <li> 7893 * <p> 7894 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 7895 * of key material in the KMS key <code>(KeySpec</code>). 7896 * </p> 7897 * </li> 7898 * </ul> 7899 * <p> 7900 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 7901 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 7902 * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the 7903 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 7904 * KMS key, use the <a>DescribeKey</a> operation. 7905 * </p> 7906 * <p> 7907 * To find the encryption or signing algorithms supported for a particular KMS key, use the 7908 * <a>DescribeKey</a> operation. 7909 * @throws InvalidGrantTokenException 7910 * The request was rejected because the specified grant token is not valid. 7911 * @throws KmsInternalException 7912 * The request was rejected because an internal exception occurred. The request can be retried. 
7913 * @throws KmsInvalidStateException 7914 * The request was rejected because the state of the specified resource is not valid for this request. 7915 * </p> 7916 * <p> 7917 * This exception means one of the following: 7918 * </p> 7919 * <ul> 7920 * <li> 7921 * <p> 7922 * The key state of the KMS key is not compatible with the operation. 7923 * </p> 7924 * <p> 7925 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 7926 * are compatible with each KMS operation, see <a 7927 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 7928 * the <i>Key Management Service Developer Guide</i>. 7929 * </p> 7930 * </li> 7931 * <li> 7932 * <p> 7933 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 7934 * failure with many possible causes. To identify the cause, see the error message that accompanies the 7935 * exception. 7936 * </p> 7937 * </li> 7938 * @throws UnsupportedOperationException 7939 * The request was rejected because a specified parameter is not supported or a specified resource is not 7940 * valid for this operation. 7941 * @throws DryRunOperationException 7942 * The request was rejected because the DryRun parameter was specified. 7943 * @throws SdkException 7944 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 7945 * catch all scenarios. 7946 * @throws SdkClientException 7947 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 7948 * @throws KmsException 7949 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.GenerateDataKeyPair
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPair" target="_top">AWS API
     *      Documentation</a>
     */
    default GenerateDataKeyPairResponse generateDataKeyPair(
            Consumer<GenerateDataKeyPairRequest.Builder> generateDataKeyPairRequest) throws NotFoundException, DisabledException,
            KeyUnavailableException, DependencyTimeoutException, InvalidKeyUsageException, InvalidGrantTokenException,
            KmsInternalException, KmsInvalidStateException,
            software.amazon.awssdk.services.kms.model.UnsupportedOperationException, DryRunOperationException,
            AwsServiceException, SdkClientException, KmsException {
        // Apply the caller's consumer to a fresh builder, then hand the built request to the
        // request-object overload; this method adds no behaviour of its own.
        // Per the Javadoc above, the response includes the private key in plaintext unless a Recipient is
        // supplied; generateDataKeyPairWithoutPlaintext is the variant that omits it.
        final GenerateDataKeyPairRequest builtRequest =
                GenerateDataKeyPairRequest.builder().applyMutation(generateDataKeyPairRequest).build();
        return generateDataKeyPair(builtRequest);
    }

    /**
     * <p>
     * Returns a unique asymmetric data key pair for use outside of KMS. This operation returns a plaintext public key
     * and a copy of the private key that is encrypted under the symmetric encryption KMS key you specify. Unlike
     * <a>GenerateDataKeyPair</a>, this operation does not return a plaintext private key. The bytes in the keys are
     * random; they are not related to the caller or to the KMS key that is used to encrypt the private key.
     * </p>
     * <p>
     * You can use the public key that <code>GenerateDataKeyPairWithoutPlaintext</code> returns to encrypt data or
     * verify a signature outside of KMS. Then, store the encrypted private key with the data. When you are ready to
     * decrypt data or sign a message, you can use the <a>Decrypt</a> operation to decrypt the encrypted private key.
     * </p>
     * <p>
     * To generate a data key pair, you must specify a symmetric encryption KMS key to encrypt the private key in a data
     * key pair.
You cannot use an asymmetric KMS key or a KMS key in a custom key store. To get the type and origin of 7978 * your KMS key, use the <a>DescribeKey</a> operation. 7979 * </p> 7980 * <p> 7981 * Use the <code>KeyPairSpec</code> parameter to choose an RSA or Elliptic Curve (ECC) data key pair. In China 7982 * Regions, you can also choose an SM2 data key pair. KMS recommends that you use ECC key pairs for signing, and use 7983 * RSA and SM2 key pairs for either encryption or signing, but not both. However, KMS cannot enforce any 7984 * restrictions on the use of data key pairs outside of KMS. 7985 * </p> 7986 * <p> 7987 * <code>GenerateDataKeyPairWithoutPlaintext</code> returns a unique data key pair for each request. The bytes in 7988 * the key are not related to the caller or KMS key that is used to encrypt the private key. The public key is a 7989 * DER-encoded X.509 SubjectPublicKeyInfo, as specified in <a href="https://tools.ietf.org/html/rfc5280">RFC 7990 * 5280</a>. 7991 * </p> 7992 * <p> 7993 * You can use an optional encryption context to add additional security to the encryption operation. If you specify 7994 * an <code>EncryptionContext</code>, you must specify the same encryption context (a case-sensitive exact match) 7995 * when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an 7996 * <code>InvalidCiphertextException</code>. For more information, see <a 7997 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">Encryption Context</a> 7998 * in the <i>Key Management Service Developer Guide</i>. 7999 * </p> 8000 * <p> 8001 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 8002 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 8003 * <i>Key Management Service Developer Guide</i>. 8004 * </p> 8005 * <p> 8006 * <b>Cross-account use</b>: Yes. 
To perform this operation with a KMS key in a different Amazon Web Services 8007 * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. 8008 * </p> 8009 * <p> 8010 * <b>Required permissions</b>: <a 8011 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 8012 * >kms:GenerateDataKeyPairWithoutPlaintext</a> (key policy) 8013 * </p> 8014 * <p> 8015 * <b>Related operations:</b> 8016 * </p> 8017 * <ul> 8018 * <li> 8019 * <p> 8020 * <a>Decrypt</a> 8021 * </p> 8022 * </li> 8023 * <li> 8024 * <p> 8025 * <a>Encrypt</a> 8026 * </p> 8027 * </li> 8028 * <li> 8029 * <p> 8030 * <a>GenerateDataKey</a> 8031 * </p> 8032 * </li> 8033 * <li> 8034 * <p> 8035 * <a>GenerateDataKeyPair</a> 8036 * </p> 8037 * </li> 8038 * <li> 8039 * <p> 8040 * <a>GenerateDataKeyWithoutPlaintext</a> 8041 * </p> 8042 * </li> 8043 * </ul> 8044 * <p> 8045 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 8046 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 8047 * consistency</a>. 8048 * </p> 8049 * 8050 * @param generateDataKeyPairWithoutPlaintextRequest 8051 * @return Result of the GenerateDataKeyPairWithoutPlaintext operation returned by the service. 8052 * @throws NotFoundException 8053 * The request was rejected because the specified entity or resource could not be found. 8054 * @throws DisabledException 8055 * The request was rejected because the specified KMS key is not enabled. 8056 * @throws KeyUnavailableException 8057 * The request was rejected because the specified KMS key was not available. You can retry the request. 8058 * @throws DependencyTimeoutException 8059 * The system timed out while trying to fulfill the request. You can retry the request. 
8060 * @throws InvalidKeyUsageException 8061 * The request was rejected for one of the following reasons: </p> 8062 * <ul> 8063 * <li> 8064 * <p> 8065 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 8066 * </p> 8067 * </li> 8068 * <li> 8069 * <p> 8070 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 8071 * of key material in the KMS key (<code>KeySpec</code>). 8072 * </p> 8073 * </li> 8074 * </ul> 8075 * <p> 8076 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 8077 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 8078 * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the 8079 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 8080 * KMS key, use the <a>DescribeKey</a> operation. 8081 * </p> 8082 * <p> 8083 * To find the encryption or signing algorithms supported for a particular KMS key, use the 8084 * <a>DescribeKey</a> operation. 8085 * @throws InvalidGrantTokenException 8086 * The request was rejected because the specified grant token is not valid. 8087 * @throws KmsInternalException 8088 * The request was rejected because an internal exception occurred. The request can be retried. 8089 * @throws KmsInvalidStateException 8090 * The request was rejected because the state of the specified resource is not valid for this request. 8091 * </p> 8092 * <p> 8093 * This exception means one of the following: 8094 * </p> 8095 * <ul> 8096 * <li> 8097 * <p> 8098 * The key state of the KMS key is not compatible with the operation. 8099 * </p> 8100 * <p> 8101 * To find the key state, use the <a>DescribeKey</a> operation.
For more information about which key states 8102 * are compatible with each KMS operation, see <a 8103 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 8104 * the <i> <i>Key Management Service Developer Guide</i> </i>. 8105 * </p> 8106 * </li> 8107 * <li> 8108 * <p> 8109 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 8110 * failure with many possible causes. To identify the cause, see the error message that accompanies the 8111 * exception. 8112 * </p> 8113 * </li> 8114 * @throws UnsupportedOperationException 8115 * The request was rejected because a specified parameter is not supported or a specified resource is not 8116 * valid for this operation. 8117 * @throws DryRunOperationException 8118 * The request was rejected because the DryRun parameter was specified. 8119 * @throws SdkException 8120 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 8121 * catch all scenarios. 8122 * @throws SdkClientException 8123 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 8124 * @throws KmsException 8125 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
* @sample KmsClient.GenerateDataKeyPairWithoutPlaintext
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintext"
     *      target="_top">AWS API Documentation</a>
     */
    default GenerateDataKeyPairWithoutPlaintextResponse generateDataKeyPairWithoutPlaintext(
            GenerateDataKeyPairWithoutPlaintextRequest generateDataKeyPairWithoutPlaintextRequest) throws NotFoundException,
            DisabledException, KeyUnavailableException, DependencyTimeoutException, InvalidKeyUsageException,
            InvalidGrantTokenException, KmsInternalException, KmsInvalidStateException,
            software.amazon.awssdk.services.kms.model.UnsupportedOperationException, DryRunOperationException,
            AwsServiceException, SdkClientException, KmsException {
        // Default body: nothing is sent anywhere from here, the call is rejected unconditionally.
        // NOTE(review): the type thrown below is written with its simple name, whereas the service-model
        // UnsupportedOperationException in the throws clause is fully qualified; presumably the simple name
        // resolves to java.lang.UnsupportedOperationException - confirm against the file's imports.
        final UnsupportedOperationException notImplemented = new UnsupportedOperationException();
        throw notImplemented;
    }

    /**
     * <p>
     * Returns a unique asymmetric data key pair for use outside of KMS. This operation returns a plaintext public key
     * and a copy of the private key that is encrypted under the symmetric encryption KMS key you specify. Unlike
     * <a>GenerateDataKeyPair</a>, this operation does not return a plaintext private key. The bytes in the keys are
     * random; they are not related to the caller or to the KMS key that is used to encrypt the private key.
     * </p>
     * <p>
     * You can use the public key that <code>GenerateDataKeyPairWithoutPlaintext</code> returns to encrypt data or
     * verify a signature outside of KMS. Then, store the encrypted private key with the data. When you are ready to
     * decrypt data or sign a message, you can use the <a>Decrypt</a> operation to decrypt the encrypted private key.
     * </p>
     * <p>
     * To generate a data key pair, you must specify a symmetric encryption KMS key to encrypt the private key in a data
     * key pair.
You cannot use an asymmetric KMS key or a KMS key in a custom key store. To get the type and origin of 8154 * your KMS key, use the <a>DescribeKey</a> operation. 8155 * </p> 8156 * <p> 8157 * Use the <code>KeyPairSpec</code> parameter to choose an RSA or Elliptic Curve (ECC) data key pair. In China 8158 * Regions, you can also choose an SM2 data key pair. KMS recommends that you use ECC key pairs for signing, and use 8159 * RSA and SM2 key pairs for either encryption or signing, but not both. However, KMS cannot enforce any 8160 * restrictions on the use of data key pairs outside of KMS. 8161 * </p> 8162 * <p> 8163 * <code>GenerateDataKeyPairWithoutPlaintext</code> returns a unique data key pair for each request. The bytes in 8164 * the key are not related to the caller or KMS key that is used to encrypt the private key. The public key is a 8165 * DER-encoded X.509 SubjectPublicKeyInfo, as specified in <a href="https://tools.ietf.org/html/rfc5280">RFC 8166 * 5280</a>. 8167 * </p> 8168 * <p> 8169 * You can use an optional encryption context to add additional security to the encryption operation. If you specify 8170 * an <code>EncryptionContext</code>, you must specify the same encryption context (a case-sensitive exact match) 8171 * when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an 8172 * <code>InvalidCiphertextException</code>. For more information, see <a 8173 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">Encryption Context</a> 8174 * in the <i>Key Management Service Developer Guide</i>. 8175 * </p> 8176 * <p> 8177 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 8178 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 8179 * <i>Key Management Service Developer Guide</i>. 8180 * </p> 8181 * <p> 8182 * <b>Cross-account use</b>: Yes. 
To perform this operation with a KMS key in a different Amazon Web Services 8183 * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. 8184 * </p> 8185 * <p> 8186 * <b>Required permissions</b>: <a 8187 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 8188 * >kms:GenerateDataKeyPairWithoutPlaintext</a> (key policy) 8189 * </p> 8190 * <p> 8191 * <b>Related operations:</b> 8192 * </p> 8193 * <ul> 8194 * <li> 8195 * <p> 8196 * <a>Decrypt</a> 8197 * </p> 8198 * </li> 8199 * <li> 8200 * <p> 8201 * <a>Encrypt</a> 8202 * </p> 8203 * </li> 8204 * <li> 8205 * <p> 8206 * <a>GenerateDataKey</a> 8207 * </p> 8208 * </li> 8209 * <li> 8210 * <p> 8211 * <a>GenerateDataKeyPair</a> 8212 * </p> 8213 * </li> 8214 * <li> 8215 * <p> 8216 * <a>GenerateDataKeyWithoutPlaintext</a> 8217 * </p> 8218 * </li> 8219 * </ul> 8220 * <p> 8221 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 8222 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 8223 * consistency</a>. 8224 * </p> 8225 * <br/> 8226 * <p> 8227 * This is a convenience which creates an instance of the {@link GenerateDataKeyPairWithoutPlaintextRequest.Builder} 8228 * avoiding the need to create one manually via {@link GenerateDataKeyPairWithoutPlaintextRequest#builder()} 8229 * </p> 8230 * 8231 * @param generateDataKeyPairWithoutPlaintextRequest 8232 * A {@link Consumer} that will call methods on 8233 * {@link software.amazon.awssdk.services.kms.model.GenerateDataKeyPairWithoutPlaintextRequest.Builder} to 8234 * create a request. 8235 * @return Result of the GenerateDataKeyPairWithoutPlaintext operation returned by the service. 8236 * @throws NotFoundException 8237 * The request was rejected because the specified entity or resource could not be found. 
8238 * @throws DisabledException 8239 * The request was rejected because the specified KMS key is not enabled. 8240 * @throws KeyUnavailableException 8241 * The request was rejected because the specified KMS key was not available. You can retry the request. 8242 * @throws DependencyTimeoutException 8243 * The system timed out while trying to fulfill the request. You can retry the request. 8244 * @throws InvalidKeyUsageException 8245 * The request was rejected for one of the following reasons: </p> 8246 * <ul> 8247 * <li> 8248 * <p> 8249 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 8250 * </p> 8251 * </li> 8252 * <li> 8253 * <p> 8254 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 8255 * of key material in the KMS key <code>(KeySpec</code>). 8256 * </p> 8257 * </li> 8258 * </ul> 8259 * <p> 8260 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 8261 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 8262 * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the 8263 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 8264 * KMS key, use the <a>DescribeKey</a> operation. 8265 * </p> 8266 * <p> 8267 * To find the encryption or signing algorithms supported for a particular KMS key, use the 8268 * <a>DescribeKey</a> operation. 8269 * @throws InvalidGrantTokenException 8270 * The request was rejected because the specified grant token is not valid. 8271 * @throws KmsInternalException 8272 * The request was rejected because an internal exception occurred. The request can be retried. 8273 * @throws KmsInvalidStateException 8274 * The request was rejected because the state of the specified resource is not valid for this request. 
8275 * </p> 8276 * <p> 8277 * This exception means one of the following: 8278 * </p> 8279 * <ul> 8280 * <li> 8281 * <p> 8282 * The key state of the KMS key is not compatible with the operation. 8283 * </p> 8284 * <p> 8285 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 8286 * are compatible with each KMS operation, see <a 8287 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 8288 * the <i>Key Management Service Developer Guide</i>. 8289 * </p> 8290 * </li> 8291 * <li> 8292 * <p> 8293 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 8294 * failure with many possible causes. To identify the cause, see the error message that accompanies the 8295 * exception. 8296 * </p> 8297 * </li> 8298 * @throws UnsupportedOperationException 8299 * The request was rejected because a specified parameter is not supported or a specified resource is not 8300 * valid for this operation. 8301 * @throws DryRunOperationException 8302 * The request was rejected because the DryRun parameter was specified. 8303 * @throws SdkException 8304 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 8305 * catch all scenarios. 8306 * @throws SdkClientException 8307 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 8308 * @throws KmsException 8309 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.GenerateDataKeyPairWithoutPlaintext
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyPairWithoutPlaintext"
     *      target="_top">AWS API Documentation</a>
     */
    default GenerateDataKeyPairWithoutPlaintextResponse generateDataKeyPairWithoutPlaintext(
            Consumer<GenerateDataKeyPairWithoutPlaintextRequest.Builder> generateDataKeyPairWithoutPlaintextRequest)
            throws NotFoundException, DisabledException, KeyUnavailableException, DependencyTimeoutException,
            InvalidKeyUsageException, InvalidGrantTokenException, KmsInternalException, KmsInvalidStateException,
            software.amazon.awssdk.services.kms.model.UnsupportedOperationException, DryRunOperationException,
            AwsServiceException, SdkClientException, KmsException {
        // Apply the caller's consumer to a fresh builder, then hand the built request to the
        // request-object overload; this method adds no behaviour of its own.
        final GenerateDataKeyPairWithoutPlaintextRequest builtRequest = GenerateDataKeyPairWithoutPlaintextRequest
                .builder()
                .applyMutation(generateDataKeyPairWithoutPlaintextRequest)
                .build();
        return generateDataKeyPairWithoutPlaintext(builtRequest);
    }

    /**
     * <p>
     * Returns a unique symmetric data key for use outside of KMS. This operation returns a data key that is encrypted
     * under a symmetric encryption KMS key that you specify. The bytes in the key are random; they are not related to
     * the caller or to the KMS key.
     * </p>
     * <p>
     * <code>GenerateDataKeyWithoutPlaintext</code> is identical to the <a>GenerateDataKey</a> operation except that it
     * does not return a plaintext copy of the data key.
     * </p>
     * <p>
     * This operation is useful for systems that need to encrypt data at some point, but not immediately. When you need
     * to encrypt the data, you call the <a>Decrypt</a> operation on the encrypted copy of the key.
     * </p>
     * <p>
     * It's also useful in distributed systems with different levels of trust.
For example, you might store encrypted 8340 * data in containers. One component of your system creates new containers and stores an encrypted data key with 8341 * each container. Then, a different component puts the data into the containers. That component first decrypts the 8342 * data key, uses the plaintext data key to encrypt data, puts the encrypted data into the container, and then 8343 * destroys the plaintext data key. In this system, the component that creates the containers never sees the 8344 * plaintext data key. 8345 * </p> 8346 * <p> 8347 * To request an asymmetric data key pair, use the <a>GenerateDataKeyPair</a> or 8348 * <a>GenerateDataKeyPairWithoutPlaintext</a> operations. 8349 * </p> 8350 * <p> 8351 * To generate a data key, you must specify the symmetric encryption KMS key that is used to encrypt the data key. 8352 * You cannot use an asymmetric KMS key or a key in a custom key store to generate a data key. To get the type of 8353 * your KMS key, use the <a>DescribeKey</a> operation. 8354 * </p> 8355 * <p> 8356 * You must also specify the length of the data key. Use either the <code>KeySpec</code> or 8357 * <code>NumberOfBytes</code> parameters (but not both). For 128-bit and 256-bit data keys, use the 8358 * <code>KeySpec</code> parameter. 8359 * </p> 8360 * <p> 8361 * To generate an SM4 data key (China Regions only), specify a <code>KeySpec</code> value of <code>AES_128</code> or 8362 * <code>NumberOfBytes</code> value of <code>16</code>. The symmetric encryption key used in China Regions to 8363 * encrypt your data key is an SM4 encryption key. 8364 * </p> 8365 * <p> 8366 * If the operation succeeds, you will find the encrypted copy of the data key in the <code>CiphertextBlob</code> 8367 * field. 8368 * </p> 8369 * <p> 8370 * You can use an optional encryption context to add additional security to the encryption operation. 
If you specify 8371 * an <code>EncryptionContext</code>, you must specify the same encryption context (a case-sensitive exact match) 8372 * when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an 8373 * <code>InvalidCiphertextException</code>. For more information, see <a 8374 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">Encryption Context</a> 8375 * in the <i>Key Management Service Developer Guide</i>. 8376 * </p> 8377 * <p> 8378 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 8379 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 8380 * <i>Key Management Service Developer Guide</i>. 8381 * </p> 8382 * <p> 8383 * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services 8384 * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. 8385 * </p> 8386 * <p> 8387 * <b>Required permissions</b>: <a 8388 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 8389 * >kms:GenerateDataKeyWithoutPlaintext</a> (key policy) 8390 * </p> 8391 * <p> 8392 * <b>Related operations:</b> 8393 * </p> 8394 * <ul> 8395 * <li> 8396 * <p> 8397 * <a>Decrypt</a> 8398 * </p> 8399 * </li> 8400 * <li> 8401 * <p> 8402 * <a>Encrypt</a> 8403 * </p> 8404 * </li> 8405 * <li> 8406 * <p> 8407 * <a>GenerateDataKey</a> 8408 * </p> 8409 * </li> 8410 * <li> 8411 * <p> 8412 * <a>GenerateDataKeyPair</a> 8413 * </p> 8414 * </li> 8415 * <li> 8416 * <p> 8417 * <a>GenerateDataKeyPairWithoutPlaintext</a> 8418 * </p> 8419 * </li> 8420 * </ul> 8421 * <p> 8422 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. 
For more information, see <a 8423 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 8424 * consistency</a>. 8425 * </p> 8426 * 8427 * @param generateDataKeyWithoutPlaintextRequest 8428 * @return Result of the GenerateDataKeyWithoutPlaintext operation returned by the service. 8429 * @throws NotFoundException 8430 * The request was rejected because the specified entity or resource could not be found. 8431 * @throws DisabledException 8432 * The request was rejected because the specified KMS key is not enabled. 8433 * @throws KeyUnavailableException 8434 * The request was rejected because the specified KMS key was not available. You can retry the request. 8435 * @throws DependencyTimeoutException 8436 * The system timed out while trying to fulfill the request. You can retry the request. 8437 * @throws InvalidKeyUsageException 8438 * The request was rejected for one of the following reasons: 8439 * <ul> 8440 * <li> 8441 * <p> 8442 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 8443 * </p> 8444 * </li> 8445 * <li> 8446 * <p> 8447 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 8448 * of key material in the KMS key (<code>KeySpec</code>). 8449 * </p> 8450 * </li> 8451 * </ul> 8452 * <p> 8453 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 8454 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 8455 * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the 8456 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 8457 * KMS key, use the <a>DescribeKey</a> operation. 
8458 * </p> 8459 * <p> 8460 * To find the encryption or signing algorithms supported for a particular KMS key, use the 8461 * <a>DescribeKey</a> operation. 8462 * @throws InvalidGrantTokenException 8463 * The request was rejected because the specified grant token is not valid. 8464 * @throws KmsInternalException 8465 * The request was rejected because an internal exception occurred. The request can be retried. 8466 * @throws KmsInvalidStateException 8467 * The request was rejected because the state of the specified resource is not valid for this request. 8468 * </p> 8469 * <p> 8470 * This exceptions means one of the following: 8471 * </p> 8472 * <ul> 8473 * <li> 8474 * <p> 8475 * The key state of the KMS key is not compatible with the operation. 8476 * </p> 8477 * <p> 8478 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 8479 * are compatible with each KMS operation, see <a 8480 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 8481 * the <i> <i>Key Management Service Developer Guide</i> </i>. 8482 * </p> 8483 * </li> 8484 * <li> 8485 * <p> 8486 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 8487 * failure with many possible causes. To identify the cause, see the error message that accompanies the 8488 * exception. 8489 * </p> 8490 * </li> 8491 * @throws DryRunOperationException 8492 * The request was rejected because the DryRun parameter was specified. 8493 * @throws SdkException 8494 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 8495 * catch all scenarios. 8496 * @throws SdkClientException 8497 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 8498 * @throws KmsException 8499 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
* @sample KmsClient.GenerateDataKeyWithoutPlaintext
* @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintext"
*      target="_top">AWS API Documentation</a>
*/
default GenerateDataKeyWithoutPlaintextResponse generateDataKeyWithoutPlaintext(
        GenerateDataKeyWithoutPlaintextRequest generateDataKeyWithoutPlaintextRequest)
        throws NotFoundException,
                DisabledException,
                KeyUnavailableException,
                DependencyTimeoutException,
                InvalidKeyUsageException,
                InvalidGrantTokenException,
                KmsInternalException,
                KmsInvalidStateException,
                DryRunOperationException,
                AwsServiceException,
                SdkClientException,
                KmsException {
    // Interface default: nothing is sent to the service from here; the call always fails.
    // NOTE(review): the unqualified name presumably resolves to java.lang.UnsupportedOperationException,
    // not the KMS model exception of the same simple name, which this file writes fully qualified
    // where it appears in a throws clause. Confirm against the file's imports.
    throw new UnsupportedOperationException();
}

/**
 * <p>
 * Returns a unique symmetric data key for use outside of KMS. This operation returns a data key that is encrypted
 * under a symmetric encryption KMS key that you specify. The bytes in the key are random; they are not related to
 * the caller or to the KMS key.
 * </p>
 * <p>
 * <code>GenerateDataKeyWithoutPlaintext</code> is identical to the <a>GenerateDataKey</a> operation except that it
 * does not return a plaintext copy of the data key.
 * </p>
 * <p>
 * This operation is useful for systems that need to encrypt data at some point, but not immediately. When you need
 * to encrypt the data, you call the <a>Decrypt</a> operation on the encrypted copy of the key.
 * </p>
 * <p>
 * It's also useful in distributed systems with different levels of trust. For example, you might store encrypted
 * data in containers. One component of your system creates new containers and stores an encrypted data key with
 * each container. Then, a different component puts the data into the containers.
That component first decrypts the 8530 * data key, uses the plaintext data key to encrypt data, puts the encrypted data into the container, and then 8531 * destroys the plaintext data key. In this system, the component that creates the containers never sees the 8532 * plaintext data key. 8533 * </p> 8534 * <p> 8535 * To request an asymmetric data key pair, use the <a>GenerateDataKeyPair</a> or 8536 * <a>GenerateDataKeyPairWithoutPlaintext</a> operations. 8537 * </p> 8538 * <p> 8539 * To generate a data key, you must specify the symmetric encryption KMS key that is used to encrypt the data key. 8540 * You cannot use an asymmetric KMS key or a key in a custom key store to generate a data key. To get the type of 8541 * your KMS key, use the <a>DescribeKey</a> operation. 8542 * </p> 8543 * <p> 8544 * You must also specify the length of the data key. Use either the <code>KeySpec</code> or 8545 * <code>NumberOfBytes</code> parameters (but not both). For 128-bit and 256-bit data keys, use the 8546 * <code>KeySpec</code> parameter. 8547 * </p> 8548 * <p> 8549 * To generate an SM4 data key (China Regions only), specify a <code>KeySpec</code> value of <code>AES_128</code> or 8550 * <code>NumberOfBytes</code> value of <code>16</code>. The symmetric encryption key used in China Regions to 8551 * encrypt your data key is an SM4 encryption key. 8552 * </p> 8553 * <p> 8554 * If the operation succeeds, you will find the encrypted copy of the data key in the <code>CiphertextBlob</code> 8555 * field. 8556 * </p> 8557 * <p> 8558 * You can use an optional encryption context to add additional security to the encryption operation. If you specify 8559 * an <code>EncryptionContext</code>, you must specify the same encryption context (a case-sensitive exact match) 8560 * when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an 8561 * <code>InvalidCiphertextException</code>. 
For more information, see <a 8562 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">Encryption Context</a> 8563 * in the <i>Key Management Service Developer Guide</i>. 8564 * </p> 8565 * <p> 8566 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 8567 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 8568 * <i>Key Management Service Developer Guide</i>. 8569 * </p> 8570 * <p> 8571 * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services 8572 * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. 8573 * </p> 8574 * <p> 8575 * <b>Required permissions</b>: <a 8576 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 8577 * >kms:GenerateDataKeyWithoutPlaintext</a> (key policy) 8578 * </p> 8579 * <p> 8580 * <b>Related operations:</b> 8581 * </p> 8582 * <ul> 8583 * <li> 8584 * <p> 8585 * <a>Decrypt</a> 8586 * </p> 8587 * </li> 8588 * <li> 8589 * <p> 8590 * <a>Encrypt</a> 8591 * </p> 8592 * </li> 8593 * <li> 8594 * <p> 8595 * <a>GenerateDataKey</a> 8596 * </p> 8597 * </li> 8598 * <li> 8599 * <p> 8600 * <a>GenerateDataKeyPair</a> 8601 * </p> 8602 * </li> 8603 * <li> 8604 * <p> 8605 * <a>GenerateDataKeyPairWithoutPlaintext</a> 8606 * </p> 8607 * </li> 8608 * </ul> 8609 * <p> 8610 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 8611 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 8612 * consistency</a>. 
8613 * </p> 8614 * <br/> 8615 * <p> 8616 * This is a convenience which creates an instance of the {@link GenerateDataKeyWithoutPlaintextRequest.Builder} 8617 * avoiding the need to create one manually via {@link GenerateDataKeyWithoutPlaintextRequest#builder()} 8618 * </p> 8619 * 8620 * @param generateDataKeyWithoutPlaintextRequest 8621 * A {@link Consumer} that will call methods on 8622 * {@link software.amazon.awssdk.services.kms.model.GenerateDataKeyWithoutPlaintextRequest.Builder} to create 8623 * a request. 8624 * @return Result of the GenerateDataKeyWithoutPlaintext operation returned by the service. 8625 * @throws NotFoundException 8626 * The request was rejected because the specified entity or resource could not be found. 8627 * @throws DisabledException 8628 * The request was rejected because the specified KMS key is not enabled. 8629 * @throws KeyUnavailableException 8630 * The request was rejected because the specified KMS key was not available. You can retry the request. 8631 * @throws DependencyTimeoutException 8632 * The system timed out while trying to fulfill the request. You can retry the request. 8633 * @throws InvalidKeyUsageException 8634 * The request was rejected for one of the following reasons: </p> 8635 * <ul> 8636 * <li> 8637 * <p> 8638 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 8639 * </p> 8640 * </li> 8641 * <li> 8642 * <p> 8643 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 8644 * of key material in the KMS key <code>(KeySpec</code>). 8645 * </p> 8646 * </li> 8647 * </ul> 8648 * <p> 8649 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 8650 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 8651 * <code>SIGN_VERIFY</code>. 
For generating and verifying message authentication codes (MACs), the 8652 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 8653 * KMS key, use the <a>DescribeKey</a> operation. 8654 * </p> 8655 * <p> 8656 * To find the encryption or signing algorithms supported for a particular KMS key, use the 8657 * <a>DescribeKey</a> operation. 8658 * @throws InvalidGrantTokenException 8659 * The request was rejected because the specified grant token is not valid. 8660 * @throws KmsInternalException 8661 * The request was rejected because an internal exception occurred. The request can be retried. 8662 * @throws KmsInvalidStateException 8663 * The request was rejected because the state of the specified resource is not valid for this request. 8664 * </p> 8665 * <p> 8666 * This exceptions means one of the following: 8667 * </p> 8668 * <ul> 8669 * <li> 8670 * <p> 8671 * The key state of the KMS key is not compatible with the operation. 8672 * </p> 8673 * <p> 8674 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 8675 * are compatible with each KMS operation, see <a 8676 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 8677 * the <i> <i>Key Management Service Developer Guide</i> </i>. 8678 * </p> 8679 * </li> 8680 * <li> 8681 * <p> 8682 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 8683 * failure with many possible causes. To identify the cause, see the error message that accompanies the 8684 * exception. 8685 * </p> 8686 * </li> 8687 * @throws DryRunOperationException 8688 * The request was rejected because the DryRun parameter was specified. 8689 * @throws SdkException 8690 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 8691 * catch all scenarios. 
* @throws SdkClientException
*         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
*         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.GenerateDataKeyWithoutPlaintext
* @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintext"
*      target="_top">AWS API Documentation</a>
*/
default GenerateDataKeyWithoutPlaintextResponse generateDataKeyWithoutPlaintext(
        Consumer<GenerateDataKeyWithoutPlaintextRequest.Builder> generateDataKeyWithoutPlaintextRequest)
        throws NotFoundException,
                DisabledException,
                KeyUnavailableException,
                DependencyTimeoutException,
                InvalidKeyUsageException,
                InvalidGrantTokenException,
                KmsInternalException,
                KmsInvalidStateException,
                DryRunOperationException,
                AwsServiceException,
                SdkClientException,
                KmsException {
    // Let the caller's mutator populate a fresh builder, then freeze it into a request.
    GenerateDataKeyWithoutPlaintextRequest request = GenerateDataKeyWithoutPlaintextRequest.builder()
            .applyMutation(generateDataKeyWithoutPlaintextRequest)
            .build();
    // Hand off to the overload that takes the built request object.
    return generateDataKeyWithoutPlaintext(request);
}

/**
 * <p>
 * Generates a hash-based message authentication code (HMAC) for a message using an HMAC KMS key and a MAC algorithm
 * that the key supports. HMAC KMS keys and the HMAC algorithms that KMS uses conform to industry standards defined
 * in <a href="https://datatracker.ietf.org/doc/html/rfc2104">RFC 2104</a>.
 * </p>
 * <p>
 * You can use the value that GenerateMac returns in the <a>VerifyMac</a> operation to demonstrate that the original
 * message has not changed. Also, because a secret key is used to create the hash, you can verify that the party
 * that generated the hash has the required secret key.
You can also use the raw result to implement HMAC-based 8719 * algorithms such as key derivation functions. This operation is part of KMS support for HMAC KMS keys. For 8720 * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC keys in KMS</a> in 8721 * the <i>Key Management Service Developer Guide</i>. 8722 * </p> 8723 * <note> 8724 * <p> 8725 * Best practices recommend that you limit the time during which any signing mechanism, including an HMAC, is 8726 * effective. This deters an attack where the actor uses a signed message to establish validity repeatedly or long 8727 * after the message is superseded. HMAC tags do not include a timestamp, but you can include a timestamp in the 8728 * token or message to help you detect when it's time to refresh the HMAC. 8729 * </p> 8730 * </note> 8731 * <p> 8732 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 8733 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 8734 * <i>Key Management Service Developer Guide</i>. 8735 * </p> 8736 * <p> 8737 * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services 8738 * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. 8739 * </p> 8740 * <p> 8741 * <b>Required permissions</b>: <a 8742 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 8743 * >kms:GenerateMac</a> (key policy) 8744 * </p> 8745 * <p> 8746 * <b>Related operations</b>: <a>VerifyMac</a> 8747 * </p> 8748 * <p> 8749 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 8750 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 8751 * consistency</a>. 
8752 * </p> 8753 * 8754 * @param generateMacRequest 8755 * @return Result of the GenerateMac operation returned by the service. 8756 * @throws NotFoundException 8757 * The request was rejected because the specified entity or resource could not be found. 8758 * @throws DisabledException 8759 * The request was rejected because the specified KMS key is not enabled. 8760 * @throws KeyUnavailableException 8761 * The request was rejected because the specified KMS key was not available. You can retry the request. 8762 * @throws InvalidKeyUsageException 8763 * The request was rejected for one of the following reasons: </p> 8764 * <ul> 8765 * <li> 8766 * <p> 8767 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 8768 * </p> 8769 * </li> 8770 * <li> 8771 * <p> 8772 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 8773 * of key material in the KMS key <code>(KeySpec</code>). 8774 * </p> 8775 * </li> 8776 * </ul> 8777 * <p> 8778 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 8779 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 8780 * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the 8781 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 8782 * KMS key, use the <a>DescribeKey</a> operation. 8783 * </p> 8784 * <p> 8785 * To find the encryption or signing algorithms supported for a particular KMS key, use the 8786 * <a>DescribeKey</a> operation. 8787 * @throws InvalidGrantTokenException 8788 * The request was rejected because the specified grant token is not valid. 8789 * @throws KmsInternalException 8790 * The request was rejected because an internal exception occurred. The request can be retried. 
8791 * @throws KmsInvalidStateException 8792 * The request was rejected because the state of the specified resource is not valid for this request. 8793 * </p> 8794 * <p> 8795 * This exceptions means one of the following: 8796 * </p> 8797 * <ul> 8798 * <li> 8799 * <p> 8800 * The key state of the KMS key is not compatible with the operation. 8801 * </p> 8802 * <p> 8803 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 8804 * are compatible with each KMS operation, see <a 8805 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 8806 * the <i> <i>Key Management Service Developer Guide</i> </i>. 8807 * </p> 8808 * </li> 8809 * <li> 8810 * <p> 8811 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 8812 * failure with many possible causes. To identify the cause, see the error message that accompanies the 8813 * exception. 8814 * </p> 8815 * </li> 8816 * @throws DryRunOperationException 8817 * The request was rejected because the DryRun parameter was specified. 8818 * @throws SdkException 8819 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 8820 * catch all scenarios. 8821 * @throws SdkClientException 8822 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 8823 * @throws KmsException 8824 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
* @sample KmsClient.GenerateMac
* @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateMac" target="_top">AWS API
*      Documentation</a>
*/
default GenerateMacResponse generateMac(GenerateMacRequest generateMacRequest)
        throws NotFoundException,
                DisabledException,
                KeyUnavailableException,
                InvalidKeyUsageException,
                InvalidGrantTokenException,
                KmsInternalException,
                KmsInvalidStateException,
                DryRunOperationException,
                AwsServiceException,
                SdkClientException,
                KmsException {
    // Interface default: nothing is sent to the service from here; the call always fails.
    // NOTE(review): the unqualified name presumably resolves to java.lang.UnsupportedOperationException,
    // not the KMS model exception of the same simple name, which this file writes fully qualified
    // where it appears in a throws clause. Confirm against the file's imports.
    throw new UnsupportedOperationException();
}

/**
 * <p>
 * Generates a hash-based message authentication code (HMAC) for a message using an HMAC KMS key and a MAC algorithm
 * that the key supports. HMAC KMS keys and the HMAC algorithms that KMS uses conform to industry standards defined
 * in <a href="https://datatracker.ietf.org/doc/html/rfc2104">RFC 2104</a>.
 * </p>
 * <p>
 * You can use the value that GenerateMac returns in the <a>VerifyMac</a> operation to demonstrate that the original
 * message has not changed. Also, because a secret key is used to create the hash, you can verify that the party
 * that generated the hash has the required secret key. You can also use the raw result to implement HMAC-based
 * algorithms such as key derivation functions. This operation is part of KMS support for HMAC KMS keys. For
 * details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC keys in KMS</a> in
 * the <i>Key Management Service Developer Guide</i>.
 * </p>
 * <note>
 * <p>
 * Best practices recommend that you limit the time during which any signing mechanism, including an HMAC, is
 * effective. This deters an attack where the actor uses a signed message to establish validity repeatedly or long
 * after the message is superseded.
HMAC tags do not include a timestamp, but you can include a timestamp in the 8854 * token or message to help you detect when it's time to refresh the HMAC. 8855 * </p> 8856 * </note> 8857 * <p> 8858 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 8859 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 8860 * <i>Key Management Service Developer Guide</i>. 8861 * </p> 8862 * <p> 8863 * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services 8864 * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. 8865 * </p> 8866 * <p> 8867 * <b>Required permissions</b>: <a 8868 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 8869 * >kms:GenerateMac</a> (key policy) 8870 * </p> 8871 * <p> 8872 * <b>Related operations</b>: <a>VerifyMac</a> 8873 * </p> 8874 * <p> 8875 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 8876 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 8877 * consistency</a>. 8878 * </p> 8879 * <br/> 8880 * <p> 8881 * This is a convenience which creates an instance of the {@link GenerateMacRequest.Builder} avoiding the need to 8882 * create one manually via {@link GenerateMacRequest#builder()} 8883 * </p> 8884 * 8885 * @param generateMacRequest 8886 * A {@link Consumer} that will call methods on 8887 * {@link software.amazon.awssdk.services.kms.model.GenerateMacRequest.Builder} to create a request. 8888 * @return Result of the GenerateMac operation returned by the service. 8889 * @throws NotFoundException 8890 * The request was rejected because the specified entity or resource could not be found. 
8891 * @throws DisabledException 8892 * The request was rejected because the specified KMS key is not enabled. 8893 * @throws KeyUnavailableException 8894 * The request was rejected because the specified KMS key was not available. You can retry the request. 8895 * @throws InvalidKeyUsageException 8896 * The request was rejected for one of the following reasons: </p> 8897 * <ul> 8898 * <li> 8899 * <p> 8900 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 8901 * </p> 8902 * </li> 8903 * <li> 8904 * <p> 8905 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 8906 * of key material in the KMS key <code>(KeySpec</code>). 8907 * </p> 8908 * </li> 8909 * </ul> 8910 * <p> 8911 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 8912 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 8913 * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the 8914 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 8915 * KMS key, use the <a>DescribeKey</a> operation. 8916 * </p> 8917 * <p> 8918 * To find the encryption or signing algorithms supported for a particular KMS key, use the 8919 * <a>DescribeKey</a> operation. 8920 * @throws InvalidGrantTokenException 8921 * The request was rejected because the specified grant token is not valid. 8922 * @throws KmsInternalException 8923 * The request was rejected because an internal exception occurred. The request can be retried. 8924 * @throws KmsInvalidStateException 8925 * The request was rejected because the state of the specified resource is not valid for this request. 
8926 * </p> 8927 * <p> 8928 * This exceptions means one of the following: 8929 * </p> 8930 * <ul> 8931 * <li> 8932 * <p> 8933 * The key state of the KMS key is not compatible with the operation. 8934 * </p> 8935 * <p> 8936 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 8937 * are compatible with each KMS operation, see <a 8938 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 8939 * the <i> <i>Key Management Service Developer Guide</i> </i>. 8940 * </p> 8941 * </li> 8942 * <li> 8943 * <p> 8944 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 8945 * failure with many possible causes. To identify the cause, see the error message that accompanies the 8946 * exception. 8947 * </p> 8948 * </li> 8949 * @throws DryRunOperationException 8950 * The request was rejected because the DryRun parameter was specified. 8951 * @throws SdkException 8952 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 8953 * catch all scenarios. 8954 * @throws SdkClientException 8955 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 8956 * @throws KmsException 8957 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
* @sample KmsClient.GenerateMac
* @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateMac" target="_top">AWS API
*      Documentation</a>
*/
default GenerateMacResponse generateMac(Consumer<GenerateMacRequest.Builder> generateMacRequest)
        throws NotFoundException,
                DisabledException,
                KeyUnavailableException,
                InvalidKeyUsageException,
                InvalidGrantTokenException,
                KmsInternalException,
                KmsInvalidStateException,
                DryRunOperationException,
                AwsServiceException,
                SdkClientException,
                KmsException {
    // Let the caller's mutator populate a fresh builder, then freeze it into a request.
    GenerateMacRequest request = GenerateMacRequest.builder()
            .applyMutation(generateMacRequest)
            .build();
    // Hand off to the overload that takes the built request object.
    return generateMac(request);
}

/**
 * <p>
 * Returns a random byte string that is cryptographically secure.
 * </p>
 * <p>
 * You must use the <code>NumberOfBytes</code> parameter to specify the length of the random byte string. There is
 * no default value for string length.
 * </p>
 * <p>
 * By default, the random byte string is generated in KMS. To generate the byte string in the CloudHSM cluster
 * associated with a CloudHSM key store, use the <code>CustomKeyStoreId</code> parameter.
 * </p>
 * <p>
 * <code>GenerateRandom</code> also supports <a
 * href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html">Amazon Web Services Nitro
 * Enclaves</a>, which provide an isolated compute environment in Amazon EC2. To call <code>GenerateRandom</code>
 * for a Nitro enclave, use the <a
 * href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services
 * Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the <code>Recipient</code> parameter to provide the
 * attestation document for the enclave.
Instead of plaintext bytes, the response includes the plaintext bytes 8989 * encrypted under the public key from the attestation document (<code>CiphertextForRecipient</code>).For 8990 * information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a 8991 * href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services 8992 * Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>. 8993 * </p> 8994 * <p> 8995 * For more information about entropy and random number generation, see <a 8996 * href="https://docs.aws.amazon.com/kms/latest/cryptographic-details/">Key Management Service Cryptographic 8997 * Details</a>. 8998 * </p> 8999 * <p> 9000 * <b>Cross-account use</b>: Not applicable. <code>GenerateRandom</code> does not use any account-specific 9001 * resources, such as KMS keys. 9002 * </p> 9003 * <p> 9004 * <b>Required permissions</b>: <a 9005 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 9006 * >kms:GenerateRandom</a> (IAM policy) 9007 * </p> 9008 * <p> 9009 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 9010 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 9011 * consistency</a>. 9012 * </p> 9013 * 9014 * @param generateRandomRequest 9015 * @return Result of the GenerateRandom operation returned by the service. 9016 * @throws DependencyTimeoutException 9017 * The system timed out while trying to fulfill the request. You can retry the request. 9018 * @throws KmsInternalException 9019 * The request was rejected because an internal exception occurred. The request can be retried. 9020 * @throws UnsupportedOperationException 9021 * The request was rejected because a specified parameter is not supported or a specified resource is not 9022 * valid for this operation. 
9023 * @throws CustomKeyStoreNotFoundException 9024 * The request was rejected because KMS cannot find a custom key store with the specified key store name or 9025 * ID. 9026 * @throws CustomKeyStoreInvalidStateException 9027 * The request was rejected because of the <code>ConnectionState</code> of the custom key store. To get the 9028 * <code>ConnectionState</code> of a custom key store, use the <a>DescribeCustomKeyStores</a> operation.</p> 9029 * <p> 9030 * This exception is thrown under the following conditions: 9031 * </p> 9032 * <ul> 9033 * <li> 9034 * <p> 9035 * You requested the <a>ConnectCustomKeyStore</a> operation on a custom key store with a 9036 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>FAILED</code>. This operation is 9037 * valid for all other <code>ConnectionState</code> values. To reconnect a custom key store in a 9038 * <code>FAILED</code> state, disconnect it (<a>DisconnectCustomKeyStore</a>), then connect it ( 9039 * <code>ConnectCustomKeyStore</code>). 9040 * </p> 9041 * </li> 9042 * <li> 9043 * <p> 9044 * You requested the <a>CreateKey</a> operation in a custom key store that is not connected. This operations 9045 * is valid only when the custom key store <code>ConnectionState</code> is <code>CONNECTED</code>. 9046 * </p> 9047 * </li> 9048 * <li> 9049 * <p> 9050 * You requested the <a>DisconnectCustomKeyStore</a> operation on a custom key store with a 9051 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>DISCONNECTED</code>. This operation 9052 * is valid for all other <code>ConnectionState</code> values. 9053 * </p> 9054 * </li> 9055 * <li> 9056 * <p> 9057 * You requested the <a>UpdateCustomKeyStore</a> or <a>DeleteCustomKeyStore</a> operation on a custom key 9058 * store that is not disconnected. This operation is valid only when the custom key store 9059 * <code>ConnectionState</code> is <code>DISCONNECTED</code>. 
     *         </p>
     *         </li>
     *         <li>
     *         <p>
     *         You requested the <a>GenerateRandom</a> operation in a CloudHSM key store that is not connected. This
     *         operation is valid only when the CloudHSM key store <code>ConnectionState</code> is
     *         <code>CONNECTED</code>.
     *         </p>
     *         </li>
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.GenerateRandom
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandom" target="_top">AWS API
     *      Documentation</a>
     */
    default GenerateRandomResponse generateRandom(GenerateRandomRequest generateRandomRequest)
            throws DependencyTimeoutException,
            KmsInternalException,
            software.amazon.awssdk.services.kms.model.UnsupportedOperationException,
            CustomKeyStoreNotFoundException,
            CustomKeyStoreInvalidStateException,
            AwsServiceException,
            SdkClientException,
            KmsException {
        // Default body for implementations that do not override this operation: it never contacts the service.
        // The unqualified name is presumably java.lang.UnsupportedOperationException, not the KMS model
        // exception that the throws clause spells out in full — confirm against the file's imports.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Returns a random byte string that is cryptographically secure.
     * </p>
     * <p>
     * You must use the <code>NumberOfBytes</code> parameter to specify the length of the random byte string. There is
     * no default value for string length.
     * </p>
     * <p>
     * By default, the random byte string is generated in KMS. To generate the byte string in the CloudHSM cluster
     * associated with a CloudHSM key store, use the <code>CustomKeyStoreId</code> parameter.
9098 * </p> 9099 * <p> 9100 * <code>GenerateRandom</code> also supports <a 9101 * href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html">Amazon Web Services Nitro 9102 * Enclaves</a>, which provide an isolated compute environment in Amazon EC2. To call <code>GenerateRandom</code> 9103 * for a Nitro enclave, use the <a 9104 * href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services 9105 * Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the <code>Recipient</code> parameter to provide the 9106 * attestation document for the enclave. Instead of plaintext bytes, the response includes the plaintext bytes 9107 * encrypted under the public key from the attestation document (<code>CiphertextForRecipient</code>).For 9108 * information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a 9109 * href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services 9110 * Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>. 9111 * </p> 9112 * <p> 9113 * For more information about entropy and random number generation, see <a 9114 * href="https://docs.aws.amazon.com/kms/latest/cryptographic-details/">Key Management Service Cryptographic 9115 * Details</a>. 9116 * </p> 9117 * <p> 9118 * <b>Cross-account use</b>: Not applicable. <code>GenerateRandom</code> does not use any account-specific 9119 * resources, such as KMS keys. 9120 * </p> 9121 * <p> 9122 * <b>Required permissions</b>: <a 9123 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 9124 * >kms:GenerateRandom</a> (IAM policy) 9125 * </p> 9126 * <p> 9127 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. 
For more information, see <a 9128 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 9129 * consistency</a>. 9130 * </p> 9131 * <br/> 9132 * <p> 9133 * This is a convenience which creates an instance of the {@link GenerateRandomRequest.Builder} avoiding the need to 9134 * create one manually via {@link GenerateRandomRequest#builder()} 9135 * </p> 9136 * 9137 * @param generateRandomRequest 9138 * A {@link Consumer} that will call methods on 9139 * {@link software.amazon.awssdk.services.kms.model.GenerateRandomRequest.Builder} to create a request. 9140 * @return Result of the GenerateRandom operation returned by the service. 9141 * @throws DependencyTimeoutException 9142 * The system timed out while trying to fulfill the request. You can retry the request. 9143 * @throws KmsInternalException 9144 * The request was rejected because an internal exception occurred. The request can be retried. 9145 * @throws UnsupportedOperationException 9146 * The request was rejected because a specified parameter is not supported or a specified resource is not 9147 * valid for this operation. 9148 * @throws CustomKeyStoreNotFoundException 9149 * The request was rejected because KMS cannot find a custom key store with the specified key store name or 9150 * ID. 9151 * @throws CustomKeyStoreInvalidStateException 9152 * The request was rejected because of the <code>ConnectionState</code> of the custom key store. To get the 9153 * <code>ConnectionState</code> of a custom key store, use the <a>DescribeCustomKeyStores</a> operation.</p> 9154 * <p> 9155 * This exception is thrown under the following conditions: 9156 * </p> 9157 * <ul> 9158 * <li> 9159 * <p> 9160 * You requested the <a>ConnectCustomKeyStore</a> operation on a custom key store with a 9161 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>FAILED</code>. This operation is 9162 * valid for all other <code>ConnectionState</code> values. 
To reconnect a custom key store in a 9163 * <code>FAILED</code> state, disconnect it (<a>DisconnectCustomKeyStore</a>), then connect it ( 9164 * <code>ConnectCustomKeyStore</code>). 9165 * </p> 9166 * </li> 9167 * <li> 9168 * <p> 9169 * You requested the <a>CreateKey</a> operation in a custom key store that is not connected. This operations 9170 * is valid only when the custom key store <code>ConnectionState</code> is <code>CONNECTED</code>. 9171 * </p> 9172 * </li> 9173 * <li> 9174 * <p> 9175 * You requested the <a>DisconnectCustomKeyStore</a> operation on a custom key store with a 9176 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>DISCONNECTED</code>. This operation 9177 * is valid for all other <code>ConnectionState</code> values. 9178 * </p> 9179 * </li> 9180 * <li> 9181 * <p> 9182 * You requested the <a>UpdateCustomKeyStore</a> or <a>DeleteCustomKeyStore</a> operation on a custom key 9183 * store that is not disconnected. This operation is valid only when the custom key store 9184 * <code>ConnectionState</code> is <code>DISCONNECTED</code>. 9185 * </p> 9186 * </li> 9187 * <li> 9188 * <p> 9189 * You requested the <a>GenerateRandom</a> operation in an CloudHSM key store that is not connected. This 9190 * operation is valid only when the CloudHSM key store <code>ConnectionState</code> is 9191 * <code>CONNECTED</code>. 9192 * </p> 9193 * </li> 9194 * @throws SdkException 9195 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 9196 * catch all scenarios. 9197 * @throws SdkClientException 9198 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 9199 * @throws KmsException 9200 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
     * @sample KmsClient.GenerateRandom
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandom" target="_top">AWS API
     *      Documentation</a>
     */
    default GenerateRandomResponse generateRandom(Consumer<GenerateRandomRequest.Builder> generateRandomRequest)
            throws DependencyTimeoutException,
            KmsInternalException,
            software.amazon.awssdk.services.kms.model.UnsupportedOperationException,
            CustomKeyStoreNotFoundException,
            CustomKeyStoreInvalidStateException,
            AwsServiceException,
            SdkClientException,
            KmsException {
        // Let the caller's mutator populate a fresh builder, then delegate to the request-object overload.
        GenerateRandomRequest request = GenerateRandomRequest.builder().applyMutation(generateRandomRequest).build();
        return generateRandom(request);
    }

    /**
     * <p>
     * Returns a random byte string that is cryptographically secure.
     * </p>
     * <p>
     * You must use the <code>NumberOfBytes</code> parameter to specify the length of the random byte string. There is
     * no default value for string length.
     * </p>
     * <p>
     * By default, the random byte string is generated in KMS. To generate the byte string in the CloudHSM cluster
     * associated with a CloudHSM key store, use the <code>CustomKeyStoreId</code> parameter.
     * </p>
     * <p>
     * <code>GenerateRandom</code> also supports <a
     * href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave.html">Amazon Web Services Nitro
     * Enclaves</a>, which provide an isolated compute environment in Amazon EC2. To call <code>GenerateRandom</code>
     * for a Nitro enclave, use the <a
     * href="https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk">Amazon Web Services
     * Nitro Enclaves SDK</a> or any Amazon Web Services SDK. Use the <code>Recipient</code> parameter to provide the
     * attestation document for the enclave.
Instead of plaintext bytes, the response includes the plaintext bytes 9232 * encrypted under the public key from the attestation document (<code>CiphertextForRecipient</code>).For 9233 * information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see <a 9234 * href="https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html">How Amazon Web Services 9235 * Nitro Enclaves uses KMS</a> in the <i>Key Management Service Developer Guide</i>. 9236 * </p> 9237 * <p> 9238 * For more information about entropy and random number generation, see <a 9239 * href="https://docs.aws.amazon.com/kms/latest/cryptographic-details/">Key Management Service Cryptographic 9240 * Details</a>. 9241 * </p> 9242 * <p> 9243 * <b>Cross-account use</b>: Not applicable. <code>GenerateRandom</code> does not use any account-specific 9244 * resources, such as KMS keys. 9245 * </p> 9246 * <p> 9247 * <b>Required permissions</b>: <a 9248 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 9249 * >kms:GenerateRandom</a> (IAM policy) 9250 * </p> 9251 * <p> 9252 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 9253 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 9254 * consistency</a>. 9255 * </p> 9256 * 9257 * @return Result of the GenerateRandom operation returned by the service. 9258 * @throws DependencyTimeoutException 9259 * The system timed out while trying to fulfill the request. You can retry the request. 9260 * @throws KmsInternalException 9261 * The request was rejected because an internal exception occurred. The request can be retried. 9262 * @throws UnsupportedOperationException 9263 * The request was rejected because a specified parameter is not supported or a specified resource is not 9264 * valid for this operation. 
9265 * @throws CustomKeyStoreNotFoundException 9266 * The request was rejected because KMS cannot find a custom key store with the specified key store name or 9267 * ID. 9268 * @throws CustomKeyStoreInvalidStateException 9269 * The request was rejected because of the <code>ConnectionState</code> of the custom key store. To get the 9270 * <code>ConnectionState</code> of a custom key store, use the <a>DescribeCustomKeyStores</a> operation.</p> 9271 * <p> 9272 * This exception is thrown under the following conditions: 9273 * </p> 9274 * <ul> 9275 * <li> 9276 * <p> 9277 * You requested the <a>ConnectCustomKeyStore</a> operation on a custom key store with a 9278 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>FAILED</code>. This operation is 9279 * valid for all other <code>ConnectionState</code> values. To reconnect a custom key store in a 9280 * <code>FAILED</code> state, disconnect it (<a>DisconnectCustomKeyStore</a>), then connect it ( 9281 * <code>ConnectCustomKeyStore</code>). 9282 * </p> 9283 * </li> 9284 * <li> 9285 * <p> 9286 * You requested the <a>CreateKey</a> operation in a custom key store that is not connected. This operations 9287 * is valid only when the custom key store <code>ConnectionState</code> is <code>CONNECTED</code>. 9288 * </p> 9289 * </li> 9290 * <li> 9291 * <p> 9292 * You requested the <a>DisconnectCustomKeyStore</a> operation on a custom key store with a 9293 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>DISCONNECTED</code>. This operation 9294 * is valid for all other <code>ConnectionState</code> values. 9295 * </p> 9296 * </li> 9297 * <li> 9298 * <p> 9299 * You requested the <a>UpdateCustomKeyStore</a> or <a>DeleteCustomKeyStore</a> operation on a custom key 9300 * store that is not disconnected. This operation is valid only when the custom key store 9301 * <code>ConnectionState</code> is <code>DISCONNECTED</code>. 
     *         </p>
     *         </li>
     *         <li>
     *         <p>
     *         You requested the <a>GenerateRandom</a> operation in a CloudHSM key store that is not connected. This
     *         operation is valid only when the CloudHSM key store <code>ConnectionState</code> is
     *         <code>CONNECTED</code>.
     *         </p>
     *         </li>
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.GenerateRandom
     * @see #generateRandom(GenerateRandomRequest)
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandom" target="_top">AWS API
     *      Documentation</a>
     */
    default GenerateRandomResponse generateRandom()
            throws DependencyTimeoutException,
            KmsInternalException,
            software.amazon.awssdk.services.kms.model.UnsupportedOperationException,
            CustomKeyStoreNotFoundException,
            CustomKeyStoreInvalidStateException,
            AwsServiceException,
            SdkClientException,
            KmsException {
        // NOTE(review): the request is built with no fields set, so NumberOfBytes is absent even though the
        // operation's documentation says it must be specified and has no default. Callers that need a specific
        // length should use the request or Consumer overload — confirm how the service treats an empty request.
        GenerateRandomRequest emptyRequest = GenerateRandomRequest.builder().build();
        return generateRandom(emptyRequest);
    }

    /**
     * <p>
     * Gets a key policy attached to the specified KMS key.
     * </p>
     * <p>
     * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
     * account.
9336 * </p> 9337 * <p> 9338 * <b>Required permissions</b>: <a 9339 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 9340 * >kms:GetKeyPolicy</a> (key policy) 9341 * </p> 9342 * <p> 9343 * <b>Related operations</b>: <a 9344 * href="https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html">PutKeyPolicy</a> 9345 * </p> 9346 * <p> 9347 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 9348 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 9349 * consistency</a>. 9350 * </p> 9351 * 9352 * @param getKeyPolicyRequest 9353 * @return Result of the GetKeyPolicy operation returned by the service. 9354 * @throws NotFoundException 9355 * The request was rejected because the specified entity or resource could not be found. 9356 * @throws InvalidArnException 9357 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 9358 * @throws DependencyTimeoutException 9359 * The system timed out while trying to fulfill the request. You can retry the request. 9360 * @throws KmsInternalException 9361 * The request was rejected because an internal exception occurred. The request can be retried. 9362 * @throws KmsInvalidStateException 9363 * The request was rejected because the state of the specified resource is not valid for this request.</p> 9364 * <p> 9365 * This exceptions means one of the following: 9366 * </p> 9367 * <ul> 9368 * <li> 9369 * <p> 9370 * The key state of the KMS key is not compatible with the operation. 9371 * </p> 9372 * <p> 9373 * To find the key state, use the <a>DescribeKey</a> operation. 
     *         For more information about which key states
     *         are compatible with each KMS operation, see <a
     *         href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
     *         the <i>Key Management Service Developer Guide</i>.
     *         </p>
     *         </li>
     *         <li>
     *         <p>
     *         For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     *         failure with many possible causes. To identify the cause, see the error message that accompanies the
     *         exception.
     *         </p>
     *         </li>
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.GetKeyPolicy
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyPolicy" target="_top">AWS API
     *      Documentation</a>
     */
    default GetKeyPolicyResponse getKeyPolicy(GetKeyPolicyRequest getKeyPolicyRequest)
            throws NotFoundException,
            InvalidArnException,
            DependencyTimeoutException,
            KmsInternalException,
            KmsInvalidStateException,
            AwsServiceException,
            SdkClientException,
            KmsException {
        // Default body for implementations that do not override this operation: it never contacts the service,
        // so no key policy is read. The exception is not in the throws clause, so it is an unchecked type.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Gets a key policy attached to the specified KMS key.
     * </p>
     * <p>
     * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
     * account.
9410 * </p> 9411 * <p> 9412 * <b>Required permissions</b>: <a 9413 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 9414 * >kms:GetKeyPolicy</a> (key policy) 9415 * </p> 9416 * <p> 9417 * <b>Related operations</b>: <a 9418 * href="https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html">PutKeyPolicy</a> 9419 * </p> 9420 * <p> 9421 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 9422 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 9423 * consistency</a>. 9424 * </p> 9425 * <br/> 9426 * <p> 9427 * This is a convenience which creates an instance of the {@link GetKeyPolicyRequest.Builder} avoiding the need to 9428 * create one manually via {@link GetKeyPolicyRequest#builder()} 9429 * </p> 9430 * 9431 * @param getKeyPolicyRequest 9432 * A {@link Consumer} that will call methods on 9433 * {@link software.amazon.awssdk.services.kms.model.GetKeyPolicyRequest.Builder} to create a request. 9434 * @return Result of the GetKeyPolicy operation returned by the service. 9435 * @throws NotFoundException 9436 * The request was rejected because the specified entity or resource could not be found. 9437 * @throws InvalidArnException 9438 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 9439 * @throws DependencyTimeoutException 9440 * The system timed out while trying to fulfill the request. You can retry the request. 9441 * @throws KmsInternalException 9442 * The request was rejected because an internal exception occurred. The request can be retried. 
9443 * @throws KmsInvalidStateException 9444 * The request was rejected because the state of the specified resource is not valid for this request.</p> 9445 * <p> 9446 * This exceptions means one of the following: 9447 * </p> 9448 * <ul> 9449 * <li> 9450 * <p> 9451 * The key state of the KMS key is not compatible with the operation. 9452 * </p> 9453 * <p> 9454 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 9455 * are compatible with each KMS operation, see <a 9456 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 9457 * the <i> <i>Key Management Service Developer Guide</i> </i>. 9458 * </p> 9459 * </li> 9460 * <li> 9461 * <p> 9462 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 9463 * failure with many possible causes. To identify the cause, see the error message that accompanies the 9464 * exception. 9465 * </p> 9466 * </li> 9467 * @throws SdkException 9468 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 9469 * catch all scenarios. 9470 * @throws SdkClientException 9471 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 9472 * @throws KmsException 9473 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
     * @sample KmsClient.GetKeyPolicy
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyPolicy" target="_top">AWS API
     *      Documentation</a>
     */
    default GetKeyPolicyResponse getKeyPolicy(Consumer<GetKeyPolicyRequest.Builder> getKeyPolicyRequest)
            throws NotFoundException,
            InvalidArnException,
            DependencyTimeoutException,
            KmsInternalException,
            KmsInvalidStateException,
            AwsServiceException,
            SdkClientException,
            KmsException {
        // Let the caller's mutator populate a fresh builder, then delegate to the request-object overload.
        GetKeyPolicyRequest request = GetKeyPolicyRequest.builder().applyMutation(getKeyPolicyRequest).build();
        return getKeyPolicy(request);
    }

    /**
     * <p>
     * Gets a Boolean value that indicates whether <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html">automatic rotation of the key
     * material</a> is enabled for the specified KMS key.
     * </p>
     * <p>
     * When you enable automatic rotation for <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed KMS
     * keys</a>, KMS rotates the key material of the KMS key one year (approximately 365 days) from the enable date and
     * every year thereafter. You can monitor rotation of the key material for your KMS keys in CloudTrail and Amazon
     * CloudWatch.
     * </p>
     * <p>
     * Automatic key rotation is supported only on <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks">symmetric encryption
     * KMS keys</a>.
You cannot enable automatic rotation of <a 9501 * href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, 9502 * <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys with <a 9503 * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or 9504 * KMS keys in a <a 9505 * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. 9506 * To enable or disable automatic rotation of a set of related <a 9507 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate" 9508 * >multi-Region keys</a>, set the property on the primary key.. 9509 * </p> 9510 * <p> 9511 * You can enable (<a>EnableKeyRotation</a>) and disable automatic rotation (<a>DisableKeyRotation</a>) of the key 9512 * material in customer managed KMS keys. Key material rotation of <a 9513 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web Services 9514 * managed KMS keys</a> is not configurable. KMS always rotates the key material in Amazon Web Services managed KMS 9515 * keys every year. The key rotation status for Amazon Web Services managed KMS keys is always <code>true</code>. 9516 * </p> 9517 * <note> 9518 * <p> 9519 * In May 2022, KMS changed the rotation schedule for Amazon Web Services managed keys from every three years to 9520 * every year. For details, see <a>EnableKeyRotation</a>. 9521 * </p> 9522 * </note> 9523 * <p> 9524 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 9525 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 9526 * <i>Key Management Service Developer Guide</i>. 
9527 * </p> 9528 * <ul> 9529 * <li> 9530 * <p> 9531 * Disabled: The key rotation status does not change when you disable a KMS key. However, while the KMS key is 9532 * disabled, KMS does not rotate the key material. When you re-enable the KMS key, rotation resumes. If the key 9533 * material in the re-enabled KMS key hasn't been rotated in one year, KMS rotates it immediately, and every year 9534 * thereafter. If it's been less than a year since the key material in the re-enabled KMS key was rotated, the KMS 9535 * key resumes its prior rotation schedule. 9536 * </p> 9537 * </li> 9538 * <li> 9539 * <p> 9540 * Pending deletion: While a KMS key is pending deletion, its key rotation status is <code>false</code> and KMS does 9541 * not rotate the key material. If you cancel the deletion, the original key rotation status returns to 9542 * <code>true</code>. 9543 * </p> 9544 * </li> 9545 * </ul> 9546 * <p> 9547 * <b>Cross-account use</b>: Yes. To perform this operation on a KMS key in a different Amazon Web Services account, 9548 * specify the key ARN in the value of the <code>KeyId</code> parameter. 9549 * </p> 9550 * <p> 9551 * <b>Required permissions</b>: <a 9552 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 9553 * >kms:GetKeyRotationStatus</a> (key policy) 9554 * </p> 9555 * <p> 9556 * <b>Related operations:</b> 9557 * </p> 9558 * <ul> 9559 * <li> 9560 * <p> 9561 * <a>DisableKeyRotation</a> 9562 * </p> 9563 * </li> 9564 * <li> 9565 * <p> 9566 * <a>EnableKeyRotation</a> 9567 * </p> 9568 * </li> 9569 * </ul> 9570 * <p> 9571 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 9572 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 9573 * consistency</a>. 9574 * </p> 9575 * 9576 * @param getKeyRotationStatusRequest 9577 * @return Result of the GetKeyRotationStatus operation returned by the service. 
9578 * @throws NotFoundException 9579 * The request was rejected because the specified entity or resource could not be found. 9580 * @throws InvalidArnException 9581 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 9582 * @throws DependencyTimeoutException 9583 * The system timed out while trying to fulfill the request. You can retry the request. 9584 * @throws KmsInternalException 9585 * The request was rejected because an internal exception occurred. The request can be retried. 9586 * @throws KmsInvalidStateException 9587 * The request was rejected because the state of the specified resource is not valid for this request.</p> 9588 * <p> 9589 * This exceptions means one of the following: 9590 * </p> 9591 * <ul> 9592 * <li> 9593 * <p> 9594 * The key state of the KMS key is not compatible with the operation. 9595 * </p> 9596 * <p> 9597 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 9598 * are compatible with each KMS operation, see <a 9599 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 9600 * the <i> <i>Key Management Service Developer Guide</i> </i>. 9601 * </p> 9602 * </li> 9603 * <li> 9604 * <p> 9605 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 9606 * failure with many possible causes. To identify the cause, see the error message that accompanies the 9607 * exception. 9608 * </p> 9609 * </li> 9610 * @throws UnsupportedOperationException 9611 * The request was rejected because a specified parameter is not supported or a specified resource is not 9612 * valid for this operation. 9613 * @throws SdkException 9614 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 9615 * catch all scenarios. 
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.GetKeyRotationStatus
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyRotationStatus" target="_top">AWS API
     *      Documentation</a>
     */
    default GetKeyRotationStatusResponse getKeyRotationStatus(GetKeyRotationStatusRequest getKeyRotationStatusRequest)
            throws NotFoundException,
                   InvalidArnException,
                   DependencyTimeoutException,
                   KmsInternalException,
                   KmsInvalidStateException,
                   software.amazon.awssdk.services.kms.model.UnsupportedOperationException,
                   AwsServiceException,
                   SdkClientException,
                   KmsException {
        // Default interface body: it sends no request and always throws, so a client that does not override
        // this method cannot serve the operation.
        // NOTE(review): the unqualified name below presumably resolves to java.lang.UnsupportedOperationException,
        // because the KMS model exception of the same name is written fully qualified in the throws clause. A
        // catch of the model type would then not see this exception - confirm against the import list.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Gets a Boolean value that indicates whether <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html">automatic rotation of the key
     * material</a> is enabled for the specified KMS key.
     * </p>
     * <p>
     * When you enable automatic rotation for <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed KMS
     * keys</a>, KMS rotates the key material of the KMS key one year (approximately 365 days) from the enable date and
     * every year thereafter. You can monitor rotation of the key material for your KMS keys in CloudTrail and Amazon
     * CloudWatch.
     * </p>
     * <p>
     * Automatic key rotation is supported only on <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks">symmetric encryption
     * KMS keys</a>.
You cannot enable automatic rotation of <a 9648 * href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">asymmetric KMS keys</a>, 9649 * <a href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC KMS keys</a>, KMS keys with <a 9650 * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">imported key material</a>, or 9651 * KMS keys in a <a 9652 * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. 9653 * To enable or disable automatic rotation of a set of related <a 9654 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-rotate" 9655 * >multi-Region keys</a>, set the property on the primary key.. 9656 * </p> 9657 * <p> 9658 * You can enable (<a>EnableKeyRotation</a>) and disable automatic rotation (<a>DisableKeyRotation</a>) of the key 9659 * material in customer managed KMS keys. Key material rotation of <a 9660 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web Services 9661 * managed KMS keys</a> is not configurable. KMS always rotates the key material in Amazon Web Services managed KMS 9662 * keys every year. The key rotation status for Amazon Web Services managed KMS keys is always <code>true</code>. 9663 * </p> 9664 * <note> 9665 * <p> 9666 * In May 2022, KMS changed the rotation schedule for Amazon Web Services managed keys from every three years to 9667 * every year. For details, see <a>EnableKeyRotation</a>. 9668 * </p> 9669 * </note> 9670 * <p> 9671 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 9672 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 9673 * <i>Key Management Service Developer Guide</i>. 
9674 * </p> 9675 * <ul> 9676 * <li> 9677 * <p> 9678 * Disabled: The key rotation status does not change when you disable a KMS key. However, while the KMS key is 9679 * disabled, KMS does not rotate the key material. When you re-enable the KMS key, rotation resumes. If the key 9680 * material in the re-enabled KMS key hasn't been rotated in one year, KMS rotates it immediately, and every year 9681 * thereafter. If it's been less than a year since the key material in the re-enabled KMS key was rotated, the KMS 9682 * key resumes its prior rotation schedule. 9683 * </p> 9684 * </li> 9685 * <li> 9686 * <p> 9687 * Pending deletion: While a KMS key is pending deletion, its key rotation status is <code>false</code> and KMS does 9688 * not rotate the key material. If you cancel the deletion, the original key rotation status returns to 9689 * <code>true</code>. 9690 * </p> 9691 * </li> 9692 * </ul> 9693 * <p> 9694 * <b>Cross-account use</b>: Yes. To perform this operation on a KMS key in a different Amazon Web Services account, 9695 * specify the key ARN in the value of the <code>KeyId</code> parameter. 9696 * </p> 9697 * <p> 9698 * <b>Required permissions</b>: <a 9699 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 9700 * >kms:GetKeyRotationStatus</a> (key policy) 9701 * </p> 9702 * <p> 9703 * <b>Related operations:</b> 9704 * </p> 9705 * <ul> 9706 * <li> 9707 * <p> 9708 * <a>DisableKeyRotation</a> 9709 * </p> 9710 * </li> 9711 * <li> 9712 * <p> 9713 * <a>EnableKeyRotation</a> 9714 * </p> 9715 * </li> 9716 * </ul> 9717 * <p> 9718 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 9719 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 9720 * consistency</a>. 
9721 * </p> 9722 * <br/> 9723 * <p> 9724 * This is a convenience which creates an instance of the {@link GetKeyRotationStatusRequest.Builder} avoiding the 9725 * need to create one manually via {@link GetKeyRotationStatusRequest#builder()} 9726 * </p> 9727 * 9728 * @param getKeyRotationStatusRequest 9729 * A {@link Consumer} that will call methods on 9730 * {@link software.amazon.awssdk.services.kms.model.GetKeyRotationStatusRequest.Builder} to create a request. 9731 * @return Result of the GetKeyRotationStatus operation returned by the service. 9732 * @throws NotFoundException 9733 * The request was rejected because the specified entity or resource could not be found. 9734 * @throws InvalidArnException 9735 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 9736 * @throws DependencyTimeoutException 9737 * The system timed out while trying to fulfill the request. You can retry the request. 9738 * @throws KmsInternalException 9739 * The request was rejected because an internal exception occurred. The request can be retried. 9740 * @throws KmsInvalidStateException 9741 * The request was rejected because the state of the specified resource is not valid for this request.</p> 9742 * <p> 9743 * This exceptions means one of the following: 9744 * </p> 9745 * <ul> 9746 * <li> 9747 * <p> 9748 * The key state of the KMS key is not compatible with the operation. 9749 * </p> 9750 * <p> 9751 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 9752 * are compatible with each KMS operation, see <a 9753 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 9754 * the <i> <i>Key Management Service Developer Guide</i> </i>. 9755 * </p> 9756 * </li> 9757 * <li> 9758 * <p> 9759 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 9760 * failure with many possible causes. 
     *         To identify the cause, see the error message that accompanies the
     *         exception.
     *         </p>
     *         </li>
     *         </ul>
     * @throws UnsupportedOperationException
     *         The request was rejected because a specified parameter is not supported or a specified resource is not
     *         valid for this operation. (This is the KMS model exception that the throws clause names by its fully
     *         qualified name.)
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.GetKeyRotationStatus
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyRotationStatus" target="_top">AWS API
     *      Documentation</a>
     */
    default GetKeyRotationStatusResponse getKeyRotationStatus(
            Consumer<GetKeyRotationStatusRequest.Builder> getKeyRotationStatusRequest)
            throws NotFoundException,
                   InvalidArnException,
                   DependencyTimeoutException,
                   KmsInternalException,
                   KmsInvalidStateException,
                   software.amazon.awssdk.services.kms.model.UnsupportedOperationException,
                   AwsServiceException,
                   SdkClientException,
                   KmsException {
        // Let the caller's consumer populate a fresh builder, then hand the built request to the
        // request-object overload; this method adds no behaviour of its own.
        GetKeyRotationStatusRequest request =
                GetKeyRotationStatusRequest.builder().applyMutation(getKeyRotationStatusRequest).build();
        return getKeyRotationStatus(request);
    }

    /**
     * <p>
     * Returns the public key and an import token you need to import or reimport key material for a KMS key.
     * </p>
     * <p>
     * By default, KMS keys are created with key material that KMS generates.
This operation supports <a 9792 * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing key material</a>, an 9793 * advanced feature that lets you generate and import the cryptographic key material for a KMS key. For more 9794 * information about importing key material into KMS, see <a 9795 * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing key material</a> in 9796 * the <i>Key Management Service Developer Guide</i>. 9797 * </p> 9798 * <p> 9799 * Before calling <code>GetParametersForImport</code>, use the <a>CreateKey</a> operation with an 9800 * <code>Origin</code> value of <code>EXTERNAL</code> to create a KMS key with no key material. You can import key 9801 * material for a symmetric encryption KMS key, HMAC KMS key, asymmetric encryption KMS key, or asymmetric signing 9802 * KMS key. You can also import key material into a <a 9803 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html">multi-Region key</a> 9804 * of any supported type. However, you can't import key material into a KMS key in a <a 9805 * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. 9806 * You can also use <code>GetParametersForImport</code> to get a public key and import token to <a 9807 * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material">reimport 9808 * the original key material</a> into a KMS key whose key material expired or was deleted. 9809 * </p> 9810 * <p> 9811 * <code>GetParametersForImport</code> returns the items that you need to import your key material. 9812 * </p> 9813 * <ul> 9814 * <li> 9815 * <p> 9816 * The public key (or "wrapping key") of an RSA key pair that KMS generates. 9817 * </p> 9818 * <p> 9819 * You will use this public key to encrypt ("wrap") your key material while it's in transit to KMS. 
9820 * </p> 9821 * </li> 9822 * <li> 9823 * <p> 9824 * A import token that ensures that KMS can decrypt your key material and associate it with the correct KMS key. 9825 * </p> 9826 * </li> 9827 * </ul> 9828 * <p> 9829 * The public key and its import token are permanently linked and must be used together. Each public key and import 9830 * token set is valid for 24 hours. The expiration date and time appear in the <code>ParametersValidTo</code> field 9831 * in the <code>GetParametersForImport</code> response. You cannot use an expired public key or import token in an 9832 * <a>ImportKeyMaterial</a> request. If your key and token expire, send another <code>GetParametersForImport</code> 9833 * request. 9834 * </p> 9835 * <p> 9836 * <code>GetParametersForImport</code> requires the following information: 9837 * </p> 9838 * <ul> 9839 * <li> 9840 * <p> 9841 * The key ID of the KMS key for which you are importing the key material. 9842 * </p> 9843 * </li> 9844 * <li> 9845 * <p> 9846 * The key spec of the public key ("wrapping key") that you will use to encrypt your key material during import. 9847 * </p> 9848 * </li> 9849 * <li> 9850 * <p> 9851 * The wrapping algorithm that you will use with the public key to encrypt your key material. 9852 * </p> 9853 * </li> 9854 * </ul> 9855 * <p> 9856 * You can use the same or a different public key spec and wrapping algorithm each time you import or reimport the 9857 * same key material. 9858 * </p> 9859 * <p> 9860 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 9861 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 9862 * <i>Key Management Service Developer Guide</i>. 9863 * </p> 9864 * <p> 9865 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 9866 * account. 
9867 * </p> 9868 * <p> 9869 * <b>Required permissions</b>: <a 9870 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 9871 * >kms:GetParametersForImport</a> (key policy) 9872 * </p> 9873 * <p> 9874 * <b>Related operations:</b> 9875 * </p> 9876 * <ul> 9877 * <li> 9878 * <p> 9879 * <a>ImportKeyMaterial</a> 9880 * </p> 9881 * </li> 9882 * <li> 9883 * <p> 9884 * <a>DeleteImportedKeyMaterial</a> 9885 * </p> 9886 * </li> 9887 * </ul> 9888 * <p> 9889 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 9890 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 9891 * consistency</a>. 9892 * </p> 9893 * 9894 * @param getParametersForImportRequest 9895 * @return Result of the GetParametersForImport operation returned by the service. 9896 * @throws InvalidArnException 9897 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 9898 * @throws UnsupportedOperationException 9899 * The request was rejected because a specified parameter is not supported or a specified resource is not 9900 * valid for this operation. 9901 * @throws DependencyTimeoutException 9902 * The system timed out while trying to fulfill the request. You can retry the request. 9903 * @throws NotFoundException 9904 * The request was rejected because the specified entity or resource could not be found. 9905 * @throws KmsInternalException 9906 * The request was rejected because an internal exception occurred. The request can be retried. 9907 * @throws KmsInvalidStateException 9908 * The request was rejected because the state of the specified resource is not valid for this request.</p> 9909 * <p> 9910 * This exceptions means one of the following: 9911 * </p> 9912 * <ul> 9913 * <li> 9914 * <p> 9915 * The key state of the KMS key is not compatible with the operation. 
     *         </p>
     *         <p>
     *         To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states
     *         are compatible with each KMS operation, see <a
     *         href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
     *         the <i>Key Management Service Developer Guide</i>.
     *         </p>
     *         </li>
     *         <li>
     *         <p>
     *         For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     *         failure with many possible causes. To identify the cause, see the error message that accompanies the
     *         exception.
     *         </p>
     *         </li>
     *         </ul>
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.GetParametersForImport
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImport" target="_top">AWS
     *      API Documentation</a>
     */
    default GetParametersForImportResponse getParametersForImport(
            GetParametersForImportRequest getParametersForImportRequest)
            throws InvalidArnException,
                   software.amazon.awssdk.services.kms.model.UnsupportedOperationException,
                   DependencyTimeoutException,
                   NotFoundException,
                   KmsInternalException,
                   KmsInvalidStateException,
                   AwsServiceException,
                   SdkClientException,
                   KmsException {
        // Default interface body: no request is sent and no wrapping key or import token is produced; the
        // call always throws unless a concrete client overrides this method.
        // NOTE(review): the unqualified name presumably resolves to java.lang.UnsupportedOperationException,
        // since the KMS model exception of the same name appears fully qualified in the throws clause - confirm
        // against the import list before catching by type.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Returns the public key and an import token you need to import or reimport key material for a KMS key.
9952 * </p> 9953 * <p> 9954 * By default, KMS keys are created with key material that KMS generates. This operation supports <a 9955 * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing key material</a>, an 9956 * advanced feature that lets you generate and import the cryptographic key material for a KMS key. For more 9957 * information about importing key material into KMS, see <a 9958 * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing key material</a> in 9959 * the <i>Key Management Service Developer Guide</i>. 9960 * </p> 9961 * <p> 9962 * Before calling <code>GetParametersForImport</code>, use the <a>CreateKey</a> operation with an 9963 * <code>Origin</code> value of <code>EXTERNAL</code> to create a KMS key with no key material. You can import key 9964 * material for a symmetric encryption KMS key, HMAC KMS key, asymmetric encryption KMS key, or asymmetric signing 9965 * KMS key. You can also import key material into a <a 9966 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html">multi-Region key</a> 9967 * of any supported type. However, you can't import key material into a KMS key in a <a 9968 * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. 9969 * You can also use <code>GetParametersForImport</code> to get a public key and import token to <a 9970 * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material">reimport 9971 * the original key material</a> into a KMS key whose key material expired or was deleted. 9972 * </p> 9973 * <p> 9974 * <code>GetParametersForImport</code> returns the items that you need to import your key material. 9975 * </p> 9976 * <ul> 9977 * <li> 9978 * <p> 9979 * The public key (or "wrapping key") of an RSA key pair that KMS generates. 
9980 * </p> 9981 * <p> 9982 * You will use this public key to encrypt ("wrap") your key material while it's in transit to KMS. 9983 * </p> 9984 * </li> 9985 * <li> 9986 * <p> 9987 * A import token that ensures that KMS can decrypt your key material and associate it with the correct KMS key. 9988 * </p> 9989 * </li> 9990 * </ul> 9991 * <p> 9992 * The public key and its import token are permanently linked and must be used together. Each public key and import 9993 * token set is valid for 24 hours. The expiration date and time appear in the <code>ParametersValidTo</code> field 9994 * in the <code>GetParametersForImport</code> response. You cannot use an expired public key or import token in an 9995 * <a>ImportKeyMaterial</a> request. If your key and token expire, send another <code>GetParametersForImport</code> 9996 * request. 9997 * </p> 9998 * <p> 9999 * <code>GetParametersForImport</code> requires the following information: 10000 * </p> 10001 * <ul> 10002 * <li> 10003 * <p> 10004 * The key ID of the KMS key for which you are importing the key material. 10005 * </p> 10006 * </li> 10007 * <li> 10008 * <p> 10009 * The key spec of the public key ("wrapping key") that you will use to encrypt your key material during import. 10010 * </p> 10011 * </li> 10012 * <li> 10013 * <p> 10014 * The wrapping algorithm that you will use with the public key to encrypt your key material. 10015 * </p> 10016 * </li> 10017 * </ul> 10018 * <p> 10019 * You can use the same or a different public key spec and wrapping algorithm each time you import or reimport the 10020 * same key material. 10021 * </p> 10022 * <p> 10023 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 10024 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 10025 * <i>Key Management Service Developer Guide</i>. 10026 * </p> 10027 * <p> 10028 * <b>Cross-account use</b>: No. 
You cannot perform this operation on a KMS key in a different Amazon Web Services 10029 * account. 10030 * </p> 10031 * <p> 10032 * <b>Required permissions</b>: <a 10033 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 10034 * >kms:GetParametersForImport</a> (key policy) 10035 * </p> 10036 * <p> 10037 * <b>Related operations:</b> 10038 * </p> 10039 * <ul> 10040 * <li> 10041 * <p> 10042 * <a>ImportKeyMaterial</a> 10043 * </p> 10044 * </li> 10045 * <li> 10046 * <p> 10047 * <a>DeleteImportedKeyMaterial</a> 10048 * </p> 10049 * </li> 10050 * </ul> 10051 * <p> 10052 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 10053 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 10054 * consistency</a>. 10055 * </p> 10056 * <br/> 10057 * <p> 10058 * This is a convenience which creates an instance of the {@link GetParametersForImportRequest.Builder} avoiding the 10059 * need to create one manually via {@link GetParametersForImportRequest#builder()} 10060 * </p> 10061 * 10062 * @param getParametersForImportRequest 10063 * A {@link Consumer} that will call methods on 10064 * {@link software.amazon.awssdk.services.kms.model.GetParametersForImportRequest.Builder} to create a 10065 * request. 10066 * @return Result of the GetParametersForImport operation returned by the service. 10067 * @throws InvalidArnException 10068 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 10069 * @throws UnsupportedOperationException 10070 * The request was rejected because a specified parameter is not supported or a specified resource is not 10071 * valid for this operation. 10072 * @throws DependencyTimeoutException 10073 * The system timed out while trying to fulfill the request. You can retry the request. 
10074 * @throws NotFoundException 10075 * The request was rejected because the specified entity or resource could not be found. 10076 * @throws KmsInternalException 10077 * The request was rejected because an internal exception occurred. The request can be retried. 10078 * @throws KmsInvalidStateException 10079 * The request was rejected because the state of the specified resource is not valid for this request.</p> 10080 * <p> 10081 * This exceptions means one of the following: 10082 * </p> 10083 * <ul> 10084 * <li> 10085 * <p> 10086 * The key state of the KMS key is not compatible with the operation. 10087 * </p> 10088 * <p> 10089 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 10090 * are compatible with each KMS operation, see <a 10091 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 10092 * the <i> <i>Key Management Service Developer Guide</i> </i>. 10093 * </p> 10094 * </li> 10095 * <li> 10096 * <p> 10097 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 10098 * failure with many possible causes. To identify the cause, see the error message that accompanies the 10099 * exception. 10100 * </p> 10101 * </li> 10102 * @throws SdkException 10103 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 10104 * catch all scenarios. 10105 * @throws SdkClientException 10106 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 10107 * @throws KmsException 10108 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
     * @sample KmsClient.GetParametersForImport
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImport" target="_top">AWS
     *      API Documentation</a>
     */
    default GetParametersForImportResponse getParametersForImport(
            Consumer<GetParametersForImportRequest.Builder> getParametersForImportRequest)
            throws InvalidArnException,
                   software.amazon.awssdk.services.kms.model.UnsupportedOperationException,
                   DependencyTimeoutException,
                   NotFoundException,
                   KmsInternalException,
                   KmsInvalidStateException,
                   AwsServiceException,
                   SdkClientException,
                   KmsException {
        // Let the caller's consumer populate a fresh builder, then delegate to the request-object overload.
        GetParametersForImportRequest request =
                GetParametersForImportRequest.builder().applyMutation(getParametersForImportRequest).build();
        return getParametersForImport(request);
    }

    /**
     * <p>
     * Returns the public key of an asymmetric KMS key. Unlike the private key of an asymmetric KMS key, which never
     * leaves KMS unencrypted, callers with <code>kms:GetPublicKey</code> permission can download the public key of an
     * asymmetric KMS key. You can share the public key to allow others to encrypt messages and verify signatures
     * outside of KMS. For information about asymmetric KMS keys, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in
     * the <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * You do not need to download the public key. Instead, you can use the public key within KMS by calling the
     * <a>Encrypt</a>, <a>ReEncrypt</a>, or <a>Verify</a> operations with the identifier of an asymmetric KMS key. When
     * you use the public key within KMS, you benefit from the authentication, authorization, and logging that are part
     * of every KMS operation. You also reduce the risk of encrypting data that cannot be decrypted.
     * These features are
     * not effective outside of KMS.
     * </p>
     * <p>
     * To help you use the public key safely outside of KMS, <code>GetPublicKey</code> returns important information
     * about the public key in the response, including:
     * </p>
     * <ul>
     * <li>
     * <p>
     * <a href=
     * "https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-KeySpec"
     * >KeySpec</a>: The type of key material in the public key, such as <code>RSA_4096</code> or
     * <code>ECC_NIST_P521</code>.
     * </p>
     * </li>
     * <li>
     * <p>
     * <a href=
     * "https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-KeyUsage"
     * >KeyUsage</a>: Whether the key is used for encryption or signing.
     * </p>
     * </li>
     * <li>
     * <p>
     * <a href=
     * "https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-EncryptionAlgorithms"
     * >EncryptionAlgorithms</a> or <a href=
     * "https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-SigningAlgorithms"
     * >SigningAlgorithms</a>: A list of the encryption algorithms or the signing algorithms for the key.
     * </p>
     * </li>
     * </ul>
     * <p>
     * Although KMS cannot enforce these restrictions on external operations, it is crucial that you use this
     * information to prevent the public key from being used improperly. For example, you can prevent a public signing
     * key from being used to encrypt data, or prevent a public key from being used with an encryption algorithm that is
     * not supported by KMS. You can also avoid errors, such as using the wrong signing algorithm in a verification
     * operation.
10174 * </p> 10175 * <p> 10176 * To verify a signature outside of KMS with an SM2 public key (China Regions only), you must specify the 10177 * distinguishing ID. By default, KMS uses <code>1234567812345678</code> as the distinguishing ID. For more 10178 * information, see <a href= 10179 * "https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification" 10180 * >Offline verification with SM2 key pairs</a>. 10181 * </p> 10182 * <p> 10183 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 10184 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 10185 * <i>Key Management Service Developer Guide</i>. 10186 * </p> 10187 * <p> 10188 * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services 10189 * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. 10190 * </p> 10191 * <p> 10192 * <b>Required permissions</b>: <a 10193 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 10194 * >kms:GetPublicKey</a> (key policy) 10195 * </p> 10196 * <p> 10197 * <b>Related operations</b>: <a>CreateKey</a> 10198 * </p> 10199 * <p> 10200 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 10201 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 10202 * consistency</a>. 10203 * </p> 10204 * 10205 * @param getPublicKeyRequest 10206 * @return Result of the GetPublicKey operation returned by the service. 10207 * @throws NotFoundException 10208 * The request was rejected because the specified entity or resource could not be found. 10209 * @throws DisabledException 10210 * The request was rejected because the specified KMS key is not enabled. 
10211 * @throws KeyUnavailableException 10212 * The request was rejected because the specified KMS key was not available. You can retry the request. 10213 * @throws DependencyTimeoutException 10214 * The system timed out while trying to fulfill the request. You can retry the request. 10215 * @throws UnsupportedOperationException 10216 * The request was rejected because a specified parameter is not supported or a specified resource is not 10217 * valid for this operation. 10218 * @throws InvalidArnException 10219 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 10220 * @throws InvalidGrantTokenException 10221 * The request was rejected because the specified grant token is not valid. 10222 * @throws InvalidKeyUsageException 10223 * The request was rejected for one of the following reasons: </p> 10224 * <ul> 10225 * <li> 10226 * <p> 10227 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 10228 * </p> 10229 * </li> 10230 * <li> 10231 * <p> 10232 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 10233 * of key material in the KMS key <code>(KeySpec</code>). 10234 * </p> 10235 * </li> 10236 * </ul> 10237 * <p> 10238 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 10239 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 10240 * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the 10241 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 10242 * KMS key, use the <a>DescribeKey</a> operation. 10243 * </p> 10244 * <p> 10245 * To find the encryption or signing algorithms supported for a particular KMS key, use the 10246 * <a>DescribeKey</a> operation. 
 * @throws KmsInternalException
 *         The request was rejected because an internal exception occurred. The request can be retried.
 * @throws KmsInvalidStateException
 *         <p>
 *         The request was rejected because the state of the specified resource is not valid for this request.
 *         </p>
 *         <p>
 *         This exception means one of the following:
 *         </p>
 *         <ul>
 *         <li>
 *         <p>
 *         The key state of the KMS key is not compatible with the operation.
 *         </p>
 *         <p>
 *         To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states
 *         are compatible with each KMS operation, see <a
 *         href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
 *         the <i>Key Management Service Developer Guide</i>.
 *         </p>
 *         </li>
 *         <li>
 *         <p>
 *         For cryptographic operations on KMS keys in custom key stores, this exception represents a general
 *         failure with many possible causes. To identify the cause, see the error message that accompanies the
 *         exception.
 *         </p>
 *         </li>
 *         </ul>
 * @throws SdkException
 *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
 *         catch all scenarios.
 * @throws SdkClientException
 *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
 * @throws KmsException
 *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.GetPublicKey
 * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKey" target="_top">AWS API
 *      Documentation</a>
 */
default GetPublicKeyResponse getPublicKey(GetPublicKeyRequest getPublicKeyRequest)
        throws NotFoundException,
               DisabledException,
               KeyUnavailableException,
               DependencyTimeoutException,
               software.amazon.awssdk.services.kms.model.UnsupportedOperationException,
               InvalidArnException,
               InvalidGrantTokenException,
               InvalidKeyUsageException,
               KmsInternalException,
               KmsInvalidStateException,
               AwsServiceException,
               SdkClientException,
               KmsException {
    // Default stub of the interface method: it always throws and performs no request.
    // NOTE(review): the throws clause spells the KMS model exception out in full, so the simple name used
    // here presumably resolves to java.lang.UnsupportedOperationException; a caller that catches only the
    // KMS model exception would then not catch this one. Confirm against the import block.
    throw new UnsupportedOperationException();
}

/**
 * <p>
 * Returns the public key of an asymmetric KMS key. Unlike the private key of an asymmetric KMS key, which never
 * leaves KMS unencrypted, callers with <code>kms:GetPublicKey</code> permission can download the public key of an
 * asymmetric KMS key. You can share the public key to allow others to encrypt messages and verify signatures
 * outside of KMS. For information about asymmetric KMS keys, see <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in
 * the <i>Key Management Service Developer Guide</i>.
 * </p>
 * <p>
 * You do not need to download the public key. Instead, you can use the public key within KMS by calling the
 * <a>Encrypt</a>, <a>ReEncrypt</a>, or <a>Verify</a> operations with the identifier of an asymmetric KMS key. When
 * you use the public key within KMS, you benefit from the authentication, authorization, and logging that are part
 * of every KMS operation. You also reduce the risk of encrypting data that cannot be decrypted. These features are
 * not effective outside of KMS.
 * </p>
 * <p>
 * To help you use the public key safely outside of KMS, <code>GetPublicKey</code> returns important information
 * about the public key in the response, including:
 * </p>
 * <ul>
 * <li>
 * <p>
 * <a href=
 * "https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-KeySpec"
 * >KeySpec</a>: The type of key material in the public key, such as <code>RSA_4096</code> or
 * <code>ECC_NIST_P521</code>.
 * </p>
 * </li>
 * <li>
 * <p>
 * <a href=
 * "https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-KeyUsage"
 * >KeyUsage</a>: Whether the key is used for encryption or signing.
 * </p>
 * </li>
 * <li>
 * <p>
 * <a href=
 * "https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-EncryptionAlgorithms"
 * >EncryptionAlgorithms</a> or <a href=
 * "https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-SigningAlgorithms"
 * >SigningAlgorithms</a>: A list of the encryption algorithms or the signing algorithms for the key.
 * </p>
 * </li>
 * </ul>
 * <p>
 * Although KMS cannot enforce these restrictions on external operations, it is crucial that you use this
 * information to prevent the public key from being used improperly. For example, you can prevent a public signing
 * key from being used to encrypt data, or prevent a public key from being used with an encryption algorithm that is
 * not supported by KMS. You can also avoid errors, such as using the wrong signing algorithm in a verification
 * operation.
 * </p>
 * <p>
 * To verify a signature outside of KMS with an SM2 public key (China Regions only), you must specify the
 * distinguishing ID.
By default, KMS uses <code>1234567812345678</code> as the distinguishing ID. For more 10349 * information, see <a href= 10350 * "https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification" 10351 * >Offline verification with SM2 key pairs</a>. 10352 * </p> 10353 * <p> 10354 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 10355 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 10356 * <i>Key Management Service Developer Guide</i>. 10357 * </p> 10358 * <p> 10359 * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services 10360 * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. 10361 * </p> 10362 * <p> 10363 * <b>Required permissions</b>: <a 10364 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 10365 * >kms:GetPublicKey</a> (key policy) 10366 * </p> 10367 * <p> 10368 * <b>Related operations</b>: <a>CreateKey</a> 10369 * </p> 10370 * <p> 10371 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 10372 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 10373 * consistency</a>. 10374 * </p> 10375 * <br/> 10376 * <p> 10377 * This is a convenience which creates an instance of the {@link GetPublicKeyRequest.Builder} avoiding the need to 10378 * create one manually via {@link GetPublicKeyRequest#builder()} 10379 * </p> 10380 * 10381 * @param getPublicKeyRequest 10382 * A {@link Consumer} that will call methods on 10383 * {@link software.amazon.awssdk.services.kms.model.GetPublicKeyRequest.Builder} to create a request. 10384 * @return Result of the GetPublicKey operation returned by the service. 
10385 * @throws NotFoundException 10386 * The request was rejected because the specified entity or resource could not be found. 10387 * @throws DisabledException 10388 * The request was rejected because the specified KMS key is not enabled. 10389 * @throws KeyUnavailableException 10390 * The request was rejected because the specified KMS key was not available. You can retry the request. 10391 * @throws DependencyTimeoutException 10392 * The system timed out while trying to fulfill the request. You can retry the request. 10393 * @throws UnsupportedOperationException 10394 * The request was rejected because a specified parameter is not supported or a specified resource is not 10395 * valid for this operation. 10396 * @throws InvalidArnException 10397 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 10398 * @throws InvalidGrantTokenException 10399 * The request was rejected because the specified grant token is not valid. 10400 * @throws InvalidKeyUsageException 10401 * The request was rejected for one of the following reasons: </p> 10402 * <ul> 10403 * <li> 10404 * <p> 10405 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 10406 * </p> 10407 * </li> 10408 * <li> 10409 * <p> 10410 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 10411 * of key material in the KMS key <code>(KeySpec</code>). 10412 * </p> 10413 * </li> 10414 * </ul> 10415 * <p> 10416 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 10417 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 10418 * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the 10419 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 10420 * KMS key, use the <a>DescribeKey</a> operation. 
 *         </p>
 *         <p>
 *         To find the encryption or signing algorithms supported for a particular KMS key, use the
 *         <a>DescribeKey</a> operation.
 *         </p>
 * @throws KmsInternalException
 *         The request was rejected because an internal exception occurred. The request can be retried.
 * @throws KmsInvalidStateException
 *         <p>
 *         The request was rejected because the state of the specified resource is not valid for this request.
 *         </p>
 *         <p>
 *         This exception means one of the following:
 *         </p>
 *         <ul>
 *         <li>
 *         <p>
 *         The key state of the KMS key is not compatible with the operation.
 *         </p>
 *         <p>
 *         To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states
 *         are compatible with each KMS operation, see <a
 *         href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
 *         the <i>Key Management Service Developer Guide</i>.
 *         </p>
 *         </li>
 *         <li>
 *         <p>
 *         For cryptographic operations on KMS keys in custom key stores, this exception represents a general
 *         failure with many possible causes. To identify the cause, see the error message that accompanies the
 *         exception.
 *         </p>
 *         </li>
 *         </ul>
 * @throws SdkException
 *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
 *         catch all scenarios.
 * @throws SdkClientException
 *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
 * @throws KmsException
 *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.GetPublicKey
 * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKey" target="_top">AWS API
 *      Documentation</a>
 */
default GetPublicKeyResponse getPublicKey(Consumer<GetPublicKeyRequest.Builder> getPublicKeyRequest)
        throws NotFoundException,
               DisabledException,
               KeyUnavailableException,
               DependencyTimeoutException,
               software.amazon.awssdk.services.kms.model.UnsupportedOperationException,
               InvalidArnException,
               InvalidGrantTokenException,
               InvalidKeyUsageException,
               KmsInternalException,
               KmsInvalidStateException,
               AwsServiceException,
               SdkClientException,
               KmsException {
    // Let the caller's consumer configure a fresh builder, then hand the built request to the
    // request-object overload.
    GetPublicKeyRequest builtRequest =
            GetPublicKeyRequest.builder().applyMutation(getPublicKeyRequest).build();
    return getPublicKey(builtRequest);
}

/**
 * <p>
 * Imports or reimports key material into an existing KMS key that was created without key material.
 * <code>ImportKeyMaterial</code> also sets the expiration model and expiration date of the imported key material.
 * </p>
 * <p>
 * By default, KMS keys are created with key material that KMS generates. This operation supports <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing key material</a>, an
 * advanced feature that lets you generate and import the cryptographic key material for a KMS key. For more
 * information about importing key material into KMS, see <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing key material</a> in
 * the <i>Key Management Service Developer Guide</i>.
 * </p>
 * <p>
 * After you successfully import key material into a KMS key, you can <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material">reimport
 * the same key material</a> into that KMS key, but you cannot import different key material. You might reimport key
 * material to replace key material that expired or key material that you deleted. You might also reimport key
 * material to change the expiration model or expiration date of the key material. Before reimporting key material,
 * if necessary, call <a>DeleteImportedKeyMaterial</a> to delete the current imported key material.
 * </p>
 * <p>
 * Each time you import key material into KMS, you can determine whether (<code>ExpirationModel</code>) and when
 * (<code>ValidTo</code>) the key material expires. To change the expiration of your key material, you must import it
 * again, either by calling <code>ImportKeyMaterial</code> or using the <a href=
 * "https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-import-key-material.html#importing-keys-import-key-material-console"
 * >import features</a> of the KMS console.
 * </p>
 * <p>
 * Before calling <code>ImportKeyMaterial</code>:
 * </p>
 * <ul>
 * <li>
 * <p>
 * Create or identify a KMS key with no key material. The KMS key must have an <code>Origin</code> value of
 * <code>EXTERNAL</code>, which indicates that the KMS key is designed for imported key material.
 * </p>
 * <p>
 * To create a new KMS key for imported key material, call the <a>CreateKey</a> operation with an
 * <code>Origin</code> value of <code>EXTERNAL</code>. You can create a symmetric encryption KMS key, HMAC KMS key,
 * asymmetric encryption KMS key, or asymmetric signing KMS key.
You can also import key material into a <a 10512 * href="kms/latest/developerguide/multi-region-keys-overview.html">multi-Region key</a> of any supported type. 10513 * However, you can't import key material into a KMS key in a <a 10514 * href="kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. 10515 * </p> 10516 * </li> 10517 * <li> 10518 * <p> 10519 * Use the <a>DescribeKey</a> operation to verify that the <code>KeyState</code> of the KMS key is 10520 * <code>PendingImport</code>, which indicates that the KMS key has no key material. 10521 * </p> 10522 * <p> 10523 * If you are reimporting the same key material into an existing KMS key, you might need to call the 10524 * <a>DeleteImportedKeyMaterial</a> to delete its existing key material. 10525 * </p> 10526 * </li> 10527 * <li> 10528 * <p> 10529 * Call the <a>GetParametersForImport</a> operation to get a public key and import token set for importing key 10530 * material. 10531 * </p> 10532 * </li> 10533 * <li> 10534 * <p> 10535 * Use the public key in the <a>GetParametersForImport</a> response to encrypt your key material. 10536 * </p> 10537 * </li> 10538 * </ul> 10539 * <p> 10540 * Then, in an <code>ImportKeyMaterial</code> request, you submit your encrypted key material and import token. When 10541 * calling this operation, you must specify the following values: 10542 * </p> 10543 * <ul> 10544 * <li> 10545 * <p> 10546 * The key ID or key ARN of the KMS key to associate with the imported key material. Its <code>Origin</code> must be 10547 * <code>EXTERNAL</code> and its <code>KeyState</code> must be <code>PendingImport</code>. You cannot perform this 10548 * operation on a KMS key in a <a href="kms/latest/developerguide/custom-key-store-overview.html">custom key 10549 * store</a>, or on a KMS key in a different Amazon Web Services account. To get the <code>Origin</code> and 10550 * <code>KeyState</code> of a KMS key, call <a>DescribeKey</a>. 
10551 * </p> 10552 * </li> 10553 * <li> 10554 * <p> 10555 * The encrypted key material. 10556 * </p> 10557 * </li> 10558 * <li> 10559 * <p> 10560 * The import token that <a>GetParametersForImport</a> returned. You must use a public key and token from the same 10561 * <code>GetParametersForImport</code> response. 10562 * </p> 10563 * </li> 10564 * <li> 10565 * <p> 10566 * Whether the key material expires (<code>ExpirationModel</code>) and, if so, when (<code>ValidTo</code>). For help 10567 * with this choice, see <a href= 10568 * "https://docs.aws.amazon.com/en_us/kms/latest/developerguide/importing-keys.html#importing-keys-expiration" 10569 * >Setting an expiration time</a> in the <i>Key Management Service Developer Guide</i>. 10570 * </p> 10571 * <p> 10572 * If you set an expiration date, KMS deletes the key material from the KMS key on the specified date, making the 10573 * KMS key unusable. To use the KMS key in cryptographic operations again, you must reimport the same key material. 10574 * However, you can delete and reimport the key material at any time, including before the key material expires. 10575 * Each time you reimport, you can eliminate or reset the expiration time. 10576 * </p> 10577 * </li> 10578 * </ul> 10579 * <p> 10580 * When this operation is successful, the key state of the KMS key changes from <code>PendingImport</code> to 10581 * <code>Enabled</code>, and you can use the KMS key in cryptographic operations. 10582 * </p> 10583 * <p> 10584 * If this operation fails, use the exception to help determine the problem. If the error is related to the key 10585 * material, the import token, or wrapping key, use <a>GetParametersForImport</a> to get a new public key and import 10586 * token for the KMS key and repeat the import procedure. 
For help, see <a 10587 * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#importing-keys-overview">How To 10588 * Import Key Material</a> in the <i>Key Management Service Developer Guide</i>. 10589 * </p> 10590 * <p> 10591 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 10592 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 10593 * <i>Key Management Service Developer Guide</i>. 10594 * </p> 10595 * <p> 10596 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 10597 * account. 10598 * </p> 10599 * <p> 10600 * <b>Required permissions</b>: <a 10601 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 10602 * >kms:ImportKeyMaterial</a> (key policy) 10603 * </p> 10604 * <p> 10605 * <b>Related operations:</b> 10606 * </p> 10607 * <ul> 10608 * <li> 10609 * <p> 10610 * <a>DeleteImportedKeyMaterial</a> 10611 * </p> 10612 * </li> 10613 * <li> 10614 * <p> 10615 * <a>GetParametersForImport</a> 10616 * </p> 10617 * </li> 10618 * </ul> 10619 * <p> 10620 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 10621 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 10622 * consistency</a>. 10623 * </p> 10624 * 10625 * @param importKeyMaterialRequest 10626 * @return Result of the ImportKeyMaterial operation returned by the service. 10627 * @throws InvalidArnException 10628 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 10629 * @throws UnsupportedOperationException 10630 * The request was rejected because a specified parameter is not supported or a specified resource is not 10631 * valid for this operation. 
 * @throws DependencyTimeoutException
 *         The system timed out while trying to fulfill the request. You can retry the request.
 * @throws NotFoundException
 *         The request was rejected because the specified entity or resource could not be found.
 * @throws KmsInternalException
 *         The request was rejected because an internal exception occurred. The request can be retried.
 * @throws KmsInvalidStateException
 *         <p>
 *         The request was rejected because the state of the specified resource is not valid for this request.
 *         </p>
 *         <p>
 *         This exception means one of the following:
 *         </p>
 *         <ul>
 *         <li>
 *         <p>
 *         The key state of the KMS key is not compatible with the operation.
 *         </p>
 *         <p>
 *         To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states
 *         are compatible with each KMS operation, see <a
 *         href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
 *         the <i>Key Management Service Developer Guide</i>.
 *         </p>
 *         </li>
 *         <li>
 *         <p>
 *         For cryptographic operations on KMS keys in custom key stores, this exception represents a general
 *         failure with many possible causes. To identify the cause, see the error message that accompanies the
 *         exception.
 *         </p>
 *         </li>
 *         </ul>
 * @throws InvalidCiphertextException
 *         <p>
 *         From the <a>Decrypt</a> or <a>ReEncrypt</a> operation, the request was rejected because the specified
 *         ciphertext, or additional authenticated data incorporated into the ciphertext, such as the encryption
 *         context, is corrupted, missing, or otherwise invalid.
 *         </p>
 *         <p>
 *         From the <a>ImportKeyMaterial</a> operation, the request was rejected because KMS could not decrypt the
 *         encrypted (wrapped) key material.
 *         </p>
 * @throws IncorrectKeyMaterialException
 *         The request was rejected because the key material in the request is expired, invalid, or is not the same
 *         key material that was previously imported into this KMS key.
 * @throws ExpiredImportTokenException
 *         The request was rejected because the specified import token is expired. Use <a>GetParametersForImport</a>
 *         to get a new import token and public key, use the new public key to encrypt the key material, and then
 *         try the request again.
 * @throws InvalidImportTokenException
 *         The request was rejected because the provided import token is invalid or is associated with a different
 *         KMS key.
 * @throws SdkException
 *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
 *         catch all scenarios.
 * @throws SdkClientException
 *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
 * @throws KmsException
 *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.ImportKeyMaterial
 * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ImportKeyMaterial" target="_top">AWS API
 *      Documentation</a>
 */
default ImportKeyMaterialResponse importKeyMaterial(ImportKeyMaterialRequest importKeyMaterialRequest)
        throws InvalidArnException,
               software.amazon.awssdk.services.kms.model.UnsupportedOperationException,
               DependencyTimeoutException,
               NotFoundException,
               KmsInternalException,
               KmsInvalidStateException,
               InvalidCiphertextException,
               IncorrectKeyMaterialException,
               ExpiredImportTokenException,
               InvalidImportTokenException,
               AwsServiceException,
               SdkClientException,
               KmsException {
    // Default stub of the interface method: it always throws and performs no request.
    // NOTE(review): the throws clause spells the KMS model exception out in full, so the simple name used
    // here presumably resolves to java.lang.UnsupportedOperationException; a caller that catches only the
    // KMS model exception would then not catch this one. Confirm against the import block.
    throw new UnsupportedOperationException();
}

/**
 * <p>
 * Imports or reimports key material into an existing KMS key that was created without key material.
 * <code>ImportKeyMaterial</code> also sets the expiration model and expiration date of the imported key material.
 * </p>
 * <p>
 * By default, KMS keys are created with key material that KMS generates. This operation supports <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing key material</a>, an
 * advanced feature that lets you generate and import the cryptographic key material for a KMS key. For more
 * information about importing key material into KMS, see <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing key material</a> in
 * the <i>Key Management Service Developer Guide</i>.
10710 * </p> 10711 * <p> 10712 * After you successfully import key material into a KMS key, you can <a 10713 * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material">reimport 10714 * the same key material</a> into that KMS key, but you cannot import different key material. You might reimport key 10715 * material to replace key material that expired or key material that you deleted. You might also reimport key 10716 * material to change the expiration model or expiration date of the key material. Before reimporting key material, 10717 * if necessary, call <a>DeleteImportedKeyMaterial</a> to delete the current imported key material. 10718 * </p> 10719 * <p> 10720 * Each time you import key material into KMS, you can determine whether (<code>ExpirationModel</code>) and when ( 10721 * <code>ValidTo</code>) the key material expires. To change the expiration of your key material, you must import it 10722 * again, either by calling <code>ImportKeyMaterial</code> or using the <a href= 10723 * "kms/latest/developerguide/importing-keys-import-key-material.html#importing-keys-import-key-material-console" 10724 * >import features</a> of the KMS console. 10725 * </p> 10726 * <p> 10727 * Before calling <code>ImportKeyMaterial</code>: 10728 * </p> 10729 * <ul> 10730 * <li> 10731 * <p> 10732 * Create or identify a KMS key with no key material. The KMS key must have an <code>Origin</code> value of 10733 * <code>EXTERNAL</code>, which indicates that the KMS key is designed for imported key material. 10734 * </p> 10735 * <p> 10736 * To create an new KMS key for imported key material, call the <a>CreateKey</a> operation with an 10737 * <code>Origin</code> value of <code>EXTERNAL</code>. You can create a symmetric encryption KMS key, HMAC KMS key, 10738 * asymmetric encryption KMS key, or asymmetric signing KMS key. 
You can also import key material into a <a 10739 * href="kms/latest/developerguide/multi-region-keys-overview.html">multi-Region key</a> of any supported type. 10740 * However, you can't import key material into a KMS key in a <a 10741 * href="kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. 10742 * </p> 10743 * </li> 10744 * <li> 10745 * <p> 10746 * Use the <a>DescribeKey</a> operation to verify that the <code>KeyState</code> of the KMS key is 10747 * <code>PendingImport</code>, which indicates that the KMS key has no key material. 10748 * </p> 10749 * <p> 10750 * If you are reimporting the same key material into an existing KMS key, you might need to call the 10751 * <a>DeleteImportedKeyMaterial</a> to delete its existing key material. 10752 * </p> 10753 * </li> 10754 * <li> 10755 * <p> 10756 * Call the <a>GetParametersForImport</a> operation to get a public key and import token set for importing key 10757 * material. 10758 * </p> 10759 * </li> 10760 * <li> 10761 * <p> 10762 * Use the public key in the <a>GetParametersForImport</a> response to encrypt your key material. 10763 * </p> 10764 * </li> 10765 * </ul> 10766 * <p> 10767 * Then, in an <code>ImportKeyMaterial</code> request, you submit your encrypted key material and import token. When 10768 * calling this operation, you must specify the following values: 10769 * </p> 10770 * <ul> 10771 * <li> 10772 * <p> 10773 * The key ID or key ARN of the KMS key to associate with the imported key material. Its <code>Origin</code> must be 10774 * <code>EXTERNAL</code> and its <code>KeyState</code> must be <code>PendingImport</code>. You cannot perform this 10775 * operation on a KMS key in a <a href="kms/latest/developerguide/custom-key-store-overview.html">custom key 10776 * store</a>, or on a KMS key in a different Amazon Web Services account. To get the <code>Origin</code> and 10777 * <code>KeyState</code> of a KMS key, call <a>DescribeKey</a>. 
10778 * </p> 10779 * </li> 10780 * <li> 10781 * <p> 10782 * The encrypted key material. 10783 * </p> 10784 * </li> 10785 * <li> 10786 * <p> 10787 * The import token that <a>GetParametersForImport</a> returned. You must use a public key and token from the same 10788 * <code>GetParametersForImport</code> response. 10789 * </p> 10790 * </li> 10791 * <li> 10792 * <p> 10793 * Whether the key material expires (<code>ExpirationModel</code>) and, if so, when (<code>ValidTo</code>). For help 10794 * with this choice, see <a href= 10795 * "https://docs.aws.amazon.com/en_us/kms/latest/developerguide/importing-keys.html#importing-keys-expiration" 10796 * >Setting an expiration time</a> in the <i>Key Management Service Developer Guide</i>. 10797 * </p> 10798 * <p> 10799 * If you set an expiration date, KMS deletes the key material from the KMS key on the specified date, making the 10800 * KMS key unusable. To use the KMS key in cryptographic operations again, you must reimport the same key material. 10801 * However, you can delete and reimport the key material at any time, including before the key material expires. 10802 * Each time you reimport, you can eliminate or reset the expiration time. 10803 * </p> 10804 * </li> 10805 * </ul> 10806 * <p> 10807 * When this operation is successful, the key state of the KMS key changes from <code>PendingImport</code> to 10808 * <code>Enabled</code>, and you can use the KMS key in cryptographic operations. 10809 * </p> 10810 * <p> 10811 * If this operation fails, use the exception to help determine the problem. If the error is related to the key 10812 * material, the import token, or wrapping key, use <a>GetParametersForImport</a> to get a new public key and import 10813 * token for the KMS key and repeat the import procedure. 
For help, see <a 10814 * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#importing-keys-overview">How To 10815 * Import Key Material</a> in the <i>Key Management Service Developer Guide</i>. 10816 * </p> 10817 * <p> 10818 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 10819 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 10820 * <i>Key Management Service Developer Guide</i>. 10821 * </p> 10822 * <p> 10823 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 10824 * account. 10825 * </p> 10826 * <p> 10827 * <b>Required permissions</b>: <a 10828 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 10829 * >kms:ImportKeyMaterial</a> (key policy) 10830 * </p> 10831 * <p> 10832 * <b>Related operations:</b> 10833 * </p> 10834 * <ul> 10835 * <li> 10836 * <p> 10837 * <a>DeleteImportedKeyMaterial</a> 10838 * </p> 10839 * </li> 10840 * <li> 10841 * <p> 10842 * <a>GetParametersForImport</a> 10843 * </p> 10844 * </li> 10845 * </ul> 10846 * <p> 10847 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 10848 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 10849 * consistency</a>. 10850 * </p> 10851 * <br/> 10852 * <p> 10853 * This is a convenience which creates an instance of the {@link ImportKeyMaterialRequest.Builder} avoiding the need 10854 * to create one manually via {@link ImportKeyMaterialRequest#builder()} 10855 * </p> 10856 * 10857 * @param importKeyMaterialRequest 10858 * A {@link Consumer} that will call methods on 10859 * {@link software.amazon.awssdk.services.kms.model.ImportKeyMaterialRequest.Builder} to create a request. 
10860 * @return Result of the ImportKeyMaterial operation returned by the service. 10861 * @throws InvalidArnException 10862 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 10863 * @throws UnsupportedOperationException 10864 * The request was rejected because a specified parameter is not supported or a specified resource is not 10865 * valid for this operation. 10866 * @throws DependencyTimeoutException 10867 * The system timed out while trying to fulfill the request. You can retry the request. 10868 * @throws NotFoundException 10869 * The request was rejected because the specified entity or resource could not be found. 10870 * @throws KmsInternalException 10871 * The request was rejected because an internal exception occurred. The request can be retried. 10872 * @throws KmsInvalidStateException 10873 * The request was rejected because the state of the specified resource is not valid for this request.</p> 10874 * <p> 10875 * This exception means one of the following: 10876 * </p> 10877 * <ul> 10878 * <li> 10879 * <p> 10880 * The key state of the KMS key is not compatible with the operation. 10881 * </p> 10882 * <p> 10883 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 10884 * are compatible with each KMS operation, see <a 10885 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 10886 * the <i> <i>Key Management Service Developer Guide</i> </i>. 10887 * </p> 10888 * </li> 10889 * <li> 10890 * <p> 10891 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 10892 * failure with many possible causes. To identify the cause, see the error message that accompanies the 10893 * exception. 
10894 * </p> 10895 * </li> 10896 * @throws InvalidCiphertextException 10897 * From the <a>Decrypt</a> or <a>ReEncrypt</a> operation, the request was rejected because the specified 10898 * ciphertext, or additional authenticated data incorporated into the ciphertext, such as the encryption 10899 * context, is corrupted, missing, or otherwise invalid.</p> 10900 * <p> 10901 * From the <a>ImportKeyMaterial</a> operation, the request was rejected because KMS could not decrypt the 10902 * encrypted (wrapped) key material. 10903 * @throws IncorrectKeyMaterialException 10904 * The request was rejected because the key material in the request is expired, invalid, or is not the same 10905 * key material that was previously imported into this KMS key. 10906 * @throws ExpiredImportTokenException 10907 * The request was rejected because the specified import token is expired. Use <a>GetParametersForImport</a> 10908 * to get a new import token and public key, use the new public key to encrypt the key material, and then 10909 * try the request again. 10910 * @throws InvalidImportTokenException 10911 * The request was rejected because the provided import token is invalid or is associated with a different 10912 * KMS key. 10913 * @throws SdkException 10914 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 10915 * catch all scenarios. 10916 * @throws SdkClientException 10917 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 10918 * @throws KmsException 10919 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
* @sample KmsClient.ImportKeyMaterial
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ImportKeyMaterial" target="_top">AWS API
     *      Documentation</a>
     */
    default ImportKeyMaterialResponse importKeyMaterial(
            Consumer<ImportKeyMaterialRequest.Builder> importKeyMaterialRequest)
            throws InvalidArnException,
                   software.amazon.awssdk.services.kms.model.UnsupportedOperationException,
                   DependencyTimeoutException, NotFoundException, KmsInternalException,
                   KmsInvalidStateException, InvalidCiphertextException, IncorrectKeyMaterialException,
                   ExpiredImportTokenException, InvalidImportTokenException, AwsServiceException,
                   SdkClientException, KmsException {
        // Convenience overload: the caller's Consumer fills in a fresh builder and the built request is
        // handed to importKeyMaterial(ImportKeyMaterialRequest). Nothing is checked in this method, so
        // the requirements stated in the Javadoc (import token and wrapping public key taken from the
        // same GetParametersForImport response, a deliberate ExpirationModel/ValidTo choice because an
        // expired key becomes unusable until the same material is reimported) are the caller's to meet.
        ImportKeyMaterialRequest request =
                ImportKeyMaterialRequest.builder().applyMutation(importKeyMaterialRequest).build();
        return importKeyMaterial(request);
    }

    /**
     * <p>
     * Gets a list of aliases in the caller's Amazon Web Services account and region. For more information about
     * aliases, see <a>CreateAlias</a>.
     * </p>
     * <p>
     * By default, the <code>ListAliases</code> operation returns all aliases in the account and region. To get only the
     * aliases associated with a particular KMS key, use the <code>KeyId</code> parameter.
     * </p>
     * <p>
     * The <code>ListAliases</code> response can include aliases that you created and associated with your customer
     * managed keys, and aliases that Amazon Web Services created and associated with Amazon Web Services managed keys
     * in your account. You can recognize Amazon Web Services aliases because their names have the format
     * <code>aws/&lt;service-name&gt;</code>, such as <code>aws/dynamodb</code>.
     * </p>
     * <p>
     * The response might also include aliases that have no <code>TargetKeyId</code> field.
These are predefined aliases 10949 * that Amazon Web Services has created but has not yet associated with a KMS key. Aliases that Amazon Web Services 10950 * creates in your account, including predefined aliases, do not count against your <a 10951 * href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html#aliases-limit">KMS aliases quota</a>. 10952 * </p> 10953 * <p> 10954 * <b>Cross-account use</b>: No. <code>ListAliases</code> does not return aliases in other Amazon Web Services 10955 * accounts. 10956 * </p> 10957 * <p> 10958 * <b>Required permissions</b>: <a 10959 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 10960 * >kms:ListAliases</a> (IAM policy) 10961 * </p> 10962 * <p> 10963 * For details, see <a 10964 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access">Controlling access to 10965 * aliases</a> in the <i>Key Management Service Developer Guide</i>. 10966 * </p> 10967 * <p> 10968 * <b>Related operations:</b> 10969 * </p> 10970 * <ul> 10971 * <li> 10972 * <p> 10973 * <a>CreateAlias</a> 10974 * </p> 10975 * </li> 10976 * <li> 10977 * <p> 10978 * <a>DeleteAlias</a> 10979 * </p> 10980 * </li> 10981 * <li> 10982 * <p> 10983 * <a>UpdateAlias</a> 10984 * </p> 10985 * </li> 10986 * </ul> 10987 * <p> 10988 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 10989 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 10990 * consistency</a>. 10991 * </p> 10992 * 10993 * @param listAliasesRequest 10994 * @return Result of the ListAliases operation returned by the service. 10995 * @throws DependencyTimeoutException 10996 * The system timed out while trying to fulfill the request. You can retry the request. 
* @throws InvalidMarkerException
     *         The request was rejected because the marker that specifies where pagination should next begin is not
     *         valid.
     * @throws KmsInternalException
     *         The request was rejected because an internal exception occurred. The request can be retried.
     * @throws InvalidArnException
     *         The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
     * @throws NotFoundException
     *         The request was rejected because the specified entity or resource could not be found.
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.ListAliases
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListAliases" target="_top">AWS API
     *      Documentation</a>
     */
    default ListAliasesResponse listAliases(ListAliasesRequest listAliasesRequest)
            throws DependencyTimeoutException, InvalidMarkerException, KmsInternalException,
                   InvalidArnException, NotFoundException, AwsServiceException, SdkClientException,
                   KmsException {
        // Default body of the interface method: it makes no service call and always throws, so a
        // working client has to override it.
        // NOTE(review): the exception is written unqualified, whereas the KMS model
        // UnsupportedOperationException is spelled out in full in other throws clauses of this file, so
        // this is presumably java.lang's; the imports needed to confirm that are not visible here.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Gets a list of aliases in the caller's Amazon Web Services account and region. For more information about
     * aliases, see <a>CreateAlias</a>.
     * </p>
     * <p>
     * By default, the <code>ListAliases</code> operation returns all aliases in the account and region. To get only the
     * aliases associated with a particular KMS key, use the <code>KeyId</code> parameter.
11031 * </p> 11032 * <p> 11033 * The <code>ListAliases</code> response can include aliases that you created and associated with your customer 11034 * managed keys, and aliases that Amazon Web Services created and associated with Amazon Web Services managed keys 11035 * in your account. You can recognize Amazon Web Services aliases because their names have the format 11036 * <code>aws/<service-name></code>, such as <code>aws/dynamodb</code>. 11037 * </p> 11038 * <p> 11039 * The response might also include aliases that have no <code>TargetKeyId</code> field. These are predefined aliases 11040 * that Amazon Web Services has created but has not yet associated with a KMS key. Aliases that Amazon Web Services 11041 * creates in your account, including predefined aliases, do not count against your <a 11042 * href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html#aliases-limit">KMS aliases quota</a>. 11043 * </p> 11044 * <p> 11045 * <b>Cross-account use</b>: No. <code>ListAliases</code> does not return aliases in other Amazon Web Services 11046 * accounts. 11047 * </p> 11048 * <p> 11049 * <b>Required permissions</b>: <a 11050 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 11051 * >kms:ListAliases</a> (IAM policy) 11052 * </p> 11053 * <p> 11054 * For details, see <a 11055 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access">Controlling access to 11056 * aliases</a> in the <i>Key Management Service Developer Guide</i>. 11057 * </p> 11058 * <p> 11059 * <b>Related operations:</b> 11060 * </p> 11061 * <ul> 11062 * <li> 11063 * <p> 11064 * <a>CreateAlias</a> 11065 * </p> 11066 * </li> 11067 * <li> 11068 * <p> 11069 * <a>DeleteAlias</a> 11070 * </p> 11071 * </li> 11072 * <li> 11073 * <p> 11074 * <a>UpdateAlias</a> 11075 * </p> 11076 * </li> 11077 * </ul> 11078 * <p> 11079 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. 
For more information, see <a 11080 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 11081 * consistency</a>. 11082 * </p> 11083 * <br/> 11084 * <p> 11085 * This is a convenience which creates an instance of the {@link ListAliasesRequest.Builder} avoiding the need to 11086 * create one manually via {@link ListAliasesRequest#builder()} 11087 * </p> 11088 * 11089 * @param listAliasesRequest 11090 * A {@link Consumer} that will call methods on 11091 * {@link software.amazon.awssdk.services.kms.model.ListAliasesRequest.Builder} to create a request. 11092 * @return Result of the ListAliases operation returned by the service. 11093 * @throws DependencyTimeoutException 11094 * The system timed out while trying to fulfill the request. You can retry the request. 11095 * @throws InvalidMarkerException 11096 * The request was rejected because the marker that specifies where pagination should next begin is not 11097 * valid. 11098 * @throws KmsInternalException 11099 * The request was rejected because an internal exception occurred. The request can be retried. 11100 * @throws InvalidArnException 11101 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 11102 * @throws NotFoundException 11103 * The request was rejected because the specified entity or resource could not be found. 11104 * @throws SdkException 11105 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 11106 * catch all scenarios. 11107 * @throws SdkClientException 11108 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 11109 * @throws KmsException 11110 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
* @sample KmsClient.ListAliases
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListAliases" target="_top">AWS API
     *      Documentation</a>
     */
    default ListAliasesResponse listAliases(Consumer<ListAliasesRequest.Builder> listAliasesRequest)
            throws DependencyTimeoutException, InvalidMarkerException, KmsInternalException,
                   InvalidArnException, NotFoundException, AwsServiceException, SdkClientException,
                   KmsException {
        // Convenience overload: apply the caller's Consumer to a new builder, build the request and
        // delegate to listAliases(ListAliasesRequest). No field is set or checked here, so the scope of
        // the listing (one key via KeyId, or the whole account and region) is whatever the Consumer sets.
        ListAliasesRequest request =
                ListAliasesRequest.builder().applyMutation(listAliasesRequest).build();
        return listAliases(request);
    }

    /**
     * <p>
     * Gets a list of aliases in the caller's Amazon Web Services account and region. For more information about
     * aliases, see <a>CreateAlias</a>.
     * </p>
     * <p>
     * By default, the <code>ListAliases</code> operation returns all aliases in the account and region. To get only the
     * aliases associated with a particular KMS key, use the <code>KeyId</code> parameter.
     * </p>
     * <p>
     * The <code>ListAliases</code> response can include aliases that you created and associated with your customer
     * managed keys, and aliases that Amazon Web Services created and associated with Amazon Web Services managed keys
     * in your account. You can recognize Amazon Web Services aliases because their names have the format
     * <code>aws/&lt;service-name&gt;</code>, such as <code>aws/dynamodb</code>.
     * </p>
     * <p>
     * The response might also include aliases that have no <code>TargetKeyId</code> field. These are predefined aliases
     * that Amazon Web Services has created but has not yet associated with a KMS key. Aliases that Amazon Web Services
     * creates in your account, including predefined aliases, do not count against your <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html#aliases-limit">KMS aliases quota</a>.
11141 * </p> 11142 * <p> 11143 * <b>Cross-account use</b>: No. <code>ListAliases</code> does not return aliases in other Amazon Web Services 11144 * accounts. 11145 * </p> 11146 * <p> 11147 * <b>Required permissions</b>: <a 11148 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 11149 * >kms:ListAliases</a> (IAM policy) 11150 * </p> 11151 * <p> 11152 * For details, see <a 11153 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access">Controlling access to 11154 * aliases</a> in the <i>Key Management Service Developer Guide</i>. 11155 * </p> 11156 * <p> 11157 * <b>Related operations:</b> 11158 * </p> 11159 * <ul> 11160 * <li> 11161 * <p> 11162 * <a>CreateAlias</a> 11163 * </p> 11164 * </li> 11165 * <li> 11166 * <p> 11167 * <a>DeleteAlias</a> 11168 * </p> 11169 * </li> 11170 * <li> 11171 * <p> 11172 * <a>UpdateAlias</a> 11173 * </p> 11174 * </li> 11175 * </ul> 11176 * <p> 11177 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 11178 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 11179 * consistency</a>. 11180 * </p> 11181 * 11182 * @return Result of the ListAliases operation returned by the service. 11183 * @throws DependencyTimeoutException 11184 * The system timed out while trying to fulfill the request. You can retry the request. 11185 * @throws InvalidMarkerException 11186 * The request was rejected because the marker that specifies where pagination should next begin is not 11187 * valid. 11188 * @throws KmsInternalException 11189 * The request was rejected because an internal exception occurred. The request can be retried. 11190 * @throws InvalidArnException 11191 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 
* @throws NotFoundException
     *         The request was rejected because the specified entity or resource could not be found.
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.ListAliases
     * @see #listAliases(ListAliasesRequest)
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListAliases" target="_top">AWS API
     *      Documentation</a>
     */
    default ListAliasesResponse listAliases()
            throws DependencyTimeoutException, InvalidMarkerException, KmsInternalException,
                   InvalidArnException, NotFoundException, AwsServiceException, SdkClientException,
                   KmsException {
        // The request is built with no field set, so no KeyId filter applies and the listing covers the
        // account and region as described in the Javadoc. This call returns a single response; for an
        // inventory that has to see every alias, listAliasesPaginator() iterates through all the pages.
        ListAliasesRequest unfiltered = ListAliasesRequest.builder().build();
        return listAliases(unfiltered);
    }

    /**
     * <p>
     * This is a variant of {@link #listAliases(software.amazon.awssdk.services.kms.model.ListAliasesRequest)}
     * operation. The return type is a custom iterable that can be used to iterate through all the pages. SDK will
     * internally handle making service calls for you.
     * </p>
     * <p>
     * When this operation is called, a custom iterable is returned but no service calls are made yet. So there is no
     * guarantee that the request is valid. As you iterate through the iterable, SDK will start lazily loading response
     * pages by making service calls until there are no pages left or your iteration stops. If there are errors in your
     * request, you will see the failures only after you start iterating through the iterable.
11222 * </p> 11223 * 11224 * <p> 11225 * The following are few ways to iterate through the response pages: 11226 * </p> 11227 * 1) Using a Stream 11228 * 11229 * <pre> 11230 * {@code 11231 * software.amazon.awssdk.services.kms.paginators.ListAliasesIterable responses = client.listAliasesPaginator(request); 11232 * responses.stream().forEach(....); 11233 * } 11234 * </pre> 11235 * 11236 * 2) Using For loop 11237 * 11238 * <pre> 11239 * { 11240 * @code 11241 * software.amazon.awssdk.services.kms.paginators.ListAliasesIterable responses = client.listAliasesPaginator(request); 11242 * for (software.amazon.awssdk.services.kms.model.ListAliasesResponse response : responses) { 11243 * // do something; 11244 * } 11245 * } 11246 * </pre> 11247 * 11248 * 3) Use iterator directly 11249 * 11250 * <pre> 11251 * {@code 11252 * software.amazon.awssdk.services.kms.paginators.ListAliasesIterable responses = client.listAliasesPaginator(request); 11253 * responses.iterator().forEachRemaining(....); 11254 * } 11255 * </pre> 11256 * <p> 11257 * <b>Please notice that the configuration of Limit won't limit the number of results you get with the paginator. It 11258 * only limits the number of results in each page.</b> 11259 * </p> 11260 * <p> 11261 * <b>Note: If you prefer to have control on service calls, use the 11262 * {@link #listAliases(software.amazon.awssdk.services.kms.model.ListAliasesRequest)} operation.</b> 11263 * </p> 11264 * 11265 * @return A custom iterable that can be used to iterate through all the response pages. 11266 * @throws DependencyTimeoutException 11267 * The system timed out while trying to fulfill the request. You can retry the request. 11268 * @throws InvalidMarkerException 11269 * The request was rejected because the marker that specifies where pagination should next begin is not 11270 * valid. 11271 * @throws KmsInternalException 11272 * The request was rejected because an internal exception occurred. The request can be retried. 
* @throws InvalidArnException
     *         The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
     * @throws NotFoundException
     *         The request was rejected because the specified entity or resource could not be found.
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.ListAliases
     * @see #listAliasesPaginator(ListAliasesRequest)
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListAliases" target="_top">AWS API
     *      Documentation</a>
     */
    default ListAliasesIterable listAliasesPaginator()
            throws DependencyTimeoutException, InvalidMarkerException, KmsInternalException,
                   InvalidArnException, NotFoundException, AwsServiceException, SdkClientException,
                   KmsException {
        // Delegates with a request that has no field set. As the Javadoc states, no service call is made
        // when the iterable is created and failures show up only once iteration starts, so error
        // handling belongs around the iteration rather than around this call.
        ListAliasesRequest unfiltered = ListAliasesRequest.builder().build();
        return listAliasesPaginator(unfiltered);
    }

    /**
     * <p>
     * This is a variant of {@link #listAliases(software.amazon.awssdk.services.kms.model.ListAliasesRequest)}
     * operation. The return type is a custom iterable that can be used to iterate through all the pages. SDK will
     * internally handle making service calls for you.
     * </p>
     * <p>
     * When this operation is called, a custom iterable is returned but no service calls are made yet. So there is no
     * guarantee that the request is valid. As you iterate through the iterable, SDK will start lazily loading response
     * pages by making service calls until there are no pages left or your iteration stops.
If there are errors in your 11304 * request, you will see the failures only after you start iterating through the iterable. 11305 * </p> 11306 * 11307 * <p> 11308 * The following are few ways to iterate through the response pages: 11309 * </p> 11310 * 1) Using a Stream 11311 * 11312 * <pre> 11313 * {@code 11314 * software.amazon.awssdk.services.kms.paginators.ListAliasesIterable responses = client.listAliasesPaginator(request); 11315 * responses.stream().forEach(....); 11316 * } 11317 * </pre> 11318 * 11319 * 2) Using For loop 11320 * 11321 * <pre> 11322 * { 11323 * @code 11324 * software.amazon.awssdk.services.kms.paginators.ListAliasesIterable responses = client.listAliasesPaginator(request); 11325 * for (software.amazon.awssdk.services.kms.model.ListAliasesResponse response : responses) { 11326 * // do something; 11327 * } 11328 * } 11329 * </pre> 11330 * 11331 * 3) Use iterator directly 11332 * 11333 * <pre> 11334 * {@code 11335 * software.amazon.awssdk.services.kms.paginators.ListAliasesIterable responses = client.listAliasesPaginator(request); 11336 * responses.iterator().forEachRemaining(....); 11337 * } 11338 * </pre> 11339 * <p> 11340 * <b>Please notice that the configuration of Limit won't limit the number of results you get with the paginator. It 11341 * only limits the number of results in each page.</b> 11342 * </p> 11343 * <p> 11344 * <b>Note: If you prefer to have control on service calls, use the 11345 * {@link #listAliases(software.amazon.awssdk.services.kms.model.ListAliasesRequest)} operation.</b> 11346 * </p> 11347 * 11348 * @param listAliasesRequest 11349 * @return A custom iterable that can be used to iterate through all the response pages. 11350 * @throws DependencyTimeoutException 11351 * The system timed out while trying to fulfill the request. You can retry the request. 11352 * @throws InvalidMarkerException 11353 * The request was rejected because the marker that specifies where pagination should next begin is not 11354 * valid. 
* @throws KmsInternalException
     *         The request was rejected because an internal exception occurred. The request can be retried.
     * @throws InvalidArnException
     *         The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
     * @throws NotFoundException
     *         The request was rejected because the specified entity or resource could not be found.
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.ListAliases
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListAliases" target="_top">AWS API
     *      Documentation</a>
     */
    default ListAliasesIterable listAliasesPaginator(ListAliasesRequest listAliasesRequest)
            throws DependencyTimeoutException, InvalidMarkerException, KmsInternalException,
                   InvalidArnException, NotFoundException, AwsServiceException, SdkClientException,
                   KmsException {
        // Only constructs the iterable, handing it this client and the request unchanged; no service
        // call is made in this method.
        // NOTE(review): presumably the iterable fetches its pages through
        // listAliases(ListAliasesRequest) on this client; ListAliasesIterable is not shown here.
        ListAliasesIterable pages = new ListAliasesIterable(this, listAliasesRequest);
        return pages;
    }

    /**
     * <p>
     * This is a variant of {@link #listAliases(software.amazon.awssdk.services.kms.model.ListAliasesRequest)}
     * operation. The return type is a custom iterable that can be used to iterate through all the pages. SDK will
     * internally handle making service calls for you.
     * </p>
     * <p>
     * When this operation is called, a custom iterable is returned but no service calls are made yet. So there is no
     * guarantee that the request is valid.
As you iterate through the iterable, SDK will start lazily loading response 11387 * pages by making service calls until there are no pages left or your iteration stops. If there are errors in your 11388 * request, you will see the failures only after you start iterating through the iterable. 11389 * </p> 11390 * 11391 * <p> 11392 * The following are few ways to iterate through the response pages: 11393 * </p> 11394 * 1) Using a Stream 11395 * 11396 * <pre> 11397 * {@code 11398 * software.amazon.awssdk.services.kms.paginators.ListAliasesIterable responses = client.listAliasesPaginator(request); 11399 * responses.stream().forEach(....); 11400 * } 11401 * </pre> 11402 * 11403 * 2) Using For loop 11404 * 11405 * <pre> 11406 * { 11407 * @code 11408 * software.amazon.awssdk.services.kms.paginators.ListAliasesIterable responses = client.listAliasesPaginator(request); 11409 * for (software.amazon.awssdk.services.kms.model.ListAliasesResponse response : responses) { 11410 * // do something; 11411 * } 11412 * } 11413 * </pre> 11414 * 11415 * 3) Use iterator directly 11416 * 11417 * <pre> 11418 * {@code 11419 * software.amazon.awssdk.services.kms.paginators.ListAliasesIterable responses = client.listAliasesPaginator(request); 11420 * responses.iterator().forEachRemaining(....); 11421 * } 11422 * </pre> 11423 * <p> 11424 * <b>Please notice that the configuration of Limit won't limit the number of results you get with the paginator. 
It 11425 * only limits the number of results in each page.</b> 11426 * </p> 11427 * <p> 11428 * <b>Note: If you prefer to have control on service calls, use the 11429 * {@link #listAliases(software.amazon.awssdk.services.kms.model.ListAliasesRequest)} operation.</b> 11430 * </p> 11431 * <br/> 11432 * <p> 11433 * This is a convenience which creates an instance of the {@link ListAliasesRequest.Builder} avoiding the need to 11434 * create one manually via {@link ListAliasesRequest#builder()} 11435 * </p> 11436 * 11437 * @param listAliasesRequest 11438 * A {@link Consumer} that will call methods on 11439 * {@link software.amazon.awssdk.services.kms.model.ListAliasesRequest.Builder} to create a request. 11440 * @return A custom iterable that can be used to iterate through all the response pages. 11441 * @throws DependencyTimeoutException 11442 * The system timed out while trying to fulfill the request. You can retry the request. 11443 * @throws InvalidMarkerException 11444 * The request was rejected because the marker that specifies where pagination should next begin is not 11445 * valid. 11446 * @throws KmsInternalException 11447 * The request was rejected because an internal exception occurred. The request can be retried. 11448 * @throws InvalidArnException 11449 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 11450 * @throws NotFoundException 11451 * The request was rejected because the specified entity or resource could not be found. 11452 * @throws SdkException 11453 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 11454 * catch all scenarios. 11455 * @throws SdkClientException 11456 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 11457 * @throws KmsException 11458 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
* @sample KmsClient.ListAliases
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListAliases" target="_top">AWS API
     *      Documentation</a>
     */
    default ListAliasesIterable listAliasesPaginator(Consumer<ListAliasesRequest.Builder> listAliasesRequest)
            throws DependencyTimeoutException, InvalidMarkerException, KmsInternalException,
                   InvalidArnException, NotFoundException, AwsServiceException, SdkClientException,
                   KmsException {
        // Convenience overload: apply the caller's Consumer to a new builder, build the request and
        // delegate to listAliasesPaginator(ListAliasesRequest). Nothing is validated at this point.
        ListAliasesRequest request =
                ListAliasesRequest.builder().applyMutation(listAliasesRequest).build();
        return listAliasesPaginator(request);
    }

    /**
     * <p>
     * Gets a list of all grants for the specified KMS key.
     * </p>
     * <p>
     * You must specify the KMS key in all requests. You can filter the grant list by grant ID or grantee principal.
     * </p>
     * <p>
     * For detailed information about grants, including grant terminology, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html">Grants in KMS</a> in the <i> <i>Key
     * Management Service Developer Guide</i> </i>. For examples of working with grants in several programming
     * languages, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html">Programming grants</a>.
     * </p>
     * <note>
     * <p>
     * The <code>GranteePrincipal</code> field in the <code>ListGrants</code> response usually contains the user or role
     * designated as the grantee principal in the grant. However, when the grantee principal in the grant is an Amazon
     * Web Services service, the <code>GranteePrincipal</code> field contains the <a href=
     * "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services"
     * >service principal</a>, which might represent several different grantee principals.
11490 * </p> 11491 * </note> 11492 * <p> 11493 * <b>Cross-account use</b>: Yes. To perform this operation on a KMS key in a different Amazon Web Services account, 11494 * specify the key ARN in the value of the <code>KeyId</code> parameter. 11495 * </p> 11496 * <p> 11497 * <b>Required permissions</b>: <a 11498 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 11499 * >kms:ListGrants</a> (key policy) 11500 * </p> 11501 * <p> 11502 * <b>Related operations:</b> 11503 * </p> 11504 * <ul> 11505 * <li> 11506 * <p> 11507 * <a>CreateGrant</a> 11508 * </p> 11509 * </li> 11510 * <li> 11511 * <p> 11512 * <a>ListRetirableGrants</a> 11513 * </p> 11514 * </li> 11515 * <li> 11516 * <p> 11517 * <a>RetireGrant</a> 11518 * </p> 11519 * </li> 11520 * <li> 11521 * <p> 11522 * <a>RevokeGrant</a> 11523 * </p> 11524 * </li> 11525 * </ul> 11526 * <p> 11527 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 11528 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 11529 * consistency</a>. 11530 * </p> 11531 * 11532 * @param listGrantsRequest 11533 * @return Result of the ListGrants operation returned by the service. 11534 * @throws NotFoundException 11535 * The request was rejected because the specified entity or resource could not be found. 11536 * @throws DependencyTimeoutException 11537 * The system timed out while trying to fulfill the request. You can retry the request. 11538 * @throws InvalidMarkerException 11539 * The request was rejected because the marker that specifies where pagination should next begin is not 11540 * valid. 11541 * @throws InvalidGrantIdException 11542 * The request was rejected because the specified <code>GrantId</code> is not valid. 11543 * @throws InvalidArnException 11544 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 
11545 * @throws KmsInternalException 11546 * The request was rejected because an internal exception occurred. The request can be retried. 11547 * @throws KmsInvalidStateException 11548 * The request was rejected because the state of the specified resource is not valid for this request.</p> 11549 * <p> 11550 * This exceptions means one of the following: 11551 * </p> 11552 * <ul> 11553 * <li> 11554 * <p> 11555 * The key state of the KMS key is not compatible with the operation. 11556 * </p> 11557 * <p> 11558 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 11559 * are compatible with each KMS operation, see <a 11560 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 11561 * the <i> <i>Key Management Service Developer Guide</i> </i>. 11562 * </p> 11563 * </li> 11564 * <li> 11565 * <p> 11566 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 11567 * failure with many possible causes. To identify the cause, see the error message that accompanies the 11568 * exception. 11569 * </p> 11570 * </li> 11571 * @throws SdkException 11572 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 11573 * catch all scenarios. 11574 * @throws SdkClientException 11575 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 11576 * @throws KmsException 11577 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
* @sample KmsClient.ListGrants
* @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListGrants" target="_top">AWS API
*      Documentation</a>
*/
default ListGrantsResponse listGrants(ListGrantsRequest listGrantsRequest)
        throws NotFoundException, DependencyTimeoutException, InvalidMarkerException, InvalidGrantIdException,
        InvalidArnException, KmsInternalException, KmsInvalidStateException, AwsServiceException,
        SdkClientException, KmsException {
    // The interface default carries no implementation: it always throws, so an implementation
    // that does not override this method fails loudly instead of returning an empty grant list
    // that a grant review could mistake for "no grants".
    throw new UnsupportedOperationException();
}

/**
* <p>
* Gets a list of all grants for the specified KMS key.
* </p>
* <p>
* You must specify the KMS key in all requests. You can filter the grant list by grant ID or grantee principal.
* </p>
* <p>
* For detailed information about grants, including grant terminology, see <a
* href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html">Grants in KMS</a> in the <i>Key
* Management Service Developer Guide</i>. For examples of working with grants in several programming
* languages, see <a
* href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html">Programming grants</a>.
* </p>
* <note>
* <p>
* The <code>GranteePrincipal</code> field in the <code>ListGrants</code> response usually contains the user or role
* designated as the grantee principal in the grant. However, when the grantee principal in the grant is an Amazon
* Web Services service, the <code>GranteePrincipal</code> field contains the <a href=
* "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services"
* >service principal</a>, which might represent several different grantee principals.
* </p>
* </note>
* <p>
* <b>Cross-account use</b>: Yes.
To perform this operation on a KMS key in a different Amazon Web Services account, 11613 * specify the key ARN in the value of the <code>KeyId</code> parameter. 11614 * </p> 11615 * <p> 11616 * <b>Required permissions</b>: <a 11617 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 11618 * >kms:ListGrants</a> (key policy) 11619 * </p> 11620 * <p> 11621 * <b>Related operations:</b> 11622 * </p> 11623 * <ul> 11624 * <li> 11625 * <p> 11626 * <a>CreateGrant</a> 11627 * </p> 11628 * </li> 11629 * <li> 11630 * <p> 11631 * <a>ListRetirableGrants</a> 11632 * </p> 11633 * </li> 11634 * <li> 11635 * <p> 11636 * <a>RetireGrant</a> 11637 * </p> 11638 * </li> 11639 * <li> 11640 * <p> 11641 * <a>RevokeGrant</a> 11642 * </p> 11643 * </li> 11644 * </ul> 11645 * <p> 11646 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 11647 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 11648 * consistency</a>. 11649 * </p> 11650 * <br/> 11651 * <p> 11652 * This is a convenience which creates an instance of the {@link ListGrantsRequest.Builder} avoiding the need to 11653 * create one manually via {@link ListGrantsRequest#builder()} 11654 * </p> 11655 * 11656 * @param listGrantsRequest 11657 * A {@link Consumer} that will call methods on 11658 * {@link software.amazon.awssdk.services.kms.model.ListGrantsRequest.Builder} to create a request. 11659 * @return Result of the ListGrants operation returned by the service. 11660 * @throws NotFoundException 11661 * The request was rejected because the specified entity or resource could not be found. 11662 * @throws DependencyTimeoutException 11663 * The system timed out while trying to fulfill the request. You can retry the request. 
11664 * @throws InvalidMarkerException 11665 * The request was rejected because the marker that specifies where pagination should next begin is not 11666 * valid. 11667 * @throws InvalidGrantIdException 11668 * The request was rejected because the specified <code>GrantId</code> is not valid. 11669 * @throws InvalidArnException 11670 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 11671 * @throws KmsInternalException 11672 * The request was rejected because an internal exception occurred. The request can be retried. 11673 * @throws KmsInvalidStateException 11674 * The request was rejected because the state of the specified resource is not valid for this request.</p> 11675 * <p> 11676 * This exceptions means one of the following: 11677 * </p> 11678 * <ul> 11679 * <li> 11680 * <p> 11681 * The key state of the KMS key is not compatible with the operation. 11682 * </p> 11683 * <p> 11684 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 11685 * are compatible with each KMS operation, see <a 11686 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 11687 * the <i> <i>Key Management Service Developer Guide</i> </i>. 11688 * </p> 11689 * </li> 11690 * <li> 11691 * <p> 11692 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 11693 * failure with many possible causes. To identify the cause, see the error message that accompanies the 11694 * exception. 11695 * </p> 11696 * </li> 11697 * @throws SdkException 11698 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 11699 * catch all scenarios. 11700 * @throws SdkClientException 11701 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 11702 * @throws KmsException 11703 * Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.ListGrants
* @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListGrants" target="_top">AWS API
*      Documentation</a>
*/
default ListGrantsResponse listGrants(Consumer<ListGrantsRequest.Builder> listGrantsRequest)
        throws NotFoundException, DependencyTimeoutException, InvalidMarkerException, InvalidGrantIdException,
        InvalidArnException, KmsInternalException, KmsInvalidStateException, AwsServiceException,
        SdkClientException, KmsException {
    // Apply the caller's mutations to a fresh builder, then delegate; every service error
    // declared above originates in the request-based overload.
    ListGrantsRequest builtRequest = ListGrantsRequest.builder().applyMutation(listGrantsRequest).build();
    return listGrants(builtRequest);
}

/**
* <p>
* This is a variant of {@link #listGrants(software.amazon.awssdk.services.kms.model.ListGrantsRequest)} operation.
* The return type is a custom iterable that can be used to iterate through all the pages. SDK will internally
* handle making service calls for you.
* </p>
* <p>
* When this operation is called, a custom iterable is returned but no service calls are made yet. So there is no
* guarantee that the request is valid. As you iterate through the iterable, SDK will start lazily loading response
* pages by making service calls until there are no pages left or your iteration stops. If there are errors in your
* request, you will see the failures only after you start iterating through the iterable.
11725 * </p> 11726 * 11727 * <p> 11728 * The following are few ways to iterate through the response pages: 11729 * </p> 11730 * 1) Using a Stream 11731 * 11732 * <pre> 11733 * {@code 11734 * software.amazon.awssdk.services.kms.paginators.ListGrantsIterable responses = client.listGrantsPaginator(request); 11735 * responses.stream().forEach(....); 11736 * } 11737 * </pre> 11738 * 11739 * 2) Using For loop 11740 * 11741 * <pre> 11742 * { 11743 * @code 11744 * software.amazon.awssdk.services.kms.paginators.ListGrantsIterable responses = client.listGrantsPaginator(request); 11745 * for (software.amazon.awssdk.services.kms.model.ListGrantsResponse response : responses) { 11746 * // do something; 11747 * } 11748 * } 11749 * </pre> 11750 * 11751 * 3) Use iterator directly 11752 * 11753 * <pre> 11754 * {@code 11755 * software.amazon.awssdk.services.kms.paginators.ListGrantsIterable responses = client.listGrantsPaginator(request); 11756 * responses.iterator().forEachRemaining(....); 11757 * } 11758 * </pre> 11759 * <p> 11760 * <b>Please notice that the configuration of Limit won't limit the number of results you get with the paginator. It 11761 * only limits the number of results in each page.</b> 11762 * </p> 11763 * <p> 11764 * <b>Note: If you prefer to have control on service calls, use the 11765 * {@link #listGrants(software.amazon.awssdk.services.kms.model.ListGrantsRequest)} operation.</b> 11766 * </p> 11767 * 11768 * @param listGrantsRequest 11769 * @return A custom iterable that can be used to iterate through all the response pages. 11770 * @throws NotFoundException 11771 * The request was rejected because the specified entity or resource could not be found. 11772 * @throws DependencyTimeoutException 11773 * The system timed out while trying to fulfill the request. You can retry the request. 11774 * @throws InvalidMarkerException 11775 * The request was rejected because the marker that specifies where pagination should next begin is not 11776 * valid. 
11777 * @throws InvalidGrantIdException 11778 * The request was rejected because the specified <code>GrantId</code> is not valid. 11779 * @throws InvalidArnException 11780 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 11781 * @throws KmsInternalException 11782 * The request was rejected because an internal exception occurred. The request can be retried. 11783 * @throws KmsInvalidStateException 11784 * The request was rejected because the state of the specified resource is not valid for this request.</p> 11785 * <p> 11786 * This exceptions means one of the following: 11787 * </p> 11788 * <ul> 11789 * <li> 11790 * <p> 11791 * The key state of the KMS key is not compatible with the operation. 11792 * </p> 11793 * <p> 11794 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 11795 * are compatible with each KMS operation, see <a 11796 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 11797 * the <i> <i>Key Management Service Developer Guide</i> </i>. 11798 * </p> 11799 * </li> 11800 * <li> 11801 * <p> 11802 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 11803 * failure with many possible causes. To identify the cause, see the error message that accompanies the 11804 * exception. 11805 * </p> 11806 * </li> 11807 * @throws SdkException 11808 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 11809 * catch all scenarios. 11810 * @throws SdkClientException 11811 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 11812 * @throws KmsException 11813 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
* @sample KmsClient.ListGrants
* @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListGrants" target="_top">AWS API
*      Documentation</a>
*/
default ListGrantsIterable listGrantsPaginator(ListGrantsRequest listGrantsRequest)
        throws NotFoundException, DependencyTimeoutException, InvalidMarkerException, InvalidGrantIdException,
        InvalidArnException, KmsInternalException, KmsInvalidStateException, AwsServiceException,
        SdkClientException, KmsException {
    // Only pairs this client with the request. The documented contract is that service calls
    // are made while the iterable is consumed, so the declared exceptions surface during
    // iteration; a grant listing whose iteration threw part-way is incomplete, not empty.
    ListGrantsIterable pages = new ListGrantsIterable(this, listGrantsRequest);
    return pages;
}

/**
* <p>
* This is a variant of {@link #listGrants(software.amazon.awssdk.services.kms.model.ListGrantsRequest)} operation.
* The return type is a custom iterable that can be used to iterate through all the pages. SDK will internally
* handle making service calls for you.
* </p>
* <p>
* When this operation is called, a custom iterable is returned but no service calls are made yet. So there is no
* guarantee that the request is valid. As you iterate through the iterable, SDK will start lazily loading response
* pages by making service calls until there are no pages left or your iteration stops. If there are errors in your
* request, you will see the failures only after you start iterating through the iterable.
11835 * </p> 11836 * 11837 * <p> 11838 * The following are few ways to iterate through the response pages: 11839 * </p> 11840 * 1) Using a Stream 11841 * 11842 * <pre> 11843 * {@code 11844 * software.amazon.awssdk.services.kms.paginators.ListGrantsIterable responses = client.listGrantsPaginator(request); 11845 * responses.stream().forEach(....); 11846 * } 11847 * </pre> 11848 * 11849 * 2) Using For loop 11850 * 11851 * <pre> 11852 * { 11853 * @code 11854 * software.amazon.awssdk.services.kms.paginators.ListGrantsIterable responses = client.listGrantsPaginator(request); 11855 * for (software.amazon.awssdk.services.kms.model.ListGrantsResponse response : responses) { 11856 * // do something; 11857 * } 11858 * } 11859 * </pre> 11860 * 11861 * 3) Use iterator directly 11862 * 11863 * <pre> 11864 * {@code 11865 * software.amazon.awssdk.services.kms.paginators.ListGrantsIterable responses = client.listGrantsPaginator(request); 11866 * responses.iterator().forEachRemaining(....); 11867 * } 11868 * </pre> 11869 * <p> 11870 * <b>Please notice that the configuration of Limit won't limit the number of results you get with the paginator. It 11871 * only limits the number of results in each page.</b> 11872 * </p> 11873 * <p> 11874 * <b>Note: If you prefer to have control on service calls, use the 11875 * {@link #listGrants(software.amazon.awssdk.services.kms.model.ListGrantsRequest)} operation.</b> 11876 * </p> 11877 * <br/> 11878 * <p> 11879 * This is a convenience which creates an instance of the {@link ListGrantsRequest.Builder} avoiding the need to 11880 * create one manually via {@link ListGrantsRequest#builder()} 11881 * </p> 11882 * 11883 * @param listGrantsRequest 11884 * A {@link Consumer} that will call methods on 11885 * {@link software.amazon.awssdk.services.kms.model.ListGrantsRequest.Builder} to create a request. 11886 * @return A custom iterable that can be used to iterate through all the response pages. 
11887 * @throws NotFoundException 11888 * The request was rejected because the specified entity or resource could not be found. 11889 * @throws DependencyTimeoutException 11890 * The system timed out while trying to fulfill the request. You can retry the request. 11891 * @throws InvalidMarkerException 11892 * The request was rejected because the marker that specifies where pagination should next begin is not 11893 * valid. 11894 * @throws InvalidGrantIdException 11895 * The request was rejected because the specified <code>GrantId</code> is not valid. 11896 * @throws InvalidArnException 11897 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 11898 * @throws KmsInternalException 11899 * The request was rejected because an internal exception occurred. The request can be retried. 11900 * @throws KmsInvalidStateException 11901 * The request was rejected because the state of the specified resource is not valid for this request.</p> 11902 * <p> 11903 * This exceptions means one of the following: 11904 * </p> 11905 * <ul> 11906 * <li> 11907 * <p> 11908 * The key state of the KMS key is not compatible with the operation. 11909 * </p> 11910 * <p> 11911 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 11912 * are compatible with each KMS operation, see <a 11913 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 11914 * the <i> <i>Key Management Service Developer Guide</i> </i>. 11915 * </p> 11916 * </li> 11917 * <li> 11918 * <p> 11919 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 11920 * failure with many possible causes. To identify the cause, see the error message that accompanies the 11921 * exception. 11922 * </p> 11923 * </li> 11924 * @throws SdkException 11925 * Base class for all exceptions that can be thrown by the SDK (both service and client). 
Can be used for
* catch all scenarios.
* @throws SdkClientException
*         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
*         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.ListGrants
* @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListGrants" target="_top">AWS API
*      Documentation</a>
*/
default ListGrantsIterable listGrantsPaginator(Consumer<ListGrantsRequest.Builder> listGrantsRequest)
        throws NotFoundException, DependencyTimeoutException, InvalidMarkerException, InvalidGrantIdException,
        InvalidArnException, KmsInternalException, KmsInvalidStateException, AwsServiceException,
        SdkClientException, KmsException {
    // Build the request from the caller's mutations, then reuse the request-based paginator.
    ListGrantsRequest builtRequest = ListGrantsRequest.builder().applyMutation(listGrantsRequest).build();
    return listGrantsPaginator(builtRequest);
}

/**
* <p>
* Gets the names of the key policies that are attached to a KMS key. This operation is designed to get policy names
* that you can use in a <a>GetKeyPolicy</a> operation. However, the only valid policy name is <code>default</code>.
* </p>
* <p>
* <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
* account.
11950 * </p> 11951 * <p> 11952 * <b>Required permissions</b>: <a 11953 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 11954 * >kms:ListKeyPolicies</a> (key policy) 11955 * </p> 11956 * <p> 11957 * <b>Related operations:</b> 11958 * </p> 11959 * <ul> 11960 * <li> 11961 * <p> 11962 * <a>GetKeyPolicy</a> 11963 * </p> 11964 * </li> 11965 * <li> 11966 * <p> 11967 * <a href="https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html">PutKeyPolicy</a> 11968 * </p> 11969 * </li> 11970 * </ul> 11971 * <p> 11972 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 11973 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 11974 * consistency</a>. 11975 * </p> 11976 * 11977 * @param listKeyPoliciesRequest 11978 * @return Result of the ListKeyPolicies operation returned by the service. 11979 * @throws NotFoundException 11980 * The request was rejected because the specified entity or resource could not be found. 11981 * @throws InvalidArnException 11982 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 11983 * @throws DependencyTimeoutException 11984 * The system timed out while trying to fulfill the request. You can retry the request. 11985 * @throws KmsInternalException 11986 * The request was rejected because an internal exception occurred. The request can be retried. 11987 * @throws KmsInvalidStateException 11988 * The request was rejected because the state of the specified resource is not valid for this request.</p> 11989 * <p> 11990 * This exceptions means one of the following: 11991 * </p> 11992 * <ul> 11993 * <li> 11994 * <p> 11995 * The key state of the KMS key is not compatible with the operation. 11996 * </p> 11997 * <p> 11998 * To find the key state, use the <a>DescribeKey</a> operation. 
For more information about which key states
* are compatible with each KMS operation, see <a
* href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
* the <i>Key Management Service Developer Guide</i>.
* </p>
* </li>
* <li>
* <p>
* For cryptographic operations on KMS keys in custom key stores, this exception represents a general
* failure with many possible causes. To identify the cause, see the error message that accompanies the
* exception.
* </p>
* </li>
* </ul>
* @throws SdkException
*         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
*         catch all scenarios.
* @throws SdkClientException
*         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
*         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.ListKeyPolicies
* @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyPolicies" target="_top">AWS API
*      Documentation</a>
*/
default ListKeyPoliciesResponse listKeyPolicies(ListKeyPoliciesRequest listKeyPoliciesRequest)
        throws NotFoundException, InvalidArnException, DependencyTimeoutException, KmsInternalException,
        KmsInvalidStateException, AwsServiceException, SdkClientException, KmsException {
    // The interface default carries no implementation: it always throws, so an implementation
    // that does not override this method cannot report an empty policy-name list by accident.
    throw new UnsupportedOperationException();
}

/**
* <p>
* Gets the names of the key policies that are attached to a KMS key. This operation is designed to get policy names
* that you can use in a <a>GetKeyPolicy</a> operation. However, the only valid policy name is <code>default</code>.
* </p>
* <p>
* <b>Cross-account use</b>: No.
You cannot perform this operation on a KMS key in a different Amazon Web Services 12035 * account. 12036 * </p> 12037 * <p> 12038 * <b>Required permissions</b>: <a 12039 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 12040 * >kms:ListKeyPolicies</a> (key policy) 12041 * </p> 12042 * <p> 12043 * <b>Related operations:</b> 12044 * </p> 12045 * <ul> 12046 * <li> 12047 * <p> 12048 * <a>GetKeyPolicy</a> 12049 * </p> 12050 * </li> 12051 * <li> 12052 * <p> 12053 * <a href="https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html">PutKeyPolicy</a> 12054 * </p> 12055 * </li> 12056 * </ul> 12057 * <p> 12058 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 12059 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 12060 * consistency</a>. 12061 * </p> 12062 * <br/> 12063 * <p> 12064 * This is a convenience which creates an instance of the {@link ListKeyPoliciesRequest.Builder} avoiding the need 12065 * to create one manually via {@link ListKeyPoliciesRequest#builder()} 12066 * </p> 12067 * 12068 * @param listKeyPoliciesRequest 12069 * A {@link Consumer} that will call methods on 12070 * {@link software.amazon.awssdk.services.kms.model.ListKeyPoliciesRequest.Builder} to create a request. 12071 * @return Result of the ListKeyPolicies operation returned by the service. 12072 * @throws NotFoundException 12073 * The request was rejected because the specified entity or resource could not be found. 12074 * @throws InvalidArnException 12075 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 12076 * @throws DependencyTimeoutException 12077 * The system timed out while trying to fulfill the request. You can retry the request. 12078 * @throws KmsInternalException 12079 * The request was rejected because an internal exception occurred. 
The request can be retried. 12080 * @throws KmsInvalidStateException 12081 * The request was rejected because the state of the specified resource is not valid for this request.</p> 12082 * <p> 12083 * This exceptions means one of the following: 12084 * </p> 12085 * <ul> 12086 * <li> 12087 * <p> 12088 * The key state of the KMS key is not compatible with the operation. 12089 * </p> 12090 * <p> 12091 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 12092 * are compatible with each KMS operation, see <a 12093 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 12094 * the <i> <i>Key Management Service Developer Guide</i> </i>. 12095 * </p> 12096 * </li> 12097 * <li> 12098 * <p> 12099 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 12100 * failure with many possible causes. To identify the cause, see the error message that accompanies the 12101 * exception. 12102 * </p> 12103 * </li> 12104 * @throws SdkException 12105 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 12106 * catch all scenarios. 12107 * @throws SdkClientException 12108 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 12109 * @throws KmsException 12110 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
* @sample KmsClient.ListKeyPolicies
* @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyPolicies" target="_top">AWS API
*      Documentation</a>
*/
default ListKeyPoliciesResponse listKeyPolicies(Consumer<ListKeyPoliciesRequest.Builder> listKeyPoliciesRequest)
        throws NotFoundException, InvalidArnException, DependencyTimeoutException, KmsInternalException,
        KmsInvalidStateException, AwsServiceException, SdkClientException, KmsException {
    // Apply the caller's mutations to a fresh builder, then delegate to the request-based overload.
    ListKeyPoliciesRequest builtRequest =
            ListKeyPoliciesRequest.builder().applyMutation(listKeyPoliciesRequest).build();
    return listKeyPolicies(builtRequest);
}

/**
* <p>
* This is a variant of {@link #listKeyPolicies(software.amazon.awssdk.services.kms.model.ListKeyPoliciesRequest)}
* operation. The return type is a custom iterable that can be used to iterate through all the pages. SDK will
* internally handle making service calls for you.
* </p>
* <p>
* When this operation is called, a custom iterable is returned but no service calls are made yet. So there is no
* guarantee that the request is valid. As you iterate through the iterable, SDK will start lazily loading response
* pages by making service calls until there are no pages left or your iteration stops. If there are errors in your
* request, you will see the failures only after you start iterating through the iterable.
12132 * </p> 12133 * 12134 * <p> 12135 * The following are few ways to iterate through the response pages: 12136 * </p> 12137 * 1) Using a Stream 12138 * 12139 * <pre> 12140 * {@code 12141 * software.amazon.awssdk.services.kms.paginators.ListKeyPoliciesIterable responses = client.listKeyPoliciesPaginator(request); 12142 * responses.stream().forEach(....); 12143 * } 12144 * </pre> 12145 * 12146 * 2) Using For loop 12147 * 12148 * <pre> 12149 * { 12150 * @code 12151 * software.amazon.awssdk.services.kms.paginators.ListKeyPoliciesIterable responses = client.listKeyPoliciesPaginator(request); 12152 * for (software.amazon.awssdk.services.kms.model.ListKeyPoliciesResponse response : responses) { 12153 * // do something; 12154 * } 12155 * } 12156 * </pre> 12157 * 12158 * 3) Use iterator directly 12159 * 12160 * <pre> 12161 * {@code 12162 * software.amazon.awssdk.services.kms.paginators.ListKeyPoliciesIterable responses = client.listKeyPoliciesPaginator(request); 12163 * responses.iterator().forEachRemaining(....); 12164 * } 12165 * </pre> 12166 * <p> 12167 * <b>Please notice that the configuration of Limit won't limit the number of results you get with the paginator. It 12168 * only limits the number of results in each page.</b> 12169 * </p> 12170 * <p> 12171 * <b>Note: If you prefer to have control on service calls, use the 12172 * {@link #listKeyPolicies(software.amazon.awssdk.services.kms.model.ListKeyPoliciesRequest)} operation.</b> 12173 * </p> 12174 * 12175 * @param listKeyPoliciesRequest 12176 * @return A custom iterable that can be used to iterate through all the response pages. 12177 * @throws NotFoundException 12178 * The request was rejected because the specified entity or resource could not be found. 12179 * @throws InvalidArnException 12180 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 12181 * @throws DependencyTimeoutException 12182 * The system timed out while trying to fulfill the request. 
     *         You can retry the request.
     * @throws KmsInternalException
     *         The request was rejected because an internal exception occurred. The request can be retried.
     * @throws KmsInvalidStateException
     *         <p>
     *         The request was rejected because the state of the specified resource is not valid for this request.
     *         </p>
     *         <p>
     *         This exception means one of the following:
     *         </p>
     *         <ul>
     *         <li>
     *         <p>
     *         The key state of the KMS key is not compatible with the operation.
     *         </p>
     *         <p>
     *         To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states
     *         are compatible with each KMS operation, see <a
     *         href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
     *         the <i>Key Management Service Developer Guide</i>.
     *         </p>
     *         </li>
     *         <li>
     *         <p>
     *         For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     *         failure with many possible causes. To identify the cause, see the error message that accompanies the
     *         exception.
     *         </p>
     *         </li>
     *         </ul>
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
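* @sample KmsClient.ListKeyPolicies
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyPolicies" target="_top">AWS API
     *      Documentation</a>
     */
    default ListKeyPoliciesIterable listKeyPoliciesPaginator(ListKeyPoliciesRequest listKeyPoliciesRequest)
            throws NotFoundException, InvalidArnException, DependencyTimeoutException, KmsInternalException,
            KmsInvalidStateException, AwsServiceException, SdkClientException, KmsException {
        // Construction only: the iterable is handed this client and the request. Per the method
        // documentation no service call is made yet, so the declared service exceptions (not
        // found, invalid ARN, invalid key state, ...) surface while the caller iterates, not here.
        return new ListKeyPoliciesIterable(this, listKeyPoliciesRequest);
    }

    /**
     * <p>
     * This is a variant of {@link #listKeyPolicies(software.amazon.awssdk.services.kms.model.ListKeyPoliciesRequest)}
     * operation. The return type is a custom iterable that can be used to iterate through all the pages. SDK will
     * internally handle making service calls for you.
     * </p>
     * <p>
     * When this operation is called, a custom iterable is returned but no service calls are made yet. So there is no
     * guarantee that the request is valid. As you iterate through the iterable, SDK will start lazily loading response
     * pages by making service calls until there are no pages left or your iteration stops. If there are errors in your
     * request, you will see the failures only after you start iterating through the iterable.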
     * </p>
     *
     * <p>
     * The following are a few ways to iterate through the response pages:
     * </p>
     * 1) Using a Stream
     *
     * <pre>
     * {@code
     * software.amazon.awssdk.services.kms.paginators.ListKeyPoliciesIterable responses = client.listKeyPoliciesPaginator(request);
     * responses.stream().forEach(....);
     * }
     * </pre>
     *
     * 2) Using a for loop
     *
     * <pre>
     * {@code
     * software.amazon.awssdk.services.kms.paginators.ListKeyPoliciesIterable responses = client.listKeyPoliciesPaginator(request);
     * for (software.amazon.awssdk.services.kms.model.ListKeyPoliciesResponse response : responses) {
     *     // do something;
     * }
     * }
     * </pre>
     *
     * 3) Using the iterator directly
     *
     * <pre>
     * {@code
     * software.amazon.awssdk.services.kms.paginators.ListKeyPoliciesIterable responses = client.listKeyPoliciesPaginator(request);
     * responses.iterator().forEachRemaining(....);
     * }
     * </pre>
     * <p>
     * <b>Please note that the configuration of Limit won't limit the number of results you get with the paginator. It
     * only limits the number of results in each page.</b>
     * </p>
     * <p>
     * <b>Note: If you prefer to have control over service calls, use the
     * {@link #listKeyPolicies(software.amazon.awssdk.services.kms.model.ListKeyPoliciesRequest)} operation.</b>
     * </p>
     * <br/>
     * <p>
     * This is a convenience which creates an instance of the {@link ListKeyPoliciesRequest.Builder}, avoiding the need
     * to create one manually via {@link ListKeyPoliciesRequest#builder()}.
     * </p>
     *
     * @param listKeyPoliciesRequest
     *        A {@link Consumer} that will call methods on
     *        {@link software.amazon.awssdk.services.kms.model.ListKeyPoliciesRequest.Builder} to create a request.
     * @return A custom iterable that can be used to iterate through all the response pages.
     * @throws NotFoundException
     *         The request was rejected because the specified entity or resource could not be found.
     * @throws InvalidArnException
     *         The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
     * @throws DependencyTimeoutException
     *         The system timed out while trying to fulfill the request. You can retry the request.
     * @throws KmsInternalException
     *         The request was rejected because an internal exception occurred. The request can be retried.
     * @throws KmsInvalidStateException
     *         <p>
     *         The request was rejected because the state of the specified resource is not valid for this request.
     *         </p>
     *         <p>
     *         This exception means one of the following:
     *         </p>
     *         <ul>
     *         <li>
     *         <p>
     *         The key state of the KMS key is not compatible with the operation.
     *         </p>
     *         <p>
     *         To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states
     *         are compatible with each KMS operation, see <a
     *         href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
     *         the <i>Key Management Service Developer Guide</i>.
     *         </p>
     *         </li>
     *         <li>
     *         <p>
     *         For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     *         failure with many possible causes. To identify the cause, see the error message that accompanies the
     *         exception.
     *         </p>
     *         </li>
     *         </ul>
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
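* @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.ListKeyPolicies
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyPolicies" target="_top">AWS API
     *      Documentation</a>
     */
    default ListKeyPoliciesIterable listKeyPoliciesPaginator(Consumer<ListKeyPoliciesRequest.Builder> listKeyPoliciesRequest)
            throws NotFoundException, InvalidArnException, DependencyTimeoutException, KmsInternalException,
            KmsInvalidStateException, AwsServiceException, SdkClientException, KmsException {
        // The consumer runs against a fresh builder here; the built request is then passed to
        // the request-object overload of listKeyPoliciesPaginator.
        ListKeyPoliciesRequest request =
                ListKeyPoliciesRequest.builder().applyMutation(listKeyPoliciesRequest).build();
        return listKeyPoliciesPaginator(request);
    }

    /**
     * <p>
     * Gets a list of all KMS keys in the caller's Amazon Web Services account and Region.
     * </p>
     * <p>
     * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
     * account.
     * </p>
     * <p>
     * <b>Required permissions</b>: <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:ListKeys</a>
     * (IAM policy)
     * </p>
     * <p>
     * <b>Related operations:</b>
     * </p>
     * <ul>
     * <li>
     * <p>
     * <a>CreateKey</a>
     * </p>
     * </li>
     * <li>
     * <p>
     * <a>DescribeKey</a>
     * </p>
     * </li>
     * <li>
     * <p>
     * <a>ListAliases</a>
     * </p>
     * </li>
     * <li>
     * <p>
     * <a>ListResourceTags</a>
     * </p>
     * </li>
     * </ul>
     * <p>
     * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model.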
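For more information, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual
     * consistency</a>.
     * </p>
     *
     * @param listKeysRequest
     *        The {@link ListKeysRequest} to send.
     * @return Result of the ListKeys operation returned by the service.
     * @throws DependencyTimeoutException
     *         The system timed out while trying to fulfill the request. You can retry the request.
     * @throws KmsInternalException
     *         The request was rejected because an internal exception occurred. The request can be retried.
     * @throws InvalidMarkerException
     *         The request was rejected because the marker that specifies where pagination should next begin is not
     *         valid.
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.ListKeys
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeys" target="_top">AWS API
     *      Documentation</a>
     */
    default ListKeysResponse listKeys(ListKeysRequest listKeysRequest) throws DependencyTimeoutException, KmsInternalException,
            InvalidMarkerException, AwsServiceException, SdkClientException, KmsException {
        // Default body of the interface method: it sends nothing and always throws, unless the
        // implementing client overrides it.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Gets a list of all KMS keys in the caller's Amazon Web Services account and Region.
     * </p>
     * <p>
     * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
     * account.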
12414 * </p> 12415 * <p> 12416 * <b>Required permissions</b>: <a 12417 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:ListKeys</a> 12418 * (IAM policy) 12419 * </p> 12420 * <p> 12421 * <b>Related operations:</b> 12422 * </p> 12423 * <ul> 12424 * <li> 12425 * <p> 12426 * <a>CreateKey</a> 12427 * </p> 12428 * </li> 12429 * <li> 12430 * <p> 12431 * <a>DescribeKey</a> 12432 * </p> 12433 * </li> 12434 * <li> 12435 * <p> 12436 * <a>ListAliases</a> 12437 * </p> 12438 * </li> 12439 * <li> 12440 * <p> 12441 * <a>ListResourceTags</a> 12442 * </p> 12443 * </li> 12444 * </ul> 12445 * <p> 12446 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 12447 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 12448 * consistency</a>. 12449 * </p> 12450 * <br/> 12451 * <p> 12452 * This is a convenience which creates an instance of the {@link ListKeysRequest.Builder} avoiding the need to 12453 * create one manually via {@link ListKeysRequest#builder()} 12454 * </p> 12455 * 12456 * @param listKeysRequest 12457 * A {@link Consumer} that will call methods on 12458 * {@link software.amazon.awssdk.services.kms.model.ListKeysRequest.Builder} to create a request. 12459 * @return Result of the ListKeys operation returned by the service. 12460 * @throws DependencyTimeoutException 12461 * The system timed out while trying to fulfill the request. You can retry the request. 12462 * @throws KmsInternalException 12463 * The request was rejected because an internal exception occurred. The request can be retried. 12464 * @throws InvalidMarkerException 12465 * The request was rejected because the marker that specifies where pagination should next begin is not 12466 * valid. 12467 * @throws SdkException 12468 * Base class for all exceptions that can be thrown by the SDK (both service and client). 
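Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.ListKeys
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeys" target="_top">AWS API
     *      Documentation</a>
     */
    default ListKeysResponse listKeys(Consumer<ListKeysRequest.Builder> listKeysRequest) throws DependencyTimeoutException,
            KmsInternalException, InvalidMarkerException, AwsServiceException, SdkClientException, KmsException {
        // The consumer is applied to a fresh builder here, before anything is sent; the built
        // request is then passed to listKeys(ListKeysRequest).
        ListKeysRequest request = ListKeysRequest.builder().applyMutation(listKeysRequest).build();
        return listKeys(request);
    }

    /**
     * <p>
     * Gets a list of all KMS keys in the caller's Amazon Web Services account and Region.
     * </p>
     * <p>
     * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
     * account.
     * </p>
     * <p>
     * <b>Required permissions</b>: <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:ListKeys</a>
     * (IAM policy)
     * </p>
     * <p>
     * <b>Related operations:</b>
     * </p>
     * <ul>
     * <li>
     * <p>
     * <a>CreateKey</a>
     * </p>
     * </li>
     * <li>
     * <p>
     * <a>DescribeKey</a>
     * </p>
     * </li>
     * <li>
     * <p>
     * <a>ListAliases</a>
     * </p>
     * </li>
     * <li>
     * <p>
     * <a>ListResourceTags</a>
     * </p>
     * </li>
     * </ul>
     * <p>
     * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model.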
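For more information, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual
     * consistency</a>.
     * </p>
     *
     * @return Result of the ListKeys operation returned by the service.
     * @throws DependencyTimeoutException
     *         The system timed out while trying to fulfill the request. You can retry the request.
     * @throws KmsInternalException
     *         The request was rejected because an internal exception occurred. The request can be retried.
     * @throws InvalidMarkerException
     *         The request was rejected because the marker that specifies where pagination should next begin is not
     *         valid.
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.ListKeys
     * @see #listKeys(ListKeysRequest)
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeys" target="_top">AWS API
     *      Documentation</a>
     */
    default ListKeysResponse listKeys() throws DependencyTimeoutException, KmsInternalException, InvalidMarkerException,
            AwsServiceException, SdkClientException, KmsException {
        // An empty request (no builder fields set) goes to listKeys(ListKeysRequest). This is one
        // delegation, not a walk over every page; when a complete key inventory is needed,
        // listKeysPaginator() is the variant documented to iterate through all pages.
        ListKeysRequest emptyRequest = ListKeysRequest.builder().build();
        return listKeys(emptyRequest);
    }

    /**
     * <p>
     * This is a variant of {@link #listKeys(software.amazon.awssdk.services.kms.model.ListKeysRequest)} operation. The
     * return type is a custom iterable that can be used to iterate through all the pages. SDK will internally handle
     * making service calls for you.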
     * </p>
     * <p>
     * When this operation is called, a custom iterable is returned but no service calls are made yet. So there is no
     * guarantee that the request is valid. As you iterate through the iterable, SDK will start lazily loading response
     * pages by making service calls until there are no pages left or your iteration stops. If there are errors in your
     * request, you will see the failures only after you start iterating through the iterable.
     * </p>
     *
     * <p>
     * The following are a few ways to iterate through the response pages:
     * </p>
     * 1) Using a Stream
     *
     * <pre>
     * {@code
     * software.amazon.awssdk.services.kms.paginators.ListKeysIterable responses = client.listKeysPaginator(request);
     * responses.stream().forEach(....);
     * }
     * </pre>
     *
     * 2) Using a for loop
     *
     * <pre>
     * {@code
     * software.amazon.awssdk.services.kms.paginators.ListKeysIterable responses = client.listKeysPaginator(request);
     * for (software.amazon.awssdk.services.kms.model.ListKeysResponse response : responses) {
     *     // do something;
     * }
     * }
     * </pre>
     *
     * 3) Using the iterator directly
     *
     * <pre>
     * {@code
     * software.amazon.awssdk.services.kms.paginators.ListKeysIterable responses = client.listKeysPaginator(request);
     * responses.iterator().forEachRemaining(....);
     * }
     * </pre>
     * <p>
     * <b>Please note that the configuration of Limit won't limit the number of results you get with the paginator. It
     * only limits the number of results in each page.</b>
     * </p>
     * <p>
     * <b>Note: If you prefer to have control over service calls, use the
     * {@link #listKeys(software.amazon.awssdk.services.kms.model.ListKeysRequest)} operation.</b>
     * </p>
     *
     * @return A custom iterable that can be used to iterate through all the response pages.
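* @throws DependencyTimeoutException
     *         The system timed out while trying to fulfill the request. You can retry the request.
     * @throws KmsInternalException
     *         The request was rejected because an internal exception occurred. The request can be retried.
     * @throws InvalidMarkerException
     *         The request was rejected because the marker that specifies where pagination should next begin is not
     *         valid.
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.ListKeys
     * @see #listKeysPaginator(ListKeysRequest)
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeys" target="_top">AWS API
     *      Documentation</a>
     */
    default ListKeysIterable listKeysPaginator() throws DependencyTimeoutException, KmsInternalException, InvalidMarkerException,
            AwsServiceException, SdkClientException, KmsException {
        // An empty request (no builder fields set) is handed to listKeysPaginator(ListKeysRequest).
        // Per the method documentation no service call is made until the caller iterates.
        ListKeysRequest emptyRequest = ListKeysRequest.builder().build();
        return listKeysPaginator(emptyRequest);
    }

    /**
     * <p>
     * This is a variant of {@link #listKeys(software.amazon.awssdk.services.kms.model.ListKeysRequest)} operation. The
     * return type is a custom iterable that can be used to iterate through all the pages. SDK will internally handle
     * making service calls for you.
     * </p>
     * <p>
     * When this operation is called, a custom iterable is returned but no service calls are made yet. So there is no
     * guarantee that the request is valid.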
     * As you iterate through the iterable, SDK will start lazily loading response
     * pages by making service calls until there are no pages left or your iteration stops. If there are errors in your
     * request, you will see the failures only after you start iterating through the iterable.
     * </p>
     *
     * <p>
     * The following are a few ways to iterate through the response pages:
     * </p>
     * 1) Using a Stream
     *
     * <pre>
     * {@code
     * software.amazon.awssdk.services.kms.paginators.ListKeysIterable responses = client.listKeysPaginator(request);
     * responses.stream().forEach(....);
     * }
     * </pre>
     *
     * 2) Using a for loop
     *
     * <pre>
     * {@code
     * software.amazon.awssdk.services.kms.paginators.ListKeysIterable responses = client.listKeysPaginator(request);
     * for (software.amazon.awssdk.services.kms.model.ListKeysResponse response : responses) {
     *     // do something;
     * }
     * }
     * </pre>
     *
     * 3) Using the iterator directly
     *
     * <pre>
     * {@code
     * software.amazon.awssdk.services.kms.paginators.ListKeysIterable responses = client.listKeysPaginator(request);
     * responses.iterator().forEachRemaining(....);
     * }
     * </pre>
     * <p>
     * <b>Please note that the configuration of Limit won't limit the number of results you get with the paginator. It
     * only limits the number of results in each page.</b>
     * </p>
     * <p>
     * <b>Note: If you prefer to have control over service calls, use the
     * {@link #listKeys(software.amazon.awssdk.services.kms.model.ListKeysRequest)} operation.</b>
     * </p>
     *
     * @param listKeysRequest
     * @return A custom iterable that can be used to iterate through all the response pages.
     * @throws DependencyTimeoutException
     *         The system timed out while trying to fulfill the request. You can retry the request.
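* @throws KmsInternalException
     *         The request was rejected because an internal exception occurred. The request can be retried.
     * @throws InvalidMarkerException
     *         The request was rejected because the marker that specifies where pagination should next begin is not
     *         valid.
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.ListKeys
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeys" target="_top">AWS API
     *      Documentation</a>
     */
    default ListKeysIterable listKeysPaginator(ListKeysRequest listKeysRequest) throws DependencyTimeoutException,
            KmsInternalException, InvalidMarkerException, AwsServiceException, SdkClientException, KmsException {
        // Construction only: the iterable is handed this client and the request. Per the method
        // documentation no service call is made yet, so the declared service exceptions surface
        // while the caller iterates, not here.
        return new ListKeysIterable(this, listKeysRequest);
    }

    /**
     * <p>
     * This is a variant of {@link #listKeys(software.amazon.awssdk.services.kms.model.ListKeysRequest)} operation. The
     * return type is a custom iterable that can be used to iterate through all the pages. SDK will internally handle
     * making service calls for you.
     * </p>
     * <p>
     * When this operation is called, a custom iterable is returned but no service calls are made yet. So there is no
     * guarantee that the request is valid. As you iterate through the iterable, SDK will start lazily loading response
     * pages by making service calls until there are no pages left or your iteration stops.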
     * If there are errors in your
     * request, you will see the failures only after you start iterating through the iterable.
     * </p>
     *
     * <p>
     * The following are a few ways to iterate through the response pages:
     * </p>
     * 1) Using a Stream
     *
     * <pre>
     * {@code
     * software.amazon.awssdk.services.kms.paginators.ListKeysIterable responses = client.listKeysPaginator(request);
     * responses.stream().forEach(....);
     * }
     * </pre>
     *
     * 2) Using a for loop
     *
     * <pre>
     * {@code
     * software.amazon.awssdk.services.kms.paginators.ListKeysIterable responses = client.listKeysPaginator(request);
     * for (software.amazon.awssdk.services.kms.model.ListKeysResponse response : responses) {
     *     // do something;
     * }
     * }
     * </pre>
     *
     * 3) Using the iterator directly
     *
     * <pre>
     * {@code
     * software.amazon.awssdk.services.kms.paginators.ListKeysIterable responses = client.listKeysPaginator(request);
     * responses.iterator().forEachRemaining(....);
     * }
     * </pre>
     * <p>
     * <b>Please note that the configuration of Limit won't limit the number of results you get with the paginator. It
     * only limits the number of results in each page.</b>
     * </p>
     * <p>
     * <b>Note: If you prefer to have control over service calls, use the
     * {@link #listKeys(software.amazon.awssdk.services.kms.model.ListKeysRequest)} operation.</b>
     * </p>
     * <br/>
     * <p>
     * This is a convenience which creates an instance of the {@link ListKeysRequest.Builder}, avoiding the need to
     * create one manually via {@link ListKeysRequest#builder()}.
     * </p>
     *
     * @param listKeysRequest
     *        A {@link Consumer} that will call methods on
     *        {@link software.amazon.awssdk.services.kms.model.ListKeysRequest.Builder} to create a request.
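* @return A custom iterable that can be used to iterate through all the response pages.
     * @throws DependencyTimeoutException
     *         The system timed out while trying to fulfill the request. You can retry the request.
     * @throws KmsInternalException
     *         The request was rejected because an internal exception occurred. The request can be retried.
     * @throws InvalidMarkerException
     *         The request was rejected because the marker that specifies where pagination should next begin is not
     *         valid.
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.ListKeys
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeys" target="_top">AWS API
     *      Documentation</a>
     */
    default ListKeysIterable listKeysPaginator(Consumer<ListKeysRequest.Builder> listKeysRequest)
            throws DependencyTimeoutException, KmsInternalException, InvalidMarkerException, AwsServiceException,
            SdkClientException, KmsException {
        // The consumer runs against a fresh builder here; the built request is then passed to
        // listKeysPaginator(ListKeysRequest).
        ListKeysRequest request = ListKeysRequest.builder().applyMutation(listKeysRequest).build();
        return listKeysPaginator(request);
    }

    /**
     * <p>
     * Returns all tags on the specified KMS key.
     * </p>
     * <p>
     * For general information about tags, including the format and syntax, see <a
     * href="https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html">Tagging Amazon Web Services resources</a>
     * in the <i>Amazon Web Services General Reference</i>.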
For information about using tags in KMS, see <a 12805 * href="https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html">Tagging keys</a>. 12806 * </p> 12807 * <p> 12808 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 12809 * account. 12810 * </p> 12811 * <p> 12812 * <b>Required permissions</b>: <a 12813 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 12814 * >kms:ListResourceTags</a> (key policy) 12815 * </p> 12816 * <p> 12817 * <b>Related operations:</b> 12818 * </p> 12819 * <ul> 12820 * <li> 12821 * <p> 12822 * <a>CreateKey</a> 12823 * </p> 12824 * </li> 12825 * <li> 12826 * <p> 12827 * <a>ReplicateKey</a> 12828 * </p> 12829 * </li> 12830 * <li> 12831 * <p> 12832 * <a>TagResource</a> 12833 * </p> 12834 * </li> 12835 * <li> 12836 * <p> 12837 * <a>UntagResource</a> 12838 * </p> 12839 * </li> 12840 * </ul> 12841 * <p> 12842 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 12843 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 12844 * consistency</a>. 12845 * </p> 12846 * 12847 * @param listResourceTagsRequest 12848 * @return Result of the ListResourceTags operation returned by the service. 12849 * @throws KmsInternalException 12850 * The request was rejected because an internal exception occurred. The request can be retried. 12851 * @throws NotFoundException 12852 * The request was rejected because the specified entity or resource could not be found. 12853 * @throws InvalidArnException 12854 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 12855 * @throws InvalidMarkerException 12856 * The request was rejected because the marker that specifies where pagination should next begin is not 12857 * valid. 
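* @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.ListResourceTags
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListResourceTags" target="_top">AWS API
     *      Documentation</a>
     */
    default ListResourceTagsResponse listResourceTags(ListResourceTagsRequest listResourceTagsRequest)
            throws KmsInternalException, NotFoundException, InvalidArnException, InvalidMarkerException, AwsServiceException,
            SdkClientException, KmsException {
        // Default body of the interface method: it sends nothing and always throws, unless the
        // implementing client overrides it.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Returns all tags on the specified KMS key.
     * </p>
     * <p>
     * For general information about tags, including the format and syntax, see <a
     * href="https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html">Tagging Amazon Web Services resources</a>
     * in the <i>Amazon Web Services General Reference</i>. For information about using tags in KMS, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html">Tagging keys</a>.
     * </p>
     * <p>
     * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
     * account.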
12888 * </p> 12889 * <p> 12890 * <b>Required permissions</b>: <a 12891 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 12892 * >kms:ListResourceTags</a> (key policy) 12893 * </p> 12894 * <p> 12895 * <b>Related operations:</b> 12896 * </p> 12897 * <ul> 12898 * <li> 12899 * <p> 12900 * <a>CreateKey</a> 12901 * </p> 12902 * </li> 12903 * <li> 12904 * <p> 12905 * <a>ReplicateKey</a> 12906 * </p> 12907 * </li> 12908 * <li> 12909 * <p> 12910 * <a>TagResource</a> 12911 * </p> 12912 * </li> 12913 * <li> 12914 * <p> 12915 * <a>UntagResource</a> 12916 * </p> 12917 * </li> 12918 * </ul> 12919 * <p> 12920 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 12921 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 12922 * consistency</a>. 12923 * </p> 12924 * <br/> 12925 * <p> 12926 * This is a convenience which creates an instance of the {@link ListResourceTagsRequest.Builder} avoiding the need 12927 * to create one manually via {@link ListResourceTagsRequest#builder()} 12928 * </p> 12929 * 12930 * @param listResourceTagsRequest 12931 * A {@link Consumer} that will call methods on 12932 * {@link software.amazon.awssdk.services.kms.model.ListResourceTagsRequest.Builder} to create a request. 12933 * @return Result of the ListResourceTags operation returned by the service. 12934 * @throws KmsInternalException 12935 * The request was rejected because an internal exception occurred. The request can be retried. 12936 * @throws NotFoundException 12937 * The request was rejected because the specified entity or resource could not be found. 12938 * @throws InvalidArnException 12939 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 
* @throws InvalidMarkerException
*         The request was rejected because the marker that specifies where pagination should next begin is not
*         valid.
* @throws SdkException
*         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
*         catch all scenarios.
* @throws SdkClientException
*         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
*         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.ListResourceTags
* @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListResourceTags" target="_top">AWS API
*      Documentation</a>
*/
default ListResourceTagsResponse listResourceTags(Consumer<ListResourceTagsRequest.Builder> listResourceTagsRequest)
        throws KmsInternalException, NotFoundException, InvalidArnException, InvalidMarkerException,
        AwsServiceException, SdkClientException, KmsException {
    // Let the caller's mutator populate a fresh builder, then hand the finished request to the
    // request-object overload, which does the actual work.
    ListResourceTagsRequest builtRequest =
            ListResourceTagsRequest.builder().applyMutation(listResourceTagsRequest).build();
    return listResourceTags(builtRequest);
}

/**
* <p>
* This is a variant of {@link #listResourceTags(software.amazon.awssdk.services.kms.model.ListResourceTagsRequest)}
* operation. The return type is a custom iterable that can be used to iterate through all the pages. SDK will
* internally handle making service calls for you.
* </p>
* <p>
* When this operation is called, a custom iterable is returned but no service calls are made yet. So there is no
* guarantee that the request is valid. As you iterate through the iterable, SDK will start lazily loading response
* pages by making service calls until there are no pages left or your iteration stops.
If there are errors in your 12970 * request, you will see the failures only after you start iterating through the iterable. 12971 * </p> 12972 * 12973 * <p> 12974 * The following are few ways to iterate through the response pages: 12975 * </p> 12976 * 1) Using a Stream 12977 * 12978 * <pre> 12979 * {@code 12980 * software.amazon.awssdk.services.kms.paginators.ListResourceTagsIterable responses = client.listResourceTagsPaginator(request); 12981 * responses.stream().forEach(....); 12982 * } 12983 * </pre> 12984 * 12985 * 2) Using For loop 12986 * 12987 * <pre> 12988 * { 12989 * @code 12990 * software.amazon.awssdk.services.kms.paginators.ListResourceTagsIterable responses = client.listResourceTagsPaginator(request); 12991 * for (software.amazon.awssdk.services.kms.model.ListResourceTagsResponse response : responses) { 12992 * // do something; 12993 * } 12994 * } 12995 * </pre> 12996 * 12997 * 3) Use iterator directly 12998 * 12999 * <pre> 13000 * {@code 13001 * software.amazon.awssdk.services.kms.paginators.ListResourceTagsIterable responses = client.listResourceTagsPaginator(request); 13002 * responses.iterator().forEachRemaining(....); 13003 * } 13004 * </pre> 13005 * <p> 13006 * <b>Please notice that the configuration of Limit won't limit the number of results you get with the paginator. It 13007 * only limits the number of results in each page.</b> 13008 * </p> 13009 * <p> 13010 * <b>Note: If you prefer to have control on service calls, use the 13011 * {@link #listResourceTags(software.amazon.awssdk.services.kms.model.ListResourceTagsRequest)} operation.</b> 13012 * </p> 13013 * 13014 * @param listResourceTagsRequest 13015 * @return A custom iterable that can be used to iterate through all the response pages. 13016 * @throws KmsInternalException 13017 * The request was rejected because an internal exception occurred. The request can be retried. 
* @throws NotFoundException
*         The request was rejected because the specified entity or resource could not be found.
* @throws InvalidArnException
*         The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws InvalidMarkerException
*         The request was rejected because the marker that specifies where pagination should next begin is not
*         valid.
* @throws SdkException
*         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
*         catch all scenarios.
* @throws SdkClientException
*         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
*         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.ListResourceTags
* @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListResourceTags" target="_top">AWS API
*      Documentation</a>
*/
default ListResourceTagsIterable listResourceTagsPaginator(ListResourceTagsRequest listResourceTagsRequest)
        throws KmsInternalException, NotFoundException, InvalidArnException, InvalidMarkerException,
        AwsServiceException, SdkClientException, KmsException {
    // Only wraps this client and the request. As documented for this method, pages are loaded
    // lazily, so an invalid request is reported during iteration rather than here.
    ListResourceTagsIterable pages = new ListResourceTagsIterable(this, listResourceTagsRequest);
    return pages;
}

/**
* <p>
* This is a variant of {@link #listResourceTags(software.amazon.awssdk.services.kms.model.ListResourceTagsRequest)}
* operation. The return type is a custom iterable that can be used to iterate through all the pages. SDK will
* internally handle making service calls for you.
* </p>
* <p>
* When this operation is called, a custom iterable is returned but no service calls are made yet.
So there is no 13050 * guarantee that the request is valid. As you iterate through the iterable, SDK will start lazily loading response 13051 * pages by making service calls until there are no pages left or your iteration stops. If there are errors in your 13052 * request, you will see the failures only after you start iterating through the iterable. 13053 * </p> 13054 * 13055 * <p> 13056 * The following are few ways to iterate through the response pages: 13057 * </p> 13058 * 1) Using a Stream 13059 * 13060 * <pre> 13061 * {@code 13062 * software.amazon.awssdk.services.kms.paginators.ListResourceTagsIterable responses = client.listResourceTagsPaginator(request); 13063 * responses.stream().forEach(....); 13064 * } 13065 * </pre> 13066 * 13067 * 2) Using For loop 13068 * 13069 * <pre> 13070 * { 13071 * @code 13072 * software.amazon.awssdk.services.kms.paginators.ListResourceTagsIterable responses = client.listResourceTagsPaginator(request); 13073 * for (software.amazon.awssdk.services.kms.model.ListResourceTagsResponse response : responses) { 13074 * // do something; 13075 * } 13076 * } 13077 * </pre> 13078 * 13079 * 3) Use iterator directly 13080 * 13081 * <pre> 13082 * {@code 13083 * software.amazon.awssdk.services.kms.paginators.ListResourceTagsIterable responses = client.listResourceTagsPaginator(request); 13084 * responses.iterator().forEachRemaining(....); 13085 * } 13086 * </pre> 13087 * <p> 13088 * <b>Please notice that the configuration of Limit won't limit the number of results you get with the paginator. 
It 13089 * only limits the number of results in each page.</b> 13090 * </p> 13091 * <p> 13092 * <b>Note: If you prefer to have control on service calls, use the 13093 * {@link #listResourceTags(software.amazon.awssdk.services.kms.model.ListResourceTagsRequest)} operation.</b> 13094 * </p> 13095 * <br/> 13096 * <p> 13097 * This is a convenience which creates an instance of the {@link ListResourceTagsRequest.Builder} avoiding the need 13098 * to create one manually via {@link ListResourceTagsRequest#builder()} 13099 * </p> 13100 * 13101 * @param listResourceTagsRequest 13102 * A {@link Consumer} that will call methods on 13103 * {@link software.amazon.awssdk.services.kms.model.ListResourceTagsRequest.Builder} to create a request. 13104 * @return A custom iterable that can be used to iterate through all the response pages. 13105 * @throws KmsInternalException 13106 * The request was rejected because an internal exception occurred. The request can be retried. 13107 * @throws NotFoundException 13108 * The request was rejected because the specified entity or resource could not be found. 13109 * @throws InvalidArnException 13110 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 13111 * @throws InvalidMarkerException 13112 * The request was rejected because the marker that specifies where pagination should next begin is not 13113 * valid. 13114 * @throws SdkException 13115 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 13116 * catch all scenarios. 13117 * @throws SdkClientException 13118 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 13119 * @throws KmsException 13120 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
* @sample KmsClient.ListResourceTags
* @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListResourceTags" target="_top">AWS API
*      Documentation</a>
*/
default ListResourceTagsIterable listResourceTagsPaginator(Consumer<ListResourceTagsRequest.Builder> listResourceTagsRequest)
        throws KmsInternalException, NotFoundException, InvalidArnException, InvalidMarkerException,
        AwsServiceException, SdkClientException, KmsException {
    // Let the caller's mutator populate a fresh builder, then delegate to the request-object
    // paginator overload with the finished request.
    ListResourceTagsRequest builtRequest =
            ListResourceTagsRequest.builder().applyMutation(listResourceTagsRequest).build();
    return listResourceTagsPaginator(builtRequest);
}

/**
* <p>
* Returns information about all grants in the Amazon Web Services account and Region that have the specified
* retiring principal.
* </p>
* <p>
* You can specify any principal in your Amazon Web Services account. The grants that are returned include grants
* for KMS keys in your Amazon Web Services account and other Amazon Web Services accounts. You might use this
* operation to determine which grants you may retire. To retire a grant, use the <a>RetireGrant</a> operation.
* </p>
* <p>
* For detailed information about grants, including grant terminology, see <a
* href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html">Grants in KMS</a> in the <i> <i>Key
* Management Service Developer Guide</i> </i>. For examples of working with grants in several programming
* languages, see <a
* href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html">Programming grants</a>.
* </p>
* <p>
* <b>Cross-account use</b>: You must specify a principal in your Amazon Web Services account.
This operation 13150 * returns a list of grants where the retiring principal specified in the <code>ListRetirableGrants</code> request 13151 * is the same retiring principal on the grant. This can include grants on KMS keys owned by other Amazon Web 13152 * Services accounts, but you do not need <code>kms:ListRetirableGrants</code> permission (or any other additional 13153 * permission) in any Amazon Web Services account other than your own. 13154 * </p> 13155 * <p> 13156 * <b>Required permissions</b>: <a 13157 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 13158 * >kms:ListRetirableGrants</a> (IAM policy) in your Amazon Web Services account. 13159 * </p> 13160 * <note> 13161 * <p> 13162 * KMS authorizes <code>ListRetirableGrants</code> requests by evaluating the caller account's 13163 * kms:ListRetirableGrants permissions. The authorized resource in <code>ListRetirableGrants</code> calls is the 13164 * retiring principal specified in the request. KMS does not evaluate the caller's permissions to verify their 13165 * access to any KMS keys or grants that might be returned by the <code>ListRetirableGrants</code> call. 13166 * </p> 13167 * </note> 13168 * <p> 13169 * <b>Related operations:</b> 13170 * </p> 13171 * <ul> 13172 * <li> 13173 * <p> 13174 * <a>CreateGrant</a> 13175 * </p> 13176 * </li> 13177 * <li> 13178 * <p> 13179 * <a>ListGrants</a> 13180 * </p> 13181 * </li> 13182 * <li> 13183 * <p> 13184 * <a>RetireGrant</a> 13185 * </p> 13186 * </li> 13187 * <li> 13188 * <p> 13189 * <a>RevokeGrant</a> 13190 * </p> 13191 * </li> 13192 * </ul> 13193 * <p> 13194 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 13195 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 13196 * consistency</a>. 
13197 * </p> 13198 * 13199 * @param listRetirableGrantsRequest 13200 * @return Result of the ListRetirableGrants operation returned by the service. 13201 * @throws DependencyTimeoutException 13202 * The system timed out while trying to fulfill the request. You can retry the request. 13203 * @throws InvalidMarkerException 13204 * The request was rejected because the marker that specifies where pagination should next begin is not 13205 * valid. 13206 * @throws InvalidArnException 13207 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 13208 * @throws NotFoundException 13209 * The request was rejected because the specified entity or resource could not be found. 13210 * @throws KmsInternalException 13211 * The request was rejected because an internal exception occurred. The request can be retried. 13212 * @throws SdkException 13213 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 13214 * catch all scenarios. 13215 * @throws SdkClientException 13216 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 13217 * @throws KmsException 13218 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
* @sample KmsClient.ListRetirableGrants
* @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListRetirableGrants" target="_top">AWS API
*      Documentation</a>
*/
default ListRetirableGrantsResponse listRetirableGrants(ListRetirableGrantsRequest listRetirableGrantsRequest)
        throws DependencyTimeoutException, InvalidMarkerException, InvalidArnException, NotFoundException,
        KmsInternalException, AwsServiceException, SdkClientException, KmsException {
    // Default implementation: issues no request and always throws. Presumably a concrete client
    // overrides this method to perform the ListRetirableGrants call.
    // NOTE(review): per this operation's Javadoc, KMS authorizes the call against the retiring
    // principal only and does not check the caller's access to the keys or grants returned, which
    // can belong to other accounts.
    throw new UnsupportedOperationException();
}

/**
* <p>
* Returns information about all grants in the Amazon Web Services account and Region that have the specified
* retiring principal.
* </p>
* <p>
* You can specify any principal in your Amazon Web Services account. The grants that are returned include grants
* for KMS keys in your Amazon Web Services account and other Amazon Web Services accounts. You might use this
* operation to determine which grants you may retire. To retire a grant, use the <a>RetireGrant</a> operation.
* </p>
* <p>
* For detailed information about grants, including grant terminology, see <a
* href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html">Grants in KMS</a> in the <i> <i>Key
* Management Service Developer Guide</i> </i>. For examples of working with grants in several programming
* languages, see <a
* href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html">Programming grants</a>.
* </p>
* <p>
* <b>Cross-account use</b>: You must specify a principal in your Amazon Web Services account. This operation
* returns a list of grants where the retiring principal specified in the <code>ListRetirableGrants</code> request
* is the same retiring principal on the grant.
This can include grants on KMS keys owned by other Amazon Web 13250 * Services accounts, but you do not need <code>kms:ListRetirableGrants</code> permission (or any other additional 13251 * permission) in any Amazon Web Services account other than your own. 13252 * </p> 13253 * <p> 13254 * <b>Required permissions</b>: <a 13255 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 13256 * >kms:ListRetirableGrants</a> (IAM policy) in your Amazon Web Services account. 13257 * </p> 13258 * <note> 13259 * <p> 13260 * KMS authorizes <code>ListRetirableGrants</code> requests by evaluating the caller account's 13261 * kms:ListRetirableGrants permissions. The authorized resource in <code>ListRetirableGrants</code> calls is the 13262 * retiring principal specified in the request. KMS does not evaluate the caller's permissions to verify their 13263 * access to any KMS keys or grants that might be returned by the <code>ListRetirableGrants</code> call. 13264 * </p> 13265 * </note> 13266 * <p> 13267 * <b>Related operations:</b> 13268 * </p> 13269 * <ul> 13270 * <li> 13271 * <p> 13272 * <a>CreateGrant</a> 13273 * </p> 13274 * </li> 13275 * <li> 13276 * <p> 13277 * <a>ListGrants</a> 13278 * </p> 13279 * </li> 13280 * <li> 13281 * <p> 13282 * <a>RetireGrant</a> 13283 * </p> 13284 * </li> 13285 * <li> 13286 * <p> 13287 * <a>RevokeGrant</a> 13288 * </p> 13289 * </li> 13290 * </ul> 13291 * <p> 13292 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 13293 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 13294 * consistency</a>. 
13295 * </p> 13296 * <br/> 13297 * <p> 13298 * This is a convenience which creates an instance of the {@link ListRetirableGrantsRequest.Builder} avoiding the 13299 * need to create one manually via {@link ListRetirableGrantsRequest#builder()} 13300 * </p> 13301 * 13302 * @param listRetirableGrantsRequest 13303 * A {@link Consumer} that will call methods on 13304 * {@link software.amazon.awssdk.services.kms.model.ListRetirableGrantsRequest.Builder} to create a request. 13305 * @return Result of the ListRetirableGrants operation returned by the service. 13306 * @throws DependencyTimeoutException 13307 * The system timed out while trying to fulfill the request. You can retry the request. 13308 * @throws InvalidMarkerException 13309 * The request was rejected because the marker that specifies where pagination should next begin is not 13310 * valid. 13311 * @throws InvalidArnException 13312 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 13313 * @throws NotFoundException 13314 * The request was rejected because the specified entity or resource could not be found. 13315 * @throws KmsInternalException 13316 * The request was rejected because an internal exception occurred. The request can be retried. 13317 * @throws SdkException 13318 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 13319 * catch all scenarios. 13320 * @throws SdkClientException 13321 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 13322 * @throws KmsException 13323 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
* @sample KmsClient.ListRetirableGrants
* @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListRetirableGrants" target="_top">AWS API
*      Documentation</a>
*/
default ListRetirableGrantsResponse listRetirableGrants(
        Consumer<ListRetirableGrantsRequest.Builder> listRetirableGrantsRequest)
        throws DependencyTimeoutException, InvalidMarkerException, InvalidArnException, NotFoundException,
        KmsInternalException, AwsServiceException, SdkClientException, KmsException {
    // Let the caller's mutator populate a fresh builder, then hand the finished request to the
    // request-object overload, which does the actual work.
    ListRetirableGrantsRequest builtRequest =
            ListRetirableGrantsRequest.builder().applyMutation(listRetirableGrantsRequest).build();
    return listRetirableGrants(builtRequest);
}

/**
* <p>
* This is a variant of
* {@link #listRetirableGrants(software.amazon.awssdk.services.kms.model.ListRetirableGrantsRequest)} operation. The
* return type is a custom iterable that can be used to iterate through all the pages. SDK will internally handle
* making service calls for you.
* </p>
* <p>
* When this operation is called, a custom iterable is returned but no service calls are made yet. So there is no
* guarantee that the request is valid. As you iterate through the iterable, SDK will start lazily loading response
* pages by making service calls until there are no pages left or your iteration stops. If there are errors in your
* request, you will see the failures only after you start iterating through the iterable.
13347 * </p> 13348 * 13349 * <p> 13350 * The following are few ways to iterate through the response pages: 13351 * </p> 13352 * 1) Using a Stream 13353 * 13354 * <pre> 13355 * {@code 13356 * software.amazon.awssdk.services.kms.paginators.ListRetirableGrantsIterable responses = client.listRetirableGrantsPaginator(request); 13357 * responses.stream().forEach(....); 13358 * } 13359 * </pre> 13360 * 13361 * 2) Using For loop 13362 * 13363 * <pre> 13364 * { 13365 * @code 13366 * software.amazon.awssdk.services.kms.paginators.ListRetirableGrantsIterable responses = client 13367 * .listRetirableGrantsPaginator(request); 13368 * for (software.amazon.awssdk.services.kms.model.ListRetirableGrantsResponse response : responses) { 13369 * // do something; 13370 * } 13371 * } 13372 * </pre> 13373 * 13374 * 3) Use iterator directly 13375 * 13376 * <pre> 13377 * {@code 13378 * software.amazon.awssdk.services.kms.paginators.ListRetirableGrantsIterable responses = client.listRetirableGrantsPaginator(request); 13379 * responses.iterator().forEachRemaining(....); 13380 * } 13381 * </pre> 13382 * <p> 13383 * <b>Please notice that the configuration of Limit won't limit the number of results you get with the paginator. It 13384 * only limits the number of results in each page.</b> 13385 * </p> 13386 * <p> 13387 * <b>Note: If you prefer to have control on service calls, use the 13388 * {@link #listRetirableGrants(software.amazon.awssdk.services.kms.model.ListRetirableGrantsRequest)} operation.</b> 13389 * </p> 13390 * 13391 * @param listRetirableGrantsRequest 13392 * @return A custom iterable that can be used to iterate through all the response pages. 13393 * @throws DependencyTimeoutException 13394 * The system timed out while trying to fulfill the request. You can retry the request. 13395 * @throws InvalidMarkerException 13396 * The request was rejected because the marker that specifies where pagination should next begin is not 13397 * valid. 
* @throws InvalidArnException
*         The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.
* @throws NotFoundException
*         The request was rejected because the specified entity or resource could not be found.
* @throws KmsInternalException
*         The request was rejected because an internal exception occurred. The request can be retried.
* @throws SdkException
*         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
*         catch all scenarios.
* @throws SdkClientException
*         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
*         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.ListRetirableGrants
* @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListRetirableGrants" target="_top">AWS API
*      Documentation</a>
*/
default ListRetirableGrantsIterable listRetirableGrantsPaginator(ListRetirableGrantsRequest listRetirableGrantsRequest)
        throws DependencyTimeoutException, InvalidMarkerException, InvalidArnException, NotFoundException,
        KmsInternalException, AwsServiceException, SdkClientException, KmsException {
    // Only wraps this client and the request. As documented for this method, pages are loaded
    // lazily, so an invalid request is reported during iteration rather than here.
    ListRetirableGrantsIterable pages = new ListRetirableGrantsIterable(this, listRetirableGrantsRequest);
    return pages;
}

/**
* <p>
* This is a variant of
* {@link #listRetirableGrants(software.amazon.awssdk.services.kms.model.ListRetirableGrantsRequest)} operation. The
* return type is a custom iterable that can be used to iterate through all the pages. SDK will internally handle
* making service calls for you.
* </p>
* <p>
* When this operation is called, a custom iterable is returned but no service calls are made yet.
So there is no 13430 * guarantee that the request is valid. As you iterate through the iterable, SDK will start lazily loading response 13431 * pages by making service calls until there are no pages left or your iteration stops. If there are errors in your 13432 * request, you will see the failures only after you start iterating through the iterable. 13433 * </p> 13434 * 13435 * <p> 13436 * The following are few ways to iterate through the response pages: 13437 * </p> 13438 * 1) Using a Stream 13439 * 13440 * <pre> 13441 * {@code 13442 * software.amazon.awssdk.services.kms.paginators.ListRetirableGrantsIterable responses = client.listRetirableGrantsPaginator(request); 13443 * responses.stream().forEach(....); 13444 * } 13445 * </pre> 13446 * 13447 * 2) Using For loop 13448 * 13449 * <pre> 13450 * { 13451 * @code 13452 * software.amazon.awssdk.services.kms.paginators.ListRetirableGrantsIterable responses = client 13453 * .listRetirableGrantsPaginator(request); 13454 * for (software.amazon.awssdk.services.kms.model.ListRetirableGrantsResponse response : responses) { 13455 * // do something; 13456 * } 13457 * } 13458 * </pre> 13459 * 13460 * 3) Use iterator directly 13461 * 13462 * <pre> 13463 * {@code 13464 * software.amazon.awssdk.services.kms.paginators.ListRetirableGrantsIterable responses = client.listRetirableGrantsPaginator(request); 13465 * responses.iterator().forEachRemaining(....); 13466 * } 13467 * </pre> 13468 * <p> 13469 * <b>Please notice that the configuration of Limit won't limit the number of results you get with the paginator. 
It 13470 * only limits the number of results in each page.</b> 13471 * </p> 13472 * <p> 13473 * <b>Note: If you prefer to have control on service calls, use the 13474 * {@link #listRetirableGrants(software.amazon.awssdk.services.kms.model.ListRetirableGrantsRequest)} operation.</b> 13475 * </p> 13476 * <br/> 13477 * <p> 13478 * This is a convenience which creates an instance of the {@link ListRetirableGrantsRequest.Builder} avoiding the 13479 * need to create one manually via {@link ListRetirableGrantsRequest#builder()} 13480 * </p> 13481 * 13482 * @param listRetirableGrantsRequest 13483 * A {@link Consumer} that will call methods on 13484 * {@link software.amazon.awssdk.services.kms.model.ListRetirableGrantsRequest.Builder} to create a request. 13485 * @return A custom iterable that can be used to iterate through all the response pages. 13486 * @throws DependencyTimeoutException 13487 * The system timed out while trying to fulfill the request. You can retry the request. 13488 * @throws InvalidMarkerException 13489 * The request was rejected because the marker that specifies where pagination should next begin is not 13490 * valid. 13491 * @throws InvalidArnException 13492 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 13493 * @throws NotFoundException 13494 * The request was rejected because the specified entity or resource could not be found. 13495 * @throws KmsInternalException 13496 * The request was rejected because an internal exception occurred. The request can be retried. 13497 * @throws SdkException 13498 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 13499 * catch all scenarios. 13500 * @throws SdkClientException 13501 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 13502 * @throws KmsException 13503 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
* @sample KmsClient.ListRetirableGrants
* @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListRetirableGrants" target="_top">AWS API
*      Documentation</a>
*/
default ListRetirableGrantsIterable listRetirableGrantsPaginator(
        Consumer<ListRetirableGrantsRequest.Builder> listRetirableGrantsRequest)
        throws DependencyTimeoutException, InvalidMarkerException, InvalidArnException, NotFoundException,
        KmsInternalException, AwsServiceException, SdkClientException, KmsException {
    // Let the caller's mutator populate a fresh builder, then delegate to the request-object
    // paginator overload with the finished request.
    ListRetirableGrantsRequest builtRequest =
            ListRetirableGrantsRequest.builder().applyMutation(listRetirableGrantsRequest).build();
    return listRetirableGrantsPaginator(builtRequest);
}

/**
* <p>
* Attaches a key policy to the specified KMS key.
* </p>
* <p>
* For more information about key policies, see <a
* href="https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html">Key Policies</a> in the <i>Key
* Management Service Developer Guide</i>. For help writing and formatting a JSON policy document, see the <a
* href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html">IAM JSON Policy Reference</a> in
* the <i> <i>Identity and Access Management User Guide</i> </i>. For examples of adding a key policy in multiple
* programming languages, see <a
* href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-key-policies.html#put-policy">Setting a
* key policy</a> in the <i>Key Management Service Developer Guide</i>.
* </p>
* <p>
* <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
* account.
13533 * </p> 13534 * <p> 13535 * <b>Required permissions</b>: <a 13536 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 13537 * >kms:PutKeyPolicy</a> (key policy) 13538 * </p> 13539 * <p> 13540 * <b>Related operations</b>: <a>GetKeyPolicy</a> 13541 * </p> 13542 * <p> 13543 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 13544 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 13545 * consistency</a>. 13546 * </p> 13547 * 13548 * @param putKeyPolicyRequest 13549 * @return Result of the PutKeyPolicy operation returned by the service. 13550 * @throws NotFoundException 13551 * The request was rejected because the specified entity or resource could not be found. 13552 * @throws InvalidArnException 13553 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 13554 * @throws MalformedPolicyDocumentException 13555 * The request was rejected because the specified policy is not syntactically or semantically correct. 13556 * @throws DependencyTimeoutException 13557 * The system timed out while trying to fulfill the request. You can retry the request. 13558 * @throws UnsupportedOperationException 13559 * The request was rejected because a specified parameter is not supported or a specified resource is not 13560 * valid for this operation. 13561 * @throws KmsInternalException 13562 * The request was rejected because an internal exception occurred. The request can be retried. 13563 * @throws LimitExceededException 13564 * The request was rejected because a quota was exceeded. For more information, see <a 13565 * href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the <i>Key 13566 * Management Service Developer Guide</i>. 
13567 * @throws KmsInvalidStateException 13568 * The request was rejected because the state of the specified resource is not valid for this request.</p> 13569 * <p> 13570 * This exceptions means one of the following: 13571 * </p> 13572 * <ul> 13573 * <li> 13574 * <p> 13575 * The key state of the KMS key is not compatible with the operation. 13576 * </p> 13577 * <p> 13578 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 13579 * are compatible with each KMS operation, see <a 13580 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 13581 * the <i> <i>Key Management Service Developer Guide</i> </i>. 13582 * </p> 13583 * </li> 13584 * <li> 13585 * <p> 13586 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 13587 * failure with many possible causes. To identify the cause, see the error message that accompanies the 13588 * exception. 13589 * </p> 13590 * </li> 13591 * @throws SdkException 13592 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 13593 * catch all scenarios. 13594 * @throws SdkClientException 13595 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 13596 * @throws KmsException 13597 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
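* @sample KmsClient.PutKeyPolicy
* @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/PutKeyPolicy" target="_top">AWS API
*      Documentation</a>
*/
default PutKeyPolicyResponse putKeyPolicy(PutKeyPolicyRequest putKeyPolicyRequest) throws NotFoundException,
        InvalidArnException, MalformedPolicyDocumentException, DependencyTimeoutException,
        software.amazon.awssdk.services.kms.model.UnsupportedOperationException, KmsInternalException,
        LimitExceededException, KmsInvalidStateException, AwsServiceException, SdkClientException, KmsException {
    // Interface default: nothing is sent from here. This overload always throws, so a concrete client
    // has to override it for the operation to do anything.
    // The bare name is presumably java.lang.UnsupportedOperationException (unchecked): the KMS model
    // exception with the same simple name is written fully qualified in the throws clause above, which
    // suggests it is not imported. If so, a catch of the model type does not catch this one.
    throw new UnsupportedOperationException();
}

/**
 * <p>
 * Attaches a key policy to the specified KMS key.
 * </p>
 * <p>
 * For more information about key policies, see <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html">Key Policies</a> in the <i>Key
 * Management Service Developer Guide</i>. For help writing and formatting a JSON policy document, see the <a
 * href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html">IAM JSON Policy Reference</a> in
 * the <i> <i>Identity and Access Management User Guide</i> </i>. For examples of adding a key policy in multiple
 * programming languages, see <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-key-policies.html#put-policy">Setting a
 * key policy</a> in the <i>Key Management Service Developer Guide</i>.
 * </p>
 * <p>
 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
 * account.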
13626 * </p> 13627 * <p> 13628 * <b>Required permissions</b>: <a 13629 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 13630 * >kms:PutKeyPolicy</a> (key policy) 13631 * </p> 13632 * <p> 13633 * <b>Related operations</b>: <a>GetKeyPolicy</a> 13634 * </p> 13635 * <p> 13636 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 13637 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 13638 * consistency</a>. 13639 * </p> 13640 * <br/> 13641 * <p> 13642 * This is a convenience which creates an instance of the {@link PutKeyPolicyRequest.Builder} avoiding the need to 13643 * create one manually via {@link PutKeyPolicyRequest#builder()} 13644 * </p> 13645 * 13646 * @param putKeyPolicyRequest 13647 * A {@link Consumer} that will call methods on 13648 * {@link software.amazon.awssdk.services.kms.model.PutKeyPolicyRequest.Builder} to create a request. 13649 * @return Result of the PutKeyPolicy operation returned by the service. 13650 * @throws NotFoundException 13651 * The request was rejected because the specified entity or resource could not be found. 13652 * @throws InvalidArnException 13653 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 13654 * @throws MalformedPolicyDocumentException 13655 * The request was rejected because the specified policy is not syntactically or semantically correct. 13656 * @throws DependencyTimeoutException 13657 * The system timed out while trying to fulfill the request. You can retry the request. 13658 * @throws UnsupportedOperationException 13659 * The request was rejected because a specified parameter is not supported or a specified resource is not 13660 * valid for this operation. 13661 * @throws KmsInternalException 13662 * The request was rejected because an internal exception occurred. The request can be retried. 
13663 * @throws LimitExceededException 13664 * The request was rejected because a quota was exceeded. For more information, see <a 13665 * href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the <i>Key 13666 * Management Service Developer Guide</i>. 13667 * @throws KmsInvalidStateException 13668 * The request was rejected because the state of the specified resource is not valid for this request.</p> 13669 * <p> 13670 * This exceptions means one of the following: 13671 * </p> 13672 * <ul> 13673 * <li> 13674 * <p> 13675 * The key state of the KMS key is not compatible with the operation. 13676 * </p> 13677 * <p> 13678 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 13679 * are compatible with each KMS operation, see <a 13680 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 13681 * the <i> <i>Key Management Service Developer Guide</i> </i>. 13682 * </p> 13683 * </li> 13684 * <li> 13685 * <p> 13686 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 13687 * failure with many possible causes. To identify the cause, see the error message that accompanies the 13688 * exception. 13689 * </p> 13690 * </li> 13691 * @throws SdkException 13692 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 13693 * catch all scenarios. 13694 * @throws SdkClientException 13695 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 13696 * @throws KmsException 13697 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
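* @sample KmsClient.PutKeyPolicy
* @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/PutKeyPolicy" target="_top">AWS API
*      Documentation</a>
*/
default PutKeyPolicyResponse putKeyPolicy(Consumer<PutKeyPolicyRequest.Builder> putKeyPolicyRequest)
        throws NotFoundException, InvalidArnException, MalformedPolicyDocumentException, DependencyTimeoutException,
        software.amazon.awssdk.services.kms.model.UnsupportedOperationException, KmsInternalException,
        LimitExceededException, KmsInvalidStateException, AwsServiceException, SdkClientException, KmsException {
    // Applies the consumer to a fresh builder, builds the request and delegates to
    // putKeyPolicy(PutKeyPolicyRequest). This overload adds no fields and no checks of its own, so the
    // policy document goes out exactly as the consumer configured it.
    // NOTE(review): the ReEncrypt Javadoc below says permissions such as "kms:ReEncrypt*" must be
    // included manually when a key policy is set through PutKeyPolicy, so review what the document
    // grants and what it omits before calling this.
    return putKeyPolicy(PutKeyPolicyRequest.builder().applyMutation(putKeyPolicyRequest).build());
}

/**
 * <p>
 * Decrypts ciphertext and then reencrypts it entirely within KMS. You can use this operation to change the KMS key
 * under which data is encrypted, such as when you <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually">manually
 * rotate</a> a KMS key or change the KMS key that protects a ciphertext. You can also use it to reencrypt
 * ciphertext under the same KMS key, such as to change the <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">encryption context</a>
 * of a ciphertext.
 * </p>
 * <p>
 * The <code>ReEncrypt</code> operation can decrypt ciphertext that was encrypted by using a KMS key in a KMS
 * operation, such as <a>Encrypt</a> or <a>GenerateDataKey</a>. It can also decrypt ciphertext that was encrypted by
 * using the public key of an <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks">asymmetric
 * KMS key</a> outside of KMS.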
However, it cannot decrypt ciphertext produced by other libraries, such as the <a 13725 * href="https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/">Amazon Web Services Encryption SDK</a> 13726 * or <a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html">Amazon S3 client-side 13727 * encryption</a>. These libraries return a ciphertext format that is incompatible with KMS. 13728 * </p> 13729 * <p> 13730 * When you use the <code>ReEncrypt</code> operation, you need to provide information for the decrypt operation and 13731 * the subsequent encrypt operation. 13732 * </p> 13733 * <ul> 13734 * <li> 13735 * <p> 13736 * If your ciphertext was encrypted under an asymmetric KMS key, you must use the <code>SourceKeyId</code> parameter 13737 * to identify the KMS key that encrypted the ciphertext. You must also supply the encryption algorithm that was 13738 * used. This information is required to decrypt the data. 13739 * </p> 13740 * </li> 13741 * <li> 13742 * <p> 13743 * If your ciphertext was encrypted under a symmetric encryption KMS key, the <code>SourceKeyId</code> parameter is 13744 * optional. KMS can get this information from metadata that it adds to the symmetric ciphertext blob. This feature 13745 * adds durability to your implementation by ensuring that authorized users can decrypt ciphertext decades after it 13746 * was encrypted, even if they've lost track of the key ID. However, specifying the source KMS key is always 13747 * recommended as a best practice. When you use the <code>SourceKeyId</code> parameter to specify a KMS key, KMS 13748 * uses only the KMS key you specify. If the ciphertext was encrypted under a different KMS key, the 13749 * <code>ReEncrypt</code> operation fails. This practice ensures that you use the KMS key that you intend. 
13750 * </p> 13751 * </li> 13752 * <li> 13753 * <p> 13754 * To reencrypt the data, you must use the <code>DestinationKeyId</code> parameter to specify the KMS key that 13755 * re-encrypts the data after it is decrypted. If the destination KMS key is an asymmetric KMS key, you must also 13756 * provide the encryption algorithm. The algorithm that you choose must be compatible with the KMS key. 13757 * </p> 13758 * <important> 13759 * <p> 13760 * When you use an asymmetric KMS key to encrypt or reencrypt data, be sure to record the KMS key and encryption 13761 * algorithm that you choose. You will be required to provide the same KMS key and encryption algorithm when you 13762 * decrypt the data. If the KMS key and algorithm do not match the values used to encrypt the data, the decrypt 13763 * operation fails. 13764 * </p> 13765 * <p> 13766 * You are not required to supply the key ID and encryption algorithm when you decrypt with symmetric encryption KMS 13767 * keys because KMS stores this information in the ciphertext blob. KMS cannot store metadata in ciphertext 13768 * generated with asymmetric keys. The standard format for asymmetric key ciphertext does not include configurable 13769 * fields. 13770 * </p> 13771 * </important></li> 13772 * </ul> 13773 * <p> 13774 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 13775 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 13776 * <i>Key Management Service Developer Guide</i>. 13777 * </p> 13778 * <p> 13779 * <b>Cross-account use</b>: Yes. The source KMS key and destination KMS key can be in different Amazon Web Services 13780 * accounts. Either or both KMS keys can be in a different account than the caller. To specify a KMS key in a 13781 * different account, you must use its key ARN or alias ARN. 
13782 * </p> 13783 * <p> 13784 * <b>Required permissions</b>: 13785 * </p> 13786 * <ul> 13787 * <li> 13788 * <p> 13789 * <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms: 13790 * ReEncryptFrom</a> permission on the source KMS key (key policy) 13791 * </p> 13792 * </li> 13793 * <li> 13794 * <p> 13795 * <a 13796 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:ReEncryptTo 13797 * </a> permission on the destination KMS key (key policy) 13798 * </p> 13799 * </li> 13800 * </ul> 13801 * <p> 13802 * To permit reencryption from or to a KMS key, include the <code>"kms:ReEncrypt*"</code> permission in your <a 13803 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html">key policy</a>. This permission is 13804 * automatically included in the key policy when you use the console to create a KMS key. But you must include it 13805 * manually when you create a KMS key programmatically or when you use the <a>PutKeyPolicy</a> operation to set a 13806 * key policy. 13807 * </p> 13808 * <p> 13809 * <b>Related operations:</b> 13810 * </p> 13811 * <ul> 13812 * <li> 13813 * <p> 13814 * <a>Decrypt</a> 13815 * </p> 13816 * </li> 13817 * <li> 13818 * <p> 13819 * <a>Encrypt</a> 13820 * </p> 13821 * </li> 13822 * <li> 13823 * <p> 13824 * <a>GenerateDataKey</a> 13825 * </p> 13826 * </li> 13827 * <li> 13828 * <p> 13829 * <a>GenerateDataKeyPair</a> 13830 * </p> 13831 * </li> 13832 * </ul> 13833 * <p> 13834 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 13835 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 13836 * consistency</a>. 13837 * </p> 13838 * 13839 * @param reEncryptRequest 13840 * @return Result of the ReEncrypt operation returned by the service. 
13841 * @throws NotFoundException 13842 * The request was rejected because the specified entity or resource could not be found. 13843 * @throws DisabledException 13844 * The request was rejected because the specified KMS key is not enabled. 13845 * @throws InvalidCiphertextException 13846 * From the <a>Decrypt</a> or <a>ReEncrypt</a> operation, the request was rejected because the specified 13847 * ciphertext, or additional authenticated data incorporated into the ciphertext, such as the encryption 13848 * context, is corrupted, missing, or otherwise invalid.</p> 13849 * <p> 13850 * From the <a>ImportKeyMaterial</a> operation, the request was rejected because KMS could not decrypt the 13851 * encrypted (wrapped) key material. 13852 * @throws KeyUnavailableException 13853 * The request was rejected because the specified KMS key was not available. You can retry the request. 13854 * @throws IncorrectKeyException 13855 * The request was rejected because the specified KMS key cannot decrypt the data. The <code>KeyId</code> in 13856 * a <a>Decrypt</a> request and the <code>SourceKeyId</code> in a <a>ReEncrypt</a> request must identify the 13857 * same KMS key that was used to encrypt the ciphertext. 13858 * @throws DependencyTimeoutException 13859 * The system timed out while trying to fulfill the request. You can retry the request. 13860 * @throws InvalidKeyUsageException 13861 * The request was rejected for one of the following reasons: 13862 * </p> 13863 * <ul> 13864 * <li> 13865 * <p> 13866 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 13867 * </p> 13868 * </li> 13869 * <li> 13870 * <p> 13871 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 13872 * of key material in the KMS key <code>(KeySpec</code>). 
13873 * </p> 13874 * </li> 13875 * </ul> 13876 * <p> 13877 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 13878 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 13879 * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the 13880 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 13881 * KMS key, use the <a>DescribeKey</a> operation. 13882 * </p> 13883 * <p> 13884 * To find the encryption or signing algorithms supported for a particular KMS key, use the 13885 * <a>DescribeKey</a> operation. 13886 * @throws InvalidGrantTokenException 13887 * The request was rejected because the specified grant token is not valid. 13888 * @throws KmsInternalException 13889 * The request was rejected because an internal exception occurred. The request can be retried. 13890 * @throws KmsInvalidStateException 13891 * The request was rejected because the state of the specified resource is not valid for this request. 13892 * </p> 13893 * <p> 13894 * This exceptions means one of the following: 13895 * </p> 13896 * <ul> 13897 * <li> 13898 * <p> 13899 * The key state of the KMS key is not compatible with the operation. 13900 * </p> 13901 * <p> 13902 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 13903 * are compatible with each KMS operation, see <a 13904 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 13905 * the <i> <i>Key Management Service Developer Guide</i> </i>. 13906 * </p> 13907 * </li> 13908 * <li> 13909 * <p> 13910 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 13911 * failure with many possible causes. To identify the cause, see the error message that accompanies the 13912 * exception. 
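* </p>
* </li>
* </ul>
* @throws DryRunOperationException
*         The request was rejected because the DryRun parameter was specified.
* @throws SdkException
*         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
*         catch all scenarios.
* @throws SdkClientException
*         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws KmsException
*         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.ReEncrypt
* @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncrypt" target="_top">AWS API
*      Documentation</a>
*/
default ReEncryptResponse reEncrypt(ReEncryptRequest reEncryptRequest) throws NotFoundException, DisabledException,
        InvalidCiphertextException, KeyUnavailableException, IncorrectKeyException, DependencyTimeoutException,
        InvalidKeyUsageException, InvalidGrantTokenException, KmsInternalException, KmsInvalidStateException,
        DryRunOperationException, AwsServiceException, SdkClientException, KmsException {
    // Interface default: nothing is sent from here. This overload always throws, so a concrete client
    // has to override it for the operation to do anything.
    // The bare name is presumably java.lang.UnsupportedOperationException (unchecked); putKeyPolicy in
    // this file spells the KMS model exception of the same simple name fully qualified, which suggests
    // the model type is not imported. None of the declared exceptions above would then match it.
    throw new UnsupportedOperationException();
}

/**
 * <p>
 * Decrypts ciphertext and then reencrypts it entirely within KMS. You can use this operation to change the KMS key
 * under which data is encrypted, such as when you <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually">manually
 * rotate</a> a KMS key or change the KMS key that protects a ciphertext. You can also use it to reencrypt
 * ciphertext under the same KMS key, such as to change the <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context">encryption context</a>
 * of a ciphertext.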
13944 * </p> 13945 * <p> 13946 * The <code>ReEncrypt</code> operation can decrypt ciphertext that was encrypted by using a KMS key in an KMS 13947 * operation, such as <a>Encrypt</a> or <a>GenerateDataKey</a>. It can also decrypt ciphertext that was encrypted by 13948 * using the public key of an <a 13949 * href="https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks">asymmetric 13950 * KMS key</a> outside of KMS. However, it cannot decrypt ciphertext produced by other libraries, such as the <a 13951 * href="https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/">Amazon Web Services Encryption SDK</a> 13952 * or <a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html">Amazon S3 client-side 13953 * encryption</a>. These libraries return a ciphertext format that is incompatible with KMS. 13954 * </p> 13955 * <p> 13956 * When you use the <code>ReEncrypt</code> operation, you need to provide information for the decrypt operation and 13957 * the subsequent encrypt operation. 13958 * </p> 13959 * <ul> 13960 * <li> 13961 * <p> 13962 * If your ciphertext was encrypted under an asymmetric KMS key, you must use the <code>SourceKeyId</code> parameter 13963 * to identify the KMS key that encrypted the ciphertext. You must also supply the encryption algorithm that was 13964 * used. This information is required to decrypt the data. 13965 * </p> 13966 * </li> 13967 * <li> 13968 * <p> 13969 * If your ciphertext was encrypted under a symmetric encryption KMS key, the <code>SourceKeyId</code> parameter is 13970 * optional. KMS can get this information from metadata that it adds to the symmetric ciphertext blob. This feature 13971 * adds durability to your implementation by ensuring that authorized users can decrypt ciphertext decades after it 13972 * was encrypted, even if they've lost track of the key ID. However, specifying the source KMS key is always 13973 * recommended as a best practice. 
When you use the <code>SourceKeyId</code> parameter to specify a KMS key, KMS 13974 * uses only the KMS key you specify. If the ciphertext was encrypted under a different KMS key, the 13975 * <code>ReEncrypt</code> operation fails. This practice ensures that you use the KMS key that you intend. 13976 * </p> 13977 * </li> 13978 * <li> 13979 * <p> 13980 * To reencrypt the data, you must use the <code>DestinationKeyId</code> parameter to specify the KMS key that 13981 * re-encrypts the data after it is decrypted. If the destination KMS key is an asymmetric KMS key, you must also 13982 * provide the encryption algorithm. The algorithm that you choose must be compatible with the KMS key. 13983 * </p> 13984 * <important> 13985 * <p> 13986 * When you use an asymmetric KMS key to encrypt or reencrypt data, be sure to record the KMS key and encryption 13987 * algorithm that you choose. You will be required to provide the same KMS key and encryption algorithm when you 13988 * decrypt the data. If the KMS key and algorithm do not match the values used to encrypt the data, the decrypt 13989 * operation fails. 13990 * </p> 13991 * <p> 13992 * You are not required to supply the key ID and encryption algorithm when you decrypt with symmetric encryption KMS 13993 * keys because KMS stores this information in the ciphertext blob. KMS cannot store metadata in ciphertext 13994 * generated with asymmetric keys. The standard format for asymmetric key ciphertext does not include configurable 13995 * fields. 13996 * </p> 13997 * </important></li> 13998 * </ul> 13999 * <p> 14000 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 14001 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 14002 * <i>Key Management Service Developer Guide</i>. 14003 * </p> 14004 * <p> 14005 * <b>Cross-account use</b>: Yes. 
The source KMS key and destination KMS key can be in different Amazon Web Services 14006 * accounts. Either or both KMS keys can be in a different account than the caller. To specify a KMS key in a 14007 * different account, you must use its key ARN or alias ARN. 14008 * </p> 14009 * <p> 14010 * <b>Required permissions</b>: 14011 * </p> 14012 * <ul> 14013 * <li> 14014 * <p> 14015 * <a href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms: 14016 * ReEncryptFrom</a> permission on the source KMS key (key policy) 14017 * </p> 14018 * </li> 14019 * <li> 14020 * <p> 14021 * <a 14022 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:ReEncryptTo 14023 * </a> permission on the destination KMS key (key policy) 14024 * </p> 14025 * </li> 14026 * </ul> 14027 * <p> 14028 * To permit reencryption from or to a KMS key, include the <code>"kms:ReEncrypt*"</code> permission in your <a 14029 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html">key policy</a>. This permission is 14030 * automatically included in the key policy when you use the console to create a KMS key. But you must include it 14031 * manually when you create a KMS key programmatically or when you use the <a>PutKeyPolicy</a> operation to set a 14032 * key policy. 14033 * </p> 14034 * <p> 14035 * <b>Related operations:</b> 14036 * </p> 14037 * <ul> 14038 * <li> 14039 * <p> 14040 * <a>Decrypt</a> 14041 * </p> 14042 * </li> 14043 * <li> 14044 * <p> 14045 * <a>Encrypt</a> 14046 * </p> 14047 * </li> 14048 * <li> 14049 * <p> 14050 * <a>GenerateDataKey</a> 14051 * </p> 14052 * </li> 14053 * <li> 14054 * <p> 14055 * <a>GenerateDataKeyPair</a> 14056 * </p> 14057 * </li> 14058 * </ul> 14059 * <p> 14060 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. 
For more information, see <a 14061 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 14062 * consistency</a>. 14063 * </p> 14064 * <br/> 14065 * <p> 14066 * This is a convenience which creates an instance of the {@link ReEncryptRequest.Builder} avoiding the need to 14067 * create one manually via {@link ReEncryptRequest#builder()} 14068 * </p> 14069 * 14070 * @param reEncryptRequest 14071 * A {@link Consumer} that will call methods on 14072 * {@link software.amazon.awssdk.services.kms.model.ReEncryptRequest.Builder} to create a request. 14073 * @return Result of the ReEncrypt operation returned by the service. 14074 * @throws NotFoundException 14075 * The request was rejected because the specified entity or resource could not be found. 14076 * @throws DisabledException 14077 * The request was rejected because the specified KMS key is not enabled. 14078 * @throws InvalidCiphertextException 14079 * From the <a>Decrypt</a> or <a>ReEncrypt</a> operation, the request was rejected because the specified 14080 * ciphertext, or additional authenticated data incorporated into the ciphertext, such as the encryption 14081 * context, is corrupted, missing, or otherwise invalid.</p> 14082 * <p> 14083 * From the <a>ImportKeyMaterial</a> operation, the request was rejected because KMS could not decrypt the 14084 * encrypted (wrapped) key material. 14085 * @throws KeyUnavailableException 14086 * The request was rejected because the specified KMS key was not available. You can retry the request. 14087 * @throws IncorrectKeyException 14088 * The request was rejected because the specified KMS key cannot decrypt the data. The <code>KeyId</code> in 14089 * a <a>Decrypt</a> request and the <code>SourceKeyId</code> in a <a>ReEncrypt</a> request must identify the 14090 * same KMS key that was used to encrypt the ciphertext. 
14091 * @throws DependencyTimeoutException 14092 * The system timed out while trying to fulfill the request. You can retry the request. 14093 * @throws InvalidKeyUsageException 14094 * The request was rejected for one of the following reasons: 14095 * </p> 14096 * <ul> 14097 * <li> 14098 * <p> 14099 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 14100 * </p> 14101 * </li> 14102 * <li> 14103 * <p> 14104 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 14105 * of key material in the KMS key <code>(KeySpec</code>). 14106 * </p> 14107 * </li> 14108 * </ul> 14109 * <p> 14110 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 14111 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 14112 * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the 14113 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 14114 * KMS key, use the <a>DescribeKey</a> operation. 14115 * </p> 14116 * <p> 14117 * To find the encryption or signing algorithms supported for a particular KMS key, use the 14118 * <a>DescribeKey</a> operation. 14119 * @throws InvalidGrantTokenException 14120 * The request was rejected because the specified grant token is not valid. 14121 * @throws KmsInternalException 14122 * The request was rejected because an internal exception occurred. The request can be retried. 14123 * @throws KmsInvalidStateException 14124 * The request was rejected because the state of the specified resource is not valid for this request. 14125 * </p> 14126 * <p> 14127 * This exceptions means one of the following: 14128 * </p> 14129 * <ul> 14130 * <li> 14131 * <p> 14132 * The key state of the KMS key is not compatible with the operation. 
14133 * </p> 14134 * <p> 14135 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 14136 * are compatible with each KMS operation, see <a 14137 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 14138 * the <i> <i>Key Management Service Developer Guide</i> </i>. 14139 * </p> 14140 * </li> 14141 * <li> 14142 * <p> 14143 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 14144 * failure with many possible causes. To identify the cause, see the error message that accompanies the 14145 * exception. 14146 * </p> 14147 * </li> 14148 * @throws DryRunOperationException 14149 * The request was rejected because the DryRun parameter was specified. 14150 * @throws SdkException 14151 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 14152 * catch all scenarios. 14153 * @throws SdkClientException 14154 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 14155 * @throws KmsException 14156 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
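* @sample KmsClient.ReEncrypt
* @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncrypt" target="_top">AWS API
*      Documentation</a>
*/
default ReEncryptResponse reEncrypt(Consumer<ReEncryptRequest.Builder> reEncryptRequest) throws NotFoundException,
        DisabledException, InvalidCiphertextException, KeyUnavailableException, IncorrectKeyException,
        DependencyTimeoutException, InvalidKeyUsageException, InvalidGrantTokenException, KmsInternalException,
        KmsInvalidStateException, DryRunOperationException, AwsServiceException, SdkClientException, KmsException {
    // Applies the consumer to a fresh builder, builds the request and delegates to
    // reEncrypt(ReEncryptRequest). Nothing is set here on the caller's behalf: SourceKeyId is present
    // only if the consumer sets it. The Javadoc above recommends always setting it, because KMS then
    // uses only that KMS key and the operation fails if the ciphertext was encrypted under another one.
    return reEncrypt(ReEncryptRequest.builder().applyMutation(reEncryptRequest).build());
}

/**
 * <p>
 * Replicates a multi-Region key into the specified Region. This operation creates a multi-Region replica key based
 * on a multi-Region primary key in a different Region of the same Amazon Web Services partition. You can create
 * multiple replicas of a primary key, but each must be in a different Region. To create a multi-Region primary key,
 * use the <a>CreateKey</a> operation.
 * </p>
 * <p>
 * This operation supports <i>multi-Region keys</i>, a KMS feature that lets you create multiple interoperable KMS
 * keys in different Amazon Web Services Regions. Because these KMS keys have the same key ID, key material, and
 * other metadata, you can use them interchangeably to encrypt data in one Amazon Web Services Region and decrypt it
 * in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more
 * information about multi-Region keys, see <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html">Multi-Region keys in
 * KMS</a> in the <i>Key Management Service Developer Guide</i>.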
14183 * </p> 14184 * <p> 14185 * A <i>replica key</i> is a fully-functional KMS key that can be used independently of its primary and peer replica 14186 * keys. A primary key and its replica keys share properties that make them interoperable. They have the same <a 14187 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-id">key ID</a> and key 14188 * material. They also have the same <a 14189 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-spec">key spec</a>, <a 14190 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-usage">key usage</a>, <a 14191 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-origin">key material origin</a>, 14192 * and <a href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html">automatic key rotation 14193 * status</a>. KMS automatically synchronizes these shared properties among related multi-Region keys. All other 14194 * properties of a replica key can differ, including its <a 14195 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html">key policy</a>, <a 14196 * href="https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html">tags</a>, <a 14197 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html">aliases</a>, and <a 14198 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a>. KMS 14199 * pricing and quotas for KMS keys apply to each primary key and replica key. 14200 * </p> 14201 * <p> 14202 * When this operation completes, the new replica key has a transient key state of <code>Creating</code>. This key 14203 * state changes to <code>Enabled</code> (or <code>PendingImport</code>) after a few seconds when the process of 14204 * creating the new replica key is complete. 
While the key state is <code>Creating</code>, you can manage the key, but 14205 * you cannot yet use it in cryptographic operations. If you are creating and using the replica key 14206 * programmatically, retry on <code>KMSInvalidStateException</code> or call <code>DescribeKey</code> to check its 14207 * <code>KeyState</code> value before using it. For details about the <code>Creating</code> key state, see <a 14208 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 14209 * <i>Key Management Service Developer Guide</i>. 14210 * </p> 14211 * <p> 14212 * You cannot create more than one replica of a primary key in any Region. If the Region already includes a replica 14213 * of the key you're trying to replicate, <code>ReplicateKey</code> returns an <code>AlreadyExistsException</code> 14214 * error. If the key state of the existing replica is <code>PendingDeletion</code>, you can cancel the scheduled key 14215 * deletion (<a>CancelKeyDeletion</a>) or wait for the key to be deleted. The new replica key you create will have 14216 * the same <a href= 14217 * "https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-sync-properties" 14218 * >shared properties</a> as the original replica key. 14219 * </p> 14220 * <p> 14221 * The CloudTrail log of a <code>ReplicateKey</code> operation records a <code>ReplicateKey</code> operation in the 14222 * primary key's Region and a <a>CreateKey</a> operation in the replica key's Region. 14223 * </p> 14224 * <p> 14225 * If you replicate a multi-Region primary key with imported key material, the replica key is created with no key 14226 * material. You must import the same key material that you imported into the primary key. For details, see <a 14227 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-import.html">Importing key material 14228 * into multi-Region keys</a> in the <i>Key Management Service Developer Guide</i>. 
14229 * </p> 14230 * <p> 14231 * To convert a replica key to a primary key, use the <a>UpdatePrimaryRegion</a> operation. 14232 * </p> 14233 * <note> 14234 * <p> 14235 * <code>ReplicateKey</code> uses different default values for the <code>KeyPolicy</code> and <code>Tags</code> 14236 * parameters than those used in the KMS console. For details, see the parameter descriptions. 14237 * </p> 14238 * </note> 14239 * <p> 14240 * <b>Cross-account use</b>: No. You cannot use this operation to create a replica key in a different Amazon Web 14241 * Services account. 14242 * </p> 14243 * <p> 14244 * <b>Required permissions</b>: 14245 * </p> 14246 * <ul> 14247 * <li> 14248 * <p> 14249 * <code>kms:ReplicateKey</code> on the primary key (in the primary key's Region). Include this permission in the 14250 * primary key's key policy. 14251 * </p> 14252 * </li> 14253 * <li> 14254 * <p> 14255 * <code>kms:CreateKey</code> in an IAM policy in the replica Region. 14256 * </p> 14257 * </li> 14258 * <li> 14259 * <p> 14260 * To use the <code>Tags</code> parameter, <code>kms:TagResource</code> in an IAM policy in the replica Region. 14261 * </p> 14262 * </li> 14263 * </ul> 14264 * <p> 14265 * <b>Related operations</b> 14266 * </p> 14267 * <ul> 14268 * <li> 14269 * <p> 14270 * <a>CreateKey</a> 14271 * </p> 14272 * </li> 14273 * <li> 14274 * <p> 14275 * <a>UpdatePrimaryRegion</a> 14276 * </p> 14277 * </li> 14278 * </ul> 14279 * <p> 14280 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 14281 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 14282 * consistency</a>. 14283 * </p> 14284 * 14285 * @param replicateKeyRequest 14286 * @return Result of the ReplicateKey operation returned by the service. 14287 * @throws AlreadyExistsException 14288 * The request was rejected because it attempted to create a resource that already exists. 
14289 * @throws DisabledException 14290 * The request was rejected because the specified KMS key is not enabled. 14291 * @throws InvalidArnException 14292 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 14293 * @throws KmsInvalidStateException 14294 * The request was rejected because the state of the specified resource is not valid for this request. 14295 * <p> 14296 * This exception means one of the following: 14297 * </p> 14298 * <ul> 14299 * <li> 14300 * <p> 14301 * The key state of the KMS key is not compatible with the operation. 14302 * </p> 14303 * <p> 14304 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 14305 * are compatible with each KMS operation, see <a 14306 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 14307 * the <i>Key Management Service Developer Guide</i>. 14308 * </p> 14309 * </li> 14310 * <li> 14311 * <p> 14312 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 14313 * failure with many possible causes. To identify the cause, see the error message that accompanies the 14314 * exception. 14315 * </p> 14316 * </li> * </ul> 14317 * @throws KmsInternalException 14318 * The request was rejected because an internal exception occurred. The request can be retried. 14319 * @throws LimitExceededException 14320 * The request was rejected because a quota was exceeded. For more information, see <a 14321 * href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the <i>Key 14322 * Management Service Developer Guide</i>. 14323 * @throws MalformedPolicyDocumentException 14324 * The request was rejected because the specified policy is not syntactically or semantically correct. 14325 * @throws NotFoundException 14326 * The request was rejected because the specified entity or resource could not be found. 
* @throws TagException
     *         The request was rejected because one or more tags are not valid.
     * @throws UnsupportedOperationException
     *         The request was rejected because a specified parameter is not supported or a specified resource is not
     *         valid for this operation.
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.ReplicateKey
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReplicateKey" target="_top">AWS API
     *      Documentation</a>
     */
    default ReplicateKeyResponse replicateKey(ReplicateKeyRequest replicateKeyRequest) throws AlreadyExistsException,
            DisabledException, InvalidArnException, KmsInvalidStateException, KmsInternalException, LimitExceededException,
            MalformedPolicyDocumentException, NotFoundException, TagException,
            software.amazon.awssdk.services.kms.model.UnsupportedOperationException, AwsServiceException, SdkClientException,
            KmsException {
        // This default body sends nothing to KMS and always fails. The java.lang type is written out in
        // full so it is not confused with the KMS model exception of the same simple name, which the
        // throws clause lists by its fully qualified name.
        throw new java.lang.UnsupportedOperationException();
    }

    /**
     * <p>
     * Replicates a multi-Region key into the specified Region. This operation creates a multi-Region replica key based
     * on a multi-Region primary key in a different Region of the same Amazon Web Services partition. You can create
     * multiple replicas of a primary key, but each must be in a different Region. To create a multi-Region primary key,
     * use the <a>CreateKey</a> operation.
14357 * </p> 14358 * <p> 14359 * This operation supports <i>multi-Region keys</i>, an KMS feature that lets you create multiple interoperable KMS 14360 * keys in different Amazon Web Services Regions. Because these KMS keys have the same key ID, key material, and 14361 * other metadata, you can use them interchangeably to encrypt data in one Amazon Web Services Region and decrypt it 14362 * in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more 14363 * information about multi-Region keys, see <a 14364 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html">Multi-Region keys in 14365 * KMS</a> in the <i>Key Management Service Developer Guide</i>. 14366 * </p> 14367 * <p> 14368 * A <i>replica key</i> is a fully-functional KMS key that can be used independently of its primary and peer replica 14369 * keys. A primary key and its replica keys share properties that make them interoperable. They have the same <a 14370 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-id">key ID</a> and key 14371 * material. They also have the same <a 14372 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-spec">key spec</a>, <a 14373 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-usage">key usage</a>, <a 14374 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-origin">key material origin</a>, 14375 * and <a href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html">automatic key rotation 14376 * status</a>. KMS automatically synchronizes these shared properties among related multi-Region keys. 
All other 14377 * properties of a replica key can differ, including its <a 14378 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html">key policy</a>, <a 14379 * href="https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html">tags</a>, <a 14380 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html">aliases</a>, and <a 14381 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a>. KMS 14382 * pricing and quotas for KMS keys apply to each primary key and replica key. 14383 * </p> 14384 * <p> 14385 * When this operation completes, the new replica key has a transient key state of <code>Creating</code>. This key 14386 * state changes to <code>Enabled</code> (or <code>PendingImport</code>) after a few seconds when the process of 14387 * creating the new replica key is complete. While the key state is <code>Creating</code>, you can manage key, but 14388 * you cannot yet use it in cryptographic operations. If you are creating and using the replica key 14389 * programmatically, retry on <code>KMSInvalidStateException</code> or call <code>DescribeKey</code> to check its 14390 * <code>KeyState</code> value before using it. For details about the <code>Creating</code> key state, see <a 14391 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 14392 * <i>Key Management Service Developer Guide</i>. 14393 * </p> 14394 * <p> 14395 * You cannot create more than one replica of a primary key in any Region. If the Region already includes a replica 14396 * of the key you're trying to replicate, <code>ReplicateKey</code> returns an <code>AlreadyExistsException</code> 14397 * error. If the key state of the existing replica is <code>PendingDeletion</code>, you can cancel the scheduled key 14398 * deletion (<a>CancelKeyDeletion</a>) or wait for the key to be deleted. 
The new replica key you create will have 14399 * the same <a href= 14400 * "https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-sync-properties" 14401 * >shared properties</a> as the original replica key. 14402 * </p> 14403 * <p> 14404 * The CloudTrail log of a <code>ReplicateKey</code> operation records a <code>ReplicateKey</code> operation in the 14405 * primary key's Region and a <a>CreateKey</a> operation in the replica key's Region. 14406 * </p> 14407 * <p> 14408 * If you replicate a multi-Region primary key with imported key material, the replica key is created with no key 14409 * material. You must import the same key material that you imported into the primary key. For details, see <a 14410 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-import.html">Importing key material 14411 * into multi-Region keys</a> in the <i>Key Management Service Developer Guide</i>. 14412 * </p> 14413 * <p> 14414 * To convert a replica key to a primary key, use the <a>UpdatePrimaryRegion</a> operation. 14415 * </p> 14416 * <note> 14417 * <p> 14418 * <code>ReplicateKey</code> uses different default values for the <code>KeyPolicy</code> and <code>Tags</code> 14419 * parameters than those used in the KMS console. For details, see the parameter descriptions. 14420 * </p> 14421 * </note> 14422 * <p> 14423 * <b>Cross-account use</b>: No. You cannot use this operation to create a replica key in a different Amazon Web 14424 * Services account. 14425 * </p> 14426 * <p> 14427 * <b>Required permissions</b>: 14428 * </p> 14429 * <ul> 14430 * <li> 14431 * <p> 14432 * <code>kms:ReplicateKey</code> on the primary key (in the primary key's Region). Include this permission in the 14433 * primary key's key policy. 14434 * </p> 14435 * </li> 14436 * <li> 14437 * <p> 14438 * <code>kms:CreateKey</code> in an IAM policy in the replica Region. 
14439 * </p> 14440 * </li> 14441 * <li> 14442 * <p> 14443 * To use the <code>Tags</code> parameter, <code>kms:TagResource</code> in an IAM policy in the replica Region. 14444 * </p> 14445 * </li> 14446 * </ul> 14447 * <p> 14448 * <b>Related operations</b> 14449 * </p> 14450 * <ul> 14451 * <li> 14452 * <p> 14453 * <a>CreateKey</a> 14454 * </p> 14455 * </li> 14456 * <li> 14457 * <p> 14458 * <a>UpdatePrimaryRegion</a> 14459 * </p> 14460 * </li> 14461 * </ul> 14462 * <p> 14463 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 14464 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 14465 * consistency</a>. 14466 * </p> 14467 * <br/> 14468 * <p> 14469 * This is a convenience which creates an instance of the {@link ReplicateKeyRequest.Builder} avoiding the need to 14470 * create one manually via {@link ReplicateKeyRequest#builder()} 14471 * </p> 14472 * 14473 * @param replicateKeyRequest 14474 * A {@link Consumer} that will call methods on 14475 * {@link software.amazon.awssdk.services.kms.model.ReplicateKeyRequest.Builder} to create a request. 14476 * @return Result of the ReplicateKey operation returned by the service. 14477 * @throws AlreadyExistsException 14478 * The request was rejected because it attempted to create a resource that already exists. 14479 * @throws DisabledException 14480 * The request was rejected because the specified KMS key is not enabled. 14481 * @throws InvalidArnException 14482 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 14483 * @throws KmsInvalidStateException 14484 * The request was rejected because the state of the specified resource is not valid for this request.</p> 14485 * <p> 14486 * This exceptions means one of the following: 14487 * </p> 14488 * <ul> 14489 * <li> 14490 * <p> 14491 * The key state of the KMS key is not compatible with the operation. 
14492 * </p> 14493 * <p> 14494 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 14495 * are compatible with each KMS operation, see <a 14496 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 14497 * the <i> <i>Key Management Service Developer Guide</i> </i>. 14498 * </p> 14499 * </li> 14500 * <li> 14501 * <p> 14502 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 14503 * failure with many possible causes. To identify the cause, see the error message that accompanies the 14504 * exception. 14505 * </p> 14506 * </li> 14507 * @throws KmsInternalException 14508 * The request was rejected because an internal exception occurred. The request can be retried. 14509 * @throws LimitExceededException 14510 * The request was rejected because a quota was exceeded. For more information, see <a 14511 * href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the <i>Key 14512 * Management Service Developer Guide</i>. 14513 * @throws MalformedPolicyDocumentException 14514 * The request was rejected because the specified policy is not syntactically or semantically correct. 14515 * @throws NotFoundException 14516 * The request was rejected because the specified entity or resource could not be found. 14517 * @throws TagException 14518 * The request was rejected because one or more tags are not valid. 14519 * @throws UnsupportedOperationException 14520 * The request was rejected because a specified parameter is not supported or a specified resource is not 14521 * valid for this operation. 14522 * @throws SdkException 14523 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 14524 * catch all scenarios. 14525 * @throws SdkClientException 14526 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 
* @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.ReplicateKey
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReplicateKey" target="_top">AWS API
     *      Documentation</a>
     */
    default ReplicateKeyResponse replicateKey(Consumer<ReplicateKeyRequest.Builder> replicateKeyRequest)
            throws AlreadyExistsException, DisabledException, InvalidArnException, KmsInvalidStateException,
            KmsInternalException, LimitExceededException, MalformedPolicyDocumentException, NotFoundException, TagException,
            software.amazon.awssdk.services.kms.model.UnsupportedOperationException, AwsServiceException, SdkClientException,
            KmsException {
        // Apply the caller's mutator to a fresh builder, then delegate to the overload that takes the
        // built request, so both entry points go through the same call.
        ReplicateKeyRequest builtRequest = ReplicateKeyRequest.builder().applyMutation(replicateKeyRequest).build();
        return replicateKey(builtRequest);
    }

    /**
     * <p>
     * Deletes a grant. Typically, you retire a grant when you no longer need its permissions. To identify the grant to
     * retire, use a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token">grant
     * token</a>, or both the grant ID and a key identifier (key ID or key ARN) of the KMS key. The <a>CreateGrant</a>
     * operation returns both values.
     * </p>
     * <p>
     * This operation can be called by the <i>retiring principal</i> for a grant, by the <i>grantee principal</i> if the
     * grant allows the <code>RetireGrant</code> operation, and by the Amazon Web Services account in which the grant is
     * created. It can also be called by principals to whom permission for retiring a grant is delegated. For details,
     * see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete">Retiring and
     * revoking grants</a> in the <i>Key Management Service Developer Guide</i>.
14554 * </p> 14555 * <p> 14556 * For detailed information about grants, including grant terminology, see <a 14557 * href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html">Grants in KMS</a> in the <i> <i>Key 14558 * Management Service Developer Guide</i> </i>. For examples of working with grants in several programming 14559 * languages, see <a 14560 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html">Programming grants</a>. 14561 * </p> 14562 * <p> 14563 * <b>Cross-account use</b>: Yes. You can retire a grant on a KMS key in a different Amazon Web Services account. 14564 * </p> 14565 * <p> 14566 * <b>Required permissions</b>: Permission to retire a grant is determined primarily by the grant. For details, see 14567 * <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete">Retiring and 14568 * revoking grants</a> in the <i>Key Management Service Developer Guide</i>. 14569 * </p> 14570 * <p> 14571 * <b>Related operations:</b> 14572 * </p> 14573 * <ul> 14574 * <li> 14575 * <p> 14576 * <a>CreateGrant</a> 14577 * </p> 14578 * </li> 14579 * <li> 14580 * <p> 14581 * <a>ListGrants</a> 14582 * </p> 14583 * </li> 14584 * <li> 14585 * <p> 14586 * <a>ListRetirableGrants</a> 14587 * </p> 14588 * </li> 14589 * <li> 14590 * <p> 14591 * <a>RevokeGrant</a> 14592 * </p> 14593 * </li> 14594 * </ul> 14595 * <p> 14596 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 14597 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 14598 * consistency</a>. 14599 * </p> 14600 * 14601 * @param retireGrantRequest 14602 * @return Result of the RetireGrant operation returned by the service. 14603 * @throws InvalidArnException 14604 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 
14605 * @throws InvalidGrantTokenException 14606 * The request was rejected because the specified grant token is not valid. 14607 * @throws InvalidGrantIdException 14608 * The request was rejected because the specified <code>GrantId</code> is not valid. 14609 * @throws NotFoundException 14610 * The request was rejected because the specified entity or resource could not be found. 14611 * @throws DependencyTimeoutException 14612 * The system timed out while trying to fulfill the request. You can retry the request. 14613 * @throws KmsInternalException 14614 * The request was rejected because an internal exception occurred. The request can be retried. 14615 * @throws KmsInvalidStateException 14616 * The request was rejected because the state of the specified resource is not valid for this request. 14617 * <p> 14618 * This exception means one of the following: 14619 * </p> 14620 * <ul> 14621 * <li> 14622 * <p> 14623 * The key state of the KMS key is not compatible with the operation. 14624 * </p> 14625 * <p> 14626 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 14627 * are compatible with each KMS operation, see <a 14628 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 14629 * the <i>Key Management Service Developer Guide</i>. 14630 * </p> 14631 * </li> 14632 * <li> 14633 * <p> 14634 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 14635 * failure with many possible causes. To identify the cause, see the error message that accompanies the 14636 * exception. 14637 * </p> 14638 * </li> * </ul> 14639 * @throws DryRunOperationException 14640 * The request was rejected because the DryRun parameter was specified. 14641 * @throws SdkException 14642 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 14643 * catch all scenarios. 
* @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.RetireGrant
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RetireGrant" target="_top">AWS API
     *      Documentation</a>
     */
    default RetireGrantResponse retireGrant(RetireGrantRequest retireGrantRequest) throws InvalidArnException,
            InvalidGrantTokenException, InvalidGrantIdException, NotFoundException, DependencyTimeoutException,
            KmsInternalException, KmsInvalidStateException, DryRunOperationException, AwsServiceException, SdkClientException,
            KmsException {
        // This default body sends nothing to KMS and always fails, so no grant is retired through it.
        // The java.lang type is written out in full so a reader does not have to work out which
        // UnsupportedOperationException is meant.
        throw new java.lang.UnsupportedOperationException();
    }

    /**
     * <p>
     * Deletes a grant. Typically, you retire a grant when you no longer need its permissions. To identify the grant to
     * retire, use a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token">grant
     * token</a>, or both the grant ID and a key identifier (key ID or key ARN) of the KMS key. The <a>CreateGrant</a>
     * operation returns both values.
     * </p>
     * <p>
     * This operation can be called by the <i>retiring principal</i> for a grant, by the <i>grantee principal</i> if the
     * grant allows the <code>RetireGrant</code> operation, and by the Amazon Web Services account in which the grant is
     * created. It can also be called by principals to whom permission for retiring a grant is delegated. For details,
     * see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete">Retiring and
     * revoking grants</a> in the <i>Key Management Service Developer Guide</i>.
14672 * </p> 14673 * <p> 14674 * For detailed information about grants, including grant terminology, see <a 14675 * href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html">Grants in KMS</a> in the <i> <i>Key 14676 * Management Service Developer Guide</i> </i>. For examples of working with grants in several programming 14677 * languages, see <a 14678 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html">Programming grants</a>. 14679 * </p> 14680 * <p> 14681 * <b>Cross-account use</b>: Yes. You can retire a grant on a KMS key in a different Amazon Web Services account. 14682 * </p> 14683 * <p> 14684 * <b>Required permissions</b>: Permission to retire a grant is determined primarily by the grant. For details, see 14685 * <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete">Retiring and 14686 * revoking grants</a> in the <i>Key Management Service Developer Guide</i>. 14687 * </p> 14688 * <p> 14689 * <b>Related operations:</b> 14690 * </p> 14691 * <ul> 14692 * <li> 14693 * <p> 14694 * <a>CreateGrant</a> 14695 * </p> 14696 * </li> 14697 * <li> 14698 * <p> 14699 * <a>ListGrants</a> 14700 * </p> 14701 * </li> 14702 * <li> 14703 * <p> 14704 * <a>ListRetirableGrants</a> 14705 * </p> 14706 * </li> 14707 * <li> 14708 * <p> 14709 * <a>RevokeGrant</a> 14710 * </p> 14711 * </li> 14712 * </ul> 14713 * <p> 14714 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 14715 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 14716 * consistency</a>. 
14717 * </p> 14718 * <br/> 14719 * <p> 14720 * This is a convenience which creates an instance of the {@link RetireGrantRequest.Builder} avoiding the need to 14721 * create one manually via {@link RetireGrantRequest#builder()} 14722 * </p> 14723 * 14724 * @param retireGrantRequest 14725 * A {@link Consumer} that will call methods on 14726 * {@link software.amazon.awssdk.services.kms.model.RetireGrantRequest.Builder} to create a request. 14727 * @return Result of the RetireGrant operation returned by the service. 14728 * @throws InvalidArnException 14729 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 14730 * @throws InvalidGrantTokenException 14731 * The request was rejected because the specified grant token is not valid. 14732 * @throws InvalidGrantIdException 14733 * The request was rejected because the specified <code>GrantId</code> is not valid. 14734 * @throws NotFoundException 14735 * The request was rejected because the specified entity or resource could not be found. 14736 * @throws DependencyTimeoutException 14737 * The system timed out while trying to fulfill the request. You can retry the request. 14738 * @throws KmsInternalException 14739 * The request was rejected because an internal exception occurred. The request can be retried. 14740 * @throws KmsInvalidStateException 14741 * The request was rejected because the state of the specified resource is not valid for this request.</p> 14742 * <p> 14743 * This exceptions means one of the following: 14744 * </p> 14745 * <ul> 14746 * <li> 14747 * <p> 14748 * The key state of the KMS key is not compatible with the operation. 14749 * </p> 14750 * <p> 14751 * To find the key state, use the <a>DescribeKey</a> operation. 
For more information about which key states
     *         are compatible with each KMS operation, see <a
     *         href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
     *         the <i> <i>Key Management Service Developer Guide</i> </i>.
     *         </p>
     *         </li>
     *         <li>
     *         <p>
     *         For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     *         failure with many possible causes. To identify the cause, see the error message that accompanies the
     *         exception.
     *         </p>
     *         </li>
     * @throws DryRunOperationException
     *         The request was rejected because the DryRun parameter was specified.
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.RetireGrant
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RetireGrant" target="_top">AWS API
     *      Documentation</a>
     */
    default RetireGrantResponse retireGrant(Consumer<RetireGrantRequest.Builder> retireGrantRequest) throws InvalidArnException,
            InvalidGrantTokenException, InvalidGrantIdException, NotFoundException, DependencyTimeoutException,
            KmsInternalException, KmsInvalidStateException, DryRunOperationException, AwsServiceException, SdkClientException,
            KmsException {
        // Apply the caller's mutator to a fresh builder, then delegate to the overload that takes the
        // built request, so both entry points go through the same call.
        RetireGrantRequest builtRequest = RetireGrantRequest.builder().applyMutation(retireGrantRequest).build();
        return retireGrant(builtRequest);
    }

    /**
     * <p>
     * Deletes a grant.
Typically, you retire a grant when you no longer need its permissions. To identify the grant to 14787 * retire, use a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token">grant 14788 * token</a>, or both the grant ID and a key identifier (key ID or key ARN) of the KMS key. The <a>CreateGrant</a> 14789 * operation returns both values. 14790 * </p> 14791 * <p> 14792 * This operation can be called by the <i>retiring principal</i> for a grant, by the <i>grantee principal</i> if the 14793 * grant allows the <code>RetireGrant</code> operation, and by the Amazon Web Services account in which the grant is 14794 * created. It can also be called by principals to whom permission for retiring a grant is delegated. For details, 14795 * see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete">Retiring and 14796 * revoking grants</a> in the <i>Key Management Service Developer Guide</i>. 14797 * </p> 14798 * <p> 14799 * For detailed information about grants, including grant terminology, see <a 14800 * href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html">Grants in KMS</a> in the <i> <i>Key 14801 * Management Service Developer Guide</i> </i>. For examples of working with grants in several programming 14802 * languages, see <a 14803 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html">Programming grants</a>. 14804 * </p> 14805 * <p> 14806 * <b>Cross-account use</b>: Yes. You can retire a grant on a KMS key in a different Amazon Web Services account. 14807 * </p> 14808 * <p> 14809 * <b>Required permissions</b>: Permission to retire a grant is determined primarily by the grant. For details, see 14810 * <a href="https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete">Retiring and 14811 * revoking grants</a> in the <i>Key Management Service Developer Guide</i>. 
14812 * </p> 14813 * <p> 14814 * <b>Related operations:</b> 14815 * </p> 14816 * <ul> 14817 * <li> 14818 * <p> 14819 * <a>CreateGrant</a> 14820 * </p> 14821 * </li> 14822 * <li> 14823 * <p> 14824 * <a>ListGrants</a> 14825 * </p> 14826 * </li> 14827 * <li> 14828 * <p> 14829 * <a>ListRetirableGrants</a> 14830 * </p> 14831 * </li> 14832 * <li> 14833 * <p> 14834 * <a>RevokeGrant</a> 14835 * </p> 14836 * </li> 14837 * </ul> 14838 * <p> 14839 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 14840 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 14841 * consistency</a>. 14842 * </p> 14843 * 14844 * @return Result of the RetireGrant operation returned by the service. 14845 * @throws InvalidArnException 14846 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 14847 * @throws InvalidGrantTokenException 14848 * The request was rejected because the specified grant token is not valid. 14849 * @throws InvalidGrantIdException 14850 * The request was rejected because the specified <code>GrantId</code> is not valid. 14851 * @throws NotFoundException 14852 * The request was rejected because the specified entity or resource could not be found. 14853 * @throws DependencyTimeoutException 14854 * The system timed out while trying to fulfill the request. You can retry the request. 14855 * @throws KmsInternalException 14856 * The request was rejected because an internal exception occurred. The request can be retried. 14857 * @throws KmsInvalidStateException 14858 * The request was rejected because the state of the specified resource is not valid for this request.</p> 14859 * <p> 14860 * This exceptions means one of the following: 14861 * </p> 14862 * <ul> 14863 * <li> 14864 * <p> 14865 * The key state of the KMS key is not compatible with the operation. 
* </p>
 * <p>
 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states
 * are compatible with each KMS operation, see <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
 * the <i>Key Management Service Developer Guide</i>.
 * </p>
 * </li>
 * <li>
 * <p>
 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general
 * failure with many possible causes. To identify the cause, see the error message that accompanies the
 * exception.
 * </p>
 * </li>
 * </ul>
 * @throws DryRunOperationException
 *         The request was rejected because the DryRun parameter was specified.
 * @throws SdkException
 *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
 *         catch all scenarios.
 * @throws SdkClientException
 *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
 * @throws KmsException
 *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
 * @sample KmsClient.RetireGrant
 * @see #retireGrant(RetireGrantRequest)
 * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RetireGrant" target="_top">AWS API
 *      Documentation</a>
 */
default RetireGrantResponse retireGrant()
        throws InvalidArnException, InvalidGrantTokenException, InvalidGrantIdException, NotFoundException,
        DependencyTimeoutException, KmsInternalException, KmsInvalidStateException, DryRunOperationException,
        AwsServiceException, SdkClientException, KmsException {
    // NOTE(review): the request is built with no field set, while the description above says a
    // grant is identified by a grant token, or by the grant ID plus a key identifier. Presumably
    // the service rejects such a request; confirm before relying on this overload to retire anything.
    RetireGrantRequest emptyRequest = RetireGrantRequest.builder().build();
    return retireGrant(emptyRequest);
}

/**
 * <p>
 * Deletes the specified grant.
You revoke a grant to terminate the permissions that the grant allows. For more 14904 * information, see <a 14905 * href="https://docs.aws.amazon.com/kms/latest/developerguide/managing-grants.html#grant-delete">Retiring and 14906 * revoking grants</a> in the <i> <i>Key Management Service Developer Guide</i> </i>. 14907 * </p> 14908 * <p> 14909 * When you create, retire, or revoke a grant, there might be a brief delay, usually less than five minutes, until 14910 * the grant is available throughout KMS. This state is known as <i>eventual consistency</i>. For details, see <a 14911 * href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-eventual-consistency">Eventual 14912 * consistency</a> in the <i> <i>Key Management Service Developer Guide</i> </i>. 14913 * </p> 14914 * <p> 14915 * For detailed information about grants, including grant terminology, see <a 14916 * href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html">Grants in KMS</a> in the <i> <i>Key 14917 * Management Service Developer Guide</i> </i>. For examples of working with grants in several programming 14918 * languages, see <a 14919 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html">Programming grants</a>. 14920 * </p> 14921 * <p> 14922 * <b>Cross-account use</b>: Yes. To perform this operation on a KMS key in a different Amazon Web Services account, 14923 * specify the key ARN in the value of the <code>KeyId</code> parameter. 14924 * </p> 14925 * <p> 14926 * <b>Required permissions</b>: <a 14927 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 14928 * >kms:RevokeGrant</a> (key policy). 
14929 * </p> 14930 * <p> 14931 * <b>Related operations:</b> 14932 * </p> 14933 * <ul> 14934 * <li> 14935 * <p> 14936 * <a>CreateGrant</a> 14937 * </p> 14938 * </li> 14939 * <li> 14940 * <p> 14941 * <a>ListGrants</a> 14942 * </p> 14943 * </li> 14944 * <li> 14945 * <p> 14946 * <a>ListRetirableGrants</a> 14947 * </p> 14948 * </li> 14949 * <li> 14950 * <p> 14951 * <a>RetireGrant</a> 14952 * </p> 14953 * </li> 14954 * </ul> 14955 * <p> 14956 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 14957 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 14958 * consistency</a>. 14959 * </p> 14960 * 14961 * @param revokeGrantRequest 14962 * @return Result of the RevokeGrant operation returned by the service. 14963 * @throws NotFoundException 14964 * The request was rejected because the specified entity or resource could not be found. 14965 * @throws DependencyTimeoutException 14966 * The system timed out while trying to fulfill the request. You can retry the request. 14967 * @throws InvalidArnException 14968 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 14969 * @throws InvalidGrantIdException 14970 * The request was rejected because the specified <code>GrantId</code> is not valid. 14971 * @throws KmsInternalException 14972 * The request was rejected because an internal exception occurred. The request can be retried. 14973 * @throws KmsInvalidStateException 14974 * The request was rejected because the state of the specified resource is not valid for this request.</p> 14975 * <p> 14976 * This exceptions means one of the following: 14977 * </p> 14978 * <ul> 14979 * <li> 14980 * <p> 14981 * The key state of the KMS key is not compatible with the operation. 14982 * </p> 14983 * <p> 14984 * To find the key state, use the <a>DescribeKey</a> operation. 
For more information about which key states
 * are compatible with each KMS operation, see <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
 * the <i>Key Management Service Developer Guide</i>.
 * </p>
 * </li>
 * <li>
 * <p>
 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general
 * failure with many possible causes. To identify the cause, see the error message that accompanies the
 * exception.
 * </p>
 * </li>
 * </ul>
 * @throws DryRunOperationException
 *         The request was rejected because the DryRun parameter was specified.
 * @throws SdkException
 *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
 *         catch all scenarios.
 * @throws SdkClientException
 *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
 * @throws KmsException
 *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
 * @sample KmsClient.RevokeGrant
 * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RevokeGrant" target="_top">AWS API
 *      Documentation</a>
 */
default RevokeGrantResponse revokeGrant(RevokeGrantRequest revokeGrantRequest)
        throws NotFoundException, DependencyTimeoutException, InvalidArnException, InvalidGrantIdException,
        KmsInternalException, KmsInvalidStateException, DryRunOperationException, AwsServiceException,
        SdkClientException, KmsException {
    // This default body throws before anything is sent, so no grant is revoked by it.
    // Presumably concrete client implementations override this method; confirm against the implementing class.
    throw new UnsupportedOperationException();
}

/**
 * <p>
 * Deletes the specified grant. You revoke a grant to terminate the permissions that the grant allows.
For more 15019 * information, see <a 15020 * href="https://docs.aws.amazon.com/kms/latest/developerguide/managing-grants.html#grant-delete">Retiring and 15021 * revoking grants</a> in the <i> <i>Key Management Service Developer Guide</i> </i>. 15022 * </p> 15023 * <p> 15024 * When you create, retire, or revoke a grant, there might be a brief delay, usually less than five minutes, until 15025 * the grant is available throughout KMS. This state is known as <i>eventual consistency</i>. For details, see <a 15026 * href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-eventual-consistency">Eventual 15027 * consistency</a> in the <i> <i>Key Management Service Developer Guide</i> </i>. 15028 * </p> 15029 * <p> 15030 * For detailed information about grants, including grant terminology, see <a 15031 * href="https://docs.aws.amazon.com/kms/latest/developerguide/grants.html">Grants in KMS</a> in the <i> <i>Key 15032 * Management Service Developer Guide</i> </i>. For examples of working with grants in several programming 15033 * languages, see <a 15034 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html">Programming grants</a>. 15035 * </p> 15036 * <p> 15037 * <b>Cross-account use</b>: Yes. To perform this operation on a KMS key in a different Amazon Web Services account, 15038 * specify the key ARN in the value of the <code>KeyId</code> parameter. 15039 * </p> 15040 * <p> 15041 * <b>Required permissions</b>: <a 15042 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 15043 * >kms:RevokeGrant</a> (key policy). 
15044 * </p> 15045 * <p> 15046 * <b>Related operations:</b> 15047 * </p> 15048 * <ul> 15049 * <li> 15050 * <p> 15051 * <a>CreateGrant</a> 15052 * </p> 15053 * </li> 15054 * <li> 15055 * <p> 15056 * <a>ListGrants</a> 15057 * </p> 15058 * </li> 15059 * <li> 15060 * <p> 15061 * <a>ListRetirableGrants</a> 15062 * </p> 15063 * </li> 15064 * <li> 15065 * <p> 15066 * <a>RetireGrant</a> 15067 * </p> 15068 * </li> 15069 * </ul> 15070 * <p> 15071 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 15072 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 15073 * consistency</a>. 15074 * </p> 15075 * <br/> 15076 * <p> 15077 * This is a convenience which creates an instance of the {@link RevokeGrantRequest.Builder} avoiding the need to 15078 * create one manually via {@link RevokeGrantRequest#builder()} 15079 * </p> 15080 * 15081 * @param revokeGrantRequest 15082 * A {@link Consumer} that will call methods on 15083 * {@link software.amazon.awssdk.services.kms.model.RevokeGrantRequest.Builder} to create a request. 15084 * @return Result of the RevokeGrant operation returned by the service. 15085 * @throws NotFoundException 15086 * The request was rejected because the specified entity or resource could not be found. 15087 * @throws DependencyTimeoutException 15088 * The system timed out while trying to fulfill the request. You can retry the request. 15089 * @throws InvalidArnException 15090 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 15091 * @throws InvalidGrantIdException 15092 * The request was rejected because the specified <code>GrantId</code> is not valid. 15093 * @throws KmsInternalException 15094 * The request was rejected because an internal exception occurred. The request can be retried. 
15095 * @throws KmsInvalidStateException 15096 * The request was rejected because the state of the specified resource is not valid for this request.</p> 15097 * <p> 15098 * This exceptions means one of the following: 15099 * </p> 15100 * <ul> 15101 * <li> 15102 * <p> 15103 * The key state of the KMS key is not compatible with the operation. 15104 * </p> 15105 * <p> 15106 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 15107 * are compatible with each KMS operation, see <a 15108 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 15109 * the <i> <i>Key Management Service Developer Guide</i> </i>. 15110 * </p> 15111 * </li> 15112 * <li> 15113 * <p> 15114 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 15115 * failure with many possible causes. To identify the cause, see the error message that accompanies the 15116 * exception. 15117 * </p> 15118 * </li> 15119 * @throws DryRunOperationException 15120 * The request was rejected because the DryRun parameter was specified. 15121 * @throws SdkException 15122 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 15123 * catch all scenarios. 15124 * @throws SdkClientException 15125 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 15126 * @throws KmsException 15127 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
* @sample KmsClient.RevokeGrant
 * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RevokeGrant" target="_top">AWS API
 *      Documentation</a>
 */
default RevokeGrantResponse revokeGrant(Consumer<RevokeGrantRequest.Builder> revokeGrantRequest)
        throws NotFoundException, DependencyTimeoutException, InvalidArnException, InvalidGrantIdException,
        KmsInternalException, KmsInvalidStateException, DryRunOperationException, AwsServiceException,
        SdkClientException, KmsException {
    // Run the caller's consumer against a fresh builder, then delegate to the overload that
    // takes the built request. The request holds only what the consumer set on the builder.
    RevokeGrantRequest builtRequest = RevokeGrantRequest.builder().applyMutation(revokeGrantRequest).build();
    return revokeGrant(builtRequest);
}

/**
 * <p>
 * Schedules the deletion of a KMS key. By default, KMS applies a waiting period of 30 days, but you can specify a
 * waiting period of 7-30 days. When this operation is successful, the key state of the KMS key changes to
 * <code>PendingDeletion</code> and the key can't be used in any cryptographic operations. It remains in this state
 * for the duration of the waiting period. Before the waiting period ends, you can use <a>CancelKeyDeletion</a> to
 * cancel the deletion of the KMS key. After the waiting period ends, KMS deletes the KMS key, its key material, and
 * all KMS data associated with it, including all aliases that refer to it.
 * </p>
 * <important>
 * <p>
 * Deleting a KMS key is a destructive and potentially dangerous operation. When a KMS key is deleted, all data that
 * was encrypted under the KMS key is unrecoverable. (The only exception is a <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html">multi-Region replica
 * key</a>, or an <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-managing.html#import-delete-key">asymmetric
 * or HMAC KMS key with imported key material</a>.)
To prevent the use of a KMS key without deleting it, use 15154 * <a>DisableKey</a>. 15155 * </p> 15156 * </important> 15157 * <p> 15158 * You can schedule the deletion of a multi-Region primary key and its replica keys at any time. However, KMS will 15159 * not delete a multi-Region primary key with existing replica keys. If you schedule the deletion of a primary key 15160 * with replicas, its key state changes to <code>PendingReplicaDeletion</code> and it cannot be replicated or used 15161 * in cryptographic operations. This status can continue indefinitely. When the last of its replicas keys is deleted 15162 * (not just scheduled), the key state of the primary key changes to <code>PendingDeletion</code> and its waiting 15163 * period (<code>PendingWindowInDays</code>) begins. For details, see <a 15164 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html">Deleting multi-Region 15165 * keys</a> in the <i>Key Management Service Developer Guide</i>. 15166 * </p> 15167 * <p> 15168 * When KMS <a href="https://docs.aws.amazon.com/kms/latest/developerguide/delete-cmk-keystore.html">deletes a KMS 15169 * key from an CloudHSM key store</a>, it makes a best effort to delete the associated key material from the 15170 * associated CloudHSM cluster. However, you might need to manually <a 15171 * href="https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key">delete 15172 * the orphaned key material</a> from the cluster and its backups. <a 15173 * href="https://docs.aws.amazon.com/kms/latest/developerguide/delete-xks-key.html">Deleting a KMS key from an 15174 * external key store</a> has no effect on the associated external key. However, for both types of custom key 15175 * stores, deleting a KMS key is destructive and irreversible. You cannot decrypt ciphertext encrypted under the KMS 15176 * key by using only its associated external key or CloudHSM key. 
Also, you cannot recreate a KMS key in an external 15177 * key store by creating a new KMS key with the same key material. 15178 * </p> 15179 * <p> 15180 * For more information about scheduling a KMS key for deletion, see <a 15181 * href="https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html">Deleting KMS keys</a> in the 15182 * <i>Key Management Service Developer Guide</i>. 15183 * </p> 15184 * <p> 15185 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 15186 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 15187 * <i>Key Management Service Developer Guide</i>. 15188 * </p> 15189 * <p> 15190 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 15191 * account. 15192 * </p> 15193 * <p> 15194 * <b>Required permissions</b>: kms:ScheduleKeyDeletion (key policy) 15195 * </p> 15196 * <p> 15197 * <b>Related operations</b> 15198 * </p> 15199 * <ul> 15200 * <li> 15201 * <p> 15202 * <a>CancelKeyDeletion</a> 15203 * </p> 15204 * </li> 15205 * <li> 15206 * <p> 15207 * <a>DisableKey</a> 15208 * </p> 15209 * </li> 15210 * </ul> 15211 * <p> 15212 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 15213 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 15214 * consistency</a>. 15215 * </p> 15216 * 15217 * @param scheduleKeyDeletionRequest 15218 * @return Result of the ScheduleKeyDeletion operation returned by the service. 15219 * @throws NotFoundException 15220 * The request was rejected because the specified entity or resource could not be found. 15221 * @throws InvalidArnException 15222 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 
15223 * @throws DependencyTimeoutException 15224 * The system timed out while trying to fulfill the request. You can retry the request. 15225 * @throws KmsInternalException 15226 * The request was rejected because an internal exception occurred. The request can be retried. 15227 * @throws KmsInvalidStateException 15228 * The request was rejected because the state of the specified resource is not valid for this request.</p> 15229 * <p> 15230 * This exceptions means one of the following: 15231 * </p> 15232 * <ul> 15233 * <li> 15234 * <p> 15235 * The key state of the KMS key is not compatible with the operation. 15236 * </p> 15237 * <p> 15238 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 15239 * are compatible with each KMS operation, see <a 15240 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 15241 * the <i> <i>Key Management Service Developer Guide</i> </i>. 15242 * </p> 15243 * </li> 15244 * <li> 15245 * <p> 15246 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 15247 * failure with many possible causes. To identify the cause, see the error message that accompanies the 15248 * exception. 15249 * </p> 15250 * </li> 15251 * @throws SdkException 15252 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 15253 * catch all scenarios. 15254 * @throws SdkClientException 15255 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 15256 * @throws KmsException 15257 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
* @sample KmsClient.ScheduleKeyDeletion
 * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ScheduleKeyDeletion" target="_top">AWS API
 *      Documentation</a>
 */
default ScheduleKeyDeletionResponse scheduleKeyDeletion(ScheduleKeyDeletionRequest scheduleKeyDeletionRequest)
        throws NotFoundException, InvalidArnException, DependencyTimeoutException, KmsInternalException,
        KmsInvalidStateException, AwsServiceException, SdkClientException, KmsException {
    // This default body throws before anything is sent, so no deletion is scheduled by it.
    // Presumably concrete client implementations override this method; confirm against the implementing class.
    throw new UnsupportedOperationException();
}

/**
 * <p>
 * Schedules the deletion of a KMS key. By default, KMS applies a waiting period of 30 days, but you can specify a
 * waiting period of 7-30 days. When this operation is successful, the key state of the KMS key changes to
 * <code>PendingDeletion</code> and the key can't be used in any cryptographic operations. It remains in this state
 * for the duration of the waiting period. Before the waiting period ends, you can use <a>CancelKeyDeletion</a> to
 * cancel the deletion of the KMS key. After the waiting period ends, KMS deletes the KMS key, its key material, and
 * all KMS data associated with it, including all aliases that refer to it.
 * </p>
 * <important>
 * <p>
 * Deleting a KMS key is a destructive and potentially dangerous operation. When a KMS key is deleted, all data that
 * was encrypted under the KMS key is unrecoverable. (The only exception is a <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html">multi-Region replica
 * key</a>, or an <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-managing.html#import-delete-key">asymmetric
 * or HMAC KMS key with imported key material</a>.) To prevent the use of a KMS key without deleting it, use
 * <a>DisableKey</a>.
15285 * </p> 15286 * </important> 15287 * <p> 15288 * You can schedule the deletion of a multi-Region primary key and its replica keys at any time. However, KMS will 15289 * not delete a multi-Region primary key with existing replica keys. If you schedule the deletion of a primary key 15290 * with replicas, its key state changes to <code>PendingReplicaDeletion</code> and it cannot be replicated or used 15291 * in cryptographic operations. This status can continue indefinitely. When the last of its replicas keys is deleted 15292 * (not just scheduled), the key state of the primary key changes to <code>PendingDeletion</code> and its waiting 15293 * period (<code>PendingWindowInDays</code>) begins. For details, see <a 15294 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html">Deleting multi-Region 15295 * keys</a> in the <i>Key Management Service Developer Guide</i>. 15296 * </p> 15297 * <p> 15298 * When KMS <a href="https://docs.aws.amazon.com/kms/latest/developerguide/delete-cmk-keystore.html">deletes a KMS 15299 * key from an CloudHSM key store</a>, it makes a best effort to delete the associated key material from the 15300 * associated CloudHSM cluster. However, you might need to manually <a 15301 * href="https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key">delete 15302 * the orphaned key material</a> from the cluster and its backups. <a 15303 * href="https://docs.aws.amazon.com/kms/latest/developerguide/delete-xks-key.html">Deleting a KMS key from an 15304 * external key store</a> has no effect on the associated external key. However, for both types of custom key 15305 * stores, deleting a KMS key is destructive and irreversible. You cannot decrypt ciphertext encrypted under the KMS 15306 * key by using only its associated external key or CloudHSM key. Also, you cannot recreate a KMS key in an external 15307 * key store by creating a new KMS key with the same key material. 
15308 * </p> 15309 * <p> 15310 * For more information about scheduling a KMS key for deletion, see <a 15311 * href="https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html">Deleting KMS keys</a> in the 15312 * <i>Key Management Service Developer Guide</i>. 15313 * </p> 15314 * <p> 15315 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 15316 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 15317 * <i>Key Management Service Developer Guide</i>. 15318 * </p> 15319 * <p> 15320 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 15321 * account. 15322 * </p> 15323 * <p> 15324 * <b>Required permissions</b>: kms:ScheduleKeyDeletion (key policy) 15325 * </p> 15326 * <p> 15327 * <b>Related operations</b> 15328 * </p> 15329 * <ul> 15330 * <li> 15331 * <p> 15332 * <a>CancelKeyDeletion</a> 15333 * </p> 15334 * </li> 15335 * <li> 15336 * <p> 15337 * <a>DisableKey</a> 15338 * </p> 15339 * </li> 15340 * </ul> 15341 * <p> 15342 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 15343 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 15344 * consistency</a>. 15345 * </p> 15346 * <br/> 15347 * <p> 15348 * This is a convenience which creates an instance of the {@link ScheduleKeyDeletionRequest.Builder} avoiding the 15349 * need to create one manually via {@link ScheduleKeyDeletionRequest#builder()} 15350 * </p> 15351 * 15352 * @param scheduleKeyDeletionRequest 15353 * A {@link Consumer} that will call methods on 15354 * {@link software.amazon.awssdk.services.kms.model.ScheduleKeyDeletionRequest.Builder} to create a request. 15355 * @return Result of the ScheduleKeyDeletion operation returned by the service. 
15356 * @throws NotFoundException 15357 * The request was rejected because the specified entity or resource could not be found. 15358 * @throws InvalidArnException 15359 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 15360 * @throws DependencyTimeoutException 15361 * The system timed out while trying to fulfill the request. You can retry the request. 15362 * @throws KmsInternalException 15363 * The request was rejected because an internal exception occurred. The request can be retried. 15364 * @throws KmsInvalidStateException 15365 * The request was rejected because the state of the specified resource is not valid for this request.</p> 15366 * <p> 15367 * This exceptions means one of the following: 15368 * </p> 15369 * <ul> 15370 * <li> 15371 * <p> 15372 * The key state of the KMS key is not compatible with the operation. 15373 * </p> 15374 * <p> 15375 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 15376 * are compatible with each KMS operation, see <a 15377 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 15378 * the <i> <i>Key Management Service Developer Guide</i> </i>. 15379 * </p> 15380 * </li> 15381 * <li> 15382 * <p> 15383 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 15384 * failure with many possible causes. To identify the cause, see the error message that accompanies the 15385 * exception. 15386 * </p> 15387 * </li> 15388 * @throws SdkException 15389 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 15390 * catch all scenarios. 15391 * @throws SdkClientException 15392 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 15393 * @throws KmsException 15394 * Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance of this type.
 * @sample KmsClient.ScheduleKeyDeletion
 * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ScheduleKeyDeletion" target="_top">AWS API
 *      Documentation</a>
 */
default ScheduleKeyDeletionResponse scheduleKeyDeletion(
        Consumer<ScheduleKeyDeletionRequest.Builder> scheduleKeyDeletionRequest)
        throws NotFoundException, InvalidArnException, DependencyTimeoutException, KmsInternalException,
        KmsInvalidStateException, AwsServiceException, SdkClientException, KmsException {
    // The request is whatever the caller's consumer sets on a fresh builder; this method sets
    // and checks nothing itself before delegating to the overload that takes the built request.
    ScheduleKeyDeletionRequest builtRequest =
            ScheduleKeyDeletionRequest.builder().applyMutation(scheduleKeyDeletionRequest).build();
    return scheduleKeyDeletion(builtRequest);
}

/**
 * <p>
 * Creates a <a href="https://en.wikipedia.org/wiki/Digital_signature">digital signature</a> for a message or
 * message digest by using the private key in an asymmetric signing KMS key. To verify the signature, use the
 * <a>Verify</a> operation, or use the public key in the same asymmetric KMS key outside of KMS. For information
 * about asymmetric KMS keys, see <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in
 * the <i>Key Management Service Developer Guide</i>.
 * </p>
 * <p>
 * Digital signatures are generated and verified by using asymmetric key pair, such as an RSA or ECC pair that is
 * represented by an asymmetric KMS key. The key owner (or an authorized user) uses their private key to sign a
 * message. Anyone with the public key can verify that the message was signed with that particular private key and
 * that the message hasn't changed since it was signed.
     * </p>
     * <p>
     * To use the <code>Sign</code> operation, provide the following information:
     * </p>
     * <ul>
     * <li>
     * <p>
     * Use the <code>KeyId</code> parameter to identify an asymmetric KMS key with a <code>KeyUsage</code> value of
     * <code>SIGN_VERIFY</code>. To get the <code>KeyUsage</code> value of a KMS key, use the <a>DescribeKey</a>
     * operation. The caller must have <code>kms:Sign</code> permission on the KMS key.
     * </p>
     * </li>
     * <li>
     * <p>
     * Use the <code>Message</code> parameter to specify the message or message digest to sign. You can submit messages
     * of up to 4096 bytes. To sign a larger message, generate a hash digest of the message, and then provide the hash
     * digest in the <code>Message</code> parameter. To indicate whether the message is a full message or a digest, use
     * the <code>MessageType</code> parameter.
     * </p>
     * </li>
     * <li>
     * <p>
     * Choose a signing algorithm that is compatible with the KMS key.
     * </p>
     * </li>
     * </ul>
     * <important>
     * <p>
     * When signing a message, be sure to record the KMS key and the signing algorithm. This information is required to
     * verify the signature.
     * </p>
     * </important> <note>
     * <p>
     * Best practices recommend that you limit the time during which any signature is effective. This deters an attack
     * where the actor uses a signed message to establish validity repeatedly or long after the message is superseded.
     * Signatures do not include a timestamp, but you can include a timestamp in the signed message to help you detect
     * when it's time to refresh the signature.
     * </p>
     * </note>
     * <p>
     * To verify the signature that this operation generates, use the <a>Verify</a> operation.
Or use the 15461 * <a>GetPublicKey</a> operation to download the public key and then use the public key to verify the signature 15462 * outside of KMS. 15463 * </p> 15464 * <p> 15465 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 15466 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 15467 * <i>Key Management Service Developer Guide</i>. 15468 * </p> 15469 * <p> 15470 * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services 15471 * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. 15472 * </p> 15473 * <p> 15474 * <b>Required permissions</b>: <a 15475 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:Sign</a> (key 15476 * policy) 15477 * </p> 15478 * <p> 15479 * <b>Related operations</b>: <a>Verify</a> 15480 * </p> 15481 * <p> 15482 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 15483 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 15484 * consistency</a>. 15485 * </p> 15486 * 15487 * @param signRequest 15488 * @return Result of the Sign operation returned by the service. 15489 * @throws NotFoundException 15490 * The request was rejected because the specified entity or resource could not be found. 15491 * @throws DisabledException 15492 * The request was rejected because the specified KMS key is not enabled. 15493 * @throws KeyUnavailableException 15494 * The request was rejected because the specified KMS key was not available. You can retry the request. 15495 * @throws DependencyTimeoutException 15496 * The system timed out while trying to fulfill the request. You can retry the request. 
     * @throws InvalidKeyUsageException
     *         The request was rejected for one of the following reasons:
     *         <ul>
     *         <li>
     *         <p>
     *         The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation.
     *         </p>
     *         </li>
     *         <li>
     *         <p>
     *         The encryption algorithm or signing algorithm specified for the operation is incompatible with the type
     *         of key material in the KMS key (<code>KeySpec</code>).
     *         </p>
     *         </li>
     *         </ul>
     *         <p>
     *         For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be
     *         <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be
     *         <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the
     *         <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a
     *         KMS key, use the <a>DescribeKey</a> operation.
     *         </p>
     *         <p>
     *         To find the encryption or signing algorithms supported for a particular KMS key, use the
     *         <a>DescribeKey</a> operation.
     *         </p>
     * @throws InvalidGrantTokenException
     *         The request was rejected because the specified grant token is not valid.
     * @throws KmsInternalException
     *         The request was rejected because an internal exception occurred. The request can be retried.
     * @throws KmsInvalidStateException
     *         The request was rejected because the state of the specified resource is not valid for this request.
     *         <p>
     *         This exception means one of the following:
     *         </p>
     *         <ul>
     *         <li>
     *         <p>
     *         The key state of the KMS key is not compatible with the operation.
     *         </p>
     *         <p>
     *         To find the key state, use the <a>DescribeKey</a> operation.
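For more information about which key states
     *         are compatible with each KMS operation, see <a
     *         href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
     *         the <i>Key Management Service Developer Guide</i>.
     *         </p>
     *         </li>
     *         <li>
     *         <p>
     *         For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     *         failure with many possible causes. To identify the cause, see the error message that accompanies the
     *         exception.
     *         </p>
     *         </li>
     *         </ul>
     * @throws DryRunOperationException
     *         The request was rejected because the DryRun parameter was specified.
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @throws UnsupportedOperationException
     *         Always thrown by this default method body, which makes no service call. The behaviour documented above
     *         applies only where an implementing class overrides this method.
     * @sample KmsClient.Sign
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Sign" target="_top">AWS API
     *      Documentation</a>
     */
    default SignResponse sign(SignRequest signRequest) throws NotFoundException, DisabledException, KeyUnavailableException,
            DependencyTimeoutException, InvalidKeyUsageException, InvalidGrantTokenException, KmsInternalException,
            KmsInvalidStateException, DryRunOperationException, AwsServiceException, SdkClientException, KmsException {
        // Default interface body: nothing is signed and the request is never inspected. A caller that reaches
        // this line is holding a client whose implementation did not override sign(SignRequest).
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Creates a <a href="https://en.wikipedia.org/wiki/Digital_signature">digital signature</a> for a message or
     * message digest by using the private key in an asymmetric signing KMS key.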
     * To verify the signature, use the
     * <a>Verify</a> operation, or use the public key in the same asymmetric KMS key outside of KMS. For information
     * about asymmetric KMS keys, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in
     * the <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * Digital signatures are generated and verified by using an asymmetric key pair, such as an RSA or ECC pair that is
     * represented by an asymmetric KMS key. The key owner (or an authorized user) uses their private key to sign a
     * message. Anyone with the public key can verify that the message was signed with that particular private key and
     * that the message hasn't changed since it was signed.
     * </p>
     * <p>
     * To use the <code>Sign</code> operation, provide the following information:
     * </p>
     * <ul>
     * <li>
     * <p>
     * Use the <code>KeyId</code> parameter to identify an asymmetric KMS key with a <code>KeyUsage</code> value of
     * <code>SIGN_VERIFY</code>. To get the <code>KeyUsage</code> value of a KMS key, use the <a>DescribeKey</a>
     * operation. The caller must have <code>kms:Sign</code> permission on the KMS key.
     * </p>
     * </li>
     * <li>
     * <p>
     * Use the <code>Message</code> parameter to specify the message or message digest to sign. You can submit messages
     * of up to 4096 bytes. To sign a larger message, generate a hash digest of the message, and then provide the hash
     * digest in the <code>Message</code> parameter. To indicate whether the message is a full message or a digest, use
     * the <code>MessageType</code> parameter.
     * </p>
     * </li>
     * <li>
     * <p>
     * Choose a signing algorithm that is compatible with the KMS key.
     * </p>
     * </li>
     * </ul>
     * <important>
     * <p>
     * When signing a message, be sure to record the KMS key and the signing algorithm. This information is required to
     * verify the signature.
     * </p>
     * </important> <note>
     * <p>
     * Best practices recommend that you limit the time during which any signature is effective. This deters an attack
     * where the actor uses a signed message to establish validity repeatedly or long after the message is superseded.
     * Signatures do not include a timestamp, but you can include a timestamp in the signed message to help you detect
     * when it's time to refresh the signature.
     * </p>
     * </note>
     * <p>
     * To verify the signature that this operation generates, use the <a>Verify</a> operation. Or use the
     * <a>GetPublicKey</a> operation to download the public key and then use the public key to verify the signature
     * outside of KMS.
     * </p>
     * <p>
     * The KMS key that you use for this operation must be in a compatible key state. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the
     * <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services
     * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter.
     * </p>
     * <p>
     * <b>Required permissions</b>: <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:Sign</a> (key
     * policy)
     * </p>
     * <p>
     * <b>Related operations</b>: <a>Verify</a>
     * </p>
     * <p>
     * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model.
For more information, see <a 15647 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 15648 * consistency</a>. 15649 * </p> 15650 * <br/> 15651 * <p> 15652 * This is a convenience which creates an instance of the {@link SignRequest.Builder} avoiding the need to create 15653 * one manually via {@link SignRequest#builder()} 15654 * </p> 15655 * 15656 * @param signRequest 15657 * A {@link Consumer} that will call methods on 15658 * {@link software.amazon.awssdk.services.kms.model.SignRequest.Builder} to create a request. 15659 * @return Result of the Sign operation returned by the service. 15660 * @throws NotFoundException 15661 * The request was rejected because the specified entity or resource could not be found. 15662 * @throws DisabledException 15663 * The request was rejected because the specified KMS key is not enabled. 15664 * @throws KeyUnavailableException 15665 * The request was rejected because the specified KMS key was not available. You can retry the request. 15666 * @throws DependencyTimeoutException 15667 * The system timed out while trying to fulfill the request. You can retry the request. 15668 * @throws InvalidKeyUsageException 15669 * The request was rejected for one of the following reasons: </p> 15670 * <ul> 15671 * <li> 15672 * <p> 15673 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 15674 * </p> 15675 * </li> 15676 * <li> 15677 * <p> 15678 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 15679 * of key material in the KMS key <code>(KeySpec</code>). 15680 * </p> 15681 * </li> 15682 * </ul> 15683 * <p> 15684 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 15685 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 15686 * <code>SIGN_VERIFY</code>. 
     *         For generating and verifying message authentication codes (MACs), the
     *         <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a
     *         KMS key, use the <a>DescribeKey</a> operation.
     *         </p>
     *         <p>
     *         To find the encryption or signing algorithms supported for a particular KMS key, use the
     *         <a>DescribeKey</a> operation.
     *         </p>
     * @throws InvalidGrantTokenException
     *         The request was rejected because the specified grant token is not valid.
     * @throws KmsInternalException
     *         The request was rejected because an internal exception occurred. The request can be retried.
     * @throws KmsInvalidStateException
     *         The request was rejected because the state of the specified resource is not valid for this request.
     *         <p>
     *         This exception means one of the following:
     *         </p>
     *         <ul>
     *         <li>
     *         <p>
     *         The key state of the KMS key is not compatible with the operation.
     *         </p>
     *         <p>
     *         To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states
     *         are compatible with each KMS operation, see <a
     *         href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
     *         the <i>Key Management Service Developer Guide</i>.
     *         </p>
     *         </li>
     *         <li>
     *         <p>
     *         For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     *         failure with many possible causes. To identify the cause, see the error message that accompanies the
     *         exception.
     *         </p>
     *         </li>
     *         </ul>
     * @throws DryRunOperationException
     *         The request was rejected because the DryRun parameter was specified.
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
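* @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @throws UnsupportedOperationException
     *         If {@link #sign(SignRequest)} is not overridden; this overload only builds the request and delegates
     *         to it.
     * @sample KmsClient.Sign
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Sign" target="_top">AWS API
     *      Documentation</a>
     */
    default SignResponse sign(Consumer<SignRequest.Builder> signRequest) throws NotFoundException, DisabledException,
            KeyUnavailableException, DependencyTimeoutException, InvalidKeyUsageException, InvalidGrantTokenException,
            KmsInternalException, KmsInvalidStateException, DryRunOperationException, AwsServiceException, SdkClientException,
            KmsException {
        // Convenience overload: the caller's mutations are applied to the builder from SignRequest.builder(),
        // the request is built, and the work is delegated to sign(SignRequest). Nothing is validated here.
        return sign(SignRequest.builder().applyMutation(signRequest).build());
    }

    /**
     * <p>
     * Adds or edits tags on a <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed key</a>.
     * </p>
     * <note>
     * <p>
     * Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/abac.html">ABAC for KMS</a> in the <i>Key Management
     * Service Developer Guide</i>.
     * </p>
     * </note>
     * <p>
     * Each tag consists of a tag key and a tag value, both of which are case-sensitive strings. The tag value can be an
     * empty (null) string. To add a tag, specify a new tag key and a tag value. To edit a tag, specify an existing tag
     * key and a new tag value.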
15758 * </p> 15759 * <p> 15760 * You can use this operation to tag a <a 15761 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed key</a>, 15762 * but you cannot tag an <a 15763 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web Services 15764 * managed key</a>, an <a 15765 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk">Amazon Web Services 15766 * owned key</a>, a <a 15767 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#keystore-concept">custom key store</a>, 15768 * or an <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#alias-concept">alias</a>. 15769 * </p> 15770 * <p> 15771 * You can also add tags to a KMS key while creating it (<a>CreateKey</a>) or replicating it (<a>ReplicateKey</a>). 15772 * </p> 15773 * <p> 15774 * For information about using tags in KMS, see <a 15775 * href="https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html">Tagging keys</a>. For general 15776 * information about tags, including the format and syntax, see <a 15777 * href="https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html">Tagging Amazon Web Services resources</a> 15778 * in the <i>Amazon Web Services General Reference</i>. 15779 * </p> 15780 * <p> 15781 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 15782 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 15783 * <i>Key Management Service Developer Guide</i>. 15784 * </p> 15785 * <p> 15786 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 15787 * account. 
15788 * </p> 15789 * <p> 15790 * <b>Required permissions</b>: <a 15791 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 15792 * >kms:TagResource</a> (key policy) 15793 * </p> 15794 * <p> 15795 * <b>Related operations</b> 15796 * </p> 15797 * <ul> 15798 * <li> 15799 * <p> 15800 * <a>CreateKey</a> 15801 * </p> 15802 * </li> 15803 * <li> 15804 * <p> 15805 * <a>ListResourceTags</a> 15806 * </p> 15807 * </li> 15808 * <li> 15809 * <p> 15810 * <a>ReplicateKey</a> 15811 * </p> 15812 * </li> 15813 * <li> 15814 * <p> 15815 * <a>UntagResource</a> 15816 * </p> 15817 * </li> 15818 * </ul> 15819 * <p> 15820 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 15821 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 15822 * consistency</a>. 15823 * </p> 15824 * 15825 * @param tagResourceRequest 15826 * @return Result of the TagResource operation returned by the service. 15827 * @throws KmsInternalException 15828 * The request was rejected because an internal exception occurred. The request can be retried. 15829 * @throws NotFoundException 15830 * The request was rejected because the specified entity or resource could not be found. 15831 * @throws InvalidArnException 15832 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 15833 * @throws KmsInvalidStateException 15834 * The request was rejected because the state of the specified resource is not valid for this request.</p> 15835 * <p> 15836 * This exceptions means one of the following: 15837 * </p> 15838 * <ul> 15839 * <li> 15840 * <p> 15841 * The key state of the KMS key is not compatible with the operation. 15842 * </p> 15843 * <p> 15844 * To find the key state, use the <a>DescribeKey</a> operation. 
For more information about which key states 15845 * are compatible with each KMS operation, see <a 15846 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 15847 * the <i> <i>Key Management Service Developer Guide</i> </i>. 15848 * </p> 15849 * </li> 15850 * <li> 15851 * <p> 15852 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 15853 * failure with many possible causes. To identify the cause, see the error message that accompanies the 15854 * exception. 15855 * </p> 15856 * </li> 15857 * @throws LimitExceededException 15858 * The request was rejected because a quota was exceeded. For more information, see <a 15859 * href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the <i>Key 15860 * Management Service Developer Guide</i>. 15861 * @throws TagException 15862 * The request was rejected because one or more tags are not valid. 15863 * @throws SdkException 15864 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 15865 * catch all scenarios. 15866 * @throws SdkClientException 15867 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 15868 * @throws KmsException 15869 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
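* @throws UnsupportedOperationException
     *         Always thrown by this default method body, which makes no service call. The behaviour documented above
     *         applies only where an implementing class overrides this method.
     * @sample KmsClient.TagResource
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/TagResource" target="_top">AWS API
     *      Documentation</a>
     */
    default TagResourceResponse tagResource(TagResourceRequest tagResourceRequest) throws KmsInternalException,
            NotFoundException, InvalidArnException, KmsInvalidStateException, LimitExceededException, TagException,
            AwsServiceException, SdkClientException, KmsException {
        // Default interface body: no tag is written and the request is never inspected.
        // NOTE(review): the Javadoc above states that tagging can allow or deny permission to a KMS key (ABAC),
        // so kms:TagResource deserves the same scrutiny as other access-changing permissions in key policies.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Adds or edits tags on a <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed key</a>.
     * </p>
     * <note>
     * <p>
     * Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/abac.html">ABAC for KMS</a> in the <i>Key Management
     * Service Developer Guide</i>.
     * </p>
     * </note>
     * <p>
     * Each tag consists of a tag key and a tag value, both of which are case-sensitive strings. The tag value can be an
     * empty (null) string. To add a tag, specify a new tag key and a tag value. To edit a tag, specify an existing tag
     * key and a new tag value.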
15896 * </p> 15897 * <p> 15898 * You can use this operation to tag a <a 15899 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed key</a>, 15900 * but you cannot tag an <a 15901 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk">Amazon Web Services 15902 * managed key</a>, an <a 15903 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk">Amazon Web Services 15904 * owned key</a>, a <a 15905 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#keystore-concept">custom key store</a>, 15906 * or an <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#alias-concept">alias</a>. 15907 * </p> 15908 * <p> 15909 * You can also add tags to a KMS key while creating it (<a>CreateKey</a>) or replicating it (<a>ReplicateKey</a>). 15910 * </p> 15911 * <p> 15912 * For information about using tags in KMS, see <a 15913 * href="https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html">Tagging keys</a>. For general 15914 * information about tags, including the format and syntax, see <a 15915 * href="https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html">Tagging Amazon Web Services resources</a> 15916 * in the <i>Amazon Web Services General Reference</i>. 15917 * </p> 15918 * <p> 15919 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 15920 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 15921 * <i>Key Management Service Developer Guide</i>. 15922 * </p> 15923 * <p> 15924 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 15925 * account. 
15926 * </p> 15927 * <p> 15928 * <b>Required permissions</b>: <a 15929 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 15930 * >kms:TagResource</a> (key policy) 15931 * </p> 15932 * <p> 15933 * <b>Related operations</b> 15934 * </p> 15935 * <ul> 15936 * <li> 15937 * <p> 15938 * <a>CreateKey</a> 15939 * </p> 15940 * </li> 15941 * <li> 15942 * <p> 15943 * <a>ListResourceTags</a> 15944 * </p> 15945 * </li> 15946 * <li> 15947 * <p> 15948 * <a>ReplicateKey</a> 15949 * </p> 15950 * </li> 15951 * <li> 15952 * <p> 15953 * <a>UntagResource</a> 15954 * </p> 15955 * </li> 15956 * </ul> 15957 * <p> 15958 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 15959 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 15960 * consistency</a>. 15961 * </p> 15962 * <br/> 15963 * <p> 15964 * This is a convenience which creates an instance of the {@link TagResourceRequest.Builder} avoiding the need to 15965 * create one manually via {@link TagResourceRequest#builder()} 15966 * </p> 15967 * 15968 * @param tagResourceRequest 15969 * A {@link Consumer} that will call methods on 15970 * {@link software.amazon.awssdk.services.kms.model.TagResourceRequest.Builder} to create a request. 15971 * @return Result of the TagResource operation returned by the service. 15972 * @throws KmsInternalException 15973 * The request was rejected because an internal exception occurred. The request can be retried. 15974 * @throws NotFoundException 15975 * The request was rejected because the specified entity or resource could not be found. 15976 * @throws InvalidArnException 15977 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 
15978 * @throws KmsInvalidStateException 15979 * The request was rejected because the state of the specified resource is not valid for this request.</p> 15980 * <p> 15981 * This exceptions means one of the following: 15982 * </p> 15983 * <ul> 15984 * <li> 15985 * <p> 15986 * The key state of the KMS key is not compatible with the operation. 15987 * </p> 15988 * <p> 15989 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 15990 * are compatible with each KMS operation, see <a 15991 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 15992 * the <i> <i>Key Management Service Developer Guide</i> </i>. 15993 * </p> 15994 * </li> 15995 * <li> 15996 * <p> 15997 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 15998 * failure with many possible causes. To identify the cause, see the error message that accompanies the 15999 * exception. 16000 * </p> 16001 * </li> 16002 * @throws LimitExceededException 16003 * The request was rejected because a quota was exceeded. For more information, see <a 16004 * href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the <i>Key 16005 * Management Service Developer Guide</i>. 16006 * @throws TagException 16007 * The request was rejected because one or more tags are not valid. 16008 * @throws SdkException 16009 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 16010 * catch all scenarios. 16011 * @throws SdkClientException 16012 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 16013 * @throws KmsException 16014 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
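* @throws UnsupportedOperationException
     *         If {@link #tagResource(TagResourceRequest)} is not overridden; this overload only builds the request
     *         and delegates to it.
     * @sample KmsClient.TagResource
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/TagResource" target="_top">AWS API
     *      Documentation</a>
     */
    default TagResourceResponse tagResource(Consumer<TagResourceRequest.Builder> tagResourceRequest) throws KmsInternalException,
            NotFoundException, InvalidArnException, KmsInvalidStateException, LimitExceededException, TagException,
            AwsServiceException, SdkClientException, KmsException {
        // Convenience overload: the caller's mutations are applied to the builder from
        // TagResourceRequest.builder(), the request is built, and the work is delegated to
        // tagResource(TagResourceRequest). Nothing is validated here.
        return tagResource(TagResourceRequest.builder().applyMutation(tagResourceRequest).build());
    }

    /**
     * <p>
     * Deletes tags from a <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed key</a>.
     * To delete a tag, specify the tag key and the KMS key.
     * </p>
     * <note>
     * <p>
     * Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/abac.html">ABAC for KMS</a> in the <i>Key Management
     * Service Developer Guide</i>.
     * </p>
     * </note>
     * <p>
     * When it succeeds, the <code>UntagResource</code> operation doesn't return any output. Also, if the specified tag
     * key isn't found on the KMS key, it doesn't throw an exception or return a response. To confirm that the operation
     * worked, use the <a>ListResourceTags</a> operation.
     * </p>
     * <p>
     * For information about using tags in KMS, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html">Tagging keys</a>.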
For general 16046 * information about tags, including the format and syntax, see <a 16047 * href="https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html">Tagging Amazon Web Services resources</a> 16048 * in the <i>Amazon Web Services General Reference</i>. 16049 * </p> 16050 * <p> 16051 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 16052 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 16053 * <i>Key Management Service Developer Guide</i>. 16054 * </p> 16055 * <p> 16056 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 16057 * account. 16058 * </p> 16059 * <p> 16060 * <b>Required permissions</b>: <a 16061 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 16062 * >kms:UntagResource</a> (key policy) 16063 * </p> 16064 * <p> 16065 * <b>Related operations</b> 16066 * </p> 16067 * <ul> 16068 * <li> 16069 * <p> 16070 * <a>CreateKey</a> 16071 * </p> 16072 * </li> 16073 * <li> 16074 * <p> 16075 * <a>ListResourceTags</a> 16076 * </p> 16077 * </li> 16078 * <li> 16079 * <p> 16080 * <a>ReplicateKey</a> 16081 * </p> 16082 * </li> 16083 * <li> 16084 * <p> 16085 * <a>TagResource</a> 16086 * </p> 16087 * </li> 16088 * </ul> 16089 * <p> 16090 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 16091 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 16092 * consistency</a>. 16093 * </p> 16094 * 16095 * @param untagResourceRequest 16096 * @return Result of the UntagResource operation returned by the service. 16097 * @throws KmsInternalException 16098 * The request was rejected because an internal exception occurred. The request can be retried. 
16099 * @throws NotFoundException 16100 * The request was rejected because the specified entity or resource could not be found. 16101 * @throws InvalidArnException 16102 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 16103 * @throws KmsInvalidStateException 16104 * The request was rejected because the state of the specified resource is not valid for this request.</p> 16105 * <p> 16106 * This exceptions means one of the following: 16107 * </p> 16108 * <ul> 16109 * <li> 16110 * <p> 16111 * The key state of the KMS key is not compatible with the operation. 16112 * </p> 16113 * <p> 16114 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 16115 * are compatible with each KMS operation, see <a 16116 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 16117 * the <i> <i>Key Management Service Developer Guide</i> </i>. 16118 * </p> 16119 * </li> 16120 * <li> 16121 * <p> 16122 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 16123 * failure with many possible causes. To identify the cause, see the error message that accompanies the 16124 * exception. 16125 * </p> 16126 * </li> 16127 * @throws TagException 16128 * The request was rejected because one or more tags are not valid. 16129 * @throws SdkException 16130 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 16131 * catch all scenarios. 16132 * @throws SdkClientException 16133 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 16134 * @throws KmsException 16135 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
* @sample KmsClient.UntagResource
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UntagResource" target="_top">AWS API
     *      Documentation</a>
     */
    default UntagResourceResponse untagResource(UntagResourceRequest untagResourceRequest)
            throws KmsInternalException, NotFoundException, InvalidArnException, KmsInvalidStateException,
            TagException, AwsServiceException, SdkClientException, KmsException {
        // Interface default: no request is sent; the call always fails with UnsupportedOperationException.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Deletes tags from a <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk">customer managed key</a>.
     * To delete a tag, specify the tag key and the KMS key.
     * </p>
     * <note>
     * <p>
     * Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/abac.html">ABAC for KMS</a> in the <i>Key Management
     * Service Developer Guide</i>.
     * </p>
     * </note>
     * <p>
     * When it succeeds, the <code>UntagResource</code> operation doesn't return any output. Also, if the specified tag
     * key isn't found on the KMS key, it doesn't throw an exception or return a response. To confirm that the operation
     * worked, use the <a>ListResourceTags</a> operation.
     * </p>
     * <p>
     * For information about using tags in KMS, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html">Tagging keys</a>. For general
     * information about tags, including the format and syntax, see <a
     * href="https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html">Tagging Amazon Web Services resources</a>
     * in the <i>Amazon Web Services General Reference</i>.
16170 * </p> 16171 * <p> 16172 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 16173 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 16174 * <i>Key Management Service Developer Guide</i>. 16175 * </p> 16176 * <p> 16177 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 16178 * account. 16179 * </p> 16180 * <p> 16181 * <b>Required permissions</b>: <a 16182 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 16183 * >kms:UntagResource</a> (key policy) 16184 * </p> 16185 * <p> 16186 * <b>Related operations</b> 16187 * </p> 16188 * <ul> 16189 * <li> 16190 * <p> 16191 * <a>CreateKey</a> 16192 * </p> 16193 * </li> 16194 * <li> 16195 * <p> 16196 * <a>ListResourceTags</a> 16197 * </p> 16198 * </li> 16199 * <li> 16200 * <p> 16201 * <a>ReplicateKey</a> 16202 * </p> 16203 * </li> 16204 * <li> 16205 * <p> 16206 * <a>TagResource</a> 16207 * </p> 16208 * </li> 16209 * </ul> 16210 * <p> 16211 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 16212 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 16213 * consistency</a>. 16214 * </p> 16215 * <br/> 16216 * <p> 16217 * This is a convenience which creates an instance of the {@link UntagResourceRequest.Builder} avoiding the need to 16218 * create one manually via {@link UntagResourceRequest#builder()} 16219 * </p> 16220 * 16221 * @param untagResourceRequest 16222 * A {@link Consumer} that will call methods on 16223 * {@link software.amazon.awssdk.services.kms.model.UntagResourceRequest.Builder} to create a request. 16224 * @return Result of the UntagResource operation returned by the service. 
16225 * @throws KmsInternalException 16226 * The request was rejected because an internal exception occurred. The request can be retried. 16227 * @throws NotFoundException 16228 * The request was rejected because the specified entity or resource could not be found. 16229 * @throws InvalidArnException 16230 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 16231 * @throws KmsInvalidStateException 16232 * The request was rejected because the state of the specified resource is not valid for this request.</p> 16233 * <p> 16234 * This exceptions means one of the following: 16235 * </p> 16236 * <ul> 16237 * <li> 16238 * <p> 16239 * The key state of the KMS key is not compatible with the operation. 16240 * </p> 16241 * <p> 16242 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 16243 * are compatible with each KMS operation, see <a 16244 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 16245 * the <i> <i>Key Management Service Developer Guide</i> </i>. 16246 * </p> 16247 * </li> 16248 * <li> 16249 * <p> 16250 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 16251 * failure with many possible causes. To identify the cause, see the error message that accompanies the 16252 * exception. 16253 * </p> 16254 * </li> 16255 * @throws TagException 16256 * The request was rejected because one or more tags are not valid. 16257 * @throws SdkException 16258 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 16259 * catch all scenarios. 16260 * @throws SdkClientException 16261 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 16262 * @throws KmsException 16263 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
* @sample KmsClient.UntagResource
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UntagResource" target="_top">AWS API
     *      Documentation</a>
     */
    default UntagResourceResponse untagResource(Consumer<UntagResourceRequest.Builder> untagResourceRequest)
            throws KmsInternalException, NotFoundException, InvalidArnException, KmsInvalidStateException,
            TagException, AwsServiceException, SdkClientException, KmsException {
        // Materialize the request from the caller's mutator, then delegate to the request-object overload.
        // Untagging can allow or deny permission to the KMS key (ABAC), and a tag key that is not on the
        // key is not reported as an error; ListResourceTags is the documented way to confirm the result.
        final UntagResourceRequest request = UntagResourceRequest.builder().applyMutation(untagResourceRequest).build();
        return untagResource(request);
    }

    /**
     * <p>
     * Associates an existing KMS alias with a different KMS key. Each alias is associated with only one KMS key at a
     * time, although a KMS key can have multiple aliases. The alias and the KMS key must be in the same Amazon Web
     * Services account and Region.
     * </p>
     * <note>
     * <p>
     * Adding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/abac.html">ABAC for KMS</a> in the <i>Key Management
     * Service Developer Guide</i>.
     * </p>
     * </note>
     * <p>
     * The current and new KMS key must be the same type (both symmetric or both asymmetric or both HMAC), and they must
     * have the same key usage. This restriction prevents errors in code that uses aliases. If you must assign an alias
     * to a different type of KMS key, use <a>DeleteAlias</a> to delete the old alias and <a>CreateAlias</a> to create a
     * new alias.
     * </p>
     * <p>
     * You cannot use <code>UpdateAlias</code> to change an alias name. To change an alias name, use <a>DeleteAlias</a>
     * to delete the old alias and <a>CreateAlias</a> to create a new alias.
16296 * </p> 16297 * <p> 16298 * Because an alias is not a property of a KMS key, you can create, update, and delete the aliases of a KMS key 16299 * without affecting the KMS key. Also, aliases do not appear in the response from the <a>DescribeKey</a> operation. 16300 * To get the aliases of all KMS keys in the account, use the <a>ListAliases</a> operation. 16301 * </p> 16302 * <p> 16303 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 16304 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 16305 * <i>Key Management Service Developer Guide</i>. 16306 * </p> 16307 * <p> 16308 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 16309 * account. 16310 * </p> 16311 * <p> 16312 * <b>Required permissions</b> 16313 * </p> 16314 * <ul> 16315 * <li> 16316 * <p> 16317 * <a 16318 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:UpdateAlias 16319 * </a> on the alias (IAM policy). 16320 * </p> 16321 * </li> 16322 * <li> 16323 * <p> 16324 * <a 16325 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:UpdateAlias 16326 * </a> on the current KMS key (key policy). 16327 * </p> 16328 * </li> 16329 * <li> 16330 * <p> 16331 * <a 16332 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:UpdateAlias 16333 * </a> on the new KMS key (key policy). 16334 * </p> 16335 * </li> 16336 * </ul> 16337 * <p> 16338 * For details, see <a 16339 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access">Controlling access to 16340 * aliases</a> in the <i>Key Management Service Developer Guide</i>. 
16341 * </p> 16342 * <p> 16343 * <b>Related operations:</b> 16344 * </p> 16345 * <ul> 16346 * <li> 16347 * <p> 16348 * <a>CreateAlias</a> 16349 * </p> 16350 * </li> 16351 * <li> 16352 * <p> 16353 * <a>DeleteAlias</a> 16354 * </p> 16355 * </li> 16356 * <li> 16357 * <p> 16358 * <a>ListAliases</a> 16359 * </p> 16360 * </li> 16361 * </ul> 16362 * <p> 16363 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 16364 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 16365 * consistency</a>. 16366 * </p> 16367 * 16368 * @param updateAliasRequest 16369 * @return Result of the UpdateAlias operation returned by the service. 16370 * @throws DependencyTimeoutException 16371 * The system timed out while trying to fulfill the request. You can retry the request. 16372 * @throws NotFoundException 16373 * The request was rejected because the specified entity or resource could not be found. 16374 * @throws KmsInternalException 16375 * The request was rejected because an internal exception occurred. The request can be retried. 16376 * @throws LimitExceededException 16377 * The request was rejected because a quota was exceeded. For more information, see <a 16378 * href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the <i>Key 16379 * Management Service Developer Guide</i>. 16380 * @throws KmsInvalidStateException 16381 * The request was rejected because the state of the specified resource is not valid for this request.</p> 16382 * <p> 16383 * This exceptions means one of the following: 16384 * </p> 16385 * <ul> 16386 * <li> 16387 * <p> 16388 * The key state of the KMS key is not compatible with the operation. 16389 * </p> 16390 * <p> 16391 * To find the key state, use the <a>DescribeKey</a> operation. 
For more information about which key states
     *         are compatible with each KMS operation, see <a
     *         href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
     *         the <i> <i>Key Management Service Developer Guide</i> </i>.
     *         </p>
     *         </li>
     *         <li>
     *         <p>
     *         For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     *         failure with many possible causes. To identify the cause, see the error message that accompanies the
     *         exception.
     *         </p>
     *         </li>
     *         </ul>
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.UpdateAlias
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateAlias" target="_top">AWS API
     *      Documentation</a>
     */
    default UpdateAliasResponse updateAlias(UpdateAliasRequest updateAliasRequest)
            throws DependencyTimeoutException, NotFoundException, KmsInternalException, LimitExceededException,
            KmsInvalidStateException, AwsServiceException, SdkClientException, KmsException {
        // Interface default: no request is sent; the call always fails with UnsupportedOperationException.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Associates an existing KMS alias with a different KMS key. Each alias is associated with only one KMS key at a
     * time, although a KMS key can have multiple aliases. The alias and the KMS key must be in the same Amazon Web
     * Services account and Region.
16426 * </p> 16427 * <note> 16428 * <p> 16429 * Adding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see <a 16430 * href="https://docs.aws.amazon.com/kms/latest/developerguide/abac.html">ABAC for KMS</a> in the <i>Key Management 16431 * Service Developer Guide</i>. 16432 * </p> 16433 * </note> 16434 * <p> 16435 * The current and new KMS key must be the same type (both symmetric or both asymmetric or both HMAC), and they must 16436 * have the same key usage. This restriction prevents errors in code that uses aliases. If you must assign an alias 16437 * to a different type of KMS key, use <a>DeleteAlias</a> to delete the old alias and <a>CreateAlias</a> to create a 16438 * new alias. 16439 * </p> 16440 * <p> 16441 * You cannot use <code>UpdateAlias</code> to change an alias name. To change an alias name, use <a>DeleteAlias</a> 16442 * to delete the old alias and <a>CreateAlias</a> to create a new alias. 16443 * </p> 16444 * <p> 16445 * Because an alias is not a property of a KMS key, you can create, update, and delete the aliases of a KMS key 16446 * without affecting the KMS key. Also, aliases do not appear in the response from the <a>DescribeKey</a> operation. 16447 * To get the aliases of all KMS keys in the account, use the <a>ListAliases</a> operation. 16448 * </p> 16449 * <p> 16450 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 16451 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 16452 * <i>Key Management Service Developer Guide</i>. 16453 * </p> 16454 * <p> 16455 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 16456 * account. 
16457 * </p> 16458 * <p> 16459 * <b>Required permissions</b> 16460 * </p> 16461 * <ul> 16462 * <li> 16463 * <p> 16464 * <a 16465 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:UpdateAlias 16466 * </a> on the alias (IAM policy). 16467 * </p> 16468 * </li> 16469 * <li> 16470 * <p> 16471 * <a 16472 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:UpdateAlias 16473 * </a> on the current KMS key (key policy). 16474 * </p> 16475 * </li> 16476 * <li> 16477 * <p> 16478 * <a 16479 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:UpdateAlias 16480 * </a> on the new KMS key (key policy). 16481 * </p> 16482 * </li> 16483 * </ul> 16484 * <p> 16485 * For details, see <a 16486 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access">Controlling access to 16487 * aliases</a> in the <i>Key Management Service Developer Guide</i>. 16488 * </p> 16489 * <p> 16490 * <b>Related operations:</b> 16491 * </p> 16492 * <ul> 16493 * <li> 16494 * <p> 16495 * <a>CreateAlias</a> 16496 * </p> 16497 * </li> 16498 * <li> 16499 * <p> 16500 * <a>DeleteAlias</a> 16501 * </p> 16502 * </li> 16503 * <li> 16504 * <p> 16505 * <a>ListAliases</a> 16506 * </p> 16507 * </li> 16508 * </ul> 16509 * <p> 16510 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 16511 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 16512 * consistency</a>. 
16513 * </p> 16514 * <br/> 16515 * <p> 16516 * This is a convenience which creates an instance of the {@link UpdateAliasRequest.Builder} avoiding the need to 16517 * create one manually via {@link UpdateAliasRequest#builder()} 16518 * </p> 16519 * 16520 * @param updateAliasRequest 16521 * A {@link Consumer} that will call methods on 16522 * {@link software.amazon.awssdk.services.kms.model.UpdateAliasRequest.Builder} to create a request. 16523 * @return Result of the UpdateAlias operation returned by the service. 16524 * @throws DependencyTimeoutException 16525 * The system timed out while trying to fulfill the request. You can retry the request. 16526 * @throws NotFoundException 16527 * The request was rejected because the specified entity or resource could not be found. 16528 * @throws KmsInternalException 16529 * The request was rejected because an internal exception occurred. The request can be retried. 16530 * @throws LimitExceededException 16531 * The request was rejected because a quota was exceeded. For more information, see <a 16532 * href="https://docs.aws.amazon.com/kms/latest/developerguide/limits.html">Quotas</a> in the <i>Key 16533 * Management Service Developer Guide</i>. 16534 * @throws KmsInvalidStateException 16535 * The request was rejected because the state of the specified resource is not valid for this request.</p> 16536 * <p> 16537 * This exceptions means one of the following: 16538 * </p> 16539 * <ul> 16540 * <li> 16541 * <p> 16542 * The key state of the KMS key is not compatible with the operation. 16543 * </p> 16544 * <p> 16545 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 16546 * are compatible with each KMS operation, see <a 16547 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 16548 * the <i> <i>Key Management Service Developer Guide</i> </i>. 
*         </p>
     *         </li>
     *         <li>
     *         <p>
     *         For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     *         failure with many possible causes. To identify the cause, see the error message that accompanies the
     *         exception.
     *         </p>
     *         </li>
     *         </ul>
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.UpdateAlias
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateAlias" target="_top">AWS API
     *      Documentation</a>
     */
    default UpdateAliasResponse updateAlias(Consumer<UpdateAliasRequest.Builder> updateAliasRequest)
            throws DependencyTimeoutException, NotFoundException, KmsInternalException, LimitExceededException,
            KmsInvalidStateException, AwsServiceException, SdkClientException, KmsException {
        // Materialize the request from the caller's mutator, then delegate to the request-object overload.
        // Updating an alias can allow or deny permission to the KMS key (ABAC), so the target key set
        // through the mutator is authorization-relevant input.
        final UpdateAliasRequest request = UpdateAliasRequest.builder().applyMutation(updateAliasRequest).build();
        return updateAlias(request);
    }

    /**
     * <p>
     * Changes the properties of a custom key store. You can use this operation to change the properties of an CloudHSM
     * key store or an external key store.
     * </p>
     * <p>
     * Use the required <code>CustomKeyStoreId</code> parameter to identify the custom key store. Use the remaining
     * optional parameters to change its properties. This operation does not return any property values. To verify the
     * updated property values, use the <a>DescribeCustomKeyStores</a> operation.
16584 * </p> 16585 * <p> 16586 * This operation is part of the <a 16587 * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key stores</a> 16588 * feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of 16589 * a key store that you own and manage. 16590 * </p> 16591 * <important> 16592 * <p> 16593 * When updating the properties of an external key store, verify that the updated settings connect your key store, 16594 * via the external key store proxy, to the same external key manager as the previous settings, or to a backup or 16595 * snapshot of the external key manager with the same cryptographic keys. If the updated connection settings fail, 16596 * you can fix them and retry, although an extended delay might disrupt Amazon Web Services services. However, if 16597 * KMS permanently loses its access to cryptographic keys, ciphertext encrypted under those keys is unrecoverable. 16598 * </p> 16599 * </important> <note> 16600 * <p> 16601 * For external key stores: 16602 * </p> 16603 * <p> 16604 * Some external key managers provide a simpler method for updating an external key store. For details, see your 16605 * external key manager documentation. 16606 * </p> 16607 * <p> 16608 * When updating an external key store in the KMS console, you can upload a JSON-based proxy configuration file with 16609 * the desired values. You cannot upload the proxy configuration file to the <code>UpdateCustomKeyStore</code> 16610 * operation. However, you can use the file to help you determine the correct values for the 16611 * <code>UpdateCustomKeyStore</code> parameters. 
16612 * </p> 16613 * </note> 16614 * <p> 16615 * For an CloudHSM key store, you can use this operation to change the custom key store friendly name ( 16616 * <code>NewCustomKeyStoreName</code>), to tell KMS about a change to the <code>kmsuser</code> crypto user password 16617 * (<code>KeyStorePassword</code>), or to associate the custom key store with a different, but related, CloudHSM 16618 * cluster (<code>CloudHsmClusterId</code>). To update any property of an CloudHSM key store, the 16619 * <code>ConnectionState</code> of the CloudHSM key store must be <code>DISCONNECTED</code>. 16620 * </p> 16621 * <p> 16622 * For an external key store, you can use this operation to change the custom key store friendly name ( 16623 * <code>NewCustomKeyStoreName</code>), or to tell KMS about a change to the external key store proxy authentication 16624 * credentials (<code>XksProxyAuthenticationCredential</code>), connection method (<code>XksProxyConnectivity</code> 16625 * ), external proxy endpoint (<code>XksProxyUriEndpoint</code>) and path (<code>XksProxyUriPath</code>). For 16626 * external key stores with an <code>XksProxyConnectivity</code> of <code>VPC_ENDPOINT_SERVICE</code>, you can also 16627 * update the Amazon VPC endpoint service name (<code>XksProxyVpcEndpointServiceName</code>). To update most 16628 * properties of an external key store, the <code>ConnectionState</code> of the external key store must be 16629 * <code>DISCONNECTED</code>. However, you can update the <code>CustomKeyStoreName</code>, 16630 * <code>XksProxyAuthenticationCredential</code>, and <code>XksProxyUriPath</code> of an external key store when it 16631 * is in the CONNECTED or DISCONNECTED state. 16632 * </p> 16633 * <p> 16634 * If your update requires a <code>DISCONNECTED</code> state, before using <code>UpdateCustomKeyStore</code>, use 16635 * the <a>DisconnectCustomKeyStore</a> operation to disconnect the custom key store. 
After the 16636 * <code>UpdateCustomKeyStore</code> operation completes, use the <a>ConnectCustomKeyStore</a> to reconnect the 16637 * custom key store. To find the <code>ConnectionState</code> of the custom key store, use the 16638 * <a>DescribeCustomKeyStores</a> operation. 16639 * </p> 16640 * <p> 16641 * </p> 16642 * <p> 16643 * Before updating the custom key store, verify that the new values allow KMS to connect the custom key store to its 16644 * backing key store. For example, before you change the <code>XksProxyUriPath</code> value, verify that the 16645 * external key store proxy is reachable at the new path. 16646 * </p> 16647 * <p> 16648 * If the operation succeeds, it returns a JSON object with no properties. 16649 * </p> 16650 * <p> 16651 * <b>Cross-account use</b>: No. You cannot perform this operation on a custom key store in a different Amazon Web 16652 * Services account. 16653 * </p> 16654 * <p> 16655 * <b>Required permissions</b>: <a 16656 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 16657 * >kms:UpdateCustomKeyStore</a> (IAM policy) 16658 * </p> 16659 * <p> 16660 * <b>Related operations:</b> 16661 * </p> 16662 * <ul> 16663 * <li> 16664 * <p> 16665 * <a>ConnectCustomKeyStore</a> 16666 * </p> 16667 * </li> 16668 * <li> 16669 * <p> 16670 * <a>CreateCustomKeyStore</a> 16671 * </p> 16672 * </li> 16673 * <li> 16674 * <p> 16675 * <a>DeleteCustomKeyStore</a> 16676 * </p> 16677 * </li> 16678 * <li> 16679 * <p> 16680 * <a>DescribeCustomKeyStores</a> 16681 * </p> 16682 * </li> 16683 * <li> 16684 * <p> 16685 * <a>DisconnectCustomKeyStore</a> 16686 * </p> 16687 * </li> 16688 * </ul> 16689 * <p> 16690 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 16691 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 16692 * consistency</a>. 
16693 * </p> 16694 * 16695 * @param updateCustomKeyStoreRequest 16696 * @return Result of the UpdateCustomKeyStore operation returned by the service. 16697 * @throws CustomKeyStoreNotFoundException 16698 * The request was rejected because KMS cannot find a custom key store with the specified key store name or 16699 * ID. 16700 * @throws CustomKeyStoreNameInUseException 16701 * The request was rejected because the specified custom key store name is already assigned to another 16702 * custom key store in the account. Try again with a custom key store name that is unique in the account. 16703 * @throws CloudHsmClusterNotFoundException 16704 * The request was rejected because KMS cannot find the CloudHSM cluster with the specified cluster ID. 16705 * Retry the request with a different cluster ID. 16706 * @throws CloudHsmClusterNotRelatedException 16707 * The request was rejected because the specified CloudHSM cluster has a different cluster certificate than 16708 * the original cluster. You cannot use the operation to specify an unrelated cluster for an CloudHSM key 16709 * store.</p> 16710 * <p> 16711 * Specify an CloudHSM cluster that shares a backup history with the original cluster. This includes 16712 * clusters that were created from a backup of the current cluster, and clusters that were created from the 16713 * same backup that produced the current cluster. 16714 * </p> 16715 * <p> 16716 * CloudHSM clusters that share a backup history have the same cluster certificate. To view the cluster 16717 * certificate of an CloudHSM cluster, use the <a 16718 * href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html" 16719 * >DescribeClusters</a> operation. 16720 * @throws CustomKeyStoreInvalidStateException 16721 * The request was rejected because of the <code>ConnectionState</code> of the custom key store. To get the 16722 * <code>ConnectionState</code> of a custom key store, use the <a>DescribeCustomKeyStores</a> operation. 
16723 * </p> 16724 * <p> 16725 * This exception is thrown under the following conditions: 16726 * </p> 16727 * <ul> 16728 * <li> 16729 * <p> 16730 * You requested the <a>ConnectCustomKeyStore</a> operation on a custom key store with a 16731 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>FAILED</code>. This operation is 16732 * valid for all other <code>ConnectionState</code> values. To reconnect a custom key store in a 16733 * <code>FAILED</code> state, disconnect it (<a>DisconnectCustomKeyStore</a>), then connect it ( 16734 * <code>ConnectCustomKeyStore</code>). 16735 * </p> 16736 * </li> 16737 * <li> 16738 * <p> 16739 * You requested the <a>CreateKey</a> operation in a custom key store that is not connected. This operations 16740 * is valid only when the custom key store <code>ConnectionState</code> is <code>CONNECTED</code>. 16741 * </p> 16742 * </li> 16743 * <li> 16744 * <p> 16745 * You requested the <a>DisconnectCustomKeyStore</a> operation on a custom key store with a 16746 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>DISCONNECTED</code>. This operation 16747 * is valid for all other <code>ConnectionState</code> values. 16748 * </p> 16749 * </li> 16750 * <li> 16751 * <p> 16752 * You requested the <a>UpdateCustomKeyStore</a> or <a>DeleteCustomKeyStore</a> operation on a custom key 16753 * store that is not disconnected. This operation is valid only when the custom key store 16754 * <code>ConnectionState</code> is <code>DISCONNECTED</code>. 16755 * </p> 16756 * </li> 16757 * <li> 16758 * <p> 16759 * You requested the <a>GenerateRandom</a> operation in an CloudHSM key store that is not connected. This 16760 * operation is valid only when the CloudHSM key store <code>ConnectionState</code> is 16761 * <code>CONNECTED</code>. 16762 * </p> 16763 * </li> 16764 * @throws KmsInternalException 16765 * The request was rejected because an internal exception occurred. The request can be retried. 
16766 * @throws CloudHsmClusterNotActiveException 16767 * The request was rejected because the CloudHSM cluster associated with the CloudHSM key store is not 16768 * active. Initialize and activate the cluster and try the command again. For detailed instructions, see <a 16769 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html">Getting Started</a> in 16770 * the <i>CloudHSM User Guide</i>. 16771 * @throws CloudHsmClusterInvalidConfigurationException 16772 * The request was rejected because the associated CloudHSM cluster did not meet the configuration 16773 * requirements for a CloudHSM key store.</p> 16774 * <ul> 16775 * <li> 16776 * <p> 16777 * The CloudHSM cluster must be configured with private subnets in at least two different Availability Zones 16778 * in the Region. 16779 * </p> 16780 * </li> 16781 * <li> 16782 * <p> 16783 * The <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">security group for 16784 * the cluster</a> (cloudhsm-cluster-<i>&lt;cluster-id&gt;</i>-sg) must include inbound rules and outbound 16785 * rules that allow TCP traffic on ports 2223-2225. The <b>Source</b> in the inbound rules and the 16786 * <b>Destination</b> in the outbound rules must match the security group ID. These rules are set by default 16787 * when you create the CloudHSM cluster. Do not delete or change them. To get information about a particular 16788 * security group, use the <a 16789 * href="https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html" 16790 * >DescribeSecurityGroups</a> operation. 16791 * </p> 16792 * </li> 16793 * <li> 16794 * <p> 16795 * The CloudHSM cluster must contain at least as many HSMs as the operation requires. To add HSMs, use the 16796 * CloudHSM <a 16797 * href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html">CreateHsm</a> 16798 * operation.
16799 * </p> 16800 * <p> 16801 * For the <a>CreateCustomKeyStore</a>, <a>UpdateCustomKeyStore</a>, and <a>CreateKey</a> operations, the 16802 * CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone. For the 16803 * <a>ConnectCustomKeyStore</a> operation, the CloudHSM must contain at least one active HSM. 16804 * </p> 16805 * </li> 16806 * </ul> 16807 * <p> 16808 * For information about the requirements for an CloudHSM cluster that is associated with an CloudHSM key 16809 * store, see <a 16810 * href="https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore" 16811 * >Assemble the Prerequisites</a> in the <i>Key Management Service Developer Guide</i>. For information 16812 * about creating a private subnet for an CloudHSM cluster, see <a 16813 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html">Create a Private 16814 * Subnet</a> in the <i>CloudHSM User Guide</i>. For information about cluster security groups, see <a 16815 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">Configure a Default 16816 * Security Group</a> in the <i> <i>CloudHSM User Guide</i> </i>. 16817 * @throws XksProxyUriInUseException 16818 * The request was rejected because the concatenation of the <code>XksProxyUriEndpoint</code> and 16819 * <code>XksProxyUriPath</code> is already associated with another external key store in this Amazon Web 16820 * Services Region. Each external key store in a Region must use a unique external key store proxy API 16821 * address. 16822 * @throws XksProxyUriEndpointInUseException 16823 * The request was rejected because the <code>XksProxyUriEndpoint</code> is already associated with another 16824 * external key store in this Amazon Web Services Region. To identify the cause, see the error message that 16825 * accompanies the exception. 
16826 * @throws XksProxyUriUnreachableException 16827 * KMS was unable to reach the specified <code>XksProxyUriPath</code>. The path must be reachable before you 16828 * create the external key store or update its settings. 16829 * </p> 16830 * <p> 16831 * This exception is also thrown when the external key store proxy response to a 16832 * <code>GetHealthStatus</code> request indicates that all external key manager instances are unavailable. 16833 * @throws XksProxyIncorrectAuthenticationCredentialException 16834 * The request was rejected because the proxy credentials failed to authenticate to the specified external 16835 * key store proxy. The specified external key store proxy rejected a status request from KMS due to invalid 16836 * credentials. This can indicate an error in the credentials or in the identification of the external key 16837 * store proxy. 16838 * @throws XksProxyVpcEndpointServiceInUseException 16839 * The request was rejected because the specified Amazon VPC endpoint service is already associated with 16840 * another external key store in this Amazon Web Services Region. Each external key store in a Region must 16841 * use a different Amazon VPC endpoint service. 16842 * @throws XksProxyVpcEndpointServiceNotFoundException 16843 * The request was rejected because KMS could not find the specified VPC endpoint service. Use 16844 * <a>DescribeCustomKeyStores</a> to verify the VPC endpoint service name for the external key store. Also, 16845 * confirm that the <code>Allow principals</code> list for the VPC endpoint service includes the KMS service 16846 * principal for the Region, such as <code>cks.kms.us-east-1.amazonaws.com</code>. 16847 * @throws XksProxyVpcEndpointServiceInvalidConfigurationException 16848 * The request was rejected because the Amazon VPC endpoint service configuration does not fulfill the 16849 * requirements for an external key store. 
To identify the cause, see the error message that accompanies the 16850 * exception and <a 16851 * href="https://docs.aws.amazon.com/kms/latest/developerguide/vpc-connectivity.html#xks-vpc-requirements" 16852 * >review the requirements</a> for Amazon VPC endpoint service connectivity for an external key store. 16853 * @throws XksProxyInvalidResponseException 16854 * <p> 16855 * KMS cannot interpret the response it received from the external key store proxy. The problem might be a 16856 * poorly constructed response, but it could also be a transient network issue. If you see this error 16857 * repeatedly, report it to the proxy vendor. 16858 * @throws XksProxyInvalidConfigurationException 16859 * The request was rejected because the external key store proxy is not configured correctly. To identify 16860 * the cause, see the error message that accompanies the exception. 16861 * @throws SdkException 16862 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 16863 * catch all scenarios. 16864 * @throws SdkClientException 16865 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 16866 * @throws KmsException 16867 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
* @sample KmsClient.UpdateCustomKeyStore
 * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateCustomKeyStore" target="_top">AWS API
 *      Documentation</a>
 */
default UpdateCustomKeyStoreResponse updateCustomKeyStore(UpdateCustomKeyStoreRequest updateCustomKeyStoreRequest)
        throws CustomKeyStoreNotFoundException,
               CustomKeyStoreNameInUseException,
               CloudHsmClusterNotFoundException,
               CloudHsmClusterNotRelatedException,
               CustomKeyStoreInvalidStateException,
               KmsInternalException,
               CloudHsmClusterNotActiveException,
               CloudHsmClusterInvalidConfigurationException,
               XksProxyUriInUseException,
               XksProxyUriEndpointInUseException,
               XksProxyUriUnreachableException,
               XksProxyIncorrectAuthenticationCredentialException,
               XksProxyVpcEndpointServiceInUseException,
               XksProxyVpcEndpointServiceNotFoundException,
               XksProxyVpcEndpointServiceInvalidConfigurationException,
               XksProxyInvalidResponseException,
               XksProxyInvalidConfigurationException,
               AwsServiceException,
               SdkClientException,
               KmsException {
    // Nothing is sent to KMS from this default body: it always throws. Presumably the concrete
    // client implementation overrides it; confirm against the implementing class.
    throw new UnsupportedOperationException();
}

/**
 * <p>
 * Changes the properties of a custom key store. You can use this operation to change the properties of a CloudHSM
 * key store or an external key store.
 * </p>
 * <p>
 * Use the required <code>CustomKeyStoreId</code> parameter to identify the custom key store. Use the remaining
 * optional parameters to change its properties. This operation does not return any property values. To verify the
 * updated property values, use the <a>DescribeCustomKeyStores</a> operation.
16893 * </p> 16894 * <p> 16895 * This operation is part of the <a 16896 * href="https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html">custom key stores</a> 16897 * feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of 16898 * a key store that you own and manage. 16899 * </p> 16900 * <important> 16901 * <p> 16902 * When updating the properties of an external key store, verify that the updated settings connect your key store, 16903 * via the external key store proxy, to the same external key manager as the previous settings, or to a backup or 16904 * snapshot of the external key manager with the same cryptographic keys. If the updated connection settings fail, 16905 * you can fix them and retry, although an extended delay might disrupt Amazon Web Services services. However, if 16906 * KMS permanently loses its access to cryptographic keys, ciphertext encrypted under those keys is unrecoverable. 16907 * </p> 16908 * </important> <note> 16909 * <p> 16910 * For external key stores: 16911 * </p> 16912 * <p> 16913 * Some external key managers provide a simpler method for updating an external key store. For details, see your 16914 * external key manager documentation. 16915 * </p> 16916 * <p> 16917 * When updating an external key store in the KMS console, you can upload a JSON-based proxy configuration file with 16918 * the desired values. You cannot upload the proxy configuration file to the <code>UpdateCustomKeyStore</code> 16919 * operation. However, you can use the file to help you determine the correct values for the 16920 * <code>UpdateCustomKeyStore</code> parameters. 
16921 * </p> 16922 * </note> 16923 * <p> 16924 * For an CloudHSM key store, you can use this operation to change the custom key store friendly name ( 16925 * <code>NewCustomKeyStoreName</code>), to tell KMS about a change to the <code>kmsuser</code> crypto user password 16926 * (<code>KeyStorePassword</code>), or to associate the custom key store with a different, but related, CloudHSM 16927 * cluster (<code>CloudHsmClusterId</code>). To update any property of an CloudHSM key store, the 16928 * <code>ConnectionState</code> of the CloudHSM key store must be <code>DISCONNECTED</code>. 16929 * </p> 16930 * <p> 16931 * For an external key store, you can use this operation to change the custom key store friendly name ( 16932 * <code>NewCustomKeyStoreName</code>), or to tell KMS about a change to the external key store proxy authentication 16933 * credentials (<code>XksProxyAuthenticationCredential</code>), connection method (<code>XksProxyConnectivity</code> 16934 * ), external proxy endpoint (<code>XksProxyUriEndpoint</code>) and path (<code>XksProxyUriPath</code>). For 16935 * external key stores with an <code>XksProxyConnectivity</code> of <code>VPC_ENDPOINT_SERVICE</code>, you can also 16936 * update the Amazon VPC endpoint service name (<code>XksProxyVpcEndpointServiceName</code>). To update most 16937 * properties of an external key store, the <code>ConnectionState</code> of the external key store must be 16938 * <code>DISCONNECTED</code>. However, you can update the <code>CustomKeyStoreName</code>, 16939 * <code>XksProxyAuthenticationCredential</code>, and <code>XksProxyUriPath</code> of an external key store when it 16940 * is in the CONNECTED or DISCONNECTED state. 16941 * </p> 16942 * <p> 16943 * If your update requires a <code>DISCONNECTED</code> state, before using <code>UpdateCustomKeyStore</code>, use 16944 * the <a>DisconnectCustomKeyStore</a> operation to disconnect the custom key store. 
After the 16945 * <code>UpdateCustomKeyStore</code> operation completes, use the <a>ConnectCustomKeyStore</a> to reconnect the 16946 * custom key store. To find the <code>ConnectionState</code> of the custom key store, use the 16947 * <a>DescribeCustomKeyStores</a> operation. 16948 * </p> 16949 * <p> 16950 * </p> 16951 * <p> 16952 * Before updating the custom key store, verify that the new values allow KMS to connect the custom key store to its 16953 * backing key store. For example, before you change the <code>XksProxyUriPath</code> value, verify that the 16954 * external key store proxy is reachable at the new path. 16955 * </p> 16956 * <p> 16957 * If the operation succeeds, it returns a JSON object with no properties. 16958 * </p> 16959 * <p> 16960 * <b>Cross-account use</b>: No. You cannot perform this operation on a custom key store in a different Amazon Web 16961 * Services account. 16962 * </p> 16963 * <p> 16964 * <b>Required permissions</b>: <a 16965 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 16966 * >kms:UpdateCustomKeyStore</a> (IAM policy) 16967 * </p> 16968 * <p> 16969 * <b>Related operations:</b> 16970 * </p> 16971 * <ul> 16972 * <li> 16973 * <p> 16974 * <a>ConnectCustomKeyStore</a> 16975 * </p> 16976 * </li> 16977 * <li> 16978 * <p> 16979 * <a>CreateCustomKeyStore</a> 16980 * </p> 16981 * </li> 16982 * <li> 16983 * <p> 16984 * <a>DeleteCustomKeyStore</a> 16985 * </p> 16986 * </li> 16987 * <li> 16988 * <p> 16989 * <a>DescribeCustomKeyStores</a> 16990 * </p> 16991 * </li> 16992 * <li> 16993 * <p> 16994 * <a>DisconnectCustomKeyStore</a> 16995 * </p> 16996 * </li> 16997 * </ul> 16998 * <p> 16999 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 17000 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 17001 * consistency</a>. 
17002 * </p> 17003 * <br/> 17004 * <p> 17005 * This is a convenience which creates an instance of the {@link UpdateCustomKeyStoreRequest.Builder} avoiding the 17006 * need to create one manually via {@link UpdateCustomKeyStoreRequest#builder()} 17007 * </p> 17008 * 17009 * @param updateCustomKeyStoreRequest 17010 * A {@link Consumer} that will call methods on 17011 * {@link software.amazon.awssdk.services.kms.model.UpdateCustomKeyStoreRequest.Builder} to create a request. 17012 * @return Result of the UpdateCustomKeyStore operation returned by the service. 17013 * @throws CustomKeyStoreNotFoundException 17014 * The request was rejected because KMS cannot find a custom key store with the specified key store name or 17015 * ID. 17016 * @throws CustomKeyStoreNameInUseException 17017 * The request was rejected because the specified custom key store name is already assigned to another 17018 * custom key store in the account. Try again with a custom key store name that is unique in the account. 17019 * @throws CloudHsmClusterNotFoundException 17020 * The request was rejected because KMS cannot find the CloudHSM cluster with the specified cluster ID. 17021 * Retry the request with a different cluster ID. 17022 * @throws CloudHsmClusterNotRelatedException 17023 * The request was rejected because the specified CloudHSM cluster has a different cluster certificate than 17024 * the original cluster. You cannot use the operation to specify an unrelated cluster for an CloudHSM key 17025 * store.</p> 17026 * <p> 17027 * Specify an CloudHSM cluster that shares a backup history with the original cluster. This includes 17028 * clusters that were created from a backup of the current cluster, and clusters that were created from the 17029 * same backup that produced the current cluster. 17030 * </p> 17031 * <p> 17032 * CloudHSM clusters that share a backup history have the same cluster certificate. 
To view the cluster 17033 * certificate of a CloudHSM cluster, use the <a 17034 * href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html" 17035 * >DescribeClusters</a> operation. 17036 * @throws CustomKeyStoreInvalidStateException 17037 * The request was rejected because of the <code>ConnectionState</code> of the custom key store. To get the 17038 * <code>ConnectionState</code> of a custom key store, use the <a>DescribeCustomKeyStores</a> operation. 17039 * </p> 17040 * <p> 17041 * This exception is thrown under the following conditions: 17042 * </p> 17043 * <ul> 17044 * <li> 17045 * <p> 17046 * You requested the <a>ConnectCustomKeyStore</a> operation on a custom key store with a 17047 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>FAILED</code>. This operation is 17048 * valid for all other <code>ConnectionState</code> values. To reconnect a custom key store in a 17049 * <code>FAILED</code> state, disconnect it (<a>DisconnectCustomKeyStore</a>), then connect it ( 17050 * <code>ConnectCustomKeyStore</code>). 17051 * </p> 17052 * </li> 17053 * <li> 17054 * <p> 17055 * You requested the <a>CreateKey</a> operation in a custom key store that is not connected. This operation 17056 * is valid only when the custom key store <code>ConnectionState</code> is <code>CONNECTED</code>. 17057 * </p> 17058 * </li> 17059 * <li> 17060 * <p> 17061 * You requested the <a>DisconnectCustomKeyStore</a> operation on a custom key store with a 17062 * <code>ConnectionState</code> of <code>DISCONNECTING</code> or <code>DISCONNECTED</code>. This operation 17063 * is valid for all other <code>ConnectionState</code> values. 17064 * </p> 17065 * </li> 17066 * <li> 17067 * <p> 17068 * You requested the <a>UpdateCustomKeyStore</a> or <a>DeleteCustomKeyStore</a> operation on a custom key 17069 * store that is not disconnected.
This operation is valid only when the custom key store 17070 * <code>ConnectionState</code> is <code>DISCONNECTED</code>. 17071 * </p> 17072 * </li> 17073 * <li> 17074 * <p> 17075 * You requested the <a>GenerateRandom</a> operation in a CloudHSM key store that is not connected. This 17076 * operation is valid only when the CloudHSM key store <code>ConnectionState</code> is 17077 * <code>CONNECTED</code>. 17078 * </p> 17079 * </li> 17080 * @throws KmsInternalException 17081 * The request was rejected because an internal exception occurred. The request can be retried. 17082 * @throws CloudHsmClusterNotActiveException 17083 * The request was rejected because the CloudHSM cluster associated with the CloudHSM key store is not 17084 * active. Initialize and activate the cluster and try the command again. For detailed instructions, see <a 17085 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html">Getting Started</a> in 17086 * the <i>CloudHSM User Guide</i>. 17087 * @throws CloudHsmClusterInvalidConfigurationException 17088 * The request was rejected because the associated CloudHSM cluster did not meet the configuration 17089 * requirements for a CloudHSM key store.</p> 17090 * <ul> 17091 * <li> 17092 * <p> 17093 * The CloudHSM cluster must be configured with private subnets in at least two different Availability Zones 17094 * in the Region. 17095 * </p> 17096 * </li> 17097 * <li> 17098 * <p> 17099 * The <a href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">security group for 17100 * the cluster</a> (cloudhsm-cluster-<i>&lt;cluster-id&gt;</i>-sg) must include inbound rules and outbound 17101 * rules that allow TCP traffic on ports 2223-2225. The <b>Source</b> in the inbound rules and the 17102 * <b>Destination</b> in the outbound rules must match the security group ID. These rules are set by default 17103 * when you create the CloudHSM cluster. Do not delete or change them.
To get information about a particular 17104 * security group, use the <a 17105 * href="https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html" 17106 * >DescribeSecurityGroups</a> operation. 17107 * </p> 17108 * </li> 17109 * <li> 17110 * <p> 17111 * The CloudHSM cluster must contain at least as many HSMs as the operation requires. To add HSMs, use the 17112 * CloudHSM <a 17113 * href="https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html">CreateHsm</a> 17114 * operation. 17115 * </p> 17116 * <p> 17117 * For the <a>CreateCustomKeyStore</a>, <a>UpdateCustomKeyStore</a>, and <a>CreateKey</a> operations, the 17118 * CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone. For the 17119 * <a>ConnectCustomKeyStore</a> operation, the CloudHSM must contain at least one active HSM. 17120 * </p> 17121 * </li> 17122 * </ul> 17123 * <p> 17124 * For information about the requirements for an CloudHSM cluster that is associated with an CloudHSM key 17125 * store, see <a 17126 * href="https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore" 17127 * >Assemble the Prerequisites</a> in the <i>Key Management Service Developer Guide</i>. For information 17128 * about creating a private subnet for an CloudHSM cluster, see <a 17129 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html">Create a Private 17130 * Subnet</a> in the <i>CloudHSM User Guide</i>. For information about cluster security groups, see <a 17131 * href="https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html">Configure a Default 17132 * Security Group</a> in the <i> <i>CloudHSM User Guide</i> </i>. 
17133 * @throws XksProxyUriInUseException 17134 * The request was rejected because the concatenation of the <code>XksProxyUriEndpoint</code> and 17135 * <code>XksProxyUriPath</code> is already associated with another external key store in this Amazon Web 17136 * Services Region. Each external key store in a Region must use a unique external key store proxy API 17137 * address. 17138 * @throws XksProxyUriEndpointInUseException 17139 * The request was rejected because the <code>XksProxyUriEndpoint</code> is already associated with another 17140 * external key store in this Amazon Web Services Region. To identify the cause, see the error message that 17141 * accompanies the exception. 17142 * @throws XksProxyUriUnreachableException 17143 * KMS was unable to reach the specified <code>XksProxyUriPath</code>. The path must be reachable before you 17144 * create the external key store or update its settings. 17145 * </p> 17146 * <p> 17147 * This exception is also thrown when the external key store proxy response to a 17148 * <code>GetHealthStatus</code> request indicates that all external key manager instances are unavailable. 17149 * @throws XksProxyIncorrectAuthenticationCredentialException 17150 * The request was rejected because the proxy credentials failed to authenticate to the specified external 17151 * key store proxy. The specified external key store proxy rejected a status request from KMS due to invalid 17152 * credentials. This can indicate an error in the credentials or in the identification of the external key 17153 * store proxy. 17154 * @throws XksProxyVpcEndpointServiceInUseException 17155 * The request was rejected because the specified Amazon VPC endpoint service is already associated with 17156 * another external key store in this Amazon Web Services Region. Each external key store in a Region must 17157 * use a different Amazon VPC endpoint service. 
17158 * @throws XksProxyVpcEndpointServiceNotFoundException 17159 * The request was rejected because KMS could not find the specified VPC endpoint service. Use 17160 * <a>DescribeCustomKeyStores</a> to verify the VPC endpoint service name for the external key store. Also, 17161 * confirm that the <code>Allow principals</code> list for the VPC endpoint service includes the KMS service 17162 * principal for the Region, such as <code>cks.kms.us-east-1.amazonaws.com</code>. 17163 * @throws XksProxyVpcEndpointServiceInvalidConfigurationException 17164 * The request was rejected because the Amazon VPC endpoint service configuration does not fulfill the 17165 * requirements for an external key store. To identify the cause, see the error message that accompanies the 17166 * exception and <a 17167 * href="https://docs.aws.amazon.com/kms/latest/developerguide/vpc-connectivity.html#xks-vpc-requirements" 17168 * >review the requirements</a> for Amazon VPC endpoint service connectivity for an external key store. 17169 * @throws XksProxyInvalidResponseException 17170 * <p> 17171 * KMS cannot interpret the response it received from the external key store proxy. The problem might be a 17172 * poorly constructed response, but it could also be a transient network issue. If you see this error 17173 * repeatedly, report it to the proxy vendor. 17174 * @throws XksProxyInvalidConfigurationException 17175 * The request was rejected because the external key store proxy is not configured correctly. To identify 17176 * the cause, see the error message that accompanies the exception. 17177 * @throws SdkException 17178 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 17179 * catch all scenarios. 17180 * @throws SdkClientException 17181 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 17182 * @throws KmsException 17183 * Base class for all service exceptions. 
Unknown exceptions will be thrown as an instance of this type.
 * @sample KmsClient.UpdateCustomKeyStore
 * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateCustomKeyStore" target="_top">AWS API
 *      Documentation</a>
 */
default UpdateCustomKeyStoreResponse updateCustomKeyStore(
        Consumer<UpdateCustomKeyStoreRequest.Builder> updateCustomKeyStoreRequest)
        throws CustomKeyStoreNotFoundException,
               CustomKeyStoreNameInUseException,
               CloudHsmClusterNotFoundException,
               CloudHsmClusterNotRelatedException,
               CustomKeyStoreInvalidStateException,
               KmsInternalException,
               CloudHsmClusterNotActiveException,
               CloudHsmClusterInvalidConfigurationException,
               XksProxyUriInUseException,
               XksProxyUriEndpointInUseException,
               XksProxyUriUnreachableException,
               XksProxyIncorrectAuthenticationCredentialException,
               XksProxyVpcEndpointServiceInUseException,
               XksProxyVpcEndpointServiceNotFoundException,
               XksProxyVpcEndpointServiceInvalidConfigurationException,
               XksProxyInvalidResponseException,
               XksProxyInvalidConfigurationException,
               AwsServiceException,
               SdkClientException,
               KmsException {
    // The caller's consumer populates a fresh builder; the built request then goes to the
    // request-object overload, which performs (or refuses) the call.
    // Per the Javadoc above, the request can carry KeyStorePassword or
    // XksProxyAuthenticationCredential: treat it as sensitive and keep it out of application logs.
    UpdateCustomKeyStoreRequest request =
            UpdateCustomKeyStoreRequest.builder().applyMutation(updateCustomKeyStoreRequest).build();
    return updateCustomKeyStore(request);
}

/**
 * <p>
 * Updates the description of a KMS key. To see the description of a KMS key, use <a>DescribeKey</a>.
 * </p>
 * <p>
 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the
 * <i>Key Management Service Developer Guide</i>.
 * </p>
 * <p>
 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services
 * account.
17212 * </p> 17213 * <p> 17214 * <b>Required permissions</b>: <a 17215 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 17216 * >kms:UpdateKeyDescription</a> (key policy) 17217 * </p> 17218 * <p> 17219 * <b>Related operations</b> 17220 * </p> 17221 * <ul> 17222 * <li> 17223 * <p> 17224 * <a>CreateKey</a> 17225 * </p> 17226 * </li> 17227 * <li> 17228 * <p> 17229 * <a>DescribeKey</a> 17230 * </p> 17231 * </li> 17232 * </ul> 17233 * <p> 17234 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 17235 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 17236 * consistency</a>. 17237 * </p> 17238 * 17239 * @param updateKeyDescriptionRequest 17240 * @return Result of the UpdateKeyDescription operation returned by the service. 17241 * @throws NotFoundException 17242 * The request was rejected because the specified entity or resource could not be found. 17243 * @throws InvalidArnException 17244 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 17245 * @throws DependencyTimeoutException 17246 * The system timed out while trying to fulfill the request. You can retry the request. 17247 * @throws KmsInternalException 17248 * The request was rejected because an internal exception occurred. The request can be retried. 17249 * @throws KmsInvalidStateException 17250 * The request was rejected because the state of the specified resource is not valid for this request.</p> 17251 * <p> 17252 * This exception means one of the following: 17253 * </p> 17254 * <ul> 17255 * <li> 17256 * <p> 17257 * The key state of the KMS key is not compatible with the operation. 17258 * </p> 17259 * <p> 17260 * To find the key state, use the <a>DescribeKey</a> operation.
For more information about which key states
 * are compatible with each KMS operation, see <a
 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
 * the <i>Key Management Service Developer Guide</i>.
 * </p>
 * </li>
 * <li>
 * <p>
 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general
 * failure with many possible causes. To identify the cause, see the error message that accompanies the
 * exception.
 * </p>
 * </li>
 * @throws SdkException
 *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
 *         catch all scenarios.
 * @throws SdkClientException
 *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
 * @throws KmsException
 *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
 * @sample KmsClient.UpdateKeyDescription
 * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateKeyDescription" target="_top">AWS API
 *      Documentation</a>
 */
default UpdateKeyDescriptionResponse updateKeyDescription(UpdateKeyDescriptionRequest updateKeyDescriptionRequest)
        throws NotFoundException,
               InvalidArnException,
               DependencyTimeoutException,
               KmsInternalException,
               KmsInvalidStateException,
               AwsServiceException,
               SdkClientException,
               KmsException {
    // Nothing is sent to KMS from this default body: it always throws. Presumably the concrete
    // client implementation overrides it; confirm against the implementing class.
    throw new UnsupportedOperationException();
}

/**
 * <p>
 * Updates the description of a KMS key. To see the description of a KMS key, use <a>DescribeKey</a>.
 * </p>
 * <p>
 * The KMS key that you use for this operation must be in a compatible key state.
For details, see <a 17296 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 17297 * <i>Key Management Service Developer Guide</i>. 17298 * </p> 17299 * <p> 17300 * <b>Cross-account use</b>: No. You cannot perform this operation on a KMS key in a different Amazon Web Services 17301 * account. 17302 * </p> 17303 * <p> 17304 * <b>Required permissions</b>: <a 17305 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html" 17306 * >kms:UpdateKeyDescription</a> (key policy) 17307 * </p> 17308 * <p> 17309 * <b>Related operations</b> 17310 * </p> 17311 * <ul> 17312 * <li> 17313 * <p> 17314 * <a>CreateKey</a> 17315 * </p> 17316 * </li> 17317 * <li> 17318 * <p> 17319 * <a>DescribeKey</a> 17320 * </p> 17321 * </li> 17322 * </ul> 17323 * <p> 17324 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 17325 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 17326 * consistency</a>. 17327 * </p> 17328 * <br/> 17329 * <p> 17330 * This is a convenience which creates an instance of the {@link UpdateKeyDescriptionRequest.Builder} avoiding the 17331 * need to create one manually via {@link UpdateKeyDescriptionRequest#builder()} 17332 * </p> 17333 * 17334 * @param updateKeyDescriptionRequest 17335 * A {@link Consumer} that will call methods on 17336 * {@link software.amazon.awssdk.services.kms.model.UpdateKeyDescriptionRequest.Builder} to create a request. 17337 * @return Result of the UpdateKeyDescription operation returned by the service. 17338 * @throws NotFoundException 17339 * The request was rejected because the specified entity or resource could not be found. 17340 * @throws InvalidArnException 17341 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 
17342 * @throws DependencyTimeoutException 17343 * The system timed out while trying to fulfill the request. You can retry the request. 17344 * @throws KmsInternalException 17345 * The request was rejected because an internal exception occurred. The request can be retried. 17346 * @throws KmsInvalidStateException 17347 * The request was rejected because the state of the specified resource is not valid for this request.</p> 17348 * <p> 17349 * This exceptions means one of the following: 17350 * </p> 17351 * <ul> 17352 * <li> 17353 * <p> 17354 * The key state of the KMS key is not compatible with the operation. 17355 * </p> 17356 * <p> 17357 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 17358 * are compatible with each KMS operation, see <a 17359 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 17360 * the <i> <i>Key Management Service Developer Guide</i> </i>. 17361 * </p> 17362 * </li> 17363 * <li> 17364 * <p> 17365 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 17366 * failure with many possible causes. To identify the cause, see the error message that accompanies the 17367 * exception. 17368 * </p> 17369 * </li> 17370 * @throws SdkException 17371 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 17372 * catch all scenarios. 17373 * @throws SdkClientException 17374 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 17375 * @throws KmsException 17376 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
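* @sample KmsClient.UpdateKeyDescription
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateKeyDescription" target="_top">AWS API
     *      Documentation</a>
     */
    default UpdateKeyDescriptionResponse updateKeyDescription(
            Consumer<UpdateKeyDescriptionRequest.Builder> updateKeyDescriptionRequest) throws NotFoundException,
            InvalidArnException, DependencyTimeoutException, KmsInternalException, KmsInvalidStateException, AwsServiceException,
            SdkClientException, KmsException {
        // Apply the caller's mutator to a fresh builder, then delegate to the request-object overload.
        return updateKeyDescription(UpdateKeyDescriptionRequest.builder().applyMutation(updateKeyDescriptionRequest).build());
    }

    /**
     * <p>
     * Changes the primary key of a multi-Region key.
     * </p>
     * <p>
     * This operation changes the replica key in the specified Region to a primary key and changes the former primary
     * key to a replica key. For example, suppose you have a primary key in <code>us-east-1</code> and a replica key in
     * <code>eu-west-2</code>. If you run <code>UpdatePrimaryRegion</code> with a <code>PrimaryRegion</code> value of
     * <code>eu-west-2</code>, the primary key is now the key in <code>eu-west-2</code>, and the key in
     * <code>us-east-1</code> becomes a replica key. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-update"
     * >Updating the primary Region</a> in the <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * This operation supports <i>multi-Region keys</i>, a KMS feature that lets you create multiple interoperable KMS
     * keys in different Amazon Web Services Regions.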
Because these KMS keys have the same key ID, key material, and 17404 * other metadata, you can use them interchangeably to encrypt data in one Amazon Web Services Region and decrypt it 17405 * in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more 17406 * information about multi-Region keys, see <a 17407 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html">Multi-Region keys in 17408 * KMS</a> in the <i>Key Management Service Developer Guide</i>. 17409 * </p> 17410 * <p> 17411 * The <i>primary key</i> of a multi-Region key is the source for properties that are always shared by primary and 17412 * replica keys, including the key material, <a 17413 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-id">key ID</a>, <a 17414 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-spec">key spec</a>, <a 17415 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-usage">key usage</a>, <a 17416 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-origin">key material origin</a>, 17417 * and <a href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html">automatic key rotation</a>. 17418 * It's the only key that can be replicated. You cannot <a 17419 * href="https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html">delete the primary 17420 * key</a> until all replica keys are deleted. 17421 * </p> 17422 * <p> 17423 * The key ID and primary Region that you specify uniquely identify the replica key that will become the primary 17424 * key. The primary Region must already have a replica key. This operation does not create a KMS key in the 17425 * specified Region. To find the replica keys, use the <a>DescribeKey</a> operation on the primary key or any 17426 * replica key. 
To create a replica key, use the <a>ReplicateKey</a> operation. 17427 * </p> 17428 * <p> 17429 * You can run this operation while using the affected multi-Region keys in cryptographic operations. This operation 17430 * should not delay, interrupt, or cause failures in cryptographic operations. 17431 * </p> 17432 * <p> 17433 * Even after this operation completes, the process of updating the primary Region might still be in progress for a 17434 * few more seconds. Operations such as <code>DescribeKey</code> might display both the old and new primary keys as 17435 * replicas. The old and new primary keys have a transient key state of <code>Updating</code>. The original key 17436 * state is restored when the update is complete. While the key state is <code>Updating</code>, you can use the keys 17437 * in cryptographic operations, but you cannot replicate the new primary key or perform certain management 17438 * operations, such as enabling or disabling these keys. For details about the <code>Updating</code> key state, see 17439 * <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 17440 * <i>Key Management Service Developer Guide</i>. 17441 * </p> 17442 * <p> 17443 * This operation does not return any output. To verify that the primary key is changed, use the <a>DescribeKey</a> 17444 * operation. 17445 * </p> 17446 * <p> 17447 * <b>Cross-account use</b>: No. You cannot use this operation in a different Amazon Web Services account. 17448 * </p> 17449 * <p> 17450 * <b>Required permissions</b>: 17451 * </p> 17452 * <ul> 17453 * <li> 17454 * <p> 17455 * <code>kms:UpdatePrimaryRegion</code> on the current primary key (in the primary key's Region). Include this 17456 * permission in the primary key's key policy. 17457 * </p> 17458 * </li> 17459 * <li> 17460 * <p> 17461 * <code>kms:UpdatePrimaryRegion</code> on the current replica key (in the replica key's Region).
Include this 17462 * permission in the replica key's key policy. 17463 * </p> 17464 * </li> 17465 * </ul> 17466 * <p> 17467 * <b>Related operations</b> 17468 * </p> 17469 * <ul> 17470 * <li> 17471 * <p> 17472 * <a>CreateKey</a> 17473 * </p> 17474 * </li> 17475 * <li> 17476 * <p> 17477 * <a>ReplicateKey</a> 17478 * </p> 17479 * </li> 17480 * </ul> 17481 * <p> 17482 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 17483 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 17484 * consistency</a>. 17485 * </p> 17486 * 17487 * @param updatePrimaryRegionRequest 17488 * @return Result of the UpdatePrimaryRegion operation returned by the service. 17489 * @throws DisabledException 17490 * The request was rejected because the specified KMS key is not enabled. 17491 * @throws InvalidArnException 17492 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 17493 * @throws KmsInvalidStateException 17494 * The request was rejected because the state of the specified resource is not valid for this request.</p> 17495 * <p> 17496 * This exceptions means one of the following: 17497 * </p> 17498 * <ul> 17499 * <li> 17500 * <p> 17501 * The key state of the KMS key is not compatible with the operation. 17502 * </p> 17503 * <p> 17504 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 17505 * are compatible with each KMS operation, see <a 17506 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 17507 * the <i> <i>Key Management Service Developer Guide</i> </i>. 17508 * </p> 17509 * </li> 17510 * <li> 17511 * <p> 17512 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 17513 * failure with many possible causes. 
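To identify the cause, see the error message that accompanies the
     *         exception.
     *         </p>
     *         </li>
     *         </ul>
     * @throws KmsInternalException
     *         The request was rejected because an internal exception occurred. The request can be retried.
     * @throws NotFoundException
     *         The request was rejected because the specified entity or resource could not be found.
     * @throws software.amazon.awssdk.services.kms.model.UnsupportedOperationException
     *         The request was rejected because a specified parameter is not supported or a specified resource is not
     *         valid for this operation.
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.UpdatePrimaryRegion
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdatePrimaryRegion" target="_top">AWS API
     *      Documentation</a>
     */
    default UpdatePrimaryRegionResponse updatePrimaryRegion(UpdatePrimaryRegionRequest updatePrimaryRegionRequest)
            throws DisabledException, InvalidArnException, KmsInvalidStateException, KmsInternalException, NotFoundException,
            software.amazon.awssdk.services.kms.model.UnsupportedOperationException, AwsServiceException, SdkClientException,
            KmsException {
        // Default body: unless an implementing class overrides this method, every call fails here. The name is
        // unqualified, so this is presumably java.lang.UnsupportedOperationException and not the KMS model
        // exception of the same name, which the throws clause spells out in full.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Changes the primary key of a multi-Region key.
     * </p>
     * <p>
     * This operation changes the replica key in the specified Region to a primary key and changes the former primary
     * key to a replica key.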
For example, suppose you have a primary key in <code>us-east-1</code> and a replica key in 17549 * <code>eu-west-2</code>. If you run <code>UpdatePrimaryRegion</code> with a <code>PrimaryRegion</code> value of 17550 * <code>eu-west-2</code>, the primary key is now the key in <code>eu-west-2</code>, and the key in 17551 * <code>us-east-1</code> becomes a replica key. For details, see <a 17552 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-update" 17553 * >Updating the primary Region</a> in the <i>Key Management Service Developer Guide</i>. 17554 * </p> 17555 * <p> 17556 * This operation supports <i>multi-Region keys</i>, an KMS feature that lets you create multiple interoperable KMS 17557 * keys in different Amazon Web Services Regions. Because these KMS keys have the same key ID, key material, and 17558 * other metadata, you can use them interchangeably to encrypt data in one Amazon Web Services Region and decrypt it 17559 * in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more 17560 * information about multi-Region keys, see <a 17561 * href="https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html">Multi-Region keys in 17562 * KMS</a> in the <i>Key Management Service Developer Guide</i>. 
17563 * </p> 17564 * <p> 17565 * The <i>primary key</i> of a multi-Region key is the source for properties that are always shared by primary and 17566 * replica keys, including the key material, <a 17567 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-id">key ID</a>, <a 17568 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-spec">key spec</a>, <a 17569 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-usage">key usage</a>, <a 17570 * href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-origin">key material origin</a>, 17571 * and <a href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html">automatic key rotation</a>. 17572 * It's the only key that can be replicated. You cannot <a 17573 * href="https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html">delete the primary 17574 * key</a> until all replica keys are deleted. 17575 * </p> 17576 * <p> 17577 * The key ID and primary Region that you specify uniquely identify the replica key that will become the primary 17578 * key. The primary Region must already have a replica key. This operation does not create a KMS key in the 17579 * specified Region. To find the replica keys, use the <a>DescribeKey</a> operation on the primary key or any 17580 * replica key. To create a replica key, use the <a>ReplicateKey</a> operation. 17581 * </p> 17582 * <p> 17583 * You can run this operation while using the affected multi-Region keys in cryptographic operations. This operation 17584 * should not delay, interrupt, or cause failures in cryptographic operations. 17585 * </p> 17586 * <p> 17587 * Even after this operation completes, the process of updating the primary Region might still be in progress for a 17588 * few more seconds. Operations such as <code>DescribeKey</code> might display both the old and new primary keys as 17589 * replicas. 
The old and new primary keys have a transient key state of <code>Updating</code>. The original key 17590 * state is restored when the update is complete. While the key state is <code>Updating</code>, you can use the keys 17591 * in cryptographic operations, but you cannot replicate the new primary key or perform certain management 17592 * operations, such as enabling or disabling these keys. For details about the <code>Updating</code> key state, see 17593 * <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 17594 * <i>Key Management Service Developer Guide</i>. 17595 * </p> 17596 * <p> 17597 * This operation does not return any output. To verify that the primary key is changed, use the <a>DescribeKey</a> 17598 * operation. 17599 * </p> 17600 * <p> 17601 * <b>Cross-account use</b>: No. You cannot use this operation in a different Amazon Web Services account. 17602 * </p> 17603 * <p> 17604 * <b>Required permissions</b>: 17605 * </p> 17606 * <ul> 17607 * <li> 17608 * <p> 17609 * <code>kms:UpdatePrimaryRegion</code> on the current primary key (in the primary key's Region). Include this 17610 * permission in the primary key's key policy. 17611 * </p> 17612 * </li> 17613 * <li> 17614 * <p> 17615 * <code>kms:UpdatePrimaryRegion</code> on the current replica key (in the replica key's Region). Include this 17616 * permission in the replica key's key policy. 17617 * </p> 17618 * </li> 17619 * </ul> 17620 * <p> 17621 * <b>Related operations</b> 17622 * </p> 17623 * <ul> 17624 * <li> 17625 * <p> 17626 * <a>CreateKey</a> 17627 * </p> 17628 * </li> 17629 * <li> 17630 * <p> 17631 * <a>ReplicateKey</a> 17632 * </p> 17633 * </li> 17634 * </ul> 17635 * <p> 17636 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 17637 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 17638 * consistency</a>.
17639 * </p> 17640 * <br/> 17641 * <p> 17642 * This is a convenience which creates an instance of the {@link UpdatePrimaryRegionRequest.Builder} avoiding the 17643 * need to create one manually via {@link UpdatePrimaryRegionRequest#builder()} 17644 * </p> 17645 * 17646 * @param updatePrimaryRegionRequest 17647 * A {@link Consumer} that will call methods on 17648 * {@link software.amazon.awssdk.services.kms.model.UpdatePrimaryRegionRequest.Builder} to create a request. 17649 * @return Result of the UpdatePrimaryRegion operation returned by the service. 17650 * @throws DisabledException 17651 * The request was rejected because the specified KMS key is not enabled. 17652 * @throws InvalidArnException 17653 * The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. 17654 * @throws KmsInvalidStateException 17655 * The request was rejected because the state of the specified resource is not valid for this request.</p> 17656 * <p> 17657 * This exceptions means one of the following: 17658 * </p> 17659 * <ul> 17660 * <li> 17661 * <p> 17662 * The key state of the KMS key is not compatible with the operation. 17663 * </p> 17664 * <p> 17665 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 17666 * are compatible with each KMS operation, see <a 17667 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 17668 * the <i> <i>Key Management Service Developer Guide</i> </i>. 17669 * </p> 17670 * </li> 17671 * <li> 17672 * <p> 17673 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 17674 * failure with many possible causes. To identify the cause, see the error message that accompanies the 17675 * exception. 17676 * </p> 17677 * </li> 17678 * @throws KmsInternalException 17679 * The request was rejected because an internal exception occurred. The request can be retried. 
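* @throws NotFoundException
     *         The request was rejected because the specified entity or resource could not be found.
     * @throws software.amazon.awssdk.services.kms.model.UnsupportedOperationException
     *         The request was rejected because a specified parameter is not supported or a specified resource is not
     *         valid for this operation.
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.UpdatePrimaryRegion
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdatePrimaryRegion" target="_top">AWS API
     *      Documentation</a>
     */
    default UpdatePrimaryRegionResponse updatePrimaryRegion(
            Consumer<UpdatePrimaryRegionRequest.Builder> updatePrimaryRegionRequest) throws DisabledException,
            InvalidArnException, KmsInvalidStateException, KmsInternalException, NotFoundException,
            software.amazon.awssdk.services.kms.model.UnsupportedOperationException, AwsServiceException, SdkClientException,
            KmsException {
        // Apply the caller's mutator to a fresh builder, then delegate to the request-object overload.
        return updatePrimaryRegion(UpdatePrimaryRegionRequest.builder().applyMutation(updatePrimaryRegionRequest).build());
    }

    /**
     * <p>
     * Verifies a digital signature that was generated by the <a>Sign</a> operation.
     * </p>
     * <p/>
     * <p>
     * Verification confirms that an authorized user signed the message with the specified KMS key and signing
     * algorithm, and the message hasn't changed since it was signed.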
If the signature is verified, the value of the 17712 * <code>SignatureValid</code> field in the response is <code>True</code>. If the signature verification fails, the 17713 * <code>Verify</code> operation fails with an <code>KMSInvalidSignatureException</code> exception. 17714 * </p> 17715 * <p> 17716 * A digital signature is generated by using the private key in an asymmetric KMS key. The signature is verified by 17717 * using the public key in the same asymmetric KMS key. For information about asymmetric KMS keys, see <a 17718 * href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in 17719 * the <i>Key Management Service Developer Guide</i>. 17720 * </p> 17721 * <p> 17722 * To use the <code>Verify</code> operation, specify the same asymmetric KMS key, message, and signing algorithm 17723 * that were used to produce the signature. The message type does not need to be the same as the one used for 17724 * signing, but it must indicate whether the value of the <code>Message</code> parameter should be hashed as part of 17725 * the verification process. 17726 * </p> 17727 * <p> 17728 * You can also verify the digital signature by using the public key of the KMS key outside of KMS. Use the 17729 * <a>GetPublicKey</a> operation to download the public key in the asymmetric KMS key and then use the public key to 17730 * verify the signature outside of KMS. The advantage of using the <code>Verify</code> operation is that it is 17731 * performed within KMS. As a result, it's easy to call, the operation is performed within the FIPS boundary, it is 17732 * logged in CloudTrail, and you can use key policy and IAM policy to determine who is authorized to use the KMS key 17733 * to verify signatures. 17734 * </p> 17735 * <p> 17736 * To verify a signature outside of KMS with an SM2 public key (China Regions only), you must specify the 17737 * distinguishing ID. 
By default, KMS uses <code>1234567812345678</code> as the distinguishing ID. For more 17738 * information, see <a href= 17739 * "https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification" 17740 * >Offline verification with SM2 key pairs</a>. 17741 * </p> 17742 * <p> 17743 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 17744 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 17745 * <i>Key Management Service Developer Guide</i>. 17746 * </p> 17747 * <p> 17748 * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services 17749 * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. 17750 * </p> 17751 * <p> 17752 * <b>Required permissions</b>: <a 17753 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:Verify</a> 17754 * (key policy) 17755 * </p> 17756 * <p> 17757 * <b>Related operations</b>: <a>Sign</a> 17758 * </p> 17759 * <p> 17760 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 17761 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 17762 * consistency</a>. 17763 * </p> 17764 * 17765 * @param verifyRequest 17766 * @return Result of the Verify operation returned by the service. 17767 * @throws NotFoundException 17768 * The request was rejected because the specified entity or resource could not be found. 17769 * @throws DisabledException 17770 * The request was rejected because the specified KMS key is not enabled. 17771 * @throws KeyUnavailableException 17772 * The request was rejected because the specified KMS key was not available. You can retry the request. 
17773 * @throws DependencyTimeoutException 17774 * The system timed out while trying to fulfill the request. You can retry the request. 17775 * @throws InvalidKeyUsageException 17776 * The request was rejected for one of the following reasons: </p> 17777 * <ul> 17778 * <li> 17779 * <p> 17780 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 17781 * </p> 17782 * </li> 17783 * <li> 17784 * <p> 17785 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 17786 * of key material in the KMS key <code>(KeySpec</code>). 17787 * </p> 17788 * </li> 17789 * </ul> 17790 * <p> 17791 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 17792 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 17793 * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the 17794 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 17795 * KMS key, use the <a>DescribeKey</a> operation. 17796 * </p> 17797 * <p> 17798 * To find the encryption or signing algorithms supported for a particular KMS key, use the 17799 * <a>DescribeKey</a> operation. 17800 * @throws InvalidGrantTokenException 17801 * The request was rejected because the specified grant token is not valid. 17802 * @throws KmsInternalException 17803 * The request was rejected because an internal exception occurred. The request can be retried. 17804 * @throws KmsInvalidStateException 17805 * The request was rejected because the state of the specified resource is not valid for this request. 17806 * </p> 17807 * <p> 17808 * This exceptions means one of the following: 17809 * </p> 17810 * <ul> 17811 * <li> 17812 * <p> 17813 * The key state of the KMS key is not compatible with the operation. 
17814 * </p> 17815 * <p> 17816 * To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states 17817 * are compatible with each KMS operation, see <a 17818 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in 17819 * the <i> <i>Key Management Service Developer Guide</i> </i>. 17820 * </p> 17821 * </li> 17822 * <li> 17823 * <p> 17824 * For cryptographic operations on KMS keys in custom key stores, this exception represents a general 17825 * failure with many possible causes. To identify the cause, see the error message that accompanies the 17826 * exception. 17827 * </p> 17828 * </li> 17829 * @throws KmsInvalidSignatureException 17830 * The request was rejected because the signature verification failed. Signature verification fails when it 17831 * cannot confirm that signature was produced by signing the specified message with the specified KMS key 17832 * and signing algorithm. 17833 * @throws DryRunOperationException 17834 * The request was rejected because the DryRun parameter was specified. 17835 * @throws SdkException 17836 * Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for 17837 * catch all scenarios. 17838 * @throws SdkClientException 17839 * If any client side error occurs such as an IO related failure, failure to get credentials, etc. 17840 * @throws KmsException 17841 * Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type. 
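* @sample KmsClient.Verify
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Verify" target="_top">AWS API
     *      Documentation</a>
     */
    default VerifyResponse verify(VerifyRequest verifyRequest) throws NotFoundException, DisabledException,
            KeyUnavailableException, DependencyTimeoutException, InvalidKeyUsageException, InvalidGrantTokenException,
            KmsInternalException, KmsInvalidStateException, KmsInvalidSignatureException, DryRunOperationException,
            AwsServiceException, SdkClientException, KmsException {
        // Default body: unless an implementing class overrides this method, every call fails here, so no
        // signature is ever checked on this path.
        // NOTE(review): per this method's Javadoc, a failed verification surfaces as KmsInvalidSignatureException;
        // callers should treat that exception, not only a false SignatureValid, as the reject path.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Verifies a digital signature that was generated by the <a>Sign</a> operation.
     * </p>
     * <p/>
     * <p>
     * Verification confirms that an authorized user signed the message with the specified KMS key and signing
     * algorithm, and the message hasn't changed since it was signed. If the signature is verified, the value of the
     * <code>SignatureValid</code> field in the response is <code>True</code>. If the signature verification fails, the
     * <code>Verify</code> operation fails with an <code>KMSInvalidSignatureException</code> exception.
     * </p>
     * <p>
     * A digital signature is generated by using the private key in an asymmetric KMS key. The signature is verified by
     * using the public key in the same asymmetric KMS key. For information about asymmetric KMS keys, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html">Asymmetric KMS keys</a> in
     * the <i>Key Management Service Developer Guide</i>.
     * </p>
     * <p>
     * To use the <code>Verify</code> operation, specify the same asymmetric KMS key, message, and signing algorithm
     * that were used to produce the signature.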
The message type does not need to be the same as the one used for 17873 * signing, but it must indicate whether the value of the <code>Message</code> parameter should be hashed as part of 17874 * the verification process. 17875 * </p> 17876 * <p> 17877 * You can also verify the digital signature by using the public key of the KMS key outside of KMS. Use the 17878 * <a>GetPublicKey</a> operation to download the public key in the asymmetric KMS key and then use the public key to 17879 * verify the signature outside of KMS. The advantage of using the <code>Verify</code> operation is that it is 17880 * performed within KMS. As a result, it's easy to call, the operation is performed within the FIPS boundary, it is 17881 * logged in CloudTrail, and you can use key policy and IAM policy to determine who is authorized to use the KMS key 17882 * to verify signatures. 17883 * </p> 17884 * <p> 17885 * To verify a signature outside of KMS with an SM2 public key (China Regions only), you must specify the 17886 * distinguishing ID. By default, KMS uses <code>1234567812345678</code> as the distinguishing ID. For more 17887 * information, see <a href= 17888 * "https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html#key-spec-sm-offline-verification" 17889 * >Offline verification with SM2 key pairs</a>. 17890 * </p> 17891 * <p> 17892 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 17893 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 17894 * <i>Key Management Service Developer Guide</i>. 17895 * </p> 17896 * <p> 17897 * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services 17898 * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. 
17899 * </p> 17900 * <p> 17901 * <b>Required permissions</b>: <a 17902 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:Verify</a> 17903 * (key policy) 17904 * </p> 17905 * <p> 17906 * <b>Related operations</b>: <a>Sign</a> 17907 * </p> 17908 * <p> 17909 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 17910 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 17911 * consistency</a>. 17912 * </p> 17913 * <br/> 17914 * <p> 17915 * This is a convenience which creates an instance of the {@link VerifyRequest.Builder} avoiding the need to create 17916 * one manually via {@link VerifyRequest#builder()} 17917 * </p> 17918 * 17919 * @param verifyRequest 17920 * A {@link Consumer} that will call methods on 17921 * {@link software.amazon.awssdk.services.kms.model.VerifyRequest.Builder} to create a request. 17922 * @return Result of the Verify operation returned by the service. 17923 * @throws NotFoundException 17924 * The request was rejected because the specified entity or resource could not be found. 17925 * @throws DisabledException 17926 * The request was rejected because the specified KMS key is not enabled. 17927 * @throws KeyUnavailableException 17928 * The request was rejected because the specified KMS key was not available. You can retry the request. 17929 * @throws DependencyTimeoutException 17930 * The system timed out while trying to fulfill the request. You can retry the request. 17931 * @throws InvalidKeyUsageException 17932 * The request was rejected for one of the following reasons: </p> 17933 * <ul> 17934 * <li> 17935 * <p> 17936 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 
* </p>
     *         </li>
     *         <li>
     *         <p>
     *         The encryption algorithm or signing algorithm specified for the operation is incompatible with the type
     *         of key material in the KMS key (<code>KeySpec</code>).
     *         </p>
     *         </li>
     *         </ul>
     *         <p>
     *         For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be
     *         <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be
     *         <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the
     *         <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a
     *         KMS key, use the <a>DescribeKey</a> operation.
     *         </p>
     *         <p>
     *         To find the encryption or signing algorithms supported for a particular KMS key, use the
     *         <a>DescribeKey</a> operation.
     * @throws InvalidGrantTokenException
     *         The request was rejected because the specified grant token is not valid.
     * @throws KmsInternalException
     *         The request was rejected because an internal exception occurred. The request can be retried.
     * @throws KmsInvalidStateException
     *         The request was rejected because the state of the specified resource is not valid for this request.
     *         <p>
     *         This exception means one of the following:
     *         </p>
     *         <ul>
     *         <li>
     *         <p>
     *         The key state of the KMS key is not compatible with the operation.
     *         </p>
     *         <p>
     *         To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states
     *         are compatible with each KMS operation, see <a
     *         href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
     *         the <i>Key Management Service Developer Guide</i>.
* </p>
     *         </li>
     *         <li>
     *         <p>
     *         For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     *         failure with many possible causes. To identify the cause, see the error message that accompanies the
     *         exception.
     *         </p>
     *         </li>
     *         </ul>
     * @throws KmsInvalidSignatureException
     *         The request was rejected because the signature verification failed. Signature verification fails when it
     *         cannot confirm that the signature was produced by signing the specified message with the specified KMS
     *         key and signing algorithm.
     * @throws DryRunOperationException
     *         The request was rejected because the DryRun parameter was specified.
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample KmsClient.Verify
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Verify" target="_top">AWS API
     *      Documentation</a>
     */
    default VerifyResponse verify(Consumer<VerifyRequest.Builder> verifyRequest)
            throws NotFoundException, DisabledException, KeyUnavailableException, DependencyTimeoutException,
            InvalidKeyUsageException, InvalidGrantTokenException, KmsInternalException, KmsInvalidStateException,
            KmsInvalidSignatureException, DryRunOperationException, AwsServiceException, SdkClientException,
            KmsException {
        // Build the request from the caller's mutator, then delegate to the verify(VerifyRequest)
        // overload, which is declared outside this excerpt.
        VerifyRequest request = VerifyRequest.builder().applyMutation(verifyRequest).build();
        // Per the @throws list, a signature that fails verification is reported as
        // KmsInvalidSignatureException. Nothing is caught here, so every exception reaches the
        // caller unchanged; callers should treat any exception from this call as "not verified".
        return verify(request);
    }

    /**
     * <p>
     * Verifies the hash-based message authentication code (HMAC) for a specified message, HMAC KMS key, and MAC
     * algorithm. To verify the HMAC, <code>VerifyMac</code> computes an HMAC using the message, HMAC KMS key, and MAC
     * algorithm that you specify, and compares the computed HMAC to the HMAC that you specify. If the HMACs are
     * identical, the verification succeeds; otherwise, it fails. Verification indicates that the message hasn't changed
     * since the HMAC was calculated, and the specified key was used to generate and verify the HMAC.
     * </p>
     * <p>
     * Handling note: a MAC that does not match is reported as {@link KmsInvalidMacException} (see the
     * <code>@throws</code> list below). Callers should treat that exception, and any other failure of this call, as
     * "not verified"; only the exceptions documented below as retryable describe a transient condition.
     * </p>
     * <p>
     * HMAC KMS keys and the HMAC algorithms that KMS uses conform to industry standards defined in <a
     * href="https://datatracker.ietf.org/doc/html/rfc2104">RFC 2104</a>.
     * </p>
     * <p>
     * This operation is part of KMS support for HMAC KMS keys. For details, see <a
     * href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC keys in KMS</a> in the <i>Key
     * Management Service Developer Guide</i>.
     * </p>
     * <p>
     * The KMS key that you use for this operation must be in a compatible key state.
For details, see <a 18028 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 18029 * <i>Key Management Service Developer Guide</i>. 18030 * </p> 18031 * <p> 18032 * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services 18033 * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. 18034 * </p> 18035 * <p> 18036 * <b>Required permissions</b>: <a 18037 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:VerifyMac</a> 18038 * (key policy) 18039 * </p> 18040 * <p> 18041 * <b>Related operations</b>: <a>GenerateMac</a> 18042 * </p> 18043 * <p> 18044 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 18045 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 18046 * consistency</a>. 18047 * </p> 18048 * 18049 * @param verifyMacRequest 18050 * @return Result of the VerifyMac operation returned by the service. 18051 * @throws NotFoundException 18052 * The request was rejected because the specified entity or resource could not be found. 18053 * @throws DisabledException 18054 * The request was rejected because the specified KMS key is not enabled. 18055 * @throws KeyUnavailableException 18056 * The request was rejected because the specified KMS key was not available. You can retry the request. 18057 * @throws InvalidKeyUsageException 18058 * The request was rejected for one of the following reasons: </p> 18059 * <ul> 18060 * <li> 18061 * <p> 18062 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 18063 * </p> 18064 * </li> 18065 * <li> 18066 * <p> 18067 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 18068 * of key material in the KMS key <code>(KeySpec</code>). 
* </p>
     *         </li>
     *         </ul>
     *         <p>
     *         For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be
     *         <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be
     *         <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the
     *         <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a
     *         KMS key, use the <a>DescribeKey</a> operation.
     *         </p>
     *         <p>
     *         To find the encryption or signing algorithms supported for a particular KMS key, use the
     *         <a>DescribeKey</a> operation.
     * @throws InvalidGrantTokenException
     *         The request was rejected because the specified grant token is not valid.
     * @throws KmsInternalException
     *         The request was rejected because an internal exception occurred. The request can be retried.
     * @throws KmsInvalidMacException
     *         The request was rejected because the HMAC verification failed. HMAC verification fails when the HMAC
     *         computed by using the specified message, HMAC KMS key, and MAC algorithm does not match the HMAC
     *         specified in the request.
     * @throws KmsInvalidStateException
     *         The request was rejected because the state of the specified resource is not valid for this request.
     *         <p>
     *         This exception means one of the following:
     *         </p>
     *         <ul>
     *         <li>
     *         <p>
     *         The key state of the KMS key is not compatible with the operation.
     *         </p>
     *         <p>
     *         To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states
     *         are compatible with each KMS operation, see <a
     *         href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
     *         the <i>Key Management Service Developer Guide</i>.
* </p>
     *         </li>
     *         <li>
     *         <p>
     *         For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     *         failure with many possible causes. To identify the cause, see the error message that accompanies the
     *         exception.
     *         </p>
     *         </li>
     *         </ul>
     * @throws DryRunOperationException
     *         The request was rejected because the DryRun parameter was specified.
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.VerifyMac
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyMac" target="_top">AWS API
     *      Documentation</a>
     */
    default VerifyMacResponse verifyMac(VerifyMacRequest verifyMacRequest)
            throws NotFoundException, DisabledException, KeyUnavailableException, InvalidKeyUsageException,
            InvalidGrantTokenException, KmsInternalException, KmsInvalidMacException, KmsInvalidStateException,
            DryRunOperationException, AwsServiceException, SdkClientException, KmsException {
        // This default body performs no MAC check and sends no request: it always throws.
        // Presumably the concrete client overrides it (not visible in this excerpt). A caller that
        // sees UnsupportedOperationException has verified nothing and must not treat it as success.
        throw new UnsupportedOperationException();
    }

    /**
     * <p>
     * Verifies the hash-based message authentication code (HMAC) for a specified message, HMAC KMS key, and MAC
     * algorithm. To verify the HMAC, <code>VerifyMac</code> computes an HMAC using the message, HMAC KMS key, and MAC
     * algorithm that you specify, and compares the computed HMAC to the HMAC that you specify. If the HMACs are
     * identical, the verification succeeds; otherwise, it fails.
Verification indicates that the message hasn't changed 18141 * since the HMAC was calculated, and the specified key was used to generate and verify the HMAC. 18142 * </p> 18143 * <p> 18144 * HMAC KMS keys and the HMAC algorithms that KMS uses conform to industry standards defined in <a 18145 * href="https://datatracker.ietf.org/doc/html/rfc2104">RFC 2104</a>. 18146 * </p> 18147 * <p> 18148 * This operation is part of KMS support for HMAC KMS keys. For details, see <a 18149 * href="https://docs.aws.amazon.com/kms/latest/developerguide/hmac.html">HMAC keys in KMS</a> in the <i>Key 18150 * Management Service Developer Guide</i>. 18151 * </p> 18152 * <p> 18153 * The KMS key that you use for this operation must be in a compatible key state. For details, see <a 18154 * href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the 18155 * <i>Key Management Service Developer Guide</i>. 18156 * </p> 18157 * <p> 18158 * <b>Cross-account use</b>: Yes. To perform this operation with a KMS key in a different Amazon Web Services 18159 * account, specify the key ARN or alias ARN in the value of the <code>KeyId</code> parameter. 18160 * </p> 18161 * <p> 18162 * <b>Required permissions</b>: <a 18163 * href="https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html">kms:VerifyMac</a> 18164 * (key policy) 18165 * </p> 18166 * <p> 18167 * <b>Related operations</b>: <a>GenerateMac</a> 18168 * </p> 18169 * <p> 18170 * <b>Eventual consistency</b>: The KMS API follows an eventual consistency model. For more information, see <a 18171 * href="https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html">KMS eventual 18172 * consistency</a>. 
18173 * </p> 18174 * <br/> 18175 * <p> 18176 * This is a convenience which creates an instance of the {@link VerifyMacRequest.Builder} avoiding the need to 18177 * create one manually via {@link VerifyMacRequest#builder()} 18178 * </p> 18179 * 18180 * @param verifyMacRequest 18181 * A {@link Consumer} that will call methods on 18182 * {@link software.amazon.awssdk.services.kms.model.VerifyMacRequest.Builder} to create a request. 18183 * @return Result of the VerifyMac operation returned by the service. 18184 * @throws NotFoundException 18185 * The request was rejected because the specified entity or resource could not be found. 18186 * @throws DisabledException 18187 * The request was rejected because the specified KMS key is not enabled. 18188 * @throws KeyUnavailableException 18189 * The request was rejected because the specified KMS key was not available. You can retry the request. 18190 * @throws InvalidKeyUsageException 18191 * The request was rejected for one of the following reasons: </p> 18192 * <ul> 18193 * <li> 18194 * <p> 18195 * The <code>KeyUsage</code> value of the KMS key is incompatible with the API operation. 18196 * </p> 18197 * </li> 18198 * <li> 18199 * <p> 18200 * The encryption algorithm or signing algorithm specified for the operation is incompatible with the type 18201 * of key material in the KMS key <code>(KeySpec</code>). 18202 * </p> 18203 * </li> 18204 * </ul> 18205 * <p> 18206 * For encrypting, decrypting, re-encrypting, and generating data keys, the <code>KeyUsage</code> must be 18207 * <code>ENCRYPT_DECRYPT</code>. For signing and verifying messages, the <code>KeyUsage</code> must be 18208 * <code>SIGN_VERIFY</code>. For generating and verifying message authentication codes (MACs), the 18209 * <code>KeyUsage</code> must be <code>GENERATE_VERIFY_MAC</code>. To find the <code>KeyUsage</code> of a 18210 * KMS key, use the <a>DescribeKey</a> operation. 
* </p>
     *         <p>
     *         To find the encryption or signing algorithms supported for a particular KMS key, use the
     *         <a>DescribeKey</a> operation.
     * @throws InvalidGrantTokenException
     *         The request was rejected because the specified grant token is not valid.
     * @throws KmsInternalException
     *         The request was rejected because an internal exception occurred. The request can be retried.
     * @throws KmsInvalidMacException
     *         The request was rejected because the HMAC verification failed. HMAC verification fails when the HMAC
     *         computed by using the specified message, HMAC KMS key, and MAC algorithm does not match the HMAC
     *         specified in the request.
     * @throws KmsInvalidStateException
     *         The request was rejected because the state of the specified resource is not valid for this request.
     *         <p>
     *         This exception means one of the following:
     *         </p>
     *         <ul>
     *         <li>
     *         <p>
     *         The key state of the KMS key is not compatible with the operation.
     *         </p>
     *         <p>
     *         To find the key state, use the <a>DescribeKey</a> operation. For more information about which key states
     *         are compatible with each KMS operation, see <a
     *         href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in
     *         the <i>Key Management Service Developer Guide</i>.
     *         </p>
     *         </li>
     *         <li>
     *         <p>
     *         For cryptographic operations on KMS keys in custom key stores, this exception represents a general
     *         failure with many possible causes. To identify the cause, see the error message that accompanies the
     *         exception.
     *         </p>
     *         </li>
     *         </ul>
     * @throws DryRunOperationException
     *         The request was rejected because the DryRun parameter was specified.
     * @throws SdkException
     *         Base class for all exceptions that can be thrown by the SDK (both service and client).
Can be used for
     *         catch all scenarios.
     * @throws SdkClientException
     *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
     * @throws KmsException
     *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
     * @sample KmsClient.VerifyMac
     * @see <a href="https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/VerifyMac" target="_top">AWS API
     *      Documentation</a>
     */
    default VerifyMacResponse verifyMac(Consumer<VerifyMacRequest.Builder> verifyMacRequest)
            throws NotFoundException, DisabledException, KeyUnavailableException, InvalidKeyUsageException,
            InvalidGrantTokenException, KmsInternalException, KmsInvalidMacException, KmsInvalidStateException,
            DryRunOperationException, AwsServiceException, SdkClientException, KmsException {
        // Build the request from the caller's mutator, then delegate to the
        // verifyMac(VerifyMacRequest) overload of this interface.
        VerifyMacRequest request = VerifyMacRequest.builder().applyMutation(verifyMacRequest).build();
        // Per the @throws list, a MAC mismatch is reported as KmsInvalidMacException and a dry run
        // as DryRunOperationException. Nothing is caught here, so both reach the caller unchanged
        // and neither means the MAC was accepted.
        return verifyMac(request);
    }

    /**
     * Builds a {@link KmsClient} with default settings by calling {@link #builder()} and then {@code build()}.
     * The region is loaded from the {@link software.amazon.awssdk.regions.providers.DefaultAwsRegionProviderChain}
     * and the credentials from the {@link software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider}.
     * <p>
     * Review note: credentials are resolved implicitly here, so confirm which principal they resolve to wherever
     * key-policy permissions such as <code>kms:Verify</code> or <code>kms:VerifyMac</code> are expected to apply.
     * </p>
     *
     * @return a client built from an unconfigured builder
     */
    static KmsClient create() {
        KmsClientBuilder defaultBuilder = builder();
        return defaultBuilder.build();
    }

    /**
     * Creates a builder that can be used to configure and create a {@link KmsClient}.
     *
     * @return a new {@code DefaultKmsClientBuilder}
     */
    static KmsClientBuilder builder() {
        return new DefaultKmsClientBuilder();
    }

    /**
     * Returns the {@link ServiceMetadata} obtained from {@code ServiceMetadata.of(SERVICE_METADATA_ID)}.
     * {@code SERVICE_METADATA_ID} is a constant declared outside this excerpt.
     *
     * @return the service metadata for that identifier
     */
    static ServiceMetadata serviceMetadata() {
        return ServiceMetadata.of(SERVICE_METADATA_ID);
    }

    /**
     * Default body that returns no configuration and always throws.
     *
     * @throws UnsupportedOperationException
     *         always, unless an implementation overrides this method
     */
    @Override
    default KmsServiceClientConfiguration serviceClientConfiguration() {
        throw new UnsupportedOperationException();
    }
}