From 4ad5b4ae7ce59237be5f22e8714cc9a0e55f79b4 Mon Sep 17 00:00:00 2001 From: "darcy.rayner" Date: Mon, 17 Jun 2019 18:12:47 -0400 Subject: [PATCH] Implement KMS key decrypter --- go.mod | 3 +- go.sum | 15 + internal/metrics/api.go | 50 +- internal/metrics/api_test.go | 8 +- internal/metrics/kms_decrypter.go | 55 + internal/metrics/listener.go | 2 +- .../aws/aws-sdk-go/service/kms/api.go | 10267 ++++++++++++++++ .../aws/aws-sdk-go/service/kms/doc.go | 98 + .../aws/aws-sdk-go/service/kms/errors.go | 297 + .../aws/aws-sdk-go/service/kms/service.go | 97 + 10 files changed, 10879 insertions(+), 13 deletions(-) create mode 100644 internal/metrics/kms_decrypter.go create mode 100644 vendor/github.com/aws/aws-sdk-go/service/kms/api.go create mode 100644 vendor/github.com/aws/aws-sdk-go/service/kms/doc.go create mode 100644 vendor/github.com/aws/aws-sdk-go/service/kms/errors.go create mode 100644 vendor/github.com/aws/aws-sdk-go/service/kms/service.go diff --git a/go.mod b/go.mod index 5d66743e..b4afd48d 100644 --- a/go.mod +++ b/go.mod @@ -3,9 +3,10 @@ module github.com/DataDog/datadog-lambda-go go 1.12 require ( - github.com/aws/aws-sdk-go v1.19.40 // indirect + github.com/aws/aws-sdk-go v1.20.2 github.com/aws/aws-xray-sdk-go v1.0.0-rc.9 github.com/cenkalti/backoff v2.1.1+incompatible github.com/cihub/seelog v0.0.0-20170130134532-f561c5e57575 // indirect github.com/pkg/errors v0.8.1 // indirect + github.com/stretchr/testify v1.3.0 ) diff --git a/go.sum b/go.sum index 13c1f3e1..05233981 100644 --- a/go.sum +++ b/go.sum @@ -1,6 +1,21 @@ +github.com/aws/aws-sdk-go v1.19.40 h1:omRrS4bCM/IbzU6UEb8Ojg1PvlElZzYZkOh8vWWgFMc= github.com/aws/aws-sdk-go v1.19.40/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/aws/aws-sdk-go v1.20.2 h1:/BBeW8F4PPmvJ5jpFvgkCK4RJQXErNndVRnNhO2qEkQ= +github.com/aws/aws-sdk-go v1.20.2/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/aws/aws-xray-sdk-go v1.0.0-rc.9 h1:MC5zypTWx5YIbWE3pgcPaG8+1ytirvfCVBkcgHbVZ5Q= github.com/aws/aws-xray-sdk-go v1.0.0-rc.9/go.mod h1:XtMKdBQfpVut+tJEwI7+dJFRxxRdxHDyVNp2tHXRq04= +github.com/cenkalti/backoff v2.1.1+incompatible h1:tKJnvO2kl0zmb/jA5UKAt4VoEVw1qxKWjE/Bpp46npY= github.com/cenkalti/backoff v2.1.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM= +github.com/cihub/seelog v0.0.0-20170130134532-f561c5e57575 h1:kHaBemcxl8o/pQ5VM1c8PVE1PubbNx3mjUr09OqWGCs= github.com/cihub/seelog v0.0.0-20170130134532-f561c5e57575/go.mod h1:9d6lWj8KzO/fd/NrVaLscBKmPigpZpn5YawRPw+e3Yo= +github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5imkbgOkpRUYLnmbU7UEFbjtDA2hxJ1ichM= github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= +github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= diff --git a/internal/metrics/api.go b/internal/metrics/api.go index 9d6ed3f5..4ad3306b 100644 --- a/internal/metrics/api.go +++ b/internal/metrics/api.go @@ -27,10 +27,19 @@ type ( // APIClient send metrics to Datadog, via the Datadog API APIClient struct { - apiKey string + apiKey string + apiKeyDecryptChan <-chan string + baseAPIURL string + httpClient *http.Client + context context.Context + } + + // APIClientOptions contains instantiation options from creating an APIClient. + APIClientOptions struct { baseAPIURL string - httpClient *http.Client - context context.Context + apiKey string + kmsAPIKey string + decrypter Decrypter } postMetricsModel struct { @@ -39,18 +48,30 @@ type ( ) // MakeAPIClient creates a new API client with the given api and app keys -func MakeAPIClient(ctx context.Context, baseAPIURL, apiKey string) *APIClient { +func MakeAPIClient(ctx context.Context, options APIClientOptions) *APIClient { httpClient := &http.Client{} - return &APIClient{ - apiKey: apiKey, - baseAPIURL: baseAPIURL, + client := &APIClient{ + apiKey: options.apiKey, + baseAPIURL: options.baseAPIURL, httpClient: httpClient, context: ctx, } + if len(options.apiKey) == 0 && len(options.kmsAPIKey) != 0 { + client.apiKeyDecryptChan = client.decryptAPIKey(options.decrypter, options.kmsAPIKey) + } + + return client } // SendMetrics posts a batch metrics payload to the Datadog API func (cl *APIClient) SendMetrics(metrics []APIMetric) error { + + // If the api key was provided as a kms key, wait for it to finish decrypting + if cl.apiKeyDecryptChan != nil { + cl.apiKey = <-cl.apiKeyDecryptChan + cl.apiKeyDecryptChan = nil + } + content, err := marshalAPIMetricsModel(metrics) if err != nil { return fmt.Errorf("Couldn't marshal metrics model: %v", err) @@ -92,6 +113,21 @@ func (cl *APIClient) SendMetrics(metrics []APIMetric) error { return nil } +func (cl *APIClient) decryptAPIKey(decrypter Decrypter, kmsAPIKey string) <-chan string { + + ch := make(chan string) + + go func() { + result, err := decrypter.Decrypt(kmsAPIKey) + if err != nil { + logger.Error(fmt.Errorf("Couldn't decrypt api kms key %s", err)) + } + ch <- result + close(ch) + }() + return ch +} + func (cl *APIClient) addAPICredentials(req *http.Request) { query := req.URL.Query() query.Add(apiKeyParam, cl.apiKey) diff --git a/internal/metrics/api_test.go b/internal/metrics/api_test.go index 17918849..a8e3334a 100644 --- a/internal/metrics/api_test.go +++ b/internal/metrics/api_test.go @@ -23,7 +23,7 @@ const ( ) func TestAddAPICredentials(t *testing.T) { - cl := MakeAPIClient(context.Background(), "", mockAPIKey) + cl := MakeAPIClient(context.Background(), APIClientOptions{baseAPIURL: "", apiKey: mockAPIKey}) req, _ := http.NewRequest("GET", "http://some-api.com/endpoint", nil) cl.addAPICredentials(req) assert.Equal(t, "http://some-api.com/endpoint?api_key=12345", req.URL.String()) @@ -57,7 +57,7 @@ func TestSendMetricsSuccess(t *testing.T) { }, } - cl := MakeAPIClient(context.Background(), server.URL, mockAPIKey) + cl := MakeAPIClient(context.Background(), APIClientOptions{baseAPIURL: server.URL, apiKey: mockAPIKey}) err := cl.SendMetrics(am) assert.NoError(t, err) @@ -92,7 +92,7 @@ func TestSendMetricsBadRequest(t *testing.T) { }, } - cl := MakeAPIClient(context.Background(), server.URL, mockAPIKey) + cl := MakeAPIClient(context.Background(), APIClientOptions{baseAPIURL: server.URL, apiKey: mockAPIKey}) err := cl.SendMetrics(am) assert.Error(t, err) @@ -120,7 +120,7 @@ func TestSendMetricsCantReachServer(t *testing.T) { }, } - cl := MakeAPIClient(context.Background(), "httpa:///badly-formatted-url", mockAPIKey) + cl := MakeAPIClient(context.Background(), APIClientOptions{baseAPIURL: "httpa:///badly-formatted-url", apiKey: mockAPIKey}) err := cl.SendMetrics(am) assert.Error(t, err) diff --git a/internal/metrics/kms_decrypter.go b/internal/metrics/kms_decrypter.go new file mode 100644 index 00000000..bbcc0a83 --- /dev/null +++ b/internal/metrics/kms_decrypter.go @@ -0,0 +1,55 @@ +/* + * Unless explicitly stated otherwise all files in this repository are licensed + * under the Apache License Version 2.0. + * + * This product includes software developed at Datadog (https://www.datadoghq.com/). + * Copyright 2019 Datadog, Inc. + */ +package metrics + +import ( + "encoding/base64" + "fmt" + + "github.com/aws/aws-sdk-go/aws/session" + "github.com/aws/aws-sdk-go/service/kms" +) + +type ( + // Decrypter attempts to decrypt a key + Decrypter interface { + Decrypt(cipherText string) (string, error) + } + + kmsDecrypter struct { + kmsClient *kms.KMS + } +) + +// MakeKMSDecrypter creates a new decrypter which uses the AWS KMS service to decrypt variables +func MakeKMSDecrypter() Decrypter { + return &kmsDecrypter{ + kmsClient: kms.New(session.New(nil)), + } +} + +func (kd *kmsDecrypter) Decrypt(cipherText string) (string, error) { + + decodedBytes, err := base64.StdEncoding.DecodeString(cipherText) + if err != nil { + return "", fmt.Errorf("Failed to encode cipher text to base64: %v", err) + } + + params := &kms.DecryptInput{ + CiphertextBlob: decodedBytes, + } + + response, err := kd.kmsClient.Decrypt(params) + if err != nil { + return "", fmt.Errorf("Failed to decrypt ciphertext with kms: %v", err) + } + // Plaintext is a byte array, so convert to string + decrypted := string(response.Plaintext[:]) + + return decrypted, nil +} diff --git a/internal/metrics/listener.go b/internal/metrics/listener.go index d9d86a39..556e752b 100644 --- a/internal/metrics/listener.go +++ b/internal/metrics/listener.go @@ -42,7 +42,7 @@ func MakeListener(config Config) Listener { } baseAPIURL := fmt.Sprintf("https://api.%s/api/v1", site) - apiClient := MakeAPIClient(context.Background(), baseAPIURL, config.APIKey) + apiClient := MakeAPIClient(context.Background(), APIClientOptions{baseAPIURL: baseAPIURL, apiKey: config.APIKey}) if config.BatchInterval <= 0 { config.BatchInterval = defaultBatchInterval } diff --git a/vendor/github.com/aws/aws-sdk-go/service/kms/api.go b/vendor/github.com/aws/aws-sdk-go/service/kms/api.go new file mode 100644 index 00000000..de91f57a --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/service/kms/api.go @@ -0,0 +1,10267 @@ +// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT. + +package kms + +import ( + "fmt" + "time" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/awsutil" + "github.com/aws/aws-sdk-go/aws/request" + "github.com/aws/aws-sdk-go/private/protocol" + "github.com/aws/aws-sdk-go/private/protocol/jsonrpc" +) + +const opCancelKeyDeletion = "CancelKeyDeletion" + +// CancelKeyDeletionRequest generates a "aws/request.Request" representing the +// client's request for the CancelKeyDeletion operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See CancelKeyDeletion for more information on using the CancelKeyDeletion +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the CancelKeyDeletionRequest method. +// req, resp := client.CancelKeyDeletionRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CancelKeyDeletion +func (c *KMS) CancelKeyDeletionRequest(input *CancelKeyDeletionInput) (req *request.Request, output *CancelKeyDeletionOutput) { + op := &request.Operation{ + Name: opCancelKeyDeletion, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &CancelKeyDeletionInput{} + } + + output = &CancelKeyDeletionOutput{} + req = c.newRequest(op, input, output) + return +} + +// CancelKeyDeletion API operation for AWS Key Management Service. +// +// Cancels the deletion of a customer master key (CMK). When this operation +// is successful, the CMK is set to the Disabled state. To enable a CMK, use +// EnableKey. You cannot perform this operation on a CMK in a different AWS +// account. +// +// For more information about scheduling and canceling deletion of a CMK, see +// Deleting Customer Master Keys (https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) +// in the AWS Key Management Service Developer Guide. +// +// The result of this operation varies with the key state of the CMK. For details, +// see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation CancelKeyDeletion for usage and error information. +// +// Returned Error Codes: +// * ErrCodeNotFoundException "NotFoundException" +// The request was rejected because the specified entity or resource could not +// be found. +// +// * ErrCodeInvalidArnException "InvalidArnException" +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * ErrCodeInvalidStateException "KMSInvalidStateException" +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CancelKeyDeletion +func (c *KMS) CancelKeyDeletion(input *CancelKeyDeletionInput) (*CancelKeyDeletionOutput, error) { + req, out := c.CancelKeyDeletionRequest(input) + return out, req.Send() +} + +// CancelKeyDeletionWithContext is the same as CancelKeyDeletion with the addition of +// the ability to pass a context and additional request options. +// +// See CancelKeyDeletion for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) CancelKeyDeletionWithContext(ctx aws.Context, input *CancelKeyDeletionInput, opts ...request.Option) (*CancelKeyDeletionOutput, error) { + req, out := c.CancelKeyDeletionRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opConnectCustomKeyStore = "ConnectCustomKeyStore" + +// ConnectCustomKeyStoreRequest generates a "aws/request.Request" representing the +// client's request for the ConnectCustomKeyStore operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See ConnectCustomKeyStore for more information on using the ConnectCustomKeyStore +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the ConnectCustomKeyStoreRequest method. +// req, resp := client.ConnectCustomKeyStoreRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ConnectCustomKeyStore +func (c *KMS) ConnectCustomKeyStoreRequest(input *ConnectCustomKeyStoreInput) (req *request.Request, output *ConnectCustomKeyStoreOutput) { + op := &request.Operation{ + Name: opConnectCustomKeyStore, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &ConnectCustomKeyStoreInput{} + } + + output = &ConnectCustomKeyStoreOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// ConnectCustomKeyStore API operation for AWS Key Management Service. +// +// Connects or reconnects a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) +// to its associated AWS CloudHSM cluster. +// +// The custom key store must be connected before you can create customer master +// keys (CMKs) in the key store or use the CMKs it contains. You can disconnect +// and reconnect a custom key store at any time. +// +// To connect a custom key store, its associated AWS CloudHSM cluster must have +// at least one active HSM. To get the number of active HSMs in a cluster, use +// the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) +// operation. To add HSMs to the cluster, use the CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html) +// operation. +// +// The connection process can take an extended amount of time to complete; up +// to 20 minutes. This operation starts the connection process, but it does +// not wait for it to complete. When it succeeds, this operation quickly returns +// an HTTP 200 response and a JSON object with no properties. However, this +// response does not indicate that the custom key store is connected. To get +// the connection state of the custom key store, use the DescribeCustomKeyStores +// operation. +// +// During the connection process, AWS KMS finds the AWS CloudHSM cluster that +// is associated with the custom key store, creates the connection infrastructure, +// connects to the cluster, logs into the AWS CloudHSM client as the kmsuser +// (https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser) +// crypto user (CU), and rotates its password. +// +// The ConnectCustomKeyStore operation might fail for various reasons. To find +// the reason, use the DescribeCustomKeyStores operation and see the ConnectionErrorCode +// in the response. For help interpreting the ConnectionErrorCode, see CustomKeyStoresListEntry. +// +// To fix the failure, use the DisconnectCustomKeyStore operation to disconnect +// the custom key store, correct the error, use the UpdateCustomKeyStore operation +// if necessary, and then use ConnectCustomKeyStore again. +// +// If you are having trouble connecting or disconnecting a custom key store, +// see Troubleshooting a Custom Key Store (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html) +// in the AWS Key Management Service Developer Guide. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation ConnectCustomKeyStore for usage and error information. +// +// Returned Error Codes: +// * ErrCodeCloudHsmClusterNotActiveException "CloudHsmClusterNotActiveException" +// The request was rejected because the AWS CloudHSM cluster that is associated +// with the custom key store is not active. Initialize and activate the cluster +// and try the command again. For detailed instructions, see Getting Started +// (https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html) +// in the AWS CloudHSM User Guide. +// +// * ErrCodeCustomKeyStoreInvalidStateException "CustomKeyStoreInvalidStateException" +// The request was rejected because of the ConnectionState of the custom key +// store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores +// operation. +// +// This exception is thrown under the following conditions: +// +// * You requested the CreateKey or GenerateRandom operation in a custom +// key store that is not connected. These operations are valid only when +// the custom key store ConnectionState is CONNECTED. +// +// * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation +// on a custom key store that is not disconnected. This operation is valid +// only when the custom key store ConnectionState is DISCONNECTED. +// +// * You requested the ConnectCustomKeyStore operation on a custom key store +// with a ConnectionState of DISCONNECTING or FAILED. This operation is valid +// for all other ConnectionState values. +// +// * ErrCodeCustomKeyStoreNotFoundException "CustomKeyStoreNotFoundException" +// The request was rejected because AWS KMS cannot find a custom key store with +// the specified key store name or ID. +// +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * ErrCodeCloudHsmClusterInvalidConfigurationException "CloudHsmClusterInvalidConfigurationException" +// The request was rejected because the associated AWS CloudHSM cluster did +// not meet the configuration requirements for a custom key store. +// +// * The cluster must be configured with private subnets in at least two +// different Availability Zones in the Region. +// +// * The security group for the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) +// (cloudhsm-cluster--sg) must include inbound rules and outbound +// rules that allow TCP traffic on ports 2223-2225. The Source in the inbound +// rules and the Destination in the outbound rules must match the security +// group ID. These rules are set by default when you create the cluster. +// Do not delete or change them. To get information about a particular security +// group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html) +// operation. +// +// * The cluster must contain at least as many HSMs as the operation requires. +// To add HSMs, use the AWS CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html) +// operation. +// +// For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey operations, +// the AWS CloudHSM cluster must have at least two active HSMs, each in a +// different Availability Zone. For the ConnectCustomKeyStore operation, +// the AWS CloudHSM must contain at least one active HSM. +// +// For information about the requirements for an AWS CloudHSM cluster that is +// associated with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) +// in the AWS Key Management Service Developer Guide. For information about +// creating a private subnet for an AWS CloudHSM cluster, see Create a Private +// Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html) +// in the AWS CloudHSM User Guide. For information about cluster security groups, +// see Configure a Default Security Group (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) +// in the AWS CloudHSM User Guide. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ConnectCustomKeyStore +func (c *KMS) ConnectCustomKeyStore(input *ConnectCustomKeyStoreInput) (*ConnectCustomKeyStoreOutput, error) { + req, out := c.ConnectCustomKeyStoreRequest(input) + return out, req.Send() +} + +// ConnectCustomKeyStoreWithContext is the same as ConnectCustomKeyStore with the addition of +// the ability to pass a context and additional request options. +// +// See ConnectCustomKeyStore for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) ConnectCustomKeyStoreWithContext(ctx aws.Context, input *ConnectCustomKeyStoreInput, opts ...request.Option) (*ConnectCustomKeyStoreOutput, error) { + req, out := c.ConnectCustomKeyStoreRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opCreateAlias = "CreateAlias" + +// CreateAliasRequest generates a "aws/request.Request" representing the +// client's request for the CreateAlias operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See CreateAlias for more information on using the CreateAlias +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the CreateAliasRequest method. +// req, resp := client.CreateAliasRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateAlias +func (c *KMS) CreateAliasRequest(input *CreateAliasInput) (req *request.Request, output *CreateAliasOutput) { + op := &request.Operation{ + Name: opCreateAlias, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &CreateAliasInput{} + } + + output = &CreateAliasOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// CreateAlias API operation for AWS Key Management Service. +// +// Creates a display name for a customer managed customer master key (CMK). +// You can use an alias to identify a CMK in selected operations, such as Encrypt +// and GenerateDataKey. +// +// Each CMK can have multiple aliases, but each alias points to only one CMK. +// The alias name must be unique in the AWS account and region. To simplify +// code that runs in multiple regions, use the same alias name, but point it +// to a different CMK in each region. +// +// Because an alias is not a property of a CMK, you can delete and change the +// aliases of a CMK without affecting the CMK. Also, aliases do not appear in +// the response from the DescribeKey operation. To get the aliases of all CMKs, +// use the ListAliases operation. +// +// The alias name must begin with alias/ followed by a name, such as alias/ExampleAlias. +// It can contain only alphanumeric characters, forward slashes (/), underscores +// (_), and dashes (-). The alias name cannot begin with alias/aws/. The alias/aws/ +// prefix is reserved for AWS managed CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk). +// +// The alias and the CMK it is mapped to must be in the same AWS account and +// the same region. You cannot perform this operation on an alias in a different +// AWS account. +// +// To map an existing alias to a different CMK, call UpdateAlias. +// +// The result of this operation varies with the key state of the CMK. For details, +// see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation CreateAlias for usage and error information. +// +// Returned Error Codes: +// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * ErrCodeAlreadyExistsException "AlreadyExistsException" +// The request was rejected because it attempted to create a resource that already +// exists. +// +// * ErrCodeNotFoundException "NotFoundException" +// The request was rejected because the specified entity or resource could not +// be found. +// +// * ErrCodeInvalidAliasNameException "InvalidAliasNameException" +// The request was rejected because the specified alias name is not valid. +// +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * ErrCodeLimitExceededException "LimitExceededException" +// The request was rejected because a limit was exceeded. For more information, +// see Limits (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html) +// in the AWS Key Management Service Developer Guide. +// +// * ErrCodeInvalidStateException "KMSInvalidStateException" +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateAlias +func (c *KMS) CreateAlias(input *CreateAliasInput) (*CreateAliasOutput, error) { + req, out := c.CreateAliasRequest(input) + return out, req.Send() +} + +// CreateAliasWithContext is the same as CreateAlias with the addition of +// the ability to pass a context and additional request options. +// +// See CreateAlias for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) CreateAliasWithContext(ctx aws.Context, input *CreateAliasInput, opts ...request.Option) (*CreateAliasOutput, error) { + req, out := c.CreateAliasRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opCreateCustomKeyStore = "CreateCustomKeyStore" + +// CreateCustomKeyStoreRequest generates a "aws/request.Request" representing the +// client's request for the CreateCustomKeyStore operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See CreateCustomKeyStore for more information on using the CreateCustomKeyStore +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the CreateCustomKeyStoreRequest method. +// req, resp := client.CreateCustomKeyStoreRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateCustomKeyStore +func (c *KMS) CreateCustomKeyStoreRequest(input *CreateCustomKeyStoreInput) (req *request.Request, output *CreateCustomKeyStoreOutput) { + op := &request.Operation{ + Name: opCreateCustomKeyStore, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &CreateCustomKeyStoreInput{} + } + + output = &CreateCustomKeyStoreOutput{} + req = c.newRequest(op, input, output) + return +} + +// CreateCustomKeyStore API operation for AWS Key Management Service. +// +// Creates a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) +// that is associated with an AWS CloudHSM cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/clusters.html) +// that you own and manage. +// +// This operation is part of the Custom Key Store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) +// feature in AWS KMS, which combines the convenience and extensive integration +// of AWS KMS with the isolation and control of a single-tenant key store. +// +// Before you create the custom key store, you must assemble the required elements, +// including an AWS CloudHSM cluster that fulfills the requirements for a custom +// key store. For details about the required elements, see Assemble the Prerequisites +// (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) +// in the AWS Key Management Service Developer Guide. +// +// When the operation completes successfully, it returns the ID of the new custom +// key store. Before you can use your new custom key store, you need to use +// the ConnectCustomKeyStore operation to connect the new key store to its AWS +// CloudHSM cluster. Even if you are not going to use your custom key store +// immediately, you might want to connect it to verify that all settings are +// correct and then disconnect it until you are ready to use it. +// +// For help with failures, see Troubleshooting a Custom Key Store (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html) +// in the AWS Key Management Service Developer Guide. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation CreateCustomKeyStore for usage and error information. +// +// Returned Error Codes: +// * ErrCodeCloudHsmClusterInUseException "CloudHsmClusterInUseException" +// The request was rejected because the specified AWS CloudHSM cluster is already +// associated with a custom key store or it shares a backup history with a cluster +// that is associated with a custom key store. Each custom key store must be +// associated with a different AWS CloudHSM cluster. +// +// Clusters that share a backup history have the same cluster certificate. To +// view the cluster certificate of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) +// operation. +// +// * ErrCodeCustomKeyStoreNameInUseException "CustomKeyStoreNameInUseException" +// The request was rejected because the specified custom key store name is already +// assigned to another custom key store in the account. Try again with a custom +// key store name that is unique in the account. +// +// * ErrCodeCloudHsmClusterNotFoundException "CloudHsmClusterNotFoundException" +// The request was rejected because AWS KMS cannot find the AWS CloudHSM cluster +// with the specified cluster ID. Retry the request with a different cluster +// ID. +// +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * ErrCodeCloudHsmClusterNotActiveException "CloudHsmClusterNotActiveException" +// The request was rejected because the AWS CloudHSM cluster that is associated +// with the custom key store is not active. Initialize and activate the cluster +// and try the command again. For detailed instructions, see Getting Started +// (https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html) +// in the AWS CloudHSM User Guide. +// +// * ErrCodeIncorrectTrustAnchorException "IncorrectTrustAnchorException" +// The request was rejected because the trust anchor certificate in the request +// is not the trust anchor certificate for the specified AWS CloudHSM cluster. +// +// When you initialize the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr), +// you create the trust anchor certificate and save it in the customerCA.crt +// file. +// +// * ErrCodeCloudHsmClusterInvalidConfigurationException "CloudHsmClusterInvalidConfigurationException" +// The request was rejected because the associated AWS CloudHSM cluster did +// not meet the configuration requirements for a custom key store. +// +// * The cluster must be configured with private subnets in at least two +// different Availability Zones in the Region. +// +// * The security group for the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) +// (cloudhsm-cluster--sg) must include inbound rules and outbound +// rules that allow TCP traffic on ports 2223-2225. The Source in the inbound +// rules and the Destination in the outbound rules must match the security +// group ID. These rules are set by default when you create the cluster. +// Do not delete or change them. To get information about a particular security +// group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html) +// operation. +// +// * The cluster must contain at least as many HSMs as the operation requires. +// To add HSMs, use the AWS CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html) +// operation. +// +// For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey operations, +// the AWS CloudHSM cluster must have at least two active HSMs, each in a +// different Availability Zone. For the ConnectCustomKeyStore operation, +// the AWS CloudHSM must contain at least one active HSM. +// +// For information about the requirements for an AWS CloudHSM cluster that is +// associated with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) +// in the AWS Key Management Service Developer Guide. For information about +// creating a private subnet for an AWS CloudHSM cluster, see Create a Private +// Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html) +// in the AWS CloudHSM User Guide. For information about cluster security groups, +// see Configure a Default Security Group (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) +// in the AWS CloudHSM User Guide. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateCustomKeyStore +func (c *KMS) CreateCustomKeyStore(input *CreateCustomKeyStoreInput) (*CreateCustomKeyStoreOutput, error) { + req, out := c.CreateCustomKeyStoreRequest(input) + return out, req.Send() +} + +// CreateCustomKeyStoreWithContext is the same as CreateCustomKeyStore with the addition of +// the ability to pass a context and additional request options. +// +// See CreateCustomKeyStore for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) CreateCustomKeyStoreWithContext(ctx aws.Context, input *CreateCustomKeyStoreInput, opts ...request.Option) (*CreateCustomKeyStoreOutput, error) { + req, out := c.CreateCustomKeyStoreRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opCreateGrant = "CreateGrant" + +// CreateGrantRequest generates a "aws/request.Request" representing the +// client's request for the CreateGrant operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See CreateGrant for more information on using the CreateGrant +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the CreateGrantRequest method. +// req, resp := client.CreateGrantRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateGrant +func (c *KMS) CreateGrantRequest(input *CreateGrantInput) (req *request.Request, output *CreateGrantOutput) { + op := &request.Operation{ + Name: opCreateGrant, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &CreateGrantInput{} + } + + output = &CreateGrantOutput{} + req = c.newRequest(op, input, output) + return +} + +// CreateGrant API operation for AWS Key Management Service. +// +// Adds a grant to a customer master key (CMK). The grant allows the grantee +// principal to use the CMK when the conditions specified in the grant are met. +// When setting permissions, grants are an alternative to key policies. +// +// To create a grant that allows a cryptographic operation only when the encryption +// context in the operation request matches or includes a specified encryption +// context, use the Constraints parameter. For details, see GrantConstraints. +// +// To perform this operation on a CMK in a different AWS account, specify the +// key ARN in the value of the KeyId parameter. For more information about grants, +// see Grants (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) +// in the AWS Key Management Service Developer Guide. +// +// The result of this operation varies with the key state of the CMK. For details, +// see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation CreateGrant for usage and error information. +// +// Returned Error Codes: +// * ErrCodeNotFoundException "NotFoundException" +// The request was rejected because the specified entity or resource could not +// be found. +// +// * ErrCodeDisabledException "DisabledException" +// The request was rejected because the specified CMK is not enabled. +// +// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * ErrCodeInvalidArnException "InvalidArnException" +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * ErrCodeInvalidGrantTokenException "InvalidGrantTokenException" +// The request was rejected because the specified grant token is not valid. +// +// * ErrCodeLimitExceededException "LimitExceededException" +// The request was rejected because a limit was exceeded. For more information, +// see Limits (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html) +// in the AWS Key Management Service Developer Guide. +// +// * ErrCodeInvalidStateException "KMSInvalidStateException" +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateGrant +func (c *KMS) CreateGrant(input *CreateGrantInput) (*CreateGrantOutput, error) { + req, out := c.CreateGrantRequest(input) + return out, req.Send() +} + +// CreateGrantWithContext is the same as CreateGrant with the addition of +// the ability to pass a context and additional request options. +// +// See CreateGrant for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) CreateGrantWithContext(ctx aws.Context, input *CreateGrantInput, opts ...request.Option) (*CreateGrantOutput, error) { + req, out := c.CreateGrantRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opCreateKey = "CreateKey" + +// CreateKeyRequest generates a "aws/request.Request" representing the +// client's request for the CreateKey operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See CreateKey for more information on using the CreateKey +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the CreateKeyRequest method. +// req, resp := client.CreateKeyRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKey +func (c *KMS) CreateKeyRequest(input *CreateKeyInput) (req *request.Request, output *CreateKeyOutput) { + op := &request.Operation{ + Name: opCreateKey, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &CreateKeyInput{} + } + + output = &CreateKeyOutput{} + req = c.newRequest(op, input, output) + return +} + +// CreateKey API operation for AWS Key Management Service. +// +// Creates a customer managed customer master key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys) +// (CMK) in your AWS account. +// +// You can use a CMK to encrypt small amounts of data (up to 4096 bytes) directly. +// But CMKs are more commonly used to encrypt the data keys (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-keys) +// that are used to encrypt data. +// +// To create a CMK for imported key material, use the Origin parameter with +// a value of EXTERNAL. +// +// To create a CMK in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html), +// use the CustomKeyStoreId parameter to specify the custom key store. You must +// also use the Origin parameter with a value of AWS_CLOUDHSM. The AWS CloudHSM +// cluster that is associated with the custom key store must have at least two +// active HSMs in different Availability Zones in the AWS Region. +// +// You cannot use this operation to create a CMK in a different AWS account. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation CreateKey for usage and error information. +// +// Returned Error Codes: +// * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocumentException" +// The request was rejected because the specified policy is not syntactically +// or semantically correct. +// +// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * ErrCodeInvalidArnException "InvalidArnException" +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * ErrCodeUnsupportedOperationException "UnsupportedOperationException" +// The request was rejected because a specified parameter is not supported or +// a specified resource is not valid for this operation. +// +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * ErrCodeLimitExceededException "LimitExceededException" +// The request was rejected because a limit was exceeded. For more information, +// see Limits (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html) +// in the AWS Key Management Service Developer Guide. +// +// * ErrCodeTagException "TagException" +// The request was rejected because one or more tags are not valid. +// +// * ErrCodeCustomKeyStoreNotFoundException "CustomKeyStoreNotFoundException" +// The request was rejected because AWS KMS cannot find a custom key store with +// the specified key store name or ID. +// +// * ErrCodeCustomKeyStoreInvalidStateException "CustomKeyStoreInvalidStateException" +// The request was rejected because of the ConnectionState of the custom key +// store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores +// operation. +// +// This exception is thrown under the following conditions: +// +// * You requested the CreateKey or GenerateRandom operation in a custom +// key store that is not connected. These operations are valid only when +// the custom key store ConnectionState is CONNECTED. +// +// * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation +// on a custom key store that is not disconnected. This operation is valid +// only when the custom key store ConnectionState is DISCONNECTED. +// +// * You requested the ConnectCustomKeyStore operation on a custom key store +// with a ConnectionState of DISCONNECTING or FAILED. This operation is valid +// for all other ConnectionState values. +// +// * ErrCodeCloudHsmClusterInvalidConfigurationException "CloudHsmClusterInvalidConfigurationException" +// The request was rejected because the associated AWS CloudHSM cluster did +// not meet the configuration requirements for a custom key store. +// +// * The cluster must be configured with private subnets in at least two +// different Availability Zones in the Region. +// +// * The security group for the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) +// (cloudhsm-cluster--sg) must include inbound rules and outbound +// rules that allow TCP traffic on ports 2223-2225. The Source in the inbound +// rules and the Destination in the outbound rules must match the security +// group ID. These rules are set by default when you create the cluster. +// Do not delete or change them. To get information about a particular security +// group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html) +// operation. +// +// * The cluster must contain at least as many HSMs as the operation requires. +// To add HSMs, use the AWS CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html) +// operation. +// +// For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey operations, +// the AWS CloudHSM cluster must have at least two active HSMs, each in a +// different Availability Zone. For the ConnectCustomKeyStore operation, +// the AWS CloudHSM must contain at least one active HSM. +// +// For information about the requirements for an AWS CloudHSM cluster that is +// associated with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) +// in the AWS Key Management Service Developer Guide. For information about +// creating a private subnet for an AWS CloudHSM cluster, see Create a Private +// Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html) +// in the AWS CloudHSM User Guide. For information about cluster security groups, +// see Configure a Default Security Group (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) +// in the AWS CloudHSM User Guide. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKey +func (c *KMS) CreateKey(input *CreateKeyInput) (*CreateKeyOutput, error) { + req, out := c.CreateKeyRequest(input) + return out, req.Send() +} + +// CreateKeyWithContext is the same as CreateKey with the addition of +// the ability to pass a context and additional request options. +// +// See CreateKey for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) CreateKeyWithContext(ctx aws.Context, input *CreateKeyInput, opts ...request.Option) (*CreateKeyOutput, error) { + req, out := c.CreateKeyRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opDecrypt = "Decrypt" + +// DecryptRequest generates a "aws/request.Request" representing the +// client's request for the Decrypt operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See Decrypt for more information on using the Decrypt +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the DecryptRequest method. +// req, resp := client.DecryptRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Decrypt +func (c *KMS) DecryptRequest(input *DecryptInput) (req *request.Request, output *DecryptOutput) { + op := &request.Operation{ + Name: opDecrypt, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &DecryptInput{} + } + + output = &DecryptOutput{} + req = c.newRequest(op, input, output) + return +} + +// Decrypt API operation for AWS Key Management Service. +// +// Decrypts ciphertext. Ciphertext is plaintext that has been previously encrypted +// by using any of the following operations: +// +// * GenerateDataKey +// +// * GenerateDataKeyWithoutPlaintext +// +// * Encrypt +// +// Whenever possible, use key policies to give users permission to call the +// Decrypt operation on the CMK, instead of IAM policies. Otherwise, you might +// create an IAM user policy that gives the user Decrypt permission on all CMKs. +// This user could decrypt ciphertext that was encrypted by CMKs in other accounts +// if the key policy for the cross-account CMK permits it. If you must use an +// IAM policy for Decrypt permissions, limit the user to particular CMKs or +// particular trusted accounts. +// +// The result of this operation varies with the key state of the CMK. For details, +// see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation Decrypt for usage and error information. +// +// Returned Error Codes: +// * ErrCodeNotFoundException "NotFoundException" +// The request was rejected because the specified entity or resource could not +// be found. +// +// * ErrCodeDisabledException "DisabledException" +// The request was rejected because the specified CMK is not enabled. +// +// * ErrCodeInvalidCiphertextException "InvalidCiphertextException" +// The request was rejected because the specified ciphertext, or additional +// authenticated data incorporated into the ciphertext, such as the encryption +// context, is corrupted, missing, or otherwise invalid. +// +// * ErrCodeKeyUnavailableException "KeyUnavailableException" +// The request was rejected because the specified CMK was not available. The +// request can be retried. +// +// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * ErrCodeInvalidGrantTokenException "InvalidGrantTokenException" +// The request was rejected because the specified grant token is not valid. +// +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * ErrCodeInvalidStateException "KMSInvalidStateException" +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Decrypt +func (c *KMS) Decrypt(input *DecryptInput) (*DecryptOutput, error) { + req, out := c.DecryptRequest(input) + return out, req.Send() +} + +// DecryptWithContext is the same as Decrypt with the addition of +// the ability to pass a context and additional request options. +// +// See Decrypt for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) DecryptWithContext(ctx aws.Context, input *DecryptInput, opts ...request.Option) (*DecryptOutput, error) { + req, out := c.DecryptRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opDeleteAlias = "DeleteAlias" + +// DeleteAliasRequest generates a "aws/request.Request" representing the +// client's request for the DeleteAlias operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See DeleteAlias for more information on using the DeleteAlias +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the DeleteAliasRequest method. +// req, resp := client.DeleteAliasRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteAlias +func (c *KMS) DeleteAliasRequest(input *DeleteAliasInput) (req *request.Request, output *DeleteAliasOutput) { + op := &request.Operation{ + Name: opDeleteAlias, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &DeleteAliasInput{} + } + + output = &DeleteAliasOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// DeleteAlias API operation for AWS Key Management Service. +// +// Deletes the specified alias. You cannot perform this operation on an alias +// in a different AWS account. +// +// Because an alias is not a property of a CMK, you can delete and change the +// aliases of a CMK without affecting the CMK. Also, aliases do not appear in +// the response from the DescribeKey operation. To get the aliases of all CMKs, +// use the ListAliases operation. +// +// Each CMK can have multiple aliases. To change the alias of a CMK, use DeleteAlias +// to delete the current alias and CreateAlias to create a new alias. To associate +// an existing alias with a different customer master key (CMK), call UpdateAlias. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation DeleteAlias for usage and error information. +// +// Returned Error Codes: +// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * ErrCodeNotFoundException "NotFoundException" +// The request was rejected because the specified entity or resource could not +// be found. +// +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * ErrCodeInvalidStateException "KMSInvalidStateException" +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteAlias +func (c *KMS) DeleteAlias(input *DeleteAliasInput) (*DeleteAliasOutput, error) { + req, out := c.DeleteAliasRequest(input) + return out, req.Send() +} + +// DeleteAliasWithContext is the same as DeleteAlias with the addition of +// the ability to pass a context and additional request options. +// +// See DeleteAlias for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) DeleteAliasWithContext(ctx aws.Context, input *DeleteAliasInput, opts ...request.Option) (*DeleteAliasOutput, error) { + req, out := c.DeleteAliasRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opDeleteCustomKeyStore = "DeleteCustomKeyStore" + +// DeleteCustomKeyStoreRequest generates a "aws/request.Request" representing the +// client's request for the DeleteCustomKeyStore operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See DeleteCustomKeyStore for more information on using the DeleteCustomKeyStore +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the DeleteCustomKeyStoreRequest method. +// req, resp := client.DeleteCustomKeyStoreRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteCustomKeyStore +func (c *KMS) DeleteCustomKeyStoreRequest(input *DeleteCustomKeyStoreInput) (req *request.Request, output *DeleteCustomKeyStoreOutput) { + op := &request.Operation{ + Name: opDeleteCustomKeyStore, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &DeleteCustomKeyStoreInput{} + } + + output = &DeleteCustomKeyStoreOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// DeleteCustomKeyStore API operation for AWS Key Management Service. +// +// Deletes a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html). +// This operation does not delete the AWS CloudHSM cluster that is associated +// with the custom key store, or affect any users or keys in the cluster. +// +// The custom key store that you delete cannot contain any AWS KMS customer +// master keys (CMKs) (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys). +// Before deleting the key store, verify that you will never need to use any +// of the CMKs in the key store for any cryptographic operations. Then, use +// ScheduleKeyDeletion to delete the AWS KMS customer master keys (CMKs) from +// the key store. When the scheduled waiting period expires, the ScheduleKeyDeletion +// operation deletes the CMKs. Then it makes a best effort to delete the key +// material from the associated cluster. However, you might need to manually +// delete the orphaned key material (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key) +// from the cluster and its backups. +// +// After all CMKs are deleted from AWS KMS, use DisconnectCustomKeyStore to +// disconnect the key store from AWS KMS. Then, you can delete the custom key +// store. +// +// Instead of deleting the custom key store, consider using DisconnectCustomKeyStore +// to disconnect it from AWS KMS. While the key store is disconnected, you cannot +// create or use the CMKs in the key store. But, you do not need to delete CMKs +// and you can reconnect a disconnected custom key store at any time. +// +// If the operation succeeds, it returns a JSON object with no properties. +// +// This operation is part of the Custom Key Store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) +// feature in AWS KMS, which combines the convenience and extensive integration +// of AWS KMS with the isolation and control of a single-tenant key store. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation DeleteCustomKeyStore for usage and error information. +// +// Returned Error Codes: +// * ErrCodeCustomKeyStoreHasCMKsException "CustomKeyStoreHasCMKsException" +// The request was rejected because the custom key store contains AWS KMS customer +// master keys (CMKs). After verifying that you do not need to use the CMKs, +// use the ScheduleKeyDeletion operation to delete the CMKs. After they are +// deleted, you can delete the custom key store. +// +// * ErrCodeCustomKeyStoreInvalidStateException "CustomKeyStoreInvalidStateException" +// The request was rejected because of the ConnectionState of the custom key +// store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores +// operation. +// +// This exception is thrown under the following conditions: +// +// * You requested the CreateKey or GenerateRandom operation in a custom +// key store that is not connected. These operations are valid only when +// the custom key store ConnectionState is CONNECTED. +// +// * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation +// on a custom key store that is not disconnected. This operation is valid +// only when the custom key store ConnectionState is DISCONNECTED. +// +// * You requested the ConnectCustomKeyStore operation on a custom key store +// with a ConnectionState of DISCONNECTING or FAILED. This operation is valid +// for all other ConnectionState values. +// +// * ErrCodeCustomKeyStoreNotFoundException "CustomKeyStoreNotFoundException" +// The request was rejected because AWS KMS cannot find a custom key store with +// the specified key store name or ID. +// +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteCustomKeyStore +func (c *KMS) DeleteCustomKeyStore(input *DeleteCustomKeyStoreInput) (*DeleteCustomKeyStoreOutput, error) { + req, out := c.DeleteCustomKeyStoreRequest(input) + return out, req.Send() +} + +// DeleteCustomKeyStoreWithContext is the same as DeleteCustomKeyStore with the addition of +// the ability to pass a context and additional request options. +// +// See DeleteCustomKeyStore for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) DeleteCustomKeyStoreWithContext(ctx aws.Context, input *DeleteCustomKeyStoreInput, opts ...request.Option) (*DeleteCustomKeyStoreOutput, error) { + req, out := c.DeleteCustomKeyStoreRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opDeleteImportedKeyMaterial = "DeleteImportedKeyMaterial" + +// DeleteImportedKeyMaterialRequest generates a "aws/request.Request" representing the +// client's request for the DeleteImportedKeyMaterial operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See DeleteImportedKeyMaterial for more information on using the DeleteImportedKeyMaterial +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the DeleteImportedKeyMaterialRequest method. +// req, resp := client.DeleteImportedKeyMaterialRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteImportedKeyMaterial +func (c *KMS) DeleteImportedKeyMaterialRequest(input *DeleteImportedKeyMaterialInput) (req *request.Request, output *DeleteImportedKeyMaterialOutput) { + op := &request.Operation{ + Name: opDeleteImportedKeyMaterial, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &DeleteImportedKeyMaterialInput{} + } + + output = &DeleteImportedKeyMaterialOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// DeleteImportedKeyMaterial API operation for AWS Key Management Service. +// +// Deletes key material that you previously imported. This operation makes the +// specified customer master key (CMK) unusable. For more information about +// importing key material into AWS KMS, see Importing Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) +// in the AWS Key Management Service Developer Guide. You cannot perform this +// operation on a CMK in a different AWS account. +// +// When the specified CMK is in the PendingDeletion state, this operation does +// not change the CMK's state. Otherwise, it changes the CMK's state to PendingImport. +// +// After you delete key material, you can use ImportKeyMaterial to reimport +// the same key material into the CMK. +// +// The result of this operation varies with the key state of the CMK. For details, +// see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation DeleteImportedKeyMaterial for usage and error information. +// +// Returned Error Codes: +// * ErrCodeInvalidArnException "InvalidArnException" +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * ErrCodeUnsupportedOperationException "UnsupportedOperationException" +// The request was rejected because a specified parameter is not supported or +// a specified resource is not valid for this operation. +// +// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * ErrCodeNotFoundException "NotFoundException" +// The request was rejected because the specified entity or resource could not +// be found. +// +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * ErrCodeInvalidStateException "KMSInvalidStateException" +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteImportedKeyMaterial +func (c *KMS) DeleteImportedKeyMaterial(input *DeleteImportedKeyMaterialInput) (*DeleteImportedKeyMaterialOutput, error) { + req, out := c.DeleteImportedKeyMaterialRequest(input) + return out, req.Send() +} + +// DeleteImportedKeyMaterialWithContext is the same as DeleteImportedKeyMaterial with the addition of +// the ability to pass a context and additional request options. +// +// See DeleteImportedKeyMaterial for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) DeleteImportedKeyMaterialWithContext(ctx aws.Context, input *DeleteImportedKeyMaterialInput, opts ...request.Option) (*DeleteImportedKeyMaterialOutput, error) { + req, out := c.DeleteImportedKeyMaterialRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opDescribeCustomKeyStores = "DescribeCustomKeyStores" + +// DescribeCustomKeyStoresRequest generates a "aws/request.Request" representing the +// client's request for the DescribeCustomKeyStores operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See DescribeCustomKeyStores for more information on using the DescribeCustomKeyStores +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the DescribeCustomKeyStoresRequest method. +// req, resp := client.DescribeCustomKeyStoresRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeCustomKeyStores +func (c *KMS) DescribeCustomKeyStoresRequest(input *DescribeCustomKeyStoresInput) (req *request.Request, output *DescribeCustomKeyStoresOutput) { + op := &request.Operation{ + Name: opDescribeCustomKeyStores, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &DescribeCustomKeyStoresInput{} + } + + output = &DescribeCustomKeyStoresOutput{} + req = c.newRequest(op, input, output) + return +} + +// DescribeCustomKeyStores API operation for AWS Key Management Service. +// +// Gets information about custom key stores (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) +// in the account and region. +// +// This operation is part of the Custom Key Store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) +// feature in AWS KMS, which combines the convenience and extensive integration +// of AWS KMS with the isolation and control of a single-tenant key store. +// +// By default, this operation returns information about all custom key stores +// in the account and region. To get only information about a particular custom +// key store, use either the CustomKeyStoreName or CustomKeyStoreId parameter +// (but not both). +// +// To determine whether the custom key store is connected to its AWS CloudHSM +// cluster, use the ConnectionState element in the response. If an attempt to +// connect the custom key store failed, the ConnectionState value is FAILED +// and the ConnectionErrorCode element in the response indicates the cause of +// the failure. For help interpreting the ConnectionErrorCode, see CustomKeyStoresListEntry. +// +// Custom key stores have a DISCONNECTED connection state if the key store has +// never been connected or you use the DisconnectCustomKeyStore operation to +// disconnect it. If your custom key store state is CONNECTED but you are having +// trouble using it, make sure that its associated AWS CloudHSM cluster is active +// and contains the minimum number of HSMs required for the operation, if any. +// +// For help repairing your custom key store, see the Troubleshooting Custom +// Key Stores (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html) +// topic in the AWS Key Management Service Developer Guide. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation DescribeCustomKeyStores for usage and error information. +// +// Returned Error Codes: +// * ErrCodeCustomKeyStoreNotFoundException "CustomKeyStoreNotFoundException" +// The request was rejected because AWS KMS cannot find a custom key store with +// the specified key store name or ID. +// +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeCustomKeyStores +func (c *KMS) DescribeCustomKeyStores(input *DescribeCustomKeyStoresInput) (*DescribeCustomKeyStoresOutput, error) { + req, out := c.DescribeCustomKeyStoresRequest(input) + return out, req.Send() +} + +// DescribeCustomKeyStoresWithContext is the same as DescribeCustomKeyStores with the addition of +// the ability to pass a context and additional request options. +// +// See DescribeCustomKeyStores for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) DescribeCustomKeyStoresWithContext(ctx aws.Context, input *DescribeCustomKeyStoresInput, opts ...request.Option) (*DescribeCustomKeyStoresOutput, error) { + req, out := c.DescribeCustomKeyStoresRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opDescribeKey = "DescribeKey" + +// DescribeKeyRequest generates a "aws/request.Request" representing the +// client's request for the DescribeKey operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See DescribeKey for more information on using the DescribeKey +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the DescribeKeyRequest method. +// req, resp := client.DescribeKeyRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeKey +func (c *KMS) DescribeKeyRequest(input *DescribeKeyInput) (req *request.Request, output *DescribeKeyOutput) { + op := &request.Operation{ + Name: opDescribeKey, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &DescribeKeyInput{} + } + + output = &DescribeKeyOutput{} + req = c.newRequest(op, input, output) + return +} + +// DescribeKey API operation for AWS Key Management Service. +// +// Provides detailed information about the specified customer master key (CMK). +// +// You can use DescribeKey on a predefined AWS alias, that is, an AWS alias +// with no key ID. When you do, AWS KMS associates the alias with an AWS managed +// CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys) +// and returns its KeyId and Arn in the response. +// +// To perform this operation on a CMK in a different AWS account, specify the +// key ARN or alias ARN in the value of the KeyId parameter. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation DescribeKey for usage and error information. +// +// Returned Error Codes: +// * ErrCodeNotFoundException "NotFoundException" +// The request was rejected because the specified entity or resource could not +// be found. +// +// * ErrCodeInvalidArnException "InvalidArnException" +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DescribeKey +func (c *KMS) DescribeKey(input *DescribeKeyInput) (*DescribeKeyOutput, error) { + req, out := c.DescribeKeyRequest(input) + return out, req.Send() +} + +// DescribeKeyWithContext is the same as DescribeKey with the addition of +// the ability to pass a context and additional request options. +// +// See DescribeKey for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) DescribeKeyWithContext(ctx aws.Context, input *DescribeKeyInput, opts ...request.Option) (*DescribeKeyOutput, error) { + req, out := c.DescribeKeyRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opDisableKey = "DisableKey" + +// DisableKeyRequest generates a "aws/request.Request" representing the +// client's request for the DisableKey operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See DisableKey for more information on using the DisableKey +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the DisableKeyRequest method. +// req, resp := client.DisableKeyRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKey +func (c *KMS) DisableKeyRequest(input *DisableKeyInput) (req *request.Request, output *DisableKeyOutput) { + op := &request.Operation{ + Name: opDisableKey, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &DisableKeyInput{} + } + + output = &DisableKeyOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// DisableKey API operation for AWS Key Management Service. +// +// Sets the state of a customer master key (CMK) to disabled, thereby preventing +// its use for cryptographic operations. You cannot perform this operation on +// a CMK in a different AWS account. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects the Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// The result of this operation varies with the key state of the CMK. For details, +// see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation DisableKey for usage and error information. +// +// Returned Error Codes: +// * ErrCodeNotFoundException "NotFoundException" +// The request was rejected because the specified entity or resource could not +// be found. +// +// * ErrCodeInvalidArnException "InvalidArnException" +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * ErrCodeInvalidStateException "KMSInvalidStateException" +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKey +func (c *KMS) DisableKey(input *DisableKeyInput) (*DisableKeyOutput, error) { + req, out := c.DisableKeyRequest(input) + return out, req.Send() +} + +// DisableKeyWithContext is the same as DisableKey with the addition of +// the ability to pass a context and additional request options. +// +// See DisableKey for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) DisableKeyWithContext(ctx aws.Context, input *DisableKeyInput, opts ...request.Option) (*DisableKeyOutput, error) { + req, out := c.DisableKeyRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opDisableKeyRotation = "DisableKeyRotation" + +// DisableKeyRotationRequest generates a "aws/request.Request" representing the +// client's request for the DisableKeyRotation operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See DisableKeyRotation for more information on using the DisableKeyRotation +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the DisableKeyRotationRequest method. +// req, resp := client.DisableKeyRotationRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKeyRotation +func (c *KMS) DisableKeyRotationRequest(input *DisableKeyRotationInput) (req *request.Request, output *DisableKeyRotationOutput) { + op := &request.Operation{ + Name: opDisableKeyRotation, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &DisableKeyRotationInput{} + } + + output = &DisableKeyRotationOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// DisableKeyRotation API operation for AWS Key Management Service. +// +// Disables automatic rotation of the key material (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) +// for the specified customer master key (CMK). You cannot perform this operation +// on a CMK in a different AWS account. +// +// The result of this operation varies with the key state of the CMK. For details, +// see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation DisableKeyRotation for usage and error information. +// +// Returned Error Codes: +// * ErrCodeNotFoundException "NotFoundException" +// The request was rejected because the specified entity or resource could not +// be found. +// +// * ErrCodeDisabledException "DisabledException" +// The request was rejected because the specified CMK is not enabled. +// +// * ErrCodeInvalidArnException "InvalidArnException" +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * ErrCodeInvalidStateException "KMSInvalidStateException" +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// * ErrCodeUnsupportedOperationException "UnsupportedOperationException" +// The request was rejected because a specified parameter is not supported or +// a specified resource is not valid for this operation. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKeyRotation +func (c *KMS) DisableKeyRotation(input *DisableKeyRotationInput) (*DisableKeyRotationOutput, error) { + req, out := c.DisableKeyRotationRequest(input) + return out, req.Send() +} + +// DisableKeyRotationWithContext is the same as DisableKeyRotation with the addition of +// the ability to pass a context and additional request options. +// +// See DisableKeyRotation for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) DisableKeyRotationWithContext(ctx aws.Context, input *DisableKeyRotationInput, opts ...request.Option) (*DisableKeyRotationOutput, error) { + req, out := c.DisableKeyRotationRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opDisconnectCustomKeyStore = "DisconnectCustomKeyStore" + +// DisconnectCustomKeyStoreRequest generates a "aws/request.Request" representing the +// client's request for the DisconnectCustomKeyStore operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See DisconnectCustomKeyStore for more information on using the DisconnectCustomKeyStore +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the DisconnectCustomKeyStoreRequest method. +// req, resp := client.DisconnectCustomKeyStoreRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisconnectCustomKeyStore +func (c *KMS) DisconnectCustomKeyStoreRequest(input *DisconnectCustomKeyStoreInput) (req *request.Request, output *DisconnectCustomKeyStoreOutput) { + op := &request.Operation{ + Name: opDisconnectCustomKeyStore, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &DisconnectCustomKeyStoreInput{} + } + + output = &DisconnectCustomKeyStoreOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// DisconnectCustomKeyStore API operation for AWS Key Management Service. +// +// Disconnects the custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) +// from its associated AWS CloudHSM cluster. While a custom key store is disconnected, +// you can manage the custom key store and its customer master keys (CMKs), +// but you cannot create or use CMKs in the custom key store. You can reconnect +// the custom key store at any time. +// +// While a custom key store is disconnected, all attempts to create customer +// master keys (CMKs) in the custom key store or to use existing CMKs in cryptographic +// operations will fail. This action can prevent users from storing and accessing +// sensitive data. +// +// To find the connection state of a custom key store, use the DescribeCustomKeyStoresoperation. To reconnect a custom key store, use the ConnectCustomKeyStoreoperation. +// +// If the operation succeeds, it returns a JSON object with no properties. +// +// This operation is part of the Custom Key Store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation DisconnectCustomKeyStore for usage and error information. +// +// Returned Error Codes: +// * ErrCodeCustomKeyStoreInvalidStateException "CustomKeyStoreInvalidStateException" +// The request was rejected because of the ConnectionState of the custom key +// store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores +// operation. +// +// This exception is thrown under the following conditions: +// +// * You requested the CreateKey or GenerateRandom operation in a custom +// key store that is not connected. These operations are valid only when +// the custom key store ConnectionState is CONNECTED. +// +// * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation +// on a custom key store that is not disconnected. This operation is valid +// only when the custom key store ConnectionState is DISCONNECTED. +// +// * You requested the ConnectCustomKeyStore operation on a custom key store +// with a ConnectionState of DISCONNECTING or FAILED. This operation is valid +// for all other ConnectionState values. +// +// * ErrCodeCustomKeyStoreNotFoundException "CustomKeyStoreNotFoundException" +// The request was rejected because AWS KMS cannot find a custom key store with +// the specified key store name or ID. +// +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisconnectCustomKeyStore +func (c *KMS) DisconnectCustomKeyStore(input *DisconnectCustomKeyStoreInput) (*DisconnectCustomKeyStoreOutput, error) { + req, out := c.DisconnectCustomKeyStoreRequest(input) + return out, req.Send() +} + +// DisconnectCustomKeyStoreWithContext is the same as DisconnectCustomKeyStore with the addition of +// the ability to pass a context and additional request options. +// +// See DisconnectCustomKeyStore for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) DisconnectCustomKeyStoreWithContext(ctx aws.Context, input *DisconnectCustomKeyStoreInput, opts ...request.Option) (*DisconnectCustomKeyStoreOutput, error) { + req, out := c.DisconnectCustomKeyStoreRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opEnableKey = "EnableKey" + +// EnableKeyRequest generates a "aws/request.Request" representing the +// client's request for the EnableKey operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See EnableKey for more information on using the EnableKey +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the EnableKeyRequest method. +// req, resp := client.EnableKeyRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKey +func (c *KMS) EnableKeyRequest(input *EnableKeyInput) (req *request.Request, output *EnableKeyOutput) { + op := &request.Operation{ + Name: opEnableKey, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &EnableKeyInput{} + } + + output = &EnableKeyOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// EnableKey API operation for AWS Key Management Service. +// +// Sets the key state of a customer master key (CMK) to enabled. This allows +// you to use the CMK for cryptographic operations. You cannot perform this +// operation on a CMK in a different AWS account. +// +// The result of this operation varies with the key state of the CMK. For details, +// see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation EnableKey for usage and error information. +// +// Returned Error Codes: +// * ErrCodeNotFoundException "NotFoundException" +// The request was rejected because the specified entity or resource could not +// be found. +// +// * ErrCodeInvalidArnException "InvalidArnException" +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * ErrCodeLimitExceededException "LimitExceededException" +// The request was rejected because a limit was exceeded. For more information, +// see Limits (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html) +// in the AWS Key Management Service Developer Guide. +// +// * ErrCodeInvalidStateException "KMSInvalidStateException" +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKey +func (c *KMS) EnableKey(input *EnableKeyInput) (*EnableKeyOutput, error) { + req, out := c.EnableKeyRequest(input) + return out, req.Send() +} + +// EnableKeyWithContext is the same as EnableKey with the addition of +// the ability to pass a context and additional request options. +// +// See EnableKey for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) EnableKeyWithContext(ctx aws.Context, input *EnableKeyInput, opts ...request.Option) (*EnableKeyOutput, error) { + req, out := c.EnableKeyRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opEnableKeyRotation = "EnableKeyRotation" + +// EnableKeyRotationRequest generates a "aws/request.Request" representing the +// client's request for the EnableKeyRotation operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See EnableKeyRotation for more information on using the EnableKeyRotation +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the EnableKeyRotationRequest method. +// req, resp := client.EnableKeyRotationRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotation +func (c *KMS) EnableKeyRotationRequest(input *EnableKeyRotationInput) (req *request.Request, output *EnableKeyRotationOutput) { + op := &request.Operation{ + Name: opEnableKeyRotation, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &EnableKeyRotationInput{} + } + + output = &EnableKeyRotationOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// EnableKeyRotation API operation for AWS Key Management Service. +// +// Enables automatic rotation of the key material (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) +// for the specified customer master key (CMK). You cannot perform this operation +// on a CMK in a different AWS account. +// +// You cannot enable automatic rotation of CMKs with imported key material or +// CMKs in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html). +// +// The result of this operation varies with the key state of the CMK. For details, +// see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation EnableKeyRotation for usage and error information. +// +// Returned Error Codes: +// * ErrCodeNotFoundException "NotFoundException" +// The request was rejected because the specified entity or resource could not +// be found. +// +// * ErrCodeDisabledException "DisabledException" +// The request was rejected because the specified CMK is not enabled. +// +// * ErrCodeInvalidArnException "InvalidArnException" +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * ErrCodeInvalidStateException "KMSInvalidStateException" +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// * ErrCodeUnsupportedOperationException "UnsupportedOperationException" +// The request was rejected because a specified parameter is not supported or +// a specified resource is not valid for this operation. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKeyRotation +func (c *KMS) EnableKeyRotation(input *EnableKeyRotationInput) (*EnableKeyRotationOutput, error) { + req, out := c.EnableKeyRotationRequest(input) + return out, req.Send() +} + +// EnableKeyRotationWithContext is the same as EnableKeyRotation with the addition of +// the ability to pass a context and additional request options. +// +// See EnableKeyRotation for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) EnableKeyRotationWithContext(ctx aws.Context, input *EnableKeyRotationInput, opts ...request.Option) (*EnableKeyRotationOutput, error) { + req, out := c.EnableKeyRotationRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opEncrypt = "Encrypt" + +// EncryptRequest generates a "aws/request.Request" representing the +// client's request for the Encrypt operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See Encrypt for more information on using the Encrypt +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the EncryptRequest method. +// req, resp := client.EncryptRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Encrypt +func (c *KMS) EncryptRequest(input *EncryptInput) (req *request.Request, output *EncryptOutput) { + op := &request.Operation{ + Name: opEncrypt, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &EncryptInput{} + } + + output = &EncryptOutput{} + req = c.newRequest(op, input, output) + return +} + +// Encrypt API operation for AWS Key Management Service. +// +// Encrypts plaintext into ciphertext by using a customer master key (CMK). +// The Encrypt operation has two primary use cases: +// +// * You can encrypt up to 4 kilobytes (4096 bytes) of arbitrary data such +// as an RSA key, a database password, or other sensitive information. +// +// * You can use the Encrypt operation to move encrypted data from one AWS +// region to another. In the first region, generate a data key and use the +// plaintext key to encrypt the data. Then, in the new region, call the Encrypt +// method on same plaintext data key. Now, you can safely move the encrypted +// data and encrypted data key to the new region, and decrypt in the new +// region when necessary. +// +// You don't need use this operation to encrypt a data key within a region. +// The GenerateDataKey and GenerateDataKeyWithoutPlaintext operations return +// an encrypted data key. +// +// Also, you don't need to use this operation to encrypt data in your application. +// You can use the plaintext and encrypted data keys that the GenerateDataKey +// operation returns. +// +// The result of this operation varies with the key state of the CMK. For details, +// see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// To perform this operation on a CMK in a different AWS account, specify the +// key ARN or alias ARN in the value of the KeyId parameter. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation Encrypt for usage and error information. +// +// Returned Error Codes: +// * ErrCodeNotFoundException "NotFoundException" +// The request was rejected because the specified entity or resource could not +// be found. +// +// * ErrCodeDisabledException "DisabledException" +// The request was rejected because the specified CMK is not enabled. +// +// * ErrCodeKeyUnavailableException "KeyUnavailableException" +// The request was rejected because the specified CMK was not available. The +// request can be retried. +// +// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * ErrCodeInvalidKeyUsageException "InvalidKeyUsageException" +// The request was rejected because the specified KeySpec value is not valid. +// +// * ErrCodeInvalidGrantTokenException "InvalidGrantTokenException" +// The request was rejected because the specified grant token is not valid. +// +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * ErrCodeInvalidStateException "KMSInvalidStateException" +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Encrypt +func (c *KMS) Encrypt(input *EncryptInput) (*EncryptOutput, error) { + req, out := c.EncryptRequest(input) + return out, req.Send() +} + +// EncryptWithContext is the same as Encrypt with the addition of +// the ability to pass a context and additional request options. +// +// See Encrypt for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) EncryptWithContext(ctx aws.Context, input *EncryptInput, opts ...request.Option) (*EncryptOutput, error) { + req, out := c.EncryptRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opGenerateDataKey = "GenerateDataKey" + +// GenerateDataKeyRequest generates a "aws/request.Request" representing the +// client's request for the GenerateDataKey operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See GenerateDataKey for more information on using the GenerateDataKey +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the GenerateDataKeyRequest method. +// req, resp := client.GenerateDataKeyRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKey +func (c *KMS) GenerateDataKeyRequest(input *GenerateDataKeyInput) (req *request.Request, output *GenerateDataKeyOutput) { + op := &request.Operation{ + Name: opGenerateDataKey, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &GenerateDataKeyInput{} + } + + output = &GenerateDataKeyOutput{} + req = c.newRequest(op, input, output) + return +} + +// GenerateDataKey API operation for AWS Key Management Service. +// +// Generates a unique data key. This operation returns a plaintext copy of the +// data key and a copy that is encrypted under a customer master key (CMK) that +// you specify. You can use the plaintext key to encrypt your data outside of +// KMS and store the encrypted data key with the encrypted data. +// +// GenerateDataKey returns a unique data key for each request. The bytes in +// the key are not related to the caller or CMK that is used to encrypt the +// data key. +// +// To generate a data key, you need to specify the customer master key (CMK) +// that will be used to encrypt the data key. You must also specify the length +// of the data key using either the KeySpec or NumberOfBytes field (but not +// both). For common key lengths (128-bit and 256-bit symmetric keys), we recommend +// that you use KeySpec. To perform this operation on a CMK in a different AWS +// account, specify the key ARN or alias ARN in the value of the KeyId parameter. +// +// You will find the plaintext copy of the data key in the Plaintext field of +// the response, and the encrypted copy of the data key in the CiphertextBlob +// field. +// +// We recommend that you use the following pattern to encrypt data locally in +// your application: +// +// Use the GenerateDataKey operation to get a data encryption key. +// +// Use the plaintext data key (returned in the Plaintext field of the response) +// to encrypt data locally, then erase the plaintext data key from memory. +// +// Store the encrypted data key (returned in the CiphertextBlob field of the +// response) alongside the locally encrypted data. +// +// To decrypt data locally: +// +// Use the Decrypt operation to decrypt the encrypted data key. The operation +// returns a plaintext copy of the data key. +// +// Use the plaintext data key to decrypt data locally, then erase the plaintext +// data key from memory. +// +// To get only an encrypted copy of the data key, use GenerateDataKeyWithoutPlaintext. +// To get a cryptographically secure random byte string, use GenerateRandom. +// +// You can use the optional encryption context to add additional security to +// your encryption operation. When you specify an EncryptionContext in the GenerateDataKey +// operation, you must specify the same encryption context (a case-sensitive +// exact match) in your request to Decrypt the data key. Otherwise, the request +// to decrypt fails with an InvalidCiphertextException. For more information, +// see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) +// in the AWS Key Management Service Developer Guide. +// +// The result of this operation varies with the key state of the CMK. For details, +// see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation GenerateDataKey for usage and error information. +// +// Returned Error Codes: +// * ErrCodeNotFoundException "NotFoundException" +// The request was rejected because the specified entity or resource could not +// be found. +// +// * ErrCodeDisabledException "DisabledException" +// The request was rejected because the specified CMK is not enabled. +// +// * ErrCodeKeyUnavailableException "KeyUnavailableException" +// The request was rejected because the specified CMK was not available. The +// request can be retried. +// +// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * ErrCodeInvalidKeyUsageException "InvalidKeyUsageException" +// The request was rejected because the specified KeySpec value is not valid. +// +// * ErrCodeInvalidGrantTokenException "InvalidGrantTokenException" +// The request was rejected because the specified grant token is not valid. +// +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * ErrCodeInvalidStateException "KMSInvalidStateException" +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKey +func (c *KMS) GenerateDataKey(input *GenerateDataKeyInput) (*GenerateDataKeyOutput, error) { + req, out := c.GenerateDataKeyRequest(input) + return out, req.Send() +} + +// GenerateDataKeyWithContext is the same as GenerateDataKey with the addition of +// the ability to pass a context and additional request options. +// +// See GenerateDataKey for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) GenerateDataKeyWithContext(ctx aws.Context, input *GenerateDataKeyInput, opts ...request.Option) (*GenerateDataKeyOutput, error) { + req, out := c.GenerateDataKeyRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opGenerateDataKeyWithoutPlaintext = "GenerateDataKeyWithoutPlaintext" + +// GenerateDataKeyWithoutPlaintextRequest generates a "aws/request.Request" representing the +// client's request for the GenerateDataKeyWithoutPlaintext operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See GenerateDataKeyWithoutPlaintext for more information on using the GenerateDataKeyWithoutPlaintext +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the GenerateDataKeyWithoutPlaintextRequest method. +// req, resp := client.GenerateDataKeyWithoutPlaintextRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintext +func (c *KMS) GenerateDataKeyWithoutPlaintextRequest(input *GenerateDataKeyWithoutPlaintextInput) (req *request.Request, output *GenerateDataKeyWithoutPlaintextOutput) { + op := &request.Operation{ + Name: opGenerateDataKeyWithoutPlaintext, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &GenerateDataKeyWithoutPlaintextInput{} + } + + output = &GenerateDataKeyWithoutPlaintextOutput{} + req = c.newRequest(op, input, output) + return +} + +// GenerateDataKeyWithoutPlaintext API operation for AWS Key Management Service. +// +// Generates a unique data key. This operation returns a data key that is encrypted +// under a customer master key (CMK) that you specify. GenerateDataKeyWithoutPlaintext +// is identical to GenerateDataKey except that returns only the encrypted copy +// of the data key. +// +// Like GenerateDataKey, GenerateDataKeyWithoutPlaintext returns a unique data +// key for each request. The bytes in the key are not related to the caller +// or CMK that is used to encrypt the data key. +// +// This operation is useful for systems that need to encrypt data at some point, +// but not immediately. When you need to encrypt the data, you call the Decrypt +// operation on the encrypted copy of the key. +// +// It's also useful in distributed systems with different levels of trust. For +// example, you might store encrypted data in containers. One component of your +// system creates new containers and stores an encrypted data key with each +// container. Then, a different component puts the data into the containers. +// That component first decrypts the data key, uses the plaintext data key to +// encrypt data, puts the encrypted data into the container, and then destroys +// the plaintext data key. In this system, the component that creates the containers +// never sees the plaintext data key. +// +// The result of this operation varies with the key state of the CMK. For details, +// see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation GenerateDataKeyWithoutPlaintext for usage and error information. +// +// Returned Error Codes: +// * ErrCodeNotFoundException "NotFoundException" +// The request was rejected because the specified entity or resource could not +// be found. +// +// * ErrCodeDisabledException "DisabledException" +// The request was rejected because the specified CMK is not enabled. +// +// * ErrCodeKeyUnavailableException "KeyUnavailableException" +// The request was rejected because the specified CMK was not available. The +// request can be retried. +// +// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * ErrCodeInvalidKeyUsageException "InvalidKeyUsageException" +// The request was rejected because the specified KeySpec value is not valid. +// +// * ErrCodeInvalidGrantTokenException "InvalidGrantTokenException" +// The request was rejected because the specified grant token is not valid. +// +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * ErrCodeInvalidStateException "KMSInvalidStateException" +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintext +func (c *KMS) GenerateDataKeyWithoutPlaintext(input *GenerateDataKeyWithoutPlaintextInput) (*GenerateDataKeyWithoutPlaintextOutput, error) { + req, out := c.GenerateDataKeyWithoutPlaintextRequest(input) + return out, req.Send() +} + +// GenerateDataKeyWithoutPlaintextWithContext is the same as GenerateDataKeyWithoutPlaintext with the addition of +// the ability to pass a context and additional request options. +// +// See GenerateDataKeyWithoutPlaintext for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) GenerateDataKeyWithoutPlaintextWithContext(ctx aws.Context, input *GenerateDataKeyWithoutPlaintextInput, opts ...request.Option) (*GenerateDataKeyWithoutPlaintextOutput, error) { + req, out := c.GenerateDataKeyWithoutPlaintextRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opGenerateRandom = "GenerateRandom" + +// GenerateRandomRequest generates a "aws/request.Request" representing the +// client's request for the GenerateRandom operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See GenerateRandom for more information on using the GenerateRandom +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the GenerateRandomRequest method. +// req, resp := client.GenerateRandomRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandom +func (c *KMS) GenerateRandomRequest(input *GenerateRandomInput) (req *request.Request, output *GenerateRandomOutput) { + op := &request.Operation{ + Name: opGenerateRandom, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &GenerateRandomInput{} + } + + output = &GenerateRandomOutput{} + req = c.newRequest(op, input, output) + return +} + +// GenerateRandom API operation for AWS Key Management Service. +// +// Returns a random byte string that is cryptographically secure. +// +// By default, the random byte string is generated in AWS KMS. To generate the +// byte string in the AWS CloudHSM cluster that is associated with a custom +// key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html), +// specify the custom key store ID. +// +// For more information about entropy and random number generation, see the +// AWS Key Management Service Cryptographic Details (https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf) +// whitepaper. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation GenerateRandom for usage and error information. +// +// Returned Error Codes: +// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * ErrCodeCustomKeyStoreNotFoundException "CustomKeyStoreNotFoundException" +// The request was rejected because AWS KMS cannot find a custom key store with +// the specified key store name or ID. +// +// * ErrCodeCustomKeyStoreInvalidStateException "CustomKeyStoreInvalidStateException" +// The request was rejected because of the ConnectionState of the custom key +// store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores +// operation. +// +// This exception is thrown under the following conditions: +// +// * You requested the CreateKey or GenerateRandom operation in a custom +// key store that is not connected. These operations are valid only when +// the custom key store ConnectionState is CONNECTED. +// +// * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation +// on a custom key store that is not disconnected. This operation is valid +// only when the custom key store ConnectionState is DISCONNECTED. +// +// * You requested the ConnectCustomKeyStore operation on a custom key store +// with a ConnectionState of DISCONNECTING or FAILED. This operation is valid +// for all other ConnectionState values. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateRandom +func (c *KMS) GenerateRandom(input *GenerateRandomInput) (*GenerateRandomOutput, error) { + req, out := c.GenerateRandomRequest(input) + return out, req.Send() +} + +// GenerateRandomWithContext is the same as GenerateRandom with the addition of +// the ability to pass a context and additional request options. +// +// See GenerateRandom for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) GenerateRandomWithContext(ctx aws.Context, input *GenerateRandomInput, opts ...request.Option) (*GenerateRandomOutput, error) { + req, out := c.GenerateRandomRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opGetKeyPolicy = "GetKeyPolicy" + +// GetKeyPolicyRequest generates a "aws/request.Request" representing the +// client's request for the GetKeyPolicy operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See GetKeyPolicy for more information on using the GetKeyPolicy +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the GetKeyPolicyRequest method. +// req, resp := client.GetKeyPolicyRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyPolicy +func (c *KMS) GetKeyPolicyRequest(input *GetKeyPolicyInput) (req *request.Request, output *GetKeyPolicyOutput) { + op := &request.Operation{ + Name: opGetKeyPolicy, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &GetKeyPolicyInput{} + } + + output = &GetKeyPolicyOutput{} + req = c.newRequest(op, input, output) + return +} + +// GetKeyPolicy API operation for AWS Key Management Service. +// +// Gets a key policy attached to the specified customer master key (CMK). You +// cannot perform this operation on a CMK in a different AWS account. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation GetKeyPolicy for usage and error information. +// +// Returned Error Codes: +// * ErrCodeNotFoundException "NotFoundException" +// The request was rejected because the specified entity or resource could not +// be found. +// +// * ErrCodeInvalidArnException "InvalidArnException" +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * ErrCodeInvalidStateException "KMSInvalidStateException" +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyPolicy +func (c *KMS) GetKeyPolicy(input *GetKeyPolicyInput) (*GetKeyPolicyOutput, error) { + req, out := c.GetKeyPolicyRequest(input) + return out, req.Send() +} + +// GetKeyPolicyWithContext is the same as GetKeyPolicy with the addition of +// the ability to pass a context and additional request options. +// +// See GetKeyPolicy for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) GetKeyPolicyWithContext(ctx aws.Context, input *GetKeyPolicyInput, opts ...request.Option) (*GetKeyPolicyOutput, error) { + req, out := c.GetKeyPolicyRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opGetKeyRotationStatus = "GetKeyRotationStatus" + +// GetKeyRotationStatusRequest generates a "aws/request.Request" representing the +// client's request for the GetKeyRotationStatus operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See GetKeyRotationStatus for more information on using the GetKeyRotationStatus +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the GetKeyRotationStatusRequest method. +// req, resp := client.GetKeyRotationStatusRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyRotationStatus +func (c *KMS) GetKeyRotationStatusRequest(input *GetKeyRotationStatusInput) (req *request.Request, output *GetKeyRotationStatusOutput) { + op := &request.Operation{ + Name: opGetKeyRotationStatus, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &GetKeyRotationStatusInput{} + } + + output = &GetKeyRotationStatusOutput{} + req = c.newRequest(op, input, output) + return +} + +// GetKeyRotationStatus API operation for AWS Key Management Service. +// +// Gets a Boolean value that indicates whether automatic rotation of the key +// material (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) +// is enabled for the specified customer master key (CMK). +// +// The result of this operation varies with the key state of the CMK. For details, +// see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// * Disabled: The key rotation status does not change when you disable a +// CMK. However, while the CMK is disabled, AWS KMS does not rotate the backing +// key. +// +// * Pending deletion: While a CMK is pending deletion, its key rotation +// status is false and AWS KMS does not rotate the backing key. If you cancel +// the deletion, the original key rotation status is restored. +// +// To perform this operation on a CMK in a different AWS account, specify the +// key ARN in the value of the KeyId parameter. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation GetKeyRotationStatus for usage and error information. +// +// Returned Error Codes: +// * ErrCodeNotFoundException "NotFoundException" +// The request was rejected because the specified entity or resource could not +// be found. +// +// * ErrCodeInvalidArnException "InvalidArnException" +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * ErrCodeInvalidStateException "KMSInvalidStateException" +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// * ErrCodeUnsupportedOperationException "UnsupportedOperationException" +// The request was rejected because a specified parameter is not supported or +// a specified resource is not valid for this operation. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyRotationStatus +func (c *KMS) GetKeyRotationStatus(input *GetKeyRotationStatusInput) (*GetKeyRotationStatusOutput, error) { + req, out := c.GetKeyRotationStatusRequest(input) + return out, req.Send() +} + +// GetKeyRotationStatusWithContext is the same as GetKeyRotationStatus with the addition of +// the ability to pass a context and additional request options. +// +// See GetKeyRotationStatus for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) GetKeyRotationStatusWithContext(ctx aws.Context, input *GetKeyRotationStatusInput, opts ...request.Option) (*GetKeyRotationStatusOutput, error) { + req, out := c.GetKeyRotationStatusRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opGetParametersForImport = "GetParametersForImport" + +// GetParametersForImportRequest generates a "aws/request.Request" representing the +// client's request for the GetParametersForImport operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See GetParametersForImport for more information on using the GetParametersForImport +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the GetParametersForImportRequest method. +// req, resp := client.GetParametersForImportRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImport +func (c *KMS) GetParametersForImportRequest(input *GetParametersForImportInput) (req *request.Request, output *GetParametersForImportOutput) { + op := &request.Operation{ + Name: opGetParametersForImport, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &GetParametersForImportInput{} + } + + output = &GetParametersForImportOutput{} + req = c.newRequest(op, input, output) + return +} + +// GetParametersForImport API operation for AWS Key Management Service. +// +// Returns the items you need in order to import key material into AWS KMS from +// your existing key management infrastructure. For more information about importing +// key material into AWS KMS, see Importing Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) +// in the AWS Key Management Service Developer Guide. +// +// You must specify the key ID of the customer master key (CMK) into which you +// will import key material. This CMK's Origin must be EXTERNAL. You must also +// specify the wrapping algorithm and type of wrapping key (public key) that +// you will use to encrypt the key material. You cannot perform this operation +// on a CMK in a different AWS account. +// +// This operation returns a public key and an import token. Use the public key +// to encrypt the key material. Store the import token to send with a subsequent +// ImportKeyMaterial request. The public key and import token from the same +// response must be used together. These items are valid for 24 hours. When +// they expire, they cannot be used for a subsequent ImportKeyMaterial request. +// To get new ones, send another GetParametersForImport request. +// +// The result of this operation varies with the key state of the CMK. For details, +// see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation GetParametersForImport for usage and error information. +// +// Returned Error Codes: +// * ErrCodeInvalidArnException "InvalidArnException" +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * ErrCodeUnsupportedOperationException "UnsupportedOperationException" +// The request was rejected because a specified parameter is not supported or +// a specified resource is not valid for this operation. +// +// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * ErrCodeNotFoundException "NotFoundException" +// The request was rejected because the specified entity or resource could not +// be found. +// +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * ErrCodeInvalidStateException "KMSInvalidStateException" +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImport +func (c *KMS) GetParametersForImport(input *GetParametersForImportInput) (*GetParametersForImportOutput, error) { + req, out := c.GetParametersForImportRequest(input) + return out, req.Send() +} + +// GetParametersForImportWithContext is the same as GetParametersForImport with the addition of +// the ability to pass a context and additional request options. +// +// See GetParametersForImport for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) GetParametersForImportWithContext(ctx aws.Context, input *GetParametersForImportInput, opts ...request.Option) (*GetParametersForImportOutput, error) { + req, out := c.GetParametersForImportRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opImportKeyMaterial = "ImportKeyMaterial" + +// ImportKeyMaterialRequest generates a "aws/request.Request" representing the +// client's request for the ImportKeyMaterial operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See ImportKeyMaterial for more information on using the ImportKeyMaterial +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the ImportKeyMaterialRequest method. +// req, resp := client.ImportKeyMaterialRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ImportKeyMaterial +func (c *KMS) ImportKeyMaterialRequest(input *ImportKeyMaterialInput) (req *request.Request, output *ImportKeyMaterialOutput) { + op := &request.Operation{ + Name: opImportKeyMaterial, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &ImportKeyMaterialInput{} + } + + output = &ImportKeyMaterialOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// ImportKeyMaterial API operation for AWS Key Management Service. +// +// Imports key material into an existing AWS KMS customer master key (CMK) that +// was created without key material. You cannot perform this operation on a +// CMK in a different AWS account. For more information about creating CMKs +// with no key material and then importing key material, see Importing Key Material +// (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) +// in the AWS Key Management Service Developer Guide. +// +// Before using this operation, call GetParametersForImport. Its response includes +// a public key and an import token. Use the public key to encrypt the key material. +// Then, submit the import token from the same GetParametersForImport response. +// +// When calling this operation, you must specify the following values: +// +// * The key ID or key ARN of a CMK with no key material. Its Origin must +// be EXTERNAL. +// +// To create a CMK with no key material, call CreateKey and set the value of +// its Origin parameter to EXTERNAL. To get the Origin of a CMK, call DescribeKey.) +// +// * The encrypted key material. To get the public key to encrypt the key +// material, call GetParametersForImport. +// +// * The import token that GetParametersForImport returned. This token and +// the public key used to encrypt the key material must have come from the +// same response. +// +// * Whether the key material expires and if so, when. If you set an expiration +// date, you can change it only by reimporting the same key material and +// specifying a new expiration date. If the key material expires, AWS KMS +// deletes the key material and the CMK becomes unusable. To use the CMK +// again, you must reimport the same key material. +// +// When this operation is successful, the key state of the CMK changes from +// PendingImport to Enabled, and you can use the CMK. After you successfully +// import key material into a CMK, you can reimport the same key material into +// that CMK, but you cannot import different key material. +// +// The result of this operation varies with the key state of the CMK. For details, +// see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation ImportKeyMaterial for usage and error information. +// +// Returned Error Codes: +// * ErrCodeInvalidArnException "InvalidArnException" +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * ErrCodeUnsupportedOperationException "UnsupportedOperationException" +// The request was rejected because a specified parameter is not supported or +// a specified resource is not valid for this operation. +// +// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * ErrCodeNotFoundException "NotFoundException" +// The request was rejected because the specified entity or resource could not +// be found. +// +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * ErrCodeInvalidStateException "KMSInvalidStateException" +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// * ErrCodeInvalidCiphertextException "InvalidCiphertextException" +// The request was rejected because the specified ciphertext, or additional +// authenticated data incorporated into the ciphertext, such as the encryption +// context, is corrupted, missing, or otherwise invalid. +// +// * ErrCodeIncorrectKeyMaterialException "IncorrectKeyMaterialException" +// The request was rejected because the provided key material is invalid or +// is not the same key material that was previously imported into this customer +// master key (CMK). +// +// * ErrCodeExpiredImportTokenException "ExpiredImportTokenException" +// The request was rejected because the provided import token is expired. Use +// GetParametersForImport to get a new import token and public key, use the +// new public key to encrypt the key material, and then try the request again. +// +// * ErrCodeInvalidImportTokenException "InvalidImportTokenException" +// The request was rejected because the provided import token is invalid or +// is associated with a different customer master key (CMK). +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ImportKeyMaterial +func (c *KMS) ImportKeyMaterial(input *ImportKeyMaterialInput) (*ImportKeyMaterialOutput, error) { + req, out := c.ImportKeyMaterialRequest(input) + return out, req.Send() +} + +// ImportKeyMaterialWithContext is the same as ImportKeyMaterial with the addition of +// the ability to pass a context and additional request options. +// +// See ImportKeyMaterial for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) ImportKeyMaterialWithContext(ctx aws.Context, input *ImportKeyMaterialInput, opts ...request.Option) (*ImportKeyMaterialOutput, error) { + req, out := c.ImportKeyMaterialRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opListAliases = "ListAliases" + +// ListAliasesRequest generates a "aws/request.Request" representing the +// client's request for the ListAliases operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See ListAliases for more information on using the ListAliases +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the ListAliasesRequest method. +// req, resp := client.ListAliasesRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListAliases +func (c *KMS) ListAliasesRequest(input *ListAliasesInput) (req *request.Request, output *ListAliasesOutput) { + op := &request.Operation{ + Name: opListAliases, + HTTPMethod: "POST", + HTTPPath: "/", + Paginator: &request.Paginator{ + InputTokens: []string{"Marker"}, + OutputTokens: []string{"NextMarker"}, + LimitToken: "Limit", + TruncationToken: "Truncated", + }, + } + + if input == nil { + input = &ListAliasesInput{} + } + + output = &ListAliasesOutput{} + req = c.newRequest(op, input, output) + return +} + +// ListAliases API operation for AWS Key Management Service. +// +// Gets a list of aliases in the caller's AWS account and region. You cannot +// list aliases in other accounts. For more information about aliases, see CreateAlias. +// +// By default, the ListAliases command returns all aliases in the account and +// region. To get only the aliases that point to a particular customer master +// key (CMK), use the KeyId parameter. +// +// The ListAliases response can include aliases that you created and associated +// with your customer managed CMKs, and aliases that AWS created and associated +// with AWS managed CMKs in your account. You can recognize AWS aliases because +// their names have the format aws/, such as aws/dynamodb. +// +// The response might also include aliases that have no TargetKeyId field. These +// are predefined aliases that AWS has created but has not yet associated with +// a CMK. Aliases that AWS creates in your account, including predefined aliases, +// do not count against your AWS KMS aliases limit (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html#aliases-limit). +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation ListAliases for usage and error information. +// +// Returned Error Codes: +// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * ErrCodeInvalidMarkerException "InvalidMarkerException" +// The request was rejected because the marker that specifies where pagination +// should next begin is not valid. +// +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * ErrCodeInvalidArnException "InvalidArnException" +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * ErrCodeNotFoundException "NotFoundException" +// The request was rejected because the specified entity or resource could not +// be found. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListAliases +func (c *KMS) ListAliases(input *ListAliasesInput) (*ListAliasesOutput, error) { + req, out := c.ListAliasesRequest(input) + return out, req.Send() +} + +// ListAliasesWithContext is the same as ListAliases with the addition of +// the ability to pass a context and additional request options. +// +// See ListAliases for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) ListAliasesWithContext(ctx aws.Context, input *ListAliasesInput, opts ...request.Option) (*ListAliasesOutput, error) { + req, out := c.ListAliasesRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +// ListAliasesPages iterates over the pages of a ListAliases operation, +// calling the "fn" function with the response data for each page. To stop +// iterating, return false from the fn function. +// +// See ListAliases method for more information on how to use this operation. +// +// Note: This operation can generate multiple requests to a service. +// +// // Example iterating over at most 3 pages of a ListAliases operation. +// pageNum := 0 +// err := client.ListAliasesPages(params, +// func(page *ListAliasesOutput, lastPage bool) bool { +// pageNum++ +// fmt.Println(page) +// return pageNum <= 3 +// }) +// +func (c *KMS) ListAliasesPages(input *ListAliasesInput, fn func(*ListAliasesOutput, bool) bool) error { + return c.ListAliasesPagesWithContext(aws.BackgroundContext(), input, fn) +} + +// ListAliasesPagesWithContext same as ListAliasesPages except +// it takes a Context and allows setting request options on the pages. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) ListAliasesPagesWithContext(ctx aws.Context, input *ListAliasesInput, fn func(*ListAliasesOutput, bool) bool, opts ...request.Option) error { + p := request.Pagination{ + NewRequest: func() (*request.Request, error) { + var inCpy *ListAliasesInput + if input != nil { + tmp := *input + inCpy = &tmp + } + req, _ := c.ListAliasesRequest(inCpy) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return req, nil + }, + } + + cont := true + for p.Next() && cont { + cont = fn(p.Page().(*ListAliasesOutput), !p.HasNextPage()) + } + return p.Err() +} + +const opListGrants = "ListGrants" + +// ListGrantsRequest generates a "aws/request.Request" representing the +// client's request for the ListGrants operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See ListGrants for more information on using the ListGrants +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the ListGrantsRequest method. +// req, resp := client.ListGrantsRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListGrants +func (c *KMS) ListGrantsRequest(input *ListGrantsInput) (req *request.Request, output *ListGrantsResponse) { + op := &request.Operation{ + Name: opListGrants, + HTTPMethod: "POST", + HTTPPath: "/", + Paginator: &request.Paginator{ + InputTokens: []string{"Marker"}, + OutputTokens: []string{"NextMarker"}, + LimitToken: "Limit", + TruncationToken: "Truncated", + }, + } + + if input == nil { + input = &ListGrantsInput{} + } + + output = &ListGrantsResponse{} + req = c.newRequest(op, input, output) + return +} + +// ListGrants API operation for AWS Key Management Service. +// +// Gets a list of all grants for the specified customer master key (CMK). +// +// To perform this operation on a CMK in a different AWS account, specify the +// key ARN in the value of the KeyId parameter. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation ListGrants for usage and error information. +// +// Returned Error Codes: +// * ErrCodeNotFoundException "NotFoundException" +// The request was rejected because the specified entity or resource could not +// be found. +// +// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * ErrCodeInvalidMarkerException "InvalidMarkerException" +// The request was rejected because the marker that specifies where pagination +// should next begin is not valid. +// +// * ErrCodeInvalidArnException "InvalidArnException" +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * ErrCodeInvalidStateException "KMSInvalidStateException" +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListGrants +func (c *KMS) ListGrants(input *ListGrantsInput) (*ListGrantsResponse, error) { + req, out := c.ListGrantsRequest(input) + return out, req.Send() +} + +// ListGrantsWithContext is the same as ListGrants with the addition of +// the ability to pass a context and additional request options. +// +// See ListGrants for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) ListGrantsWithContext(ctx aws.Context, input *ListGrantsInput, opts ...request.Option) (*ListGrantsResponse, error) { + req, out := c.ListGrantsRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +// ListGrantsPages iterates over the pages of a ListGrants operation, +// calling the "fn" function with the response data for each page. To stop +// iterating, return false from the fn function. +// +// See ListGrants method for more information on how to use this operation. +// +// Note: This operation can generate multiple requests to a service. +// +// // Example iterating over at most 3 pages of a ListGrants operation. +// pageNum := 0 +// err := client.ListGrantsPages(params, +// func(page *ListGrantsResponse, lastPage bool) bool { +// pageNum++ +// fmt.Println(page) +// return pageNum <= 3 +// }) +// +func (c *KMS) ListGrantsPages(input *ListGrantsInput, fn func(*ListGrantsResponse, bool) bool) error { + return c.ListGrantsPagesWithContext(aws.BackgroundContext(), input, fn) +} + +// ListGrantsPagesWithContext same as ListGrantsPages except +// it takes a Context and allows setting request options on the pages. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) ListGrantsPagesWithContext(ctx aws.Context, input *ListGrantsInput, fn func(*ListGrantsResponse, bool) bool, opts ...request.Option) error { + p := request.Pagination{ + NewRequest: func() (*request.Request, error) { + var inCpy *ListGrantsInput + if input != nil { + tmp := *input + inCpy = &tmp + } + req, _ := c.ListGrantsRequest(inCpy) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return req, nil + }, + } + + cont := true + for p.Next() && cont { + cont = fn(p.Page().(*ListGrantsResponse), !p.HasNextPage()) + } + return p.Err() +} + +const opListKeyPolicies = "ListKeyPolicies" + +// ListKeyPoliciesRequest generates a "aws/request.Request" representing the +// client's request for the ListKeyPolicies operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See ListKeyPolicies for more information on using the ListKeyPolicies +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the ListKeyPoliciesRequest method. +// req, resp := client.ListKeyPoliciesRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyPolicies +func (c *KMS) ListKeyPoliciesRequest(input *ListKeyPoliciesInput) (req *request.Request, output *ListKeyPoliciesOutput) { + op := &request.Operation{ + Name: opListKeyPolicies, + HTTPMethod: "POST", + HTTPPath: "/", + Paginator: &request.Paginator{ + InputTokens: []string{"Marker"}, + OutputTokens: []string{"NextMarker"}, + LimitToken: "Limit", + TruncationToken: "Truncated", + }, + } + + if input == nil { + input = &ListKeyPoliciesInput{} + } + + output = &ListKeyPoliciesOutput{} + req = c.newRequest(op, input, output) + return +} + +// ListKeyPolicies API operation for AWS Key Management Service. +// +// Gets the names of the key policies that are attached to a customer master +// key (CMK). This operation is designed to get policy names that you can use +// in a GetKeyPolicy operation. However, the only valid policy name is default. +// You cannot perform this operation on a CMK in a different AWS account. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation ListKeyPolicies for usage and error information. +// +// Returned Error Codes: +// * ErrCodeNotFoundException "NotFoundException" +// The request was rejected because the specified entity or resource could not +// be found. +// +// * ErrCodeInvalidArnException "InvalidArnException" +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * ErrCodeInvalidStateException "KMSInvalidStateException" +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyPolicies +func (c *KMS) ListKeyPolicies(input *ListKeyPoliciesInput) (*ListKeyPoliciesOutput, error) { + req, out := c.ListKeyPoliciesRequest(input) + return out, req.Send() +} + +// ListKeyPoliciesWithContext is the same as ListKeyPolicies with the addition of +// the ability to pass a context and additional request options. +// +// See ListKeyPolicies for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) ListKeyPoliciesWithContext(ctx aws.Context, input *ListKeyPoliciesInput, opts ...request.Option) (*ListKeyPoliciesOutput, error) { + req, out := c.ListKeyPoliciesRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +// ListKeyPoliciesPages iterates over the pages of a ListKeyPolicies operation, +// calling the "fn" function with the response data for each page. To stop +// iterating, return false from the fn function. +// +// See ListKeyPolicies method for more information on how to use this operation. +// +// Note: This operation can generate multiple requests to a service. +// +// // Example iterating over at most 3 pages of a ListKeyPolicies operation. +// pageNum := 0 +// err := client.ListKeyPoliciesPages(params, +// func(page *ListKeyPoliciesOutput, lastPage bool) bool { +// pageNum++ +// fmt.Println(page) +// return pageNum <= 3 +// }) +// +func (c *KMS) ListKeyPoliciesPages(input *ListKeyPoliciesInput, fn func(*ListKeyPoliciesOutput, bool) bool) error { + return c.ListKeyPoliciesPagesWithContext(aws.BackgroundContext(), input, fn) +} + +// ListKeyPoliciesPagesWithContext same as ListKeyPoliciesPages except +// it takes a Context and allows setting request options on the pages. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) ListKeyPoliciesPagesWithContext(ctx aws.Context, input *ListKeyPoliciesInput, fn func(*ListKeyPoliciesOutput, bool) bool, opts ...request.Option) error { + p := request.Pagination{ + NewRequest: func() (*request.Request, error) { + var inCpy *ListKeyPoliciesInput + if input != nil { + tmp := *input + inCpy = &tmp + } + req, _ := c.ListKeyPoliciesRequest(inCpy) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return req, nil + }, + } + + cont := true + for p.Next() && cont { + cont = fn(p.Page().(*ListKeyPoliciesOutput), !p.HasNextPage()) + } + return p.Err() +} + +const opListKeys = "ListKeys" + +// ListKeysRequest generates a "aws/request.Request" representing the +// client's request for the ListKeys operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See ListKeys for more information on using the ListKeys +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the ListKeysRequest method. +// req, resp := client.ListKeysRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeys +func (c *KMS) ListKeysRequest(input *ListKeysInput) (req *request.Request, output *ListKeysOutput) { + op := &request.Operation{ + Name: opListKeys, + HTTPMethod: "POST", + HTTPPath: "/", + Paginator: &request.Paginator{ + InputTokens: []string{"Marker"}, + OutputTokens: []string{"NextMarker"}, + LimitToken: "Limit", + TruncationToken: "Truncated", + }, + } + + if input == nil { + input = &ListKeysInput{} + } + + output = &ListKeysOutput{} + req = c.newRequest(op, input, output) + return +} + +// ListKeys API operation for AWS Key Management Service. +// +// Gets a list of all customer master keys (CMKs) in the caller's AWS account +// and region. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation ListKeys for usage and error information. +// +// Returned Error Codes: +// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * ErrCodeInvalidMarkerException "InvalidMarkerException" +// The request was rejected because the marker that specifies where pagination +// should next begin is not valid. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeys +func (c *KMS) ListKeys(input *ListKeysInput) (*ListKeysOutput, error) { + req, out := c.ListKeysRequest(input) + return out, req.Send() +} + +// ListKeysWithContext is the same as ListKeys with the addition of +// the ability to pass a context and additional request options. +// +// See ListKeys for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) ListKeysWithContext(ctx aws.Context, input *ListKeysInput, opts ...request.Option) (*ListKeysOutput, error) { + req, out := c.ListKeysRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +// ListKeysPages iterates over the pages of a ListKeys operation, +// calling the "fn" function with the response data for each page. To stop +// iterating, return false from the fn function. +// +// See ListKeys method for more information on how to use this operation. +// +// Note: This operation can generate multiple requests to a service. +// +// // Example iterating over at most 3 pages of a ListKeys operation. +// pageNum := 0 +// err := client.ListKeysPages(params, +// func(page *ListKeysOutput, lastPage bool) bool { +// pageNum++ +// fmt.Println(page) +// return pageNum <= 3 +// }) +// +func (c *KMS) ListKeysPages(input *ListKeysInput, fn func(*ListKeysOutput, bool) bool) error { + return c.ListKeysPagesWithContext(aws.BackgroundContext(), input, fn) +} + +// ListKeysPagesWithContext same as ListKeysPages except +// it takes a Context and allows setting request options on the pages. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) ListKeysPagesWithContext(ctx aws.Context, input *ListKeysInput, fn func(*ListKeysOutput, bool) bool, opts ...request.Option) error { + p := request.Pagination{ + NewRequest: func() (*request.Request, error) { + var inCpy *ListKeysInput + if input != nil { + tmp := *input + inCpy = &tmp + } + req, _ := c.ListKeysRequest(inCpy) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return req, nil + }, + } + + cont := true + for p.Next() && cont { + cont = fn(p.Page().(*ListKeysOutput), !p.HasNextPage()) + } + return p.Err() +} + +const opListResourceTags = "ListResourceTags" + +// ListResourceTagsRequest generates a "aws/request.Request" representing the +// client's request for the ListResourceTags operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See ListResourceTags for more information on using the ListResourceTags +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the ListResourceTagsRequest method. +// req, resp := client.ListResourceTagsRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListResourceTags +func (c *KMS) ListResourceTagsRequest(input *ListResourceTagsInput) (req *request.Request, output *ListResourceTagsOutput) { + op := &request.Operation{ + Name: opListResourceTags, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &ListResourceTagsInput{} + } + + output = &ListResourceTagsOutput{} + req = c.newRequest(op, input, output) + return +} + +// ListResourceTags API operation for AWS Key Management Service. +// +// Returns a list of all tags for the specified customer master key (CMK). +// +// You cannot perform this operation on a CMK in a different AWS account. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation ListResourceTags for usage and error information. +// +// Returned Error Codes: +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * ErrCodeNotFoundException "NotFoundException" +// The request was rejected because the specified entity or resource could not +// be found. +// +// * ErrCodeInvalidArnException "InvalidArnException" +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * ErrCodeInvalidMarkerException "InvalidMarkerException" +// The request was rejected because the marker that specifies where pagination +// should next begin is not valid. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListResourceTags +func (c *KMS) ListResourceTags(input *ListResourceTagsInput) (*ListResourceTagsOutput, error) { + req, out := c.ListResourceTagsRequest(input) + return out, req.Send() +} + +// ListResourceTagsWithContext is the same as ListResourceTags with the addition of +// the ability to pass a context and additional request options. +// +// See ListResourceTags for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) ListResourceTagsWithContext(ctx aws.Context, input *ListResourceTagsInput, opts ...request.Option) (*ListResourceTagsOutput, error) { + req, out := c.ListResourceTagsRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opListRetirableGrants = "ListRetirableGrants" + +// ListRetirableGrantsRequest generates a "aws/request.Request" representing the +// client's request for the ListRetirableGrants operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See ListRetirableGrants for more information on using the ListRetirableGrants +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the ListRetirableGrantsRequest method. +// req, resp := client.ListRetirableGrantsRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListRetirableGrants +func (c *KMS) ListRetirableGrantsRequest(input *ListRetirableGrantsInput) (req *request.Request, output *ListGrantsResponse) { + op := &request.Operation{ + Name: opListRetirableGrants, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &ListRetirableGrantsInput{} + } + + output = &ListGrantsResponse{} + req = c.newRequest(op, input, output) + return +} + +// ListRetirableGrants API operation for AWS Key Management Service. +// +// Returns a list of all grants for which the grant's RetiringPrincipal matches +// the one specified. +// +// A typical use is to list all grants that you are able to retire. To retire +// a grant, use RetireGrant. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation ListRetirableGrants for usage and error information. +// +// Returned Error Codes: +// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * ErrCodeInvalidMarkerException "InvalidMarkerException" +// The request was rejected because the marker that specifies where pagination +// should next begin is not valid. +// +// * ErrCodeInvalidArnException "InvalidArnException" +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * ErrCodeNotFoundException "NotFoundException" +// The request was rejected because the specified entity or resource could not +// be found. +// +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListRetirableGrants +func (c *KMS) ListRetirableGrants(input *ListRetirableGrantsInput) (*ListGrantsResponse, error) { + req, out := c.ListRetirableGrantsRequest(input) + return out, req.Send() +} + +// ListRetirableGrantsWithContext is the same as ListRetirableGrants with the addition of +// the ability to pass a context and additional request options. +// +// See ListRetirableGrants for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) ListRetirableGrantsWithContext(ctx aws.Context, input *ListRetirableGrantsInput, opts ...request.Option) (*ListGrantsResponse, error) { + req, out := c.ListRetirableGrantsRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opPutKeyPolicy = "PutKeyPolicy" + +// PutKeyPolicyRequest generates a "aws/request.Request" representing the +// client's request for the PutKeyPolicy operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See PutKeyPolicy for more information on using the PutKeyPolicy +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the PutKeyPolicyRequest method. +// req, resp := client.PutKeyPolicyRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/PutKeyPolicy +func (c *KMS) PutKeyPolicyRequest(input *PutKeyPolicyInput) (req *request.Request, output *PutKeyPolicyOutput) { + op := &request.Operation{ + Name: opPutKeyPolicy, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &PutKeyPolicyInput{} + } + + output = &PutKeyPolicyOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// PutKeyPolicy API operation for AWS Key Management Service. +// +// Attaches a key policy to the specified customer master key (CMK). You cannot +// perform this operation on a CMK in a different AWS account. +// +// For more information about key policies, see Key Policies (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) +// in the AWS Key Management Service Developer Guide. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation PutKeyPolicy for usage and error information. +// +// Returned Error Codes: +// * ErrCodeNotFoundException "NotFoundException" +// The request was rejected because the specified entity or resource could not +// be found. +// +// * ErrCodeInvalidArnException "InvalidArnException" +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocumentException" +// The request was rejected because the specified policy is not syntactically +// or semantically correct. +// +// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * ErrCodeUnsupportedOperationException "UnsupportedOperationException" +// The request was rejected because a specified parameter is not supported or +// a specified resource is not valid for this operation. +// +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * ErrCodeLimitExceededException "LimitExceededException" +// The request was rejected because a limit was exceeded. For more information, +// see Limits (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html) +// in the AWS Key Management Service Developer Guide. +// +// * ErrCodeInvalidStateException "KMSInvalidStateException" +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/PutKeyPolicy +func (c *KMS) PutKeyPolicy(input *PutKeyPolicyInput) (*PutKeyPolicyOutput, error) { + req, out := c.PutKeyPolicyRequest(input) + return out, req.Send() +} + +// PutKeyPolicyWithContext is the same as PutKeyPolicy with the addition of +// the ability to pass a context and additional request options. +// +// See PutKeyPolicy for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) PutKeyPolicyWithContext(ctx aws.Context, input *PutKeyPolicyInput, opts ...request.Option) (*PutKeyPolicyOutput, error) { + req, out := c.PutKeyPolicyRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opReEncrypt = "ReEncrypt" + +// ReEncryptRequest generates a "aws/request.Request" representing the +// client's request for the ReEncrypt operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See ReEncrypt for more information on using the ReEncrypt +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the ReEncryptRequest method. +// req, resp := client.ReEncryptRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncrypt +func (c *KMS) ReEncryptRequest(input *ReEncryptInput) (req *request.Request, output *ReEncryptOutput) { + op := &request.Operation{ + Name: opReEncrypt, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &ReEncryptInput{} + } + + output = &ReEncryptOutput{} + req = c.newRequest(op, input, output) + return +} + +// ReEncrypt API operation for AWS Key Management Service. +// +// Encrypts data on the server side with a new customer master key (CMK) without +// exposing the plaintext of the data on the client side. The data is first +// decrypted and then reencrypted. You can also use this operation to change +// the encryption context of a ciphertext. +// +// You can reencrypt data using CMKs in different AWS accounts. +// +// Unlike other operations, ReEncrypt is authorized twice, once as ReEncryptFrom +// on the source CMK and once as ReEncryptTo on the destination CMK. We recommend +// that you include the "kms:ReEncrypt*" permission in your key policies (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) +// to permit reencryption from or to the CMK. This permission is automatically +// included in the key policy when you create a CMK through the console. But +// you must include it manually when you create a CMK programmatically or when +// you set a key policy with the PutKeyPolicy operation. +// +// The result of this operation varies with the key state of the CMK. For details, +// see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation ReEncrypt for usage and error information. +// +// Returned Error Codes: +// * ErrCodeNotFoundException "NotFoundException" +// The request was rejected because the specified entity or resource could not +// be found. +// +// * ErrCodeDisabledException "DisabledException" +// The request was rejected because the specified CMK is not enabled. +// +// * ErrCodeInvalidCiphertextException "InvalidCiphertextException" +// The request was rejected because the specified ciphertext, or additional +// authenticated data incorporated into the ciphertext, such as the encryption +// context, is corrupted, missing, or otherwise invalid. +// +// * ErrCodeKeyUnavailableException "KeyUnavailableException" +// The request was rejected because the specified CMK was not available. The +// request can be retried. +// +// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * ErrCodeInvalidKeyUsageException "InvalidKeyUsageException" +// The request was rejected because the specified KeySpec value is not valid. +// +// * ErrCodeInvalidGrantTokenException "InvalidGrantTokenException" +// The request was rejected because the specified grant token is not valid. +// +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * ErrCodeInvalidStateException "KMSInvalidStateException" +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncrypt +func (c *KMS) ReEncrypt(input *ReEncryptInput) (*ReEncryptOutput, error) { + req, out := c.ReEncryptRequest(input) + return out, req.Send() +} + +// ReEncryptWithContext is the same as ReEncrypt with the addition of +// the ability to pass a context and additional request options. +// +// See ReEncrypt for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) ReEncryptWithContext(ctx aws.Context, input *ReEncryptInput, opts ...request.Option) (*ReEncryptOutput, error) { + req, out := c.ReEncryptRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opRetireGrant = "RetireGrant" + +// RetireGrantRequest generates a "aws/request.Request" representing the +// client's request for the RetireGrant operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See RetireGrant for more information on using the RetireGrant +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the RetireGrantRequest method. +// req, resp := client.RetireGrantRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RetireGrant +func (c *KMS) RetireGrantRequest(input *RetireGrantInput) (req *request.Request, output *RetireGrantOutput) { + op := &request.Operation{ + Name: opRetireGrant, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &RetireGrantInput{} + } + + output = &RetireGrantOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// RetireGrant API operation for AWS Key Management Service. +// +// Retires a grant. To clean up, you can retire a grant when you're done using +// it. You should revoke a grant when you intend to actively deny operations +// that depend on it. The following are permitted to call this API: +// +// * The AWS account (root user) under which the grant was created +// +// * The RetiringPrincipal, if present in the grant +// +// * The GranteePrincipal, if RetireGrant is an operation specified in the +// grant +// +// You must identify the grant to retire by its grant token or by a combination +// of the grant ID and the Amazon Resource Name (ARN) of the customer master +// key (CMK). A grant token is a unique variable-length base64-encoded string. +// A grant ID is a 64 character unique identifier of a grant. The CreateGrant +// operation returns both. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation RetireGrant for usage and error information. +// +// Returned Error Codes: +// * ErrCodeInvalidArnException "InvalidArnException" +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * ErrCodeInvalidGrantTokenException "InvalidGrantTokenException" +// The request was rejected because the specified grant token is not valid. +// +// * ErrCodeInvalidGrantIdException "InvalidGrantIdException" +// The request was rejected because the specified GrantId is not valid. +// +// * ErrCodeNotFoundException "NotFoundException" +// The request was rejected because the specified entity or resource could not +// be found. +// +// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * ErrCodeInvalidStateException "KMSInvalidStateException" +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RetireGrant +func (c *KMS) RetireGrant(input *RetireGrantInput) (*RetireGrantOutput, error) { + req, out := c.RetireGrantRequest(input) + return out, req.Send() +} + +// RetireGrantWithContext is the same as RetireGrant with the addition of +// the ability to pass a context and additional request options. +// +// See RetireGrant for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) RetireGrantWithContext(ctx aws.Context, input *RetireGrantInput, opts ...request.Option) (*RetireGrantOutput, error) { + req, out := c.RetireGrantRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opRevokeGrant = "RevokeGrant" + +// RevokeGrantRequest generates a "aws/request.Request" representing the +// client's request for the RevokeGrant operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See RevokeGrant for more information on using the RevokeGrant +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the RevokeGrantRequest method. +// req, resp := client.RevokeGrantRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RevokeGrant +func (c *KMS) RevokeGrantRequest(input *RevokeGrantInput) (req *request.Request, output *RevokeGrantOutput) { + op := &request.Operation{ + Name: opRevokeGrant, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &RevokeGrantInput{} + } + + output = &RevokeGrantOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// RevokeGrant API operation for AWS Key Management Service. +// +// Revokes the specified grant for the specified customer master key (CMK). +// You can revoke a grant to actively deny operations that depend on it. +// +// To perform this operation on a CMK in a different AWS account, specify the +// key ARN in the value of the KeyId parameter. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation RevokeGrant for usage and error information. +// +// Returned Error Codes: +// * ErrCodeNotFoundException "NotFoundException" +// The request was rejected because the specified entity or resource could not +// be found. +// +// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * ErrCodeInvalidArnException "InvalidArnException" +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * ErrCodeInvalidGrantIdException "InvalidGrantIdException" +// The request was rejected because the specified GrantId is not valid. +// +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * ErrCodeInvalidStateException "KMSInvalidStateException" +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RevokeGrant +func (c *KMS) RevokeGrant(input *RevokeGrantInput) (*RevokeGrantOutput, error) { + req, out := c.RevokeGrantRequest(input) + return out, req.Send() +} + +// RevokeGrantWithContext is the same as RevokeGrant with the addition of +// the ability to pass a context and additional request options. +// +// See RevokeGrant for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) RevokeGrantWithContext(ctx aws.Context, input *RevokeGrantInput, opts ...request.Option) (*RevokeGrantOutput, error) { + req, out := c.RevokeGrantRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opScheduleKeyDeletion = "ScheduleKeyDeletion" + +// ScheduleKeyDeletionRequest generates a "aws/request.Request" representing the +// client's request for the ScheduleKeyDeletion operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See ScheduleKeyDeletion for more information on using the ScheduleKeyDeletion +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the ScheduleKeyDeletionRequest method. +// req, resp := client.ScheduleKeyDeletionRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ScheduleKeyDeletion +func (c *KMS) ScheduleKeyDeletionRequest(input *ScheduleKeyDeletionInput) (req *request.Request, output *ScheduleKeyDeletionOutput) { + op := &request.Operation{ + Name: opScheduleKeyDeletion, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &ScheduleKeyDeletionInput{} + } + + output = &ScheduleKeyDeletionOutput{} + req = c.newRequest(op, input, output) + return +} + +// ScheduleKeyDeletion API operation for AWS Key Management Service. +// +// Schedules the deletion of a customer master key (CMK). You may provide a +// waiting period, specified in days, before deletion occurs. If you do not +// provide a waiting period, the default period of 30 days is used. When this +// operation is successful, the key state of the CMK changes to PendingDeletion. +// Before the waiting period ends, you can use CancelKeyDeletion to cancel the +// deletion of the CMK. After the waiting period ends, AWS KMS deletes the CMK +// and all AWS KMS data associated with it, including all aliases that refer +// to it. +// +// Deleting a CMK is a destructive and potentially dangerous operation. When +// a CMK is deleted, all data that was encrypted under the CMK is unrecoverable. +// To prevent the use of a CMK without deleting it, use DisableKey. +// +// If you schedule deletion of a CMK from a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html), +// when the waiting period expires, ScheduleKeyDeletion deletes the CMK from +// AWS KMS. Then AWS KMS makes a best effort to delete the key material from +// the associated AWS CloudHSM cluster. However, you might need to manually +// delete the orphaned key material (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key) +// from the cluster and its backups. +// +// You cannot perform this operation on a CMK in a different AWS account. +// +// For more information about scheduling a CMK for deletion, see Deleting Customer +// Master Keys (https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) +// in the AWS Key Management Service Developer Guide. +// +// The result of this operation varies with the key state of the CMK. For details, +// see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation ScheduleKeyDeletion for usage and error information. +// +// Returned Error Codes: +// * ErrCodeNotFoundException "NotFoundException" +// The request was rejected because the specified entity or resource could not +// be found. +// +// * ErrCodeInvalidArnException "InvalidArnException" +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * ErrCodeInvalidStateException "KMSInvalidStateException" +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ScheduleKeyDeletion +func (c *KMS) ScheduleKeyDeletion(input *ScheduleKeyDeletionInput) (*ScheduleKeyDeletionOutput, error) { + req, out := c.ScheduleKeyDeletionRequest(input) + return out, req.Send() +} + +// ScheduleKeyDeletionWithContext is the same as ScheduleKeyDeletion with the addition of +// the ability to pass a context and additional request options. +// +// See ScheduleKeyDeletion for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) ScheduleKeyDeletionWithContext(ctx aws.Context, input *ScheduleKeyDeletionInput, opts ...request.Option) (*ScheduleKeyDeletionOutput, error) { + req, out := c.ScheduleKeyDeletionRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opTagResource = "TagResource" + +// TagResourceRequest generates a "aws/request.Request" representing the +// client's request for the TagResource operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See TagResource for more information on using the TagResource +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the TagResourceRequest method. +// req, resp := client.TagResourceRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/TagResource +func (c *KMS) TagResourceRequest(input *TagResourceInput) (req *request.Request, output *TagResourceOutput) { + op := &request.Operation{ + Name: opTagResource, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &TagResourceInput{} + } + + output = &TagResourceOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// TagResource API operation for AWS Key Management Service. +// +// Adds or edits tags for a customer master key (CMK). You cannot perform this +// operation on a CMK in a different AWS account. +// +// Each tag consists of a tag key and a tag value. Tag keys and tag values are +// both required, but tag values can be empty (null) strings. +// +// You can only use a tag key once for each CMK. If you use the tag key again, +// AWS KMS replaces the current tag value with the specified value. +// +// For information about the rules that apply to tag keys and tag values, see +// User-Defined Tag Restrictions (https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/allocation-tag-restrictions.html) +// in the AWS Billing and Cost Management User Guide. +// +// The result of this operation varies with the key state of the CMK. For details, +// see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation TagResource for usage and error information. +// +// Returned Error Codes: +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * ErrCodeNotFoundException "NotFoundException" +// The request was rejected because the specified entity or resource could not +// be found. +// +// * ErrCodeInvalidArnException "InvalidArnException" +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * ErrCodeInvalidStateException "KMSInvalidStateException" +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// * ErrCodeLimitExceededException "LimitExceededException" +// The request was rejected because a limit was exceeded. For more information, +// see Limits (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html) +// in the AWS Key Management Service Developer Guide. +// +// * ErrCodeTagException "TagException" +// The request was rejected because one or more tags are not valid. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/TagResource +func (c *KMS) TagResource(input *TagResourceInput) (*TagResourceOutput, error) { + req, out := c.TagResourceRequest(input) + return out, req.Send() +} + +// TagResourceWithContext is the same as TagResource with the addition of +// the ability to pass a context and additional request options. +// +// See TagResource for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) TagResourceWithContext(ctx aws.Context, input *TagResourceInput, opts ...request.Option) (*TagResourceOutput, error) { + req, out := c.TagResourceRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opUntagResource = "UntagResource" + +// UntagResourceRequest generates a "aws/request.Request" representing the +// client's request for the UntagResource operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See UntagResource for more information on using the UntagResource +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the UntagResourceRequest method. +// req, resp := client.UntagResourceRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UntagResource +func (c *KMS) UntagResourceRequest(input *UntagResourceInput) (req *request.Request, output *UntagResourceOutput) { + op := &request.Operation{ + Name: opUntagResource, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &UntagResourceInput{} + } + + output = &UntagResourceOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// UntagResource API operation for AWS Key Management Service. +// +// Removes the specified tags from the specified customer master key (CMK). +// You cannot perform this operation on a CMK in a different AWS account. +// +// To remove a tag, specify the tag key. To change the tag value of an existing +// tag key, use TagResource. +// +// The result of this operation varies with the key state of the CMK. For details, +// see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation UntagResource for usage and error information. +// +// Returned Error Codes: +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * ErrCodeNotFoundException "NotFoundException" +// The request was rejected because the specified entity or resource could not +// be found. +// +// * ErrCodeInvalidArnException "InvalidArnException" +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * ErrCodeInvalidStateException "KMSInvalidStateException" +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// * ErrCodeTagException "TagException" +// The request was rejected because one or more tags are not valid. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UntagResource +func (c *KMS) UntagResource(input *UntagResourceInput) (*UntagResourceOutput, error) { + req, out := c.UntagResourceRequest(input) + return out, req.Send() +} + +// UntagResourceWithContext is the same as UntagResource with the addition of +// the ability to pass a context and additional request options. +// +// See UntagResource for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) UntagResourceWithContext(ctx aws.Context, input *UntagResourceInput, opts ...request.Option) (*UntagResourceOutput, error) { + req, out := c.UntagResourceRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opUpdateAlias = "UpdateAlias" + +// UpdateAliasRequest generates a "aws/request.Request" representing the +// client's request for the UpdateAlias operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See UpdateAlias for more information on using the UpdateAlias +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the UpdateAliasRequest method. +// req, resp := client.UpdateAliasRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateAlias +func (c *KMS) UpdateAliasRequest(input *UpdateAliasInput) (req *request.Request, output *UpdateAliasOutput) { + op := &request.Operation{ + Name: opUpdateAlias, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &UpdateAliasInput{} + } + + output = &UpdateAliasOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// UpdateAlias API operation for AWS Key Management Service. +// +// Associates an existing alias with a different customer master key (CMK). +// Each CMK can have multiple aliases, but the aliases must be unique within +// the account and region. You cannot perform this operation on an alias in +// a different AWS account. +// +// This operation works only on existing aliases. To change the alias of a CMK +// to a new value, use CreateAlias to create a new alias and DeleteAlias to +// delete the old alias. +// +// Because an alias is not a property of a CMK, you can create, update, and +// delete the aliases of a CMK without affecting the CMK. Also, aliases do not +// appear in the response from the DescribeKey operation. To get the aliases +// of all CMKs in the account, use the ListAliases operation. +// +// The alias name must begin with alias/ followed by a name, such as alias/ExampleAlias. +// It can contain only alphanumeric characters, forward slashes (/), underscores +// (_), and dashes (-). The alias name cannot begin with alias/aws/. The alias/aws/ +// prefix is reserved for AWS managed CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk). +// +// The result of this operation varies with the key state of the CMK. For details, +// see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation UpdateAlias for usage and error information. +// +// Returned Error Codes: +// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * ErrCodeNotFoundException "NotFoundException" +// The request was rejected because the specified entity or resource could not +// be found. +// +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * ErrCodeInvalidStateException "KMSInvalidStateException" +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateAlias +func (c *KMS) UpdateAlias(input *UpdateAliasInput) (*UpdateAliasOutput, error) { + req, out := c.UpdateAliasRequest(input) + return out, req.Send() +} + +// UpdateAliasWithContext is the same as UpdateAlias with the addition of +// the ability to pass a context and additional request options. +// +// See UpdateAlias for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) UpdateAliasWithContext(ctx aws.Context, input *UpdateAliasInput, opts ...request.Option) (*UpdateAliasOutput, error) { + req, out := c.UpdateAliasRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opUpdateCustomKeyStore = "UpdateCustomKeyStore" + +// UpdateCustomKeyStoreRequest generates a "aws/request.Request" representing the +// client's request for the UpdateCustomKeyStore operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See UpdateCustomKeyStore for more information on using the UpdateCustomKeyStore +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the UpdateCustomKeyStoreRequest method. +// req, resp := client.UpdateCustomKeyStoreRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateCustomKeyStore +func (c *KMS) UpdateCustomKeyStoreRequest(input *UpdateCustomKeyStoreInput) (req *request.Request, output *UpdateCustomKeyStoreOutput) { + op := &request.Operation{ + Name: opUpdateCustomKeyStore, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &UpdateCustomKeyStoreInput{} + } + + output = &UpdateCustomKeyStoreOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// UpdateCustomKeyStore API operation for AWS Key Management Service. +// +// Changes the properties of a custom key store. Use the CustomKeyStoreId parameter +// to identify the custom key store you want to edit. Use the remaining parameters +// to change the properties of the custom key store. +// +// You can only update a custom key store that is disconnected. To disconnect +// the custom key store, use DisconnectCustomKeyStore. To reconnect the custom +// key store after the update completes, use ConnectCustomKeyStore. To find +// the connection state of a custom key store, use the DescribeCustomKeyStores +// operation. +// +// Use the parameters of UpdateCustomKeyStore to edit your keystore settings. +// +// * Use the NewCustomKeyStoreName parameter to change the friendly name +// of the custom key store to the value that you specify. +// +// * Use the KeyStorePassword parameter tell AWS KMS the current password +// of the kmsuser (https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser) +// crypto user (CU) in the associated AWS CloudHSM cluster. You can use this +// parameter to fix connection failures (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-password) +// that occur when AWS KMS cannot log into the associated cluster because +// the kmsuser password has changed. This value does not change the password +// in the AWS CloudHSM cluster. +// +// * Use the CloudHsmClusterId parameter to associate the custom key store +// with a different, but related, AWS CloudHSM cluster. You can use this +// parameter to repair a custom key store if its AWS CloudHSM cluster becomes +// corrupted or is deleted, or when you need to create or restore a cluster +// from a backup. +// +// If the operation succeeds, it returns a JSON object with no properties. +// +// This operation is part of the Custom Key Store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) +// feature in AWS KMS, which combines the convenience and extensive integration +// of AWS KMS with the isolation and control of a single-tenant key store. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation UpdateCustomKeyStore for usage and error information. +// +// Returned Error Codes: +// * ErrCodeCustomKeyStoreNotFoundException "CustomKeyStoreNotFoundException" +// The request was rejected because AWS KMS cannot find a custom key store with +// the specified key store name or ID. +// +// * ErrCodeCloudHsmClusterNotFoundException "CloudHsmClusterNotFoundException" +// The request was rejected because AWS KMS cannot find the AWS CloudHSM cluster +// with the specified cluster ID. Retry the request with a different cluster +// ID. +// +// * ErrCodeCloudHsmClusterNotRelatedException "CloudHsmClusterNotRelatedException" +// The request was rejected because the specified AWS CloudHSM cluster has a +// different cluster certificate than the original cluster. You cannot use the +// operation to specify an unrelated cluster. +// +// Specify a cluster that shares a backup history with the original cluster. +// This includes clusters that were created from a backup of the current cluster, +// and clusters that were created from the same backup that produced the current +// cluster. +// +// Clusters that share a backup history have the same cluster certificate. To +// view the cluster certificate of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) +// operation. +// +// * ErrCodeCustomKeyStoreInvalidStateException "CustomKeyStoreInvalidStateException" +// The request was rejected because of the ConnectionState of the custom key +// store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores +// operation. +// +// This exception is thrown under the following conditions: +// +// * You requested the CreateKey or GenerateRandom operation in a custom +// key store that is not connected. These operations are valid only when +// the custom key store ConnectionState is CONNECTED. +// +// * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation +// on a custom key store that is not disconnected. This operation is valid +// only when the custom key store ConnectionState is DISCONNECTED. +// +// * You requested the ConnectCustomKeyStore operation on a custom key store +// with a ConnectionState of DISCONNECTING or FAILED. This operation is valid +// for all other ConnectionState values. +// +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * ErrCodeCloudHsmClusterNotActiveException "CloudHsmClusterNotActiveException" +// The request was rejected because the AWS CloudHSM cluster that is associated +// with the custom key store is not active. Initialize and activate the cluster +// and try the command again. For detailed instructions, see Getting Started +// (https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html) +// in the AWS CloudHSM User Guide. +// +// * ErrCodeCloudHsmClusterInvalidConfigurationException "CloudHsmClusterInvalidConfigurationException" +// The request was rejected because the associated AWS CloudHSM cluster did +// not meet the configuration requirements for a custom key store. +// +// * The cluster must be configured with private subnets in at least two +// different Availability Zones in the Region. +// +// * The security group for the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) +// (cloudhsm-cluster--sg) must include inbound rules and outbound +// rules that allow TCP traffic on ports 2223-2225. The Source in the inbound +// rules and the Destination in the outbound rules must match the security +// group ID. These rules are set by default when you create the cluster. +// Do not delete or change them. To get information about a particular security +// group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html) +// operation. +// +// * The cluster must contain at least as many HSMs as the operation requires. +// To add HSMs, use the AWS CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html) +// operation. +// +// For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey operations, +// the AWS CloudHSM cluster must have at least two active HSMs, each in a +// different Availability Zone. For the ConnectCustomKeyStore operation, +// the AWS CloudHSM must contain at least one active HSM. +// +// For information about the requirements for an AWS CloudHSM cluster that is +// associated with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) +// in the AWS Key Management Service Developer Guide. For information about +// creating a private subnet for an AWS CloudHSM cluster, see Create a Private +// Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html) +// in the AWS CloudHSM User Guide. For information about cluster security groups, +// see Configure a Default Security Group (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) +// in the AWS CloudHSM User Guide. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateCustomKeyStore +func (c *KMS) UpdateCustomKeyStore(input *UpdateCustomKeyStoreInput) (*UpdateCustomKeyStoreOutput, error) { + req, out := c.UpdateCustomKeyStoreRequest(input) + return out, req.Send() +} + +// UpdateCustomKeyStoreWithContext is the same as UpdateCustomKeyStore with the addition of +// the ability to pass a context and additional request options. +// +// See UpdateCustomKeyStore for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) UpdateCustomKeyStoreWithContext(ctx aws.Context, input *UpdateCustomKeyStoreInput, opts ...request.Option) (*UpdateCustomKeyStoreOutput, error) { + req, out := c.UpdateCustomKeyStoreRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opUpdateKeyDescription = "UpdateKeyDescription" + +// UpdateKeyDescriptionRequest generates a "aws/request.Request" representing the +// client's request for the UpdateKeyDescription operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See UpdateKeyDescription for more information on using the UpdateKeyDescription +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the UpdateKeyDescriptionRequest method. +// req, resp := client.UpdateKeyDescriptionRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateKeyDescription +func (c *KMS) UpdateKeyDescriptionRequest(input *UpdateKeyDescriptionInput) (req *request.Request, output *UpdateKeyDescriptionOutput) { + op := &request.Operation{ + Name: opUpdateKeyDescription, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &UpdateKeyDescriptionInput{} + } + + output = &UpdateKeyDescriptionOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// UpdateKeyDescription API operation for AWS Key Management Service. +// +// Updates the description of a customer master key (CMK). To see the description +// of a CMK, use DescribeKey. +// +// You cannot perform this operation on a CMK in a different AWS account. +// +// The result of this operation varies with the key state of the CMK. For details, +// see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation UpdateKeyDescription for usage and error information. +// +// Returned Error Codes: +// * ErrCodeNotFoundException "NotFoundException" +// The request was rejected because the specified entity or resource could not +// be found. +// +// * ErrCodeInvalidArnException "InvalidArnException" +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * ErrCodeDependencyTimeoutException "DependencyTimeoutException" +// The system timed out while trying to fulfill the request. The request can +// be retried. +// +// * ErrCodeInternalException "KMSInternalException" +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * ErrCodeInvalidStateException "KMSInvalidStateException" +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateKeyDescription +func (c *KMS) UpdateKeyDescription(input *UpdateKeyDescriptionInput) (*UpdateKeyDescriptionOutput, error) { + req, out := c.UpdateKeyDescriptionRequest(input) + return out, req.Send() +} + +// UpdateKeyDescriptionWithContext is the same as UpdateKeyDescription with the addition of +// the ability to pass a context and additional request options. +// +// See UpdateKeyDescription for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) UpdateKeyDescriptionWithContext(ctx aws.Context, input *UpdateKeyDescriptionInput, opts ...request.Option) (*UpdateKeyDescriptionOutput, error) { + req, out := c.UpdateKeyDescriptionRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +// Contains information about an alias. +type AliasListEntry struct { + _ struct{} `type:"structure"` + + // String that contains the key ARN. + AliasArn *string `min:"20" type:"string"` + + // String that contains the alias. This value begins with alias/. + AliasName *string `min:"1" type:"string"` + + // String that contains the key identifier referred to by the alias. + TargetKeyId *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s AliasListEntry) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s AliasListEntry) GoString() string { + return s.String() +} + +// SetAliasArn sets the AliasArn field's value. +func (s *AliasListEntry) SetAliasArn(v string) *AliasListEntry { + s.AliasArn = &v + return s +} + +// SetAliasName sets the AliasName field's value. +func (s *AliasListEntry) SetAliasName(v string) *AliasListEntry { + s.AliasName = &v + return s +} + +// SetTargetKeyId sets the TargetKeyId field's value. +func (s *AliasListEntry) SetTargetKeyId(v string) *AliasListEntry { + s.TargetKeyId = &v + return s +} + +type CancelKeyDeletionInput struct { + _ struct{} `type:"structure"` + + // The unique identifier for the customer master key (CMK) for which to cancel + // deletion. + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s CancelKeyDeletionInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CancelKeyDeletionInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *CancelKeyDeletionInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "CancelKeyDeletionInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetKeyId sets the KeyId field's value. +func (s *CancelKeyDeletionInput) SetKeyId(v string) *CancelKeyDeletionInput { + s.KeyId = &v + return s +} + +type CancelKeyDeletionOutput struct { + _ struct{} `type:"structure"` + + // The unique identifier of the master key for which deletion is canceled. + KeyId *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s CancelKeyDeletionOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CancelKeyDeletionOutput) GoString() string { + return s.String() +} + +// SetKeyId sets the KeyId field's value. +func (s *CancelKeyDeletionOutput) SetKeyId(v string) *CancelKeyDeletionOutput { + s.KeyId = &v + return s +} + +type ConnectCustomKeyStoreInput struct { + _ struct{} `type:"structure"` + + // Enter the key store ID of the custom key store that you want to connect. + // To find the ID of a custom key store, use the DescribeCustomKeyStores operation. + // + // CustomKeyStoreId is a required field + CustomKeyStoreId *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s ConnectCustomKeyStoreInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ConnectCustomKeyStoreInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *ConnectCustomKeyStoreInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "ConnectCustomKeyStoreInput"} + if s.CustomKeyStoreId == nil { + invalidParams.Add(request.NewErrParamRequired("CustomKeyStoreId")) + } + if s.CustomKeyStoreId != nil && len(*s.CustomKeyStoreId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetCustomKeyStoreId sets the CustomKeyStoreId field's value. +func (s *ConnectCustomKeyStoreInput) SetCustomKeyStoreId(v string) *ConnectCustomKeyStoreInput { + s.CustomKeyStoreId = &v + return s +} + +type ConnectCustomKeyStoreOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s ConnectCustomKeyStoreOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ConnectCustomKeyStoreOutput) GoString() string { + return s.String() +} + +type CreateAliasInput struct { + _ struct{} `type:"structure"` + + // Specifies the alias name. This value must begin with alias/ followed by a + // name, such as alias/ExampleAlias. The alias name cannot begin with alias/aws/. + // The alias/aws/ prefix is reserved for AWS managed CMKs. + // + // AliasName is a required field + AliasName *string `min:"1" type:"string" required:"true"` + + // Identifies the CMK to which the alias refers. Specify the key ID or the Amazon + // Resource Name (ARN) of the CMK. You cannot specify another alias. For help + // finding the key ID and ARN, see Finding the Key ID and ARN (https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arn) + // in the AWS Key Management Service Developer Guide. + // + // TargetKeyId is a required field + TargetKeyId *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s CreateAliasInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CreateAliasInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *CreateAliasInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "CreateAliasInput"} + if s.AliasName == nil { + invalidParams.Add(request.NewErrParamRequired("AliasName")) + } + if s.AliasName != nil && len(*s.AliasName) < 1 { + invalidParams.Add(request.NewErrParamMinLen("AliasName", 1)) + } + if s.TargetKeyId == nil { + invalidParams.Add(request.NewErrParamRequired("TargetKeyId")) + } + if s.TargetKeyId != nil && len(*s.TargetKeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("TargetKeyId", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetAliasName sets the AliasName field's value. +func (s *CreateAliasInput) SetAliasName(v string) *CreateAliasInput { + s.AliasName = &v + return s +} + +// SetTargetKeyId sets the TargetKeyId field's value. +func (s *CreateAliasInput) SetTargetKeyId(v string) *CreateAliasInput { + s.TargetKeyId = &v + return s +} + +type CreateAliasOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s CreateAliasOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CreateAliasOutput) GoString() string { + return s.String() +} + +type CreateCustomKeyStoreInput struct { + _ struct{} `type:"structure"` + + // Identifies the AWS CloudHSM cluster for the custom key store. Enter the cluster + // ID of any active AWS CloudHSM cluster that is not already associated with + // a custom key store. To find the cluster ID, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) + // operation. + // + // CloudHsmClusterId is a required field + CloudHsmClusterId *string `min:"19" type:"string" required:"true"` + + // Specifies a friendly name for the custom key store. The name must be unique + // in your AWS account. + // + // CustomKeyStoreName is a required field + CustomKeyStoreName *string `min:"1" type:"string" required:"true"` + + // Enter the password of the kmsuser (https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser) + // crypto user (CU) account in the specified AWS CloudHSM cluster. AWS KMS logs + // into the cluster as this user to manage key material on your behalf. + // + // This parameter tells AWS KMS the kmsuser account password; it does not change + // the password in the AWS CloudHSM cluster. + // + // KeyStorePassword is a required field + KeyStorePassword *string `min:"1" type:"string" required:"true" sensitive:"true"` + + // Enter the content of the trust anchor certificate for the cluster. This is + // the content of the customerCA.crt file that you created when you initialized + // the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html). + // + // TrustAnchorCertificate is a required field + TrustAnchorCertificate *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s CreateCustomKeyStoreInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CreateCustomKeyStoreInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *CreateCustomKeyStoreInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "CreateCustomKeyStoreInput"} + if s.CloudHsmClusterId == nil { + invalidParams.Add(request.NewErrParamRequired("CloudHsmClusterId")) + } + if s.CloudHsmClusterId != nil && len(*s.CloudHsmClusterId) < 19 { + invalidParams.Add(request.NewErrParamMinLen("CloudHsmClusterId", 19)) + } + if s.CustomKeyStoreName == nil { + invalidParams.Add(request.NewErrParamRequired("CustomKeyStoreName")) + } + if s.CustomKeyStoreName != nil && len(*s.CustomKeyStoreName) < 1 { + invalidParams.Add(request.NewErrParamMinLen("CustomKeyStoreName", 1)) + } + if s.KeyStorePassword == nil { + invalidParams.Add(request.NewErrParamRequired("KeyStorePassword")) + } + if s.KeyStorePassword != nil && len(*s.KeyStorePassword) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyStorePassword", 1)) + } + if s.TrustAnchorCertificate == nil { + invalidParams.Add(request.NewErrParamRequired("TrustAnchorCertificate")) + } + if s.TrustAnchorCertificate != nil && len(*s.TrustAnchorCertificate) < 1 { + invalidParams.Add(request.NewErrParamMinLen("TrustAnchorCertificate", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetCloudHsmClusterId sets the CloudHsmClusterId field's value. +func (s *CreateCustomKeyStoreInput) SetCloudHsmClusterId(v string) *CreateCustomKeyStoreInput { + s.CloudHsmClusterId = &v + return s +} + +// SetCustomKeyStoreName sets the CustomKeyStoreName field's value. +func (s *CreateCustomKeyStoreInput) SetCustomKeyStoreName(v string) *CreateCustomKeyStoreInput { + s.CustomKeyStoreName = &v + return s +} + +// SetKeyStorePassword sets the KeyStorePassword field's value. +func (s *CreateCustomKeyStoreInput) SetKeyStorePassword(v string) *CreateCustomKeyStoreInput { + s.KeyStorePassword = &v + return s +} + +// SetTrustAnchorCertificate sets the TrustAnchorCertificate field's value. +func (s *CreateCustomKeyStoreInput) SetTrustAnchorCertificate(v string) *CreateCustomKeyStoreInput { + s.TrustAnchorCertificate = &v + return s +} + +type CreateCustomKeyStoreOutput struct { + _ struct{} `type:"structure"` + + // A unique identifier for the new custom key store. + CustomKeyStoreId *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s CreateCustomKeyStoreOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CreateCustomKeyStoreOutput) GoString() string { + return s.String() +} + +// SetCustomKeyStoreId sets the CustomKeyStoreId field's value. +func (s *CreateCustomKeyStoreOutput) SetCustomKeyStoreId(v string) *CreateCustomKeyStoreOutput { + s.CustomKeyStoreId = &v + return s +} + +type CreateGrantInput struct { + _ struct{} `type:"structure"` + + // Allows a cryptographic operation only when the encryption context matches + // or includes the encryption context specified in this structure. For more + // information about encryption context, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) + // in the AWS Key Management Service Developer Guide. + Constraints *GrantConstraints `type:"structure"` + + // A list of grant tokens. + // + // For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) + // in the AWS Key Management Service Developer Guide. + GrantTokens []*string `type:"list"` + + // The principal that is given permission to perform the operations that the + // grant permits. + // + // To specify the principal, use the Amazon Resource Name (ARN) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) + // of an AWS principal. Valid AWS principals include AWS accounts (root), IAM + // users, IAM roles, federated users, and assumed role users. For examples of + // the ARN syntax to use for specifying a principal, see AWS Identity and Access + // Management (IAM) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam) + // in the Example ARNs section of the AWS General Reference. + // + // GranteePrincipal is a required field + GranteePrincipal *string `min:"1" type:"string" required:"true"` + + // The unique identifier for the customer master key (CMK) that the grant applies + // to. + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify + // a CMK in a different AWS account, you must use the key ARN. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` + + // A friendly name for identifying the grant. Use this value to prevent the + // unintended creation of duplicate grants when retrying this request. + // + // When this value is absent, all CreateGrant requests result in a new grant + // with a unique GrantId even if all the supplied parameters are identical. + // This can result in unintended duplicates when you retry the CreateGrant request. + // + // When this value is present, you can retry a CreateGrant request with identical + // parameters; if the grant already exists, the original GrantId is returned + // without creating a new grant. Note that the returned grant token is unique + // with every CreateGrant request, even when a duplicate GrantId is returned. + // All grant tokens obtained in this way can be used interchangeably. + Name *string `min:"1" type:"string"` + + // A list of operations that the grant permits. + // + // Operations is a required field + Operations []*string `type:"list" required:"true"` + + // The principal that is given permission to retire the grant by using RetireGrant + // operation. + // + // To specify the principal, use the Amazon Resource Name (ARN) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) + // of an AWS principal. Valid AWS principals include AWS accounts (root), IAM + // users, federated users, and assumed role users. For examples of the ARN syntax + // to use for specifying a principal, see AWS Identity and Access Management + // (IAM) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam) + // in the Example ARNs section of the AWS General Reference. + RetiringPrincipal *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s CreateGrantInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CreateGrantInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *CreateGrantInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "CreateGrantInput"} + if s.GranteePrincipal == nil { + invalidParams.Add(request.NewErrParamRequired("GranteePrincipal")) + } + if s.GranteePrincipal != nil && len(*s.GranteePrincipal) < 1 { + invalidParams.Add(request.NewErrParamMinLen("GranteePrincipal", 1)) + } + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + if s.Name != nil && len(*s.Name) < 1 { + invalidParams.Add(request.NewErrParamMinLen("Name", 1)) + } + if s.Operations == nil { + invalidParams.Add(request.NewErrParamRequired("Operations")) + } + if s.RetiringPrincipal != nil && len(*s.RetiringPrincipal) < 1 { + invalidParams.Add(request.NewErrParamMinLen("RetiringPrincipal", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetConstraints sets the Constraints field's value. +func (s *CreateGrantInput) SetConstraints(v *GrantConstraints) *CreateGrantInput { + s.Constraints = v + return s +} + +// SetGrantTokens sets the GrantTokens field's value. +func (s *CreateGrantInput) SetGrantTokens(v []*string) *CreateGrantInput { + s.GrantTokens = v + return s +} + +// SetGranteePrincipal sets the GranteePrincipal field's value. +func (s *CreateGrantInput) SetGranteePrincipal(v string) *CreateGrantInput { + s.GranteePrincipal = &v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *CreateGrantInput) SetKeyId(v string) *CreateGrantInput { + s.KeyId = &v + return s +} + +// SetName sets the Name field's value. +func (s *CreateGrantInput) SetName(v string) *CreateGrantInput { + s.Name = &v + return s +} + +// SetOperations sets the Operations field's value. +func (s *CreateGrantInput) SetOperations(v []*string) *CreateGrantInput { + s.Operations = v + return s +} + +// SetRetiringPrincipal sets the RetiringPrincipal field's value. +func (s *CreateGrantInput) SetRetiringPrincipal(v string) *CreateGrantInput { + s.RetiringPrincipal = &v + return s +} + +type CreateGrantOutput struct { + _ struct{} `type:"structure"` + + // The unique identifier for the grant. + // + // You can use the GrantId in a subsequent RetireGrant or RevokeGrant operation. + GrantId *string `min:"1" type:"string"` + + // The grant token. + // + // For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) + // in the AWS Key Management Service Developer Guide. + GrantToken *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s CreateGrantOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CreateGrantOutput) GoString() string { + return s.String() +} + +// SetGrantId sets the GrantId field's value. +func (s *CreateGrantOutput) SetGrantId(v string) *CreateGrantOutput { + s.GrantId = &v + return s +} + +// SetGrantToken sets the GrantToken field's value. +func (s *CreateGrantOutput) SetGrantToken(v string) *CreateGrantOutput { + s.GrantToken = &v + return s +} + +type CreateKeyInput struct { + _ struct{} `type:"structure"` + + // A flag to indicate whether to bypass the key policy lockout safety check. + // + // Setting this value to true increases the risk that the CMK becomes unmanageable. + // Do not set this value to true indiscriminately. + // + // For more information, refer to the scenario in the Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) + // section in the AWS Key Management Service Developer Guide. + // + // Use this parameter only when you include a policy in the request and you + // intend to prevent the principal that is making the request from making a + // subsequent PutKeyPolicy request on the CMK. + // + // The default value is false. + BypassPolicyLockoutSafetyCheck *bool `type:"boolean"` + + // Creates the CMK in the specified custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) + // and the key material in its associated AWS CloudHSM cluster. To create a + // CMK in a custom key store, you must also specify the Origin parameter with + // a value of AWS_CLOUDHSM. The AWS CloudHSM cluster that is associated with + // the custom key store must have at least two active HSMs, each in a different + // Availability Zone in the Region. + // + // To find the ID of a custom key store, use the DescribeCustomKeyStores operation. + // + // The response includes the custom key store ID and the ID of the AWS CloudHSM + // cluster. + // + // This operation is part of the Custom Key Store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) + // feature in AWS KMS, which combines the convenience and extensive integration + // of AWS KMS with the isolation and control of a single-tenant key store. + CustomKeyStoreId *string `min:"1" type:"string"` + + // A description of the CMK. + // + // Use a description that helps you decide whether the CMK is appropriate for + // a task. + Description *string `type:"string"` + + // The cryptographic operations for which you can use the CMK. The only valid + // value is ENCRYPT_DECRYPT, which means you can use the CMK to encrypt and + // decrypt data. + KeyUsage *string `type:"string" enum:"KeyUsageType"` + + // The source of the key material for the CMK. You cannot change the origin + // after you create the CMK. + // + // The default is AWS_KMS, which means AWS KMS creates the key material in its + // own key store. + // + // When the parameter value is EXTERNAL, AWS KMS creates a CMK without key material + // so that you can import key material from your existing key management infrastructure. + // For more information about importing key material into AWS KMS, see Importing + // Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) + // in the AWS Key Management Service Developer Guide. + // + // When the parameter value is AWS_CLOUDHSM, AWS KMS creates the CMK in an AWS + // KMS custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) + // and creates its key material in the associated AWS CloudHSM cluster. You + // must also use the CustomKeyStoreId parameter to identify the custom key store. + Origin *string `type:"string" enum:"OriginType"` + + // The key policy to attach to the CMK. + // + // If you provide a key policy, it must meet the following criteria: + // + // * If you don't set BypassPolicyLockoutSafetyCheck to true, the key policy + // must allow the principal that is making the CreateKey request to make + // a subsequent PutKeyPolicy request on the CMK. This reduces the risk that + // the CMK becomes unmanageable. For more information, refer to the scenario + // in the Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) + // section of the AWS Key Management Service Developer Guide. + // + // * Each statement in the key policy must contain one or more principals. + // The principals in the key policy must exist and be visible to AWS KMS. + // When you create a new AWS principal (for example, an IAM user or role), + // you might need to enforce a delay before including the new principal in + // a key policy because the new principal might not be immediately visible + // to AWS KMS. For more information, see Changes that I make are not always + // immediately visible (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency) + // in the AWS Identity and Access Management User Guide. + // + // If you do not provide a key policy, AWS KMS attaches a default key policy + // to the CMK. For more information, see Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) + // in the AWS Key Management Service Developer Guide. + // + // The key policy size limit is 32 kilobytes (32768 bytes). + Policy *string `min:"1" type:"string"` + + // One or more tags. Each tag consists of a tag key and a tag value. Tag keys + // and tag values are both required, but tag values can be empty (null) strings. + // + // Use this parameter to tag the CMK when it is created. Alternately, you can + // omit this parameter and instead tag the CMK after it is created using TagResource. + Tags []*Tag `type:"list"` +} + +// String returns the string representation +func (s CreateKeyInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CreateKeyInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *CreateKeyInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "CreateKeyInput"} + if s.CustomKeyStoreId != nil && len(*s.CustomKeyStoreId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1)) + } + if s.Policy != nil && len(*s.Policy) < 1 { + invalidParams.Add(request.NewErrParamMinLen("Policy", 1)) + } + if s.Tags != nil { + for i, v := range s.Tags { + if v == nil { + continue + } + if err := v.Validate(); err != nil { + invalidParams.AddNested(fmt.Sprintf("%s[%v]", "Tags", i), err.(request.ErrInvalidParams)) + } + } + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetBypassPolicyLockoutSafetyCheck sets the BypassPolicyLockoutSafetyCheck field's value. +func (s *CreateKeyInput) SetBypassPolicyLockoutSafetyCheck(v bool) *CreateKeyInput { + s.BypassPolicyLockoutSafetyCheck = &v + return s +} + +// SetCustomKeyStoreId sets the CustomKeyStoreId field's value. +func (s *CreateKeyInput) SetCustomKeyStoreId(v string) *CreateKeyInput { + s.CustomKeyStoreId = &v + return s +} + +// SetDescription sets the Description field's value. +func (s *CreateKeyInput) SetDescription(v string) *CreateKeyInput { + s.Description = &v + return s +} + +// SetKeyUsage sets the KeyUsage field's value. +func (s *CreateKeyInput) SetKeyUsage(v string) *CreateKeyInput { + s.KeyUsage = &v + return s +} + +// SetOrigin sets the Origin field's value. +func (s *CreateKeyInput) SetOrigin(v string) *CreateKeyInput { + s.Origin = &v + return s +} + +// SetPolicy sets the Policy field's value. +func (s *CreateKeyInput) SetPolicy(v string) *CreateKeyInput { + s.Policy = &v + return s +} + +// SetTags sets the Tags field's value. +func (s *CreateKeyInput) SetTags(v []*Tag) *CreateKeyInput { + s.Tags = v + return s +} + +type CreateKeyOutput struct { + _ struct{} `type:"structure"` + + // Metadata associated with the CMK. + KeyMetadata *KeyMetadata `type:"structure"` +} + +// String returns the string representation +func (s CreateKeyOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CreateKeyOutput) GoString() string { + return s.String() +} + +// SetKeyMetadata sets the KeyMetadata field's value. +func (s *CreateKeyOutput) SetKeyMetadata(v *KeyMetadata) *CreateKeyOutput { + s.KeyMetadata = v + return s +} + +// Contains information about each custom key store in the custom key store +// list. +type CustomKeyStoresListEntry struct { + _ struct{} `type:"structure"` + + // A unique identifier for the AWS CloudHSM cluster that is associated with + // the custom key store. + CloudHsmClusterId *string `min:"19" type:"string"` + + // Describes the connection error. Valid values are: + // + // * CLUSTER_NOT_FOUND - AWS KMS cannot find the AWS CloudHSM cluster with + // the specified cluster ID. + // + // * INSUFFICIENT_CLOUDHSM_HSMS - The associated AWS CloudHSM cluster does + // not contain any active HSMs. To connect a custom key store to its AWS + // CloudHSM cluster, the cluster must contain at least one active HSM. + // + // * INTERNAL_ERROR - AWS KMS could not complete the request due to an internal + // error. Retry the request. For ConnectCustomKeyStore requests, disconnect + // the custom key store before trying to connect again. + // + // * INVALID_CREDENTIALS - AWS KMS does not have the correct password for + // the kmsuser crypto user in the AWS CloudHSM cluster. + // + // * NETWORK_ERRORS - Network errors are preventing AWS KMS from connecting + // to the custom key store. + // + // * USER_LOCKED_OUT - The kmsuser CU account is locked out of the associated + // AWS CloudHSM cluster due to too many failed password attempts. Before + // you can connect your custom key store to its AWS CloudHSM cluster, you + // must change the kmsuser account password and update the password value + // for the custom key store. + // + // For help with connection failures, see Troubleshooting Custom Key Stores + // (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html) + // in the AWS Key Management Service Developer Guide. + ConnectionErrorCode *string `type:"string" enum:"ConnectionErrorCodeType"` + + // Indicates whether the custom key store is connected to its AWS CloudHSM cluster. + // + // You can create and use CMKs in your custom key stores only when its connection + // state is CONNECTED. + // + // The value is DISCONNECTED if the key store has never been connected or you + // use the DisconnectCustomKeyStore operation to disconnect it. If the value + // is CONNECTED but you are having trouble using the custom key store, make + // sure that its associated AWS CloudHSM cluster is active and contains at least + // one active HSM. + // + // A value of FAILED indicates that an attempt to connect was unsuccessful. + // For help resolving a connection failure, see Troubleshooting a Custom Key + // Store (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html) + // in the AWS Key Management Service Developer Guide. + ConnectionState *string `type:"string" enum:"ConnectionStateType"` + + // The date and time when the custom key store was created. + CreationDate *time.Time `type:"timestamp"` + + // A unique identifier for the custom key store. + CustomKeyStoreId *string `min:"1" type:"string"` + + // The user-specified friendly name for the custom key store. + CustomKeyStoreName *string `min:"1" type:"string"` + + // The trust anchor certificate of the associated AWS CloudHSM cluster. When + // you initialize the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr), + // you create this certificate and save it in the customerCA.crt file. + TrustAnchorCertificate *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s CustomKeyStoresListEntry) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CustomKeyStoresListEntry) GoString() string { + return s.String() +} + +// SetCloudHsmClusterId sets the CloudHsmClusterId field's value. +func (s *CustomKeyStoresListEntry) SetCloudHsmClusterId(v string) *CustomKeyStoresListEntry { + s.CloudHsmClusterId = &v + return s +} + +// SetConnectionErrorCode sets the ConnectionErrorCode field's value. +func (s *CustomKeyStoresListEntry) SetConnectionErrorCode(v string) *CustomKeyStoresListEntry { + s.ConnectionErrorCode = &v + return s +} + +// SetConnectionState sets the ConnectionState field's value. +func (s *CustomKeyStoresListEntry) SetConnectionState(v string) *CustomKeyStoresListEntry { + s.ConnectionState = &v + return s +} + +// SetCreationDate sets the CreationDate field's value. +func (s *CustomKeyStoresListEntry) SetCreationDate(v time.Time) *CustomKeyStoresListEntry { + s.CreationDate = &v + return s +} + +// SetCustomKeyStoreId sets the CustomKeyStoreId field's value. +func (s *CustomKeyStoresListEntry) SetCustomKeyStoreId(v string) *CustomKeyStoresListEntry { + s.CustomKeyStoreId = &v + return s +} + +// SetCustomKeyStoreName sets the CustomKeyStoreName field's value. +func (s *CustomKeyStoresListEntry) SetCustomKeyStoreName(v string) *CustomKeyStoresListEntry { + s.CustomKeyStoreName = &v + return s +} + +// SetTrustAnchorCertificate sets the TrustAnchorCertificate field's value. +func (s *CustomKeyStoresListEntry) SetTrustAnchorCertificate(v string) *CustomKeyStoresListEntry { + s.TrustAnchorCertificate = &v + return s +} + +type DecryptInput struct { + _ struct{} `type:"structure"` + + // Ciphertext to be decrypted. The blob includes metadata. + // + // CiphertextBlob is automatically base64 encoded/decoded by the SDK. + // + // CiphertextBlob is a required field + CiphertextBlob []byte `min:"1" type:"blob" required:"true"` + + // The encryption context. If this was specified in the Encrypt function, it + // must be specified here or the decryption operation will fail. For more information, + // see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context). + EncryptionContext map[string]*string `type:"map"` + + // A list of grant tokens. + // + // For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) + // in the AWS Key Management Service Developer Guide. + GrantTokens []*string `type:"list"` +} + +// String returns the string representation +func (s DecryptInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DecryptInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *DecryptInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "DecryptInput"} + if s.CiphertextBlob == nil { + invalidParams.Add(request.NewErrParamRequired("CiphertextBlob")) + } + if s.CiphertextBlob != nil && len(s.CiphertextBlob) < 1 { + invalidParams.Add(request.NewErrParamMinLen("CiphertextBlob", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetCiphertextBlob sets the CiphertextBlob field's value. +func (s *DecryptInput) SetCiphertextBlob(v []byte) *DecryptInput { + s.CiphertextBlob = v + return s +} + +// SetEncryptionContext sets the EncryptionContext field's value. +func (s *DecryptInput) SetEncryptionContext(v map[string]*string) *DecryptInput { + s.EncryptionContext = v + return s +} + +// SetGrantTokens sets the GrantTokens field's value. +func (s *DecryptInput) SetGrantTokens(v []*string) *DecryptInput { + s.GrantTokens = v + return s +} + +type DecryptOutput struct { + _ struct{} `type:"structure"` + + // ARN of the key used to perform the decryption. This value is returned if + // no errors are encountered during the operation. + KeyId *string `min:"1" type:"string"` + + // Decrypted plaintext data. When you use the HTTP API or the AWS CLI, the value + // is Base64-encoded. Otherwise, it is not encoded. + // + // Plaintext is automatically base64 encoded/decoded by the SDK. + Plaintext []byte `min:"1" type:"blob" sensitive:"true"` +} + +// String returns the string representation +func (s DecryptOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DecryptOutput) GoString() string { + return s.String() +} + +// SetKeyId sets the KeyId field's value. +func (s *DecryptOutput) SetKeyId(v string) *DecryptOutput { + s.KeyId = &v + return s +} + +// SetPlaintext sets the Plaintext field's value. +func (s *DecryptOutput) SetPlaintext(v []byte) *DecryptOutput { + s.Plaintext = v + return s +} + +type DeleteAliasInput struct { + _ struct{} `type:"structure"` + + // The alias to be deleted. The alias name must begin with alias/ followed by + // the alias name, such as alias/ExampleAlias. + // + // AliasName is a required field + AliasName *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s DeleteAliasInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DeleteAliasInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *DeleteAliasInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "DeleteAliasInput"} + if s.AliasName == nil { + invalidParams.Add(request.NewErrParamRequired("AliasName")) + } + if s.AliasName != nil && len(*s.AliasName) < 1 { + invalidParams.Add(request.NewErrParamMinLen("AliasName", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetAliasName sets the AliasName field's value. +func (s *DeleteAliasInput) SetAliasName(v string) *DeleteAliasInput { + s.AliasName = &v + return s +} + +type DeleteAliasOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s DeleteAliasOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DeleteAliasOutput) GoString() string { + return s.String() +} + +type DeleteCustomKeyStoreInput struct { + _ struct{} `type:"structure"` + + // Enter the ID of the custom key store you want to delete. To find the ID of + // a custom key store, use the DescribeCustomKeyStores operation. + // + // CustomKeyStoreId is a required field + CustomKeyStoreId *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s DeleteCustomKeyStoreInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DeleteCustomKeyStoreInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *DeleteCustomKeyStoreInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "DeleteCustomKeyStoreInput"} + if s.CustomKeyStoreId == nil { + invalidParams.Add(request.NewErrParamRequired("CustomKeyStoreId")) + } + if s.CustomKeyStoreId != nil && len(*s.CustomKeyStoreId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetCustomKeyStoreId sets the CustomKeyStoreId field's value. +func (s *DeleteCustomKeyStoreInput) SetCustomKeyStoreId(v string) *DeleteCustomKeyStoreInput { + s.CustomKeyStoreId = &v + return s +} + +type DeleteCustomKeyStoreOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s DeleteCustomKeyStoreOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DeleteCustomKeyStoreOutput) GoString() string { + return s.String() +} + +type DeleteImportedKeyMaterialInput struct { + _ struct{} `type:"structure"` + + // Identifies the CMK from which you are deleting imported key material. The + // Origin of the CMK must be EXTERNAL. + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s DeleteImportedKeyMaterialInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DeleteImportedKeyMaterialInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *DeleteImportedKeyMaterialInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "DeleteImportedKeyMaterialInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetKeyId sets the KeyId field's value. +func (s *DeleteImportedKeyMaterialInput) SetKeyId(v string) *DeleteImportedKeyMaterialInput { + s.KeyId = &v + return s +} + +type DeleteImportedKeyMaterialOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s DeleteImportedKeyMaterialOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DeleteImportedKeyMaterialOutput) GoString() string { + return s.String() +} + +type DescribeCustomKeyStoresInput struct { + _ struct{} `type:"structure"` + + // Gets only information about the specified custom key store. Enter the key + // store ID. + // + // By default, this operation gets information about all custom key stores in + // the account and region. To limit the output to a particular custom key store, + // you can use either the CustomKeyStoreId or CustomKeyStoreName parameter, + // but not both. + CustomKeyStoreId *string `min:"1" type:"string"` + + // Gets only information about the specified custom key store. Enter the friendly + // name of the custom key store. + // + // By default, this operation gets information about all custom key stores in + // the account and region. To limit the output to a particular custom key store, + // you can use either the CustomKeyStoreId or CustomKeyStoreName parameter, + // but not both. + CustomKeyStoreName *string `min:"1" type:"string"` + + // Use this parameter to specify the maximum number of items to return. When + // this value is present, AWS KMS does not return more than the specified number + // of items, but it might return fewer. + Limit *int64 `min:"1" type:"integer"` + + // Use this parameter in a subsequent request after you receive a response with + // truncated results. Set it to the value of NextMarker from the truncated response + // you just received. + Marker *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s DescribeCustomKeyStoresInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DescribeCustomKeyStoresInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *DescribeCustomKeyStoresInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "DescribeCustomKeyStoresInput"} + if s.CustomKeyStoreId != nil && len(*s.CustomKeyStoreId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1)) + } + if s.CustomKeyStoreName != nil && len(*s.CustomKeyStoreName) < 1 { + invalidParams.Add(request.NewErrParamMinLen("CustomKeyStoreName", 1)) + } + if s.Limit != nil && *s.Limit < 1 { + invalidParams.Add(request.NewErrParamMinValue("Limit", 1)) + } + if s.Marker != nil && len(*s.Marker) < 1 { + invalidParams.Add(request.NewErrParamMinLen("Marker", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetCustomKeyStoreId sets the CustomKeyStoreId field's value. +func (s *DescribeCustomKeyStoresInput) SetCustomKeyStoreId(v string) *DescribeCustomKeyStoresInput { + s.CustomKeyStoreId = &v + return s +} + +// SetCustomKeyStoreName sets the CustomKeyStoreName field's value. +func (s *DescribeCustomKeyStoresInput) SetCustomKeyStoreName(v string) *DescribeCustomKeyStoresInput { + s.CustomKeyStoreName = &v + return s +} + +// SetLimit sets the Limit field's value. +func (s *DescribeCustomKeyStoresInput) SetLimit(v int64) *DescribeCustomKeyStoresInput { + s.Limit = &v + return s +} + +// SetMarker sets the Marker field's value. +func (s *DescribeCustomKeyStoresInput) SetMarker(v string) *DescribeCustomKeyStoresInput { + s.Marker = &v + return s +} + +type DescribeCustomKeyStoresOutput struct { + _ struct{} `type:"structure"` + + // Contains metadata about each custom key store. + CustomKeyStores []*CustomKeyStoresListEntry `type:"list"` + + // When Truncated is true, this element is present and contains the value to + // use for the Marker parameter in a subsequent request. + NextMarker *string `min:"1" type:"string"` + + // A flag that indicates whether there are more items in the list. When this + // value is true, the list in this response is truncated. To get more items, + // pass the value of the NextMarker element in thisresponse to the Marker parameter + // in a subsequent request. + Truncated *bool `type:"boolean"` +} + +// String returns the string representation +func (s DescribeCustomKeyStoresOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DescribeCustomKeyStoresOutput) GoString() string { + return s.String() +} + +// SetCustomKeyStores sets the CustomKeyStores field's value. +func (s *DescribeCustomKeyStoresOutput) SetCustomKeyStores(v []*CustomKeyStoresListEntry) *DescribeCustomKeyStoresOutput { + s.CustomKeyStores = v + return s +} + +// SetNextMarker sets the NextMarker field's value. +func (s *DescribeCustomKeyStoresOutput) SetNextMarker(v string) *DescribeCustomKeyStoresOutput { + s.NextMarker = &v + return s +} + +// SetTruncated sets the Truncated field's value. +func (s *DescribeCustomKeyStoresOutput) SetTruncated(v bool) *DescribeCustomKeyStoresOutput { + s.Truncated = &v + return s +} + +type DescribeKeyInput struct { + _ struct{} `type:"structure"` + + // A list of grant tokens. + // + // For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) + // in the AWS Key Management Service Developer Guide. + GrantTokens []*string `type:"list"` + + // Describes the specified customer master key (CMK). + // + // If you specify a predefined AWS alias (an AWS alias with no key ID), KMS + // associates the alias with an AWS managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys) + // and returns its KeyId and Arn in the response. + // + // To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, + // or alias ARN. When using an alias name, prefix it with "alias/". To specify + // a CMK in a different AWS account, you must use the key ARN or alias ARN. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Alias name: alias/ExampleAlias + // + // * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To + // get the alias name and alias ARN, use ListAliases. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s DescribeKeyInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DescribeKeyInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *DescribeKeyInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "DescribeKeyInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetGrantTokens sets the GrantTokens field's value. +func (s *DescribeKeyInput) SetGrantTokens(v []*string) *DescribeKeyInput { + s.GrantTokens = v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *DescribeKeyInput) SetKeyId(v string) *DescribeKeyInput { + s.KeyId = &v + return s +} + +type DescribeKeyOutput struct { + _ struct{} `type:"structure"` + + // Metadata associated with the key. + KeyMetadata *KeyMetadata `type:"structure"` +} + +// String returns the string representation +func (s DescribeKeyOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DescribeKeyOutput) GoString() string { + return s.String() +} + +// SetKeyMetadata sets the KeyMetadata field's value. +func (s *DescribeKeyOutput) SetKeyMetadata(v *KeyMetadata) *DescribeKeyOutput { + s.KeyMetadata = v + return s +} + +type DisableKeyInput struct { + _ struct{} `type:"structure"` + + // A unique identifier for the customer master key (CMK). + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s DisableKeyInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DisableKeyInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *DisableKeyInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "DisableKeyInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetKeyId sets the KeyId field's value. +func (s *DisableKeyInput) SetKeyId(v string) *DisableKeyInput { + s.KeyId = &v + return s +} + +type DisableKeyOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s DisableKeyOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DisableKeyOutput) GoString() string { + return s.String() +} + +type DisableKeyRotationInput struct { + _ struct{} `type:"structure"` + + // A unique identifier for the customer master key (CMK). + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s DisableKeyRotationInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DisableKeyRotationInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *DisableKeyRotationInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "DisableKeyRotationInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetKeyId sets the KeyId field's value. +func (s *DisableKeyRotationInput) SetKeyId(v string) *DisableKeyRotationInput { + s.KeyId = &v + return s +} + +type DisableKeyRotationOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s DisableKeyRotationOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DisableKeyRotationOutput) GoString() string { + return s.String() +} + +type DisconnectCustomKeyStoreInput struct { + _ struct{} `type:"structure"` + + // Enter the ID of the custom key store you want to disconnect. To find the + // ID of a custom key store, use the DescribeCustomKeyStores operation. + // + // CustomKeyStoreId is a required field + CustomKeyStoreId *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s DisconnectCustomKeyStoreInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DisconnectCustomKeyStoreInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *DisconnectCustomKeyStoreInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "DisconnectCustomKeyStoreInput"} + if s.CustomKeyStoreId == nil { + invalidParams.Add(request.NewErrParamRequired("CustomKeyStoreId")) + } + if s.CustomKeyStoreId != nil && len(*s.CustomKeyStoreId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetCustomKeyStoreId sets the CustomKeyStoreId field's value. +func (s *DisconnectCustomKeyStoreInput) SetCustomKeyStoreId(v string) *DisconnectCustomKeyStoreInput { + s.CustomKeyStoreId = &v + return s +} + +type DisconnectCustomKeyStoreOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s DisconnectCustomKeyStoreOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DisconnectCustomKeyStoreOutput) GoString() string { + return s.String() +} + +type EnableKeyInput struct { + _ struct{} `type:"structure"` + + // A unique identifier for the customer master key (CMK). + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s EnableKeyInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s EnableKeyInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *EnableKeyInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "EnableKeyInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetKeyId sets the KeyId field's value. +func (s *EnableKeyInput) SetKeyId(v string) *EnableKeyInput { + s.KeyId = &v + return s +} + +type EnableKeyOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s EnableKeyOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s EnableKeyOutput) GoString() string { + return s.String() +} + +type EnableKeyRotationInput struct { + _ struct{} `type:"structure"` + + // A unique identifier for the customer master key (CMK). + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s EnableKeyRotationInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s EnableKeyRotationInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *EnableKeyRotationInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "EnableKeyRotationInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetKeyId sets the KeyId field's value. +func (s *EnableKeyRotationInput) SetKeyId(v string) *EnableKeyRotationInput { + s.KeyId = &v + return s +} + +type EnableKeyRotationOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s EnableKeyRotationOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s EnableKeyRotationOutput) GoString() string { + return s.String() +} + +type EncryptInput struct { + _ struct{} `type:"structure"` + + // Name-value pair that specifies the encryption context to be used for authenticated + // encryption. If used here, the same value must be supplied to the Decrypt + // API or decryption will fail. For more information, see Encryption Context + // (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context). + EncryptionContext map[string]*string `type:"map"` + + // A list of grant tokens. + // + // For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) + // in the AWS Key Management Service Developer Guide. + GrantTokens []*string `type:"list"` + + // A unique identifier for the customer master key (CMK). + // + // To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, + // or alias ARN. When using an alias name, prefix it with "alias/". To specify + // a CMK in a different AWS account, you must use the key ARN or alias ARN. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Alias name: alias/ExampleAlias + // + // * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To + // get the alias name and alias ARN, use ListAliases. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` + + // Data to be encrypted. + // + // Plaintext is automatically base64 encoded/decoded by the SDK. + // + // Plaintext is a required field + Plaintext []byte `min:"1" type:"blob" required:"true" sensitive:"true"` +} + +// String returns the string representation +func (s EncryptInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s EncryptInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *EncryptInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "EncryptInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + if s.Plaintext == nil { + invalidParams.Add(request.NewErrParamRequired("Plaintext")) + } + if s.Plaintext != nil && len(s.Plaintext) < 1 { + invalidParams.Add(request.NewErrParamMinLen("Plaintext", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetEncryptionContext sets the EncryptionContext field's value. +func (s *EncryptInput) SetEncryptionContext(v map[string]*string) *EncryptInput { + s.EncryptionContext = v + return s +} + +// SetGrantTokens sets the GrantTokens field's value. +func (s *EncryptInput) SetGrantTokens(v []*string) *EncryptInput { + s.GrantTokens = v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *EncryptInput) SetKeyId(v string) *EncryptInput { + s.KeyId = &v + return s +} + +// SetPlaintext sets the Plaintext field's value. +func (s *EncryptInput) SetPlaintext(v []byte) *EncryptInput { + s.Plaintext = v + return s +} + +type EncryptOutput struct { + _ struct{} `type:"structure"` + + // The encrypted plaintext. When you use the HTTP API or the AWS CLI, the value + // is Base64-encoded. Otherwise, it is not encoded. + // + // CiphertextBlob is automatically base64 encoded/decoded by the SDK. + CiphertextBlob []byte `min:"1" type:"blob"` + + // The ID of the key used during encryption. + KeyId *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s EncryptOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s EncryptOutput) GoString() string { + return s.String() +} + +// SetCiphertextBlob sets the CiphertextBlob field's value. +func (s *EncryptOutput) SetCiphertextBlob(v []byte) *EncryptOutput { + s.CiphertextBlob = v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *EncryptOutput) SetKeyId(v string) *EncryptOutput { + s.KeyId = &v + return s +} + +type GenerateDataKeyInput struct { + _ struct{} `type:"structure"` + + // A set of key-value pairs that represents additional authenticated data. + // + // For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) + // in the AWS Key Management Service Developer Guide. + EncryptionContext map[string]*string `type:"map"` + + // A list of grant tokens. + // + // For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) + // in the AWS Key Management Service Developer Guide. + GrantTokens []*string `type:"list"` + + // An identifier for the CMK that encrypts the data key. + // + // To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, + // or alias ARN. When using an alias name, prefix it with "alias/". To specify + // a CMK in a different AWS account, you must use the key ARN or alias ARN. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Alias name: alias/ExampleAlias + // + // * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To + // get the alias name and alias ARN, use ListAliases. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` + + // The length of the data key. Use AES_128 to generate a 128-bit symmetric key, + // or AES_256 to generate a 256-bit symmetric key. + KeySpec *string `type:"string" enum:"DataKeySpec"` + + // The length of the data key in bytes. For example, use the value 64 to generate + // a 512-bit data key (64 bytes is 512 bits). For common key lengths (128-bit + // and 256-bit symmetric keys), we recommend that you use the KeySpec field + // instead of this one. + NumberOfBytes *int64 `min:"1" type:"integer"` +} + +// String returns the string representation +func (s GenerateDataKeyInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GenerateDataKeyInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *GenerateDataKeyInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "GenerateDataKeyInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + if s.NumberOfBytes != nil && *s.NumberOfBytes < 1 { + invalidParams.Add(request.NewErrParamMinValue("NumberOfBytes", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetEncryptionContext sets the EncryptionContext field's value. +func (s *GenerateDataKeyInput) SetEncryptionContext(v map[string]*string) *GenerateDataKeyInput { + s.EncryptionContext = v + return s +} + +// SetGrantTokens sets the GrantTokens field's value. +func (s *GenerateDataKeyInput) SetGrantTokens(v []*string) *GenerateDataKeyInput { + s.GrantTokens = v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *GenerateDataKeyInput) SetKeyId(v string) *GenerateDataKeyInput { + s.KeyId = &v + return s +} + +// SetKeySpec sets the KeySpec field's value. +func (s *GenerateDataKeyInput) SetKeySpec(v string) *GenerateDataKeyInput { + s.KeySpec = &v + return s +} + +// SetNumberOfBytes sets the NumberOfBytes field's value. +func (s *GenerateDataKeyInput) SetNumberOfBytes(v int64) *GenerateDataKeyInput { + s.NumberOfBytes = &v + return s +} + +type GenerateDataKeyOutput struct { + _ struct{} `type:"structure"` + + // The encrypted copy of the data key. When you use the HTTP API or the AWS + // CLI, the value is Base64-encoded. Otherwise, it is not encoded. + // + // CiphertextBlob is automatically base64 encoded/decoded by the SDK. + CiphertextBlob []byte `min:"1" type:"blob"` + + // The identifier of the CMK that encrypted the data key. + KeyId *string `min:"1" type:"string"` + + // The plaintext data key. When you use the HTTP API or the AWS CLI, the value + // is Base64-encoded. Otherwise, it is not encoded. Use this data key to encrypt + // your data outside of KMS. Then, remove it from memory as soon as possible. + // + // Plaintext is automatically base64 encoded/decoded by the SDK. + Plaintext []byte `min:"1" type:"blob" sensitive:"true"` +} + +// String returns the string representation +func (s GenerateDataKeyOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GenerateDataKeyOutput) GoString() string { + return s.String() +} + +// SetCiphertextBlob sets the CiphertextBlob field's value. +func (s *GenerateDataKeyOutput) SetCiphertextBlob(v []byte) *GenerateDataKeyOutput { + s.CiphertextBlob = v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *GenerateDataKeyOutput) SetKeyId(v string) *GenerateDataKeyOutput { + s.KeyId = &v + return s +} + +// SetPlaintext sets the Plaintext field's value. +func (s *GenerateDataKeyOutput) SetPlaintext(v []byte) *GenerateDataKeyOutput { + s.Plaintext = v + return s +} + +type GenerateDataKeyWithoutPlaintextInput struct { + _ struct{} `type:"structure"` + + // A set of key-value pairs that represents additional authenticated data. + // + // For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) + // in the AWS Key Management Service Developer Guide. + EncryptionContext map[string]*string `type:"map"` + + // A list of grant tokens. + // + // For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) + // in the AWS Key Management Service Developer Guide. + GrantTokens []*string `type:"list"` + + // The identifier of the customer master key (CMK) that encrypts the data key. + // + // To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, + // or alias ARN. When using an alias name, prefix it with "alias/". To specify + // a CMK in a different AWS account, you must use the key ARN or alias ARN. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Alias name: alias/ExampleAlias + // + // * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To + // get the alias name and alias ARN, use ListAliases. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` + + // The length of the data key. Use AES_128 to generate a 128-bit symmetric key, + // or AES_256 to generate a 256-bit symmetric key. + KeySpec *string `type:"string" enum:"DataKeySpec"` + + // The length of the data key in bytes. For example, use the value 64 to generate + // a 512-bit data key (64 bytes is 512 bits). For common key lengths (128-bit + // and 256-bit symmetric keys), we recommend that you use the KeySpec field + // instead of this one. + NumberOfBytes *int64 `min:"1" type:"integer"` +} + +// String returns the string representation +func (s GenerateDataKeyWithoutPlaintextInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GenerateDataKeyWithoutPlaintextInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *GenerateDataKeyWithoutPlaintextInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "GenerateDataKeyWithoutPlaintextInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + if s.NumberOfBytes != nil && *s.NumberOfBytes < 1 { + invalidParams.Add(request.NewErrParamMinValue("NumberOfBytes", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetEncryptionContext sets the EncryptionContext field's value. +func (s *GenerateDataKeyWithoutPlaintextInput) SetEncryptionContext(v map[string]*string) *GenerateDataKeyWithoutPlaintextInput { + s.EncryptionContext = v + return s +} + +// SetGrantTokens sets the GrantTokens field's value. +func (s *GenerateDataKeyWithoutPlaintextInput) SetGrantTokens(v []*string) *GenerateDataKeyWithoutPlaintextInput { + s.GrantTokens = v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *GenerateDataKeyWithoutPlaintextInput) SetKeyId(v string) *GenerateDataKeyWithoutPlaintextInput { + s.KeyId = &v + return s +} + +// SetKeySpec sets the KeySpec field's value. +func (s *GenerateDataKeyWithoutPlaintextInput) SetKeySpec(v string) *GenerateDataKeyWithoutPlaintextInput { + s.KeySpec = &v + return s +} + +// SetNumberOfBytes sets the NumberOfBytes field's value. +func (s *GenerateDataKeyWithoutPlaintextInput) SetNumberOfBytes(v int64) *GenerateDataKeyWithoutPlaintextInput { + s.NumberOfBytes = &v + return s +} + +type GenerateDataKeyWithoutPlaintextOutput struct { + _ struct{} `type:"structure"` + + // The encrypted data key. When you use the HTTP API or the AWS CLI, the value + // is Base64-encoded. Otherwise, it is not encoded. + // + // CiphertextBlob is automatically base64 encoded/decoded by the SDK. + CiphertextBlob []byte `min:"1" type:"blob"` + + // The identifier of the CMK that encrypted the data key. + KeyId *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s GenerateDataKeyWithoutPlaintextOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GenerateDataKeyWithoutPlaintextOutput) GoString() string { + return s.String() +} + +// SetCiphertextBlob sets the CiphertextBlob field's value. +func (s *GenerateDataKeyWithoutPlaintextOutput) SetCiphertextBlob(v []byte) *GenerateDataKeyWithoutPlaintextOutput { + s.CiphertextBlob = v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *GenerateDataKeyWithoutPlaintextOutput) SetKeyId(v string) *GenerateDataKeyWithoutPlaintextOutput { + s.KeyId = &v + return s +} + +type GenerateRandomInput struct { + _ struct{} `type:"structure"` + + // Generates the random byte string in the AWS CloudHSM cluster that is associated + // with the specified custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html). + // To find the ID of a custom key store, use the DescribeCustomKeyStores operation. + CustomKeyStoreId *string `min:"1" type:"string"` + + // The length of the byte string. + NumberOfBytes *int64 `min:"1" type:"integer"` +} + +// String returns the string representation +func (s GenerateRandomInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GenerateRandomInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *GenerateRandomInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "GenerateRandomInput"} + if s.CustomKeyStoreId != nil && len(*s.CustomKeyStoreId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1)) + } + if s.NumberOfBytes != nil && *s.NumberOfBytes < 1 { + invalidParams.Add(request.NewErrParamMinValue("NumberOfBytes", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetCustomKeyStoreId sets the CustomKeyStoreId field's value. +func (s *GenerateRandomInput) SetCustomKeyStoreId(v string) *GenerateRandomInput { + s.CustomKeyStoreId = &v + return s +} + +// SetNumberOfBytes sets the NumberOfBytes field's value. +func (s *GenerateRandomInput) SetNumberOfBytes(v int64) *GenerateRandomInput { + s.NumberOfBytes = &v + return s +} + +type GenerateRandomOutput struct { + _ struct{} `type:"structure"` + + // The random byte string. When you use the HTTP API or the AWS CLI, the value + // is Base64-encoded. Otherwise, it is not encoded. + // + // Plaintext is automatically base64 encoded/decoded by the SDK. + Plaintext []byte `min:"1" type:"blob" sensitive:"true"` +} + +// String returns the string representation +func (s GenerateRandomOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GenerateRandomOutput) GoString() string { + return s.String() +} + +// SetPlaintext sets the Plaintext field's value. +func (s *GenerateRandomOutput) SetPlaintext(v []byte) *GenerateRandomOutput { + s.Plaintext = v + return s +} + +type GetKeyPolicyInput struct { + _ struct{} `type:"structure"` + + // A unique identifier for the customer master key (CMK). + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` + + // Specifies the name of the key policy. The only valid name is default. To + // get the names of key policies, use ListKeyPolicies. + // + // PolicyName is a required field + PolicyName *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s GetKeyPolicyInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GetKeyPolicyInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *GetKeyPolicyInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "GetKeyPolicyInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + if s.PolicyName == nil { + invalidParams.Add(request.NewErrParamRequired("PolicyName")) + } + if s.PolicyName != nil && len(*s.PolicyName) < 1 { + invalidParams.Add(request.NewErrParamMinLen("PolicyName", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetKeyId sets the KeyId field's value. +func (s *GetKeyPolicyInput) SetKeyId(v string) *GetKeyPolicyInput { + s.KeyId = &v + return s +} + +// SetPolicyName sets the PolicyName field's value. +func (s *GetKeyPolicyInput) SetPolicyName(v string) *GetKeyPolicyInput { + s.PolicyName = &v + return s +} + +type GetKeyPolicyOutput struct { + _ struct{} `type:"structure"` + + // A key policy document in JSON format. + Policy *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s GetKeyPolicyOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GetKeyPolicyOutput) GoString() string { + return s.String() +} + +// SetPolicy sets the Policy field's value. +func (s *GetKeyPolicyOutput) SetPolicy(v string) *GetKeyPolicyOutput { + s.Policy = &v + return s +} + +type GetKeyRotationStatusInput struct { + _ struct{} `type:"structure"` + + // A unique identifier for the customer master key (CMK). + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify + // a CMK in a different AWS account, you must use the key ARN. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s GetKeyRotationStatusInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GetKeyRotationStatusInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *GetKeyRotationStatusInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "GetKeyRotationStatusInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetKeyId sets the KeyId field's value. +func (s *GetKeyRotationStatusInput) SetKeyId(v string) *GetKeyRotationStatusInput { + s.KeyId = &v + return s +} + +type GetKeyRotationStatusOutput struct { + _ struct{} `type:"structure"` + + // A Boolean value that specifies whether key rotation is enabled. + KeyRotationEnabled *bool `type:"boolean"` +} + +// String returns the string representation +func (s GetKeyRotationStatusOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GetKeyRotationStatusOutput) GoString() string { + return s.String() +} + +// SetKeyRotationEnabled sets the KeyRotationEnabled field's value. +func (s *GetKeyRotationStatusOutput) SetKeyRotationEnabled(v bool) *GetKeyRotationStatusOutput { + s.KeyRotationEnabled = &v + return s +} + +type GetParametersForImportInput struct { + _ struct{} `type:"structure"` + + // The identifier of the CMK into which you will import key material. The CMK's + // Origin must be EXTERNAL. + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` + + // The algorithm you will use to encrypt the key material before importing it + // with ImportKeyMaterial. For more information, see Encrypt the Key Material + // (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-encrypt-key-material.html) + // in the AWS Key Management Service Developer Guide. + // + // WrappingAlgorithm is a required field + WrappingAlgorithm *string `type:"string" required:"true" enum:"AlgorithmSpec"` + + // The type of wrapping key (public key) to return in the response. Only 2048-bit + // RSA public keys are supported. + // + // WrappingKeySpec is a required field + WrappingKeySpec *string `type:"string" required:"true" enum:"WrappingKeySpec"` +} + +// String returns the string representation +func (s GetParametersForImportInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GetParametersForImportInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *GetParametersForImportInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "GetParametersForImportInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + if s.WrappingAlgorithm == nil { + invalidParams.Add(request.NewErrParamRequired("WrappingAlgorithm")) + } + if s.WrappingKeySpec == nil { + invalidParams.Add(request.NewErrParamRequired("WrappingKeySpec")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetKeyId sets the KeyId field's value. +func (s *GetParametersForImportInput) SetKeyId(v string) *GetParametersForImportInput { + s.KeyId = &v + return s +} + +// SetWrappingAlgorithm sets the WrappingAlgorithm field's value. +func (s *GetParametersForImportInput) SetWrappingAlgorithm(v string) *GetParametersForImportInput { + s.WrappingAlgorithm = &v + return s +} + +// SetWrappingKeySpec sets the WrappingKeySpec field's value. +func (s *GetParametersForImportInput) SetWrappingKeySpec(v string) *GetParametersForImportInput { + s.WrappingKeySpec = &v + return s +} + +type GetParametersForImportOutput struct { + _ struct{} `type:"structure"` + + // The import token to send in a subsequent ImportKeyMaterial request. + // + // ImportToken is automatically base64 encoded/decoded by the SDK. + ImportToken []byte `min:"1" type:"blob"` + + // The identifier of the CMK to use in a subsequent ImportKeyMaterial request. + // This is the same CMK specified in the GetParametersForImport request. + KeyId *string `min:"1" type:"string"` + + // The time at which the import token and public key are no longer valid. After + // this time, you cannot use them to make an ImportKeyMaterial request and you + // must send another GetParametersForImport request to get new ones. + ParametersValidTo *time.Time `type:"timestamp"` + + // The public key to use to encrypt the key material before importing it with + // ImportKeyMaterial. + // + // PublicKey is automatically base64 encoded/decoded by the SDK. + PublicKey []byte `min:"1" type:"blob" sensitive:"true"` +} + +// String returns the string representation +func (s GetParametersForImportOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GetParametersForImportOutput) GoString() string { + return s.String() +} + +// SetImportToken sets the ImportToken field's value. +func (s *GetParametersForImportOutput) SetImportToken(v []byte) *GetParametersForImportOutput { + s.ImportToken = v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *GetParametersForImportOutput) SetKeyId(v string) *GetParametersForImportOutput { + s.KeyId = &v + return s +} + +// SetParametersValidTo sets the ParametersValidTo field's value. +func (s *GetParametersForImportOutput) SetParametersValidTo(v time.Time) *GetParametersForImportOutput { + s.ParametersValidTo = &v + return s +} + +// SetPublicKey sets the PublicKey field's value. +func (s *GetParametersForImportOutput) SetPublicKey(v []byte) *GetParametersForImportOutput { + s.PublicKey = v + return s +} + +// Use this structure to allow cryptographic operations in the grant only when +// the operation request includes the specified encryption context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context). +// +// AWS KMS applies the grant constraints only when the grant allows a cryptographic +// operation that accepts an encryption context as input, such as the following. +// +// * Encrypt +// +// * Decrypt +// +// * GenerateDataKey +// +// * GenerateDataKeyWithoutPlaintext +// +// * ReEncrypt +// +// AWS KMS does not apply the grant constraints to other operations, such as +// DescribeKey or ScheduleKeyDeletion. +// +// In a cryptographic operation, the encryption context in the decryption operation +// must be an exact, case-sensitive match for the keys and values in the encryption +// context of the encryption operation. Only the order of the pairs can vary. +// +// However, in a grant constraint, the key in each key-value pair is not case +// sensitive, but the value is case sensitive. +// +// To avoid confusion, do not use multiple encryption context pairs that differ +// only by case. To require a fully case-sensitive encryption context, use the +// kms:EncryptionContext: and kms:EncryptionContextKeys conditions in an IAM +// or key policy. For details, see kms:EncryptionContext: (https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context) +// in the AWS Key Management Service Developer Guide. +type GrantConstraints struct { + _ struct{} `type:"structure"` + + // A list of key-value pairs that must match the encryption context in the cryptographic + // operation request. The grant allows the operation only when the encryption + // context in the request is the same as the encryption context specified in + // this constraint. + EncryptionContextEquals map[string]*string `type:"map"` + + // A list of key-value pairs that must be included in the encryption context + // of the cryptographic operation request. The grant allows the cryptographic + // operation only when the encryption context in the request includes the key-value + // pairs specified in this constraint, although it can include additional key-value + // pairs. + EncryptionContextSubset map[string]*string `type:"map"` +} + +// String returns the string representation +func (s GrantConstraints) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GrantConstraints) GoString() string { + return s.String() +} + +// SetEncryptionContextEquals sets the EncryptionContextEquals field's value. +func (s *GrantConstraints) SetEncryptionContextEquals(v map[string]*string) *GrantConstraints { + s.EncryptionContextEquals = v + return s +} + +// SetEncryptionContextSubset sets the EncryptionContextSubset field's value. +func (s *GrantConstraints) SetEncryptionContextSubset(v map[string]*string) *GrantConstraints { + s.EncryptionContextSubset = v + return s +} + +// Contains information about an entry in a list of grants. +type GrantListEntry struct { + _ struct{} `type:"structure"` + + // A list of key-value pairs that must be present in the encryption context + // of certain subsequent operations that the grant allows. + Constraints *GrantConstraints `type:"structure"` + + // The date and time when the grant was created. + CreationDate *time.Time `type:"timestamp"` + + // The unique identifier for the grant. + GrantId *string `min:"1" type:"string"` + + // The principal that receives the grant's permissions. + GranteePrincipal *string `min:"1" type:"string"` + + // The AWS account under which the grant was issued. + IssuingAccount *string `min:"1" type:"string"` + + // The unique identifier for the customer master key (CMK) to which the grant + // applies. + KeyId *string `min:"1" type:"string"` + + // The friendly name that identifies the grant. If a name was provided in the + // CreateGrant request, that name is returned. Otherwise this value is null. + Name *string `min:"1" type:"string"` + + // The list of operations permitted by the grant. + Operations []*string `type:"list"` + + // The principal that can retire the grant. + RetiringPrincipal *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s GrantListEntry) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GrantListEntry) GoString() string { + return s.String() +} + +// SetConstraints sets the Constraints field's value. +func (s *GrantListEntry) SetConstraints(v *GrantConstraints) *GrantListEntry { + s.Constraints = v + return s +} + +// SetCreationDate sets the CreationDate field's value. +func (s *GrantListEntry) SetCreationDate(v time.Time) *GrantListEntry { + s.CreationDate = &v + return s +} + +// SetGrantId sets the GrantId field's value. +func (s *GrantListEntry) SetGrantId(v string) *GrantListEntry { + s.GrantId = &v + return s +} + +// SetGranteePrincipal sets the GranteePrincipal field's value. +func (s *GrantListEntry) SetGranteePrincipal(v string) *GrantListEntry { + s.GranteePrincipal = &v + return s +} + +// SetIssuingAccount sets the IssuingAccount field's value. +func (s *GrantListEntry) SetIssuingAccount(v string) *GrantListEntry { + s.IssuingAccount = &v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *GrantListEntry) SetKeyId(v string) *GrantListEntry { + s.KeyId = &v + return s +} + +// SetName sets the Name field's value. +func (s *GrantListEntry) SetName(v string) *GrantListEntry { + s.Name = &v + return s +} + +// SetOperations sets the Operations field's value. +func (s *GrantListEntry) SetOperations(v []*string) *GrantListEntry { + s.Operations = v + return s +} + +// SetRetiringPrincipal sets the RetiringPrincipal field's value. +func (s *GrantListEntry) SetRetiringPrincipal(v string) *GrantListEntry { + s.RetiringPrincipal = &v + return s +} + +type ImportKeyMaterialInput struct { + _ struct{} `type:"structure"` + + // The encrypted key material to import. It must be encrypted with the public + // key that you received in the response to a previous GetParametersForImport + // request, using the wrapping algorithm that you specified in that request. + // + // EncryptedKeyMaterial is automatically base64 encoded/decoded by the SDK. + // + // EncryptedKeyMaterial is a required field + EncryptedKeyMaterial []byte `min:"1" type:"blob" required:"true"` + + // Specifies whether the key material expires. The default is KEY_MATERIAL_EXPIRES, + // in which case you must include the ValidTo parameter. When this parameter + // is set to KEY_MATERIAL_DOES_NOT_EXPIRE, you must omit the ValidTo parameter. + ExpirationModel *string `type:"string" enum:"ExpirationModelType"` + + // The import token that you received in the response to a previous GetParametersForImport + // request. It must be from the same response that contained the public key + // that you used to encrypt the key material. + // + // ImportToken is automatically base64 encoded/decoded by the SDK. + // + // ImportToken is a required field + ImportToken []byte `min:"1" type:"blob" required:"true"` + + // The identifier of the CMK to import the key material into. The CMK's Origin + // must be EXTERNAL. + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` + + // The time at which the imported key material expires. When the key material + // expires, AWS KMS deletes the key material and the CMK becomes unusable. You + // must omit this parameter when the ExpirationModel parameter is set to KEY_MATERIAL_DOES_NOT_EXPIRE. + // Otherwise it is required. + ValidTo *time.Time `type:"timestamp"` +} + +// String returns the string representation +func (s ImportKeyMaterialInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ImportKeyMaterialInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *ImportKeyMaterialInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "ImportKeyMaterialInput"} + if s.EncryptedKeyMaterial == nil { + invalidParams.Add(request.NewErrParamRequired("EncryptedKeyMaterial")) + } + if s.EncryptedKeyMaterial != nil && len(s.EncryptedKeyMaterial) < 1 { + invalidParams.Add(request.NewErrParamMinLen("EncryptedKeyMaterial", 1)) + } + if s.ImportToken == nil { + invalidParams.Add(request.NewErrParamRequired("ImportToken")) + } + if s.ImportToken != nil && len(s.ImportToken) < 1 { + invalidParams.Add(request.NewErrParamMinLen("ImportToken", 1)) + } + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetEncryptedKeyMaterial sets the EncryptedKeyMaterial field's value. +func (s *ImportKeyMaterialInput) SetEncryptedKeyMaterial(v []byte) *ImportKeyMaterialInput { + s.EncryptedKeyMaterial = v + return s +} + +// SetExpirationModel sets the ExpirationModel field's value. +func (s *ImportKeyMaterialInput) SetExpirationModel(v string) *ImportKeyMaterialInput { + s.ExpirationModel = &v + return s +} + +// SetImportToken sets the ImportToken field's value. +func (s *ImportKeyMaterialInput) SetImportToken(v []byte) *ImportKeyMaterialInput { + s.ImportToken = v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *ImportKeyMaterialInput) SetKeyId(v string) *ImportKeyMaterialInput { + s.KeyId = &v + return s +} + +// SetValidTo sets the ValidTo field's value. +func (s *ImportKeyMaterialInput) SetValidTo(v time.Time) *ImportKeyMaterialInput { + s.ValidTo = &v + return s +} + +type ImportKeyMaterialOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s ImportKeyMaterialOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ImportKeyMaterialOutput) GoString() string { + return s.String() +} + +// Contains information about each entry in the key list. +type KeyListEntry struct { + _ struct{} `type:"structure"` + + // ARN of the key. + KeyArn *string `min:"20" type:"string"` + + // Unique identifier of the key. + KeyId *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s KeyListEntry) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s KeyListEntry) GoString() string { + return s.String() +} + +// SetKeyArn sets the KeyArn field's value. +func (s *KeyListEntry) SetKeyArn(v string) *KeyListEntry { + s.KeyArn = &v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *KeyListEntry) SetKeyId(v string) *KeyListEntry { + s.KeyId = &v + return s +} + +// Contains metadata about a customer master key (CMK). +// +// This data type is used as a response element for the CreateKey and DescribeKey +// operations. +type KeyMetadata struct { + _ struct{} `type:"structure"` + + // The twelve-digit account ID of the AWS account that owns the CMK. + AWSAccountId *string `type:"string"` + + // The Amazon Resource Name (ARN) of the CMK. For examples, see AWS Key Management + // Service (AWS KMS) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-kms) + // in the Example ARNs section of the AWS General Reference. + Arn *string `min:"20" type:"string"` + + // The cluster ID of the AWS CloudHSM cluster that contains the key material + // for the CMK. When you create a CMK in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html), + // AWS KMS creates the key material for the CMK in the associated AWS CloudHSM + // cluster. This value is present only when the CMK is created in a custom key + // store. + CloudHsmClusterId *string `min:"19" type:"string"` + + // The date and time when the CMK was created. + CreationDate *time.Time `type:"timestamp"` + + // A unique identifier for the custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) + // that contains the CMK. This value is present only when the CMK is created + // in a custom key store. + CustomKeyStoreId *string `min:"1" type:"string"` + + // The date and time after which AWS KMS deletes the CMK. This value is present + // only when KeyState is PendingDeletion. + DeletionDate *time.Time `type:"timestamp"` + + // The description of the CMK. + Description *string `type:"string"` + + // Specifies whether the CMK is enabled. When KeyState is Enabled this value + // is true, otherwise it is false. + Enabled *bool `type:"boolean"` + + // Specifies whether the CMK's key material expires. This value is present only + // when Origin is EXTERNAL, otherwise this value is omitted. + ExpirationModel *string `type:"string" enum:"ExpirationModelType"` + + // The globally unique identifier for the CMK. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` + + // The manager of the CMK. CMKs in your AWS account are either customer managed + // or AWS managed. For more information about the difference, see Customer Master + // Keys (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys) + // in the AWS Key Management Service Developer Guide. + KeyManager *string `type:"string" enum:"KeyManagerType"` + + // The state of the CMK. + // + // For more information about how key state affects the use of a CMK, see How + // Key State Affects the Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) + // in the AWS Key Management Service Developer Guide. + KeyState *string `type:"string" enum:"KeyState"` + + // The cryptographic operations for which you can use the CMK. The only valid + // value is ENCRYPT_DECRYPT, which means you can use the CMK to encrypt and + // decrypt data. + KeyUsage *string `type:"string" enum:"KeyUsageType"` + + // The source of the CMK's key material. When this value is AWS_KMS, AWS KMS + // created the key material. When this value is EXTERNAL, the key material was + // imported from your existing key management infrastructure or the CMK lacks + // key material. When this value is AWS_CLOUDHSM, the key material was created + // in the AWS CloudHSM cluster associated with a custom key store. + Origin *string `type:"string" enum:"OriginType"` + + // The time at which the imported key material expires. When the key material + // expires, AWS KMS deletes the key material and the CMK becomes unusable. This + // value is present only for CMKs whose Origin is EXTERNAL and whose ExpirationModel + // is KEY_MATERIAL_EXPIRES, otherwise this value is omitted. + ValidTo *time.Time `type:"timestamp"` +} + +// String returns the string representation +func (s KeyMetadata) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s KeyMetadata) GoString() string { + return s.String() +} + +// SetAWSAccountId sets the AWSAccountId field's value. +func (s *KeyMetadata) SetAWSAccountId(v string) *KeyMetadata { + s.AWSAccountId = &v + return s +} + +// SetArn sets the Arn field's value. +func (s *KeyMetadata) SetArn(v string) *KeyMetadata { + s.Arn = &v + return s +} + +// SetCloudHsmClusterId sets the CloudHsmClusterId field's value. +func (s *KeyMetadata) SetCloudHsmClusterId(v string) *KeyMetadata { + s.CloudHsmClusterId = &v + return s +} + +// SetCreationDate sets the CreationDate field's value. +func (s *KeyMetadata) SetCreationDate(v time.Time) *KeyMetadata { + s.CreationDate = &v + return s +} + +// SetCustomKeyStoreId sets the CustomKeyStoreId field's value. +func (s *KeyMetadata) SetCustomKeyStoreId(v string) *KeyMetadata { + s.CustomKeyStoreId = &v + return s +} + +// SetDeletionDate sets the DeletionDate field's value. +func (s *KeyMetadata) SetDeletionDate(v time.Time) *KeyMetadata { + s.DeletionDate = &v + return s +} + +// SetDescription sets the Description field's value. +func (s *KeyMetadata) SetDescription(v string) *KeyMetadata { + s.Description = &v + return s +} + +// SetEnabled sets the Enabled field's value. +func (s *KeyMetadata) SetEnabled(v bool) *KeyMetadata { + s.Enabled = &v + return s +} + +// SetExpirationModel sets the ExpirationModel field's value. +func (s *KeyMetadata) SetExpirationModel(v string) *KeyMetadata { + s.ExpirationModel = &v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *KeyMetadata) SetKeyId(v string) *KeyMetadata { + s.KeyId = &v + return s +} + +// SetKeyManager sets the KeyManager field's value. +func (s *KeyMetadata) SetKeyManager(v string) *KeyMetadata { + s.KeyManager = &v + return s +} + +// SetKeyState sets the KeyState field's value. +func (s *KeyMetadata) SetKeyState(v string) *KeyMetadata { + s.KeyState = &v + return s +} + +// SetKeyUsage sets the KeyUsage field's value. +func (s *KeyMetadata) SetKeyUsage(v string) *KeyMetadata { + s.KeyUsage = &v + return s +} + +// SetOrigin sets the Origin field's value. +func (s *KeyMetadata) SetOrigin(v string) *KeyMetadata { + s.Origin = &v + return s +} + +// SetValidTo sets the ValidTo field's value. +func (s *KeyMetadata) SetValidTo(v time.Time) *KeyMetadata { + s.ValidTo = &v + return s +} + +type ListAliasesInput struct { + _ struct{} `type:"structure"` + + // Lists only aliases that refer to the specified CMK. The value of this parameter + // can be the ID or Amazon Resource Name (ARN) of a CMK in the caller's account + // and region. You cannot use an alias name or alias ARN in this value. + // + // This parameter is optional. If you omit it, ListAliases returns all aliases + // in the account and region. + KeyId *string `min:"1" type:"string"` + + // Use this parameter to specify the maximum number of items to return. When + // this value is present, AWS KMS does not return more than the specified number + // of items, but it might return fewer. + // + // This value is optional. If you include a value, it must be between 1 and + // 100, inclusive. If you do not include a value, it defaults to 50. + Limit *int64 `min:"1" type:"integer"` + + // Use this parameter in a subsequent request after you receive a response with + // truncated results. Set it to the value of NextMarker from the truncated response + // you just received. + Marker *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s ListAliasesInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ListAliasesInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *ListAliasesInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "ListAliasesInput"} + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + if s.Limit != nil && *s.Limit < 1 { + invalidParams.Add(request.NewErrParamMinValue("Limit", 1)) + } + if s.Marker != nil && len(*s.Marker) < 1 { + invalidParams.Add(request.NewErrParamMinLen("Marker", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetKeyId sets the KeyId field's value. +func (s *ListAliasesInput) SetKeyId(v string) *ListAliasesInput { + s.KeyId = &v + return s +} + +// SetLimit sets the Limit field's value. +func (s *ListAliasesInput) SetLimit(v int64) *ListAliasesInput { + s.Limit = &v + return s +} + +// SetMarker sets the Marker field's value. +func (s *ListAliasesInput) SetMarker(v string) *ListAliasesInput { + s.Marker = &v + return s +} + +type ListAliasesOutput struct { + _ struct{} `type:"structure"` + + // A list of aliases. + Aliases []*AliasListEntry `type:"list"` + + // When Truncated is true, this element is present and contains the value to + // use for the Marker parameter in a subsequent request. + NextMarker *string `min:"1" type:"string"` + + // A flag that indicates whether there are more items in the list. When this + // value is true, the list in this response is truncated. To get more items, + // pass the value of the NextMarker element in thisresponse to the Marker parameter + // in a subsequent request. + Truncated *bool `type:"boolean"` +} + +// String returns the string representation +func (s ListAliasesOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ListAliasesOutput) GoString() string { + return s.String() +} + +// SetAliases sets the Aliases field's value. +func (s *ListAliasesOutput) SetAliases(v []*AliasListEntry) *ListAliasesOutput { + s.Aliases = v + return s +} + +// SetNextMarker sets the NextMarker field's value. +func (s *ListAliasesOutput) SetNextMarker(v string) *ListAliasesOutput { + s.NextMarker = &v + return s +} + +// SetTruncated sets the Truncated field's value. +func (s *ListAliasesOutput) SetTruncated(v bool) *ListAliasesOutput { + s.Truncated = &v + return s +} + +type ListGrantsInput struct { + _ struct{} `type:"structure"` + + // A unique identifier for the customer master key (CMK). + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify + // a CMK in a different AWS account, you must use the key ARN. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` + + // Use this parameter to specify the maximum number of items to return. When + // this value is present, AWS KMS does not return more than the specified number + // of items, but it might return fewer. + // + // This value is optional. If you include a value, it must be between 1 and + // 100, inclusive. If you do not include a value, it defaults to 50. + Limit *int64 `min:"1" type:"integer"` + + // Use this parameter in a subsequent request after you receive a response with + // truncated results. Set it to the value of NextMarker from the truncated response + // you just received. + Marker *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s ListGrantsInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ListGrantsInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *ListGrantsInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "ListGrantsInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + if s.Limit != nil && *s.Limit < 1 { + invalidParams.Add(request.NewErrParamMinValue("Limit", 1)) + } + if s.Marker != nil && len(*s.Marker) < 1 { + invalidParams.Add(request.NewErrParamMinLen("Marker", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetKeyId sets the KeyId field's value. +func (s *ListGrantsInput) SetKeyId(v string) *ListGrantsInput { + s.KeyId = &v + return s +} + +// SetLimit sets the Limit field's value. +func (s *ListGrantsInput) SetLimit(v int64) *ListGrantsInput { + s.Limit = &v + return s +} + +// SetMarker sets the Marker field's value. +func (s *ListGrantsInput) SetMarker(v string) *ListGrantsInput { + s.Marker = &v + return s +} + +type ListGrantsResponse struct { + _ struct{} `type:"structure"` + + // A list of grants. + Grants []*GrantListEntry `type:"list"` + + // When Truncated is true, this element is present and contains the value to + // use for the Marker parameter in a subsequent request. + NextMarker *string `min:"1" type:"string"` + + // A flag that indicates whether there are more items in the list. When this + // value is true, the list in this response is truncated. To get more items, + // pass the value of the NextMarker element in thisresponse to the Marker parameter + // in a subsequent request. + Truncated *bool `type:"boolean"` +} + +// String returns the string representation +func (s ListGrantsResponse) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ListGrantsResponse) GoString() string { + return s.String() +} + +// SetGrants sets the Grants field's value. +func (s *ListGrantsResponse) SetGrants(v []*GrantListEntry) *ListGrantsResponse { + s.Grants = v + return s +} + +// SetNextMarker sets the NextMarker field's value. +func (s *ListGrantsResponse) SetNextMarker(v string) *ListGrantsResponse { + s.NextMarker = &v + return s +} + +// SetTruncated sets the Truncated field's value. +func (s *ListGrantsResponse) SetTruncated(v bool) *ListGrantsResponse { + s.Truncated = &v + return s +} + +type ListKeyPoliciesInput struct { + _ struct{} `type:"structure"` + + // A unique identifier for the customer master key (CMK). + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` + + // Use this parameter to specify the maximum number of items to return. When + // this value is present, AWS KMS does not return more than the specified number + // of items, but it might return fewer. + // + // This value is optional. If you include a value, it must be between 1 and + // 1000, inclusive. If you do not include a value, it defaults to 100. + // + // Only one policy can be attached to a key. + Limit *int64 `min:"1" type:"integer"` + + // Use this parameter in a subsequent request after you receive a response with + // truncated results. Set it to the value of NextMarker from the truncated response + // you just received. + Marker *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s ListKeyPoliciesInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ListKeyPoliciesInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *ListKeyPoliciesInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "ListKeyPoliciesInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + if s.Limit != nil && *s.Limit < 1 { + invalidParams.Add(request.NewErrParamMinValue("Limit", 1)) + } + if s.Marker != nil && len(*s.Marker) < 1 { + invalidParams.Add(request.NewErrParamMinLen("Marker", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetKeyId sets the KeyId field's value. +func (s *ListKeyPoliciesInput) SetKeyId(v string) *ListKeyPoliciesInput { + s.KeyId = &v + return s +} + +// SetLimit sets the Limit field's value. +func (s *ListKeyPoliciesInput) SetLimit(v int64) *ListKeyPoliciesInput { + s.Limit = &v + return s +} + +// SetMarker sets the Marker field's value. +func (s *ListKeyPoliciesInput) SetMarker(v string) *ListKeyPoliciesInput { + s.Marker = &v + return s +} + +type ListKeyPoliciesOutput struct { + _ struct{} `type:"structure"` + + // When Truncated is true, this element is present and contains the value to + // use for the Marker parameter in a subsequent request. + NextMarker *string `min:"1" type:"string"` + + // A list of key policy names. The only valid value is default. + PolicyNames []*string `type:"list"` + + // A flag that indicates whether there are more items in the list. When this + // value is true, the list in this response is truncated. To get more items, + // pass the value of the NextMarker element in thisresponse to the Marker parameter + // in a subsequent request. + Truncated *bool `type:"boolean"` +} + +// String returns the string representation +func (s ListKeyPoliciesOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ListKeyPoliciesOutput) GoString() string { + return s.String() +} + +// SetNextMarker sets the NextMarker field's value. +func (s *ListKeyPoliciesOutput) SetNextMarker(v string) *ListKeyPoliciesOutput { + s.NextMarker = &v + return s +} + +// SetPolicyNames sets the PolicyNames field's value. +func (s *ListKeyPoliciesOutput) SetPolicyNames(v []*string) *ListKeyPoliciesOutput { + s.PolicyNames = v + return s +} + +// SetTruncated sets the Truncated field's value. +func (s *ListKeyPoliciesOutput) SetTruncated(v bool) *ListKeyPoliciesOutput { + s.Truncated = &v + return s +} + +type ListKeysInput struct { + _ struct{} `type:"structure"` + + // Use this parameter to specify the maximum number of items to return. When + // this value is present, AWS KMS does not return more than the specified number + // of items, but it might return fewer. + // + // This value is optional. If you include a value, it must be between 1 and + // 1000, inclusive. If you do not include a value, it defaults to 100. + Limit *int64 `min:"1" type:"integer"` + + // Use this parameter in a subsequent request after you receive a response with + // truncated results. Set it to the value of NextMarker from the truncated response + // you just received. + Marker *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s ListKeysInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ListKeysInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *ListKeysInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "ListKeysInput"} + if s.Limit != nil && *s.Limit < 1 { + invalidParams.Add(request.NewErrParamMinValue("Limit", 1)) + } + if s.Marker != nil && len(*s.Marker) < 1 { + invalidParams.Add(request.NewErrParamMinLen("Marker", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetLimit sets the Limit field's value. +func (s *ListKeysInput) SetLimit(v int64) *ListKeysInput { + s.Limit = &v + return s +} + +// SetMarker sets the Marker field's value. +func (s *ListKeysInput) SetMarker(v string) *ListKeysInput { + s.Marker = &v + return s +} + +type ListKeysOutput struct { + _ struct{} `type:"structure"` + + // A list of customer master keys (CMKs). + Keys []*KeyListEntry `type:"list"` + + // When Truncated is true, this element is present and contains the value to + // use for the Marker parameter in a subsequent request. + NextMarker *string `min:"1" type:"string"` + + // A flag that indicates whether there are more items in the list. When this + // value is true, the list in this response is truncated. To get more items, + // pass the value of the NextMarker element in thisresponse to the Marker parameter + // in a subsequent request. + Truncated *bool `type:"boolean"` +} + +// String returns the string representation +func (s ListKeysOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ListKeysOutput) GoString() string { + return s.String() +} + +// SetKeys sets the Keys field's value. +func (s *ListKeysOutput) SetKeys(v []*KeyListEntry) *ListKeysOutput { + s.Keys = v + return s +} + +// SetNextMarker sets the NextMarker field's value. +func (s *ListKeysOutput) SetNextMarker(v string) *ListKeysOutput { + s.NextMarker = &v + return s +} + +// SetTruncated sets the Truncated field's value. +func (s *ListKeysOutput) SetTruncated(v bool) *ListKeysOutput { + s.Truncated = &v + return s +} + +type ListResourceTagsInput struct { + _ struct{} `type:"structure"` + + // A unique identifier for the customer master key (CMK). + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` + + // Use this parameter to specify the maximum number of items to return. When + // this value is present, AWS KMS does not return more than the specified number + // of items, but it might return fewer. + // + // This value is optional. If you include a value, it must be between 1 and + // 50, inclusive. If you do not include a value, it defaults to 50. + Limit *int64 `min:"1" type:"integer"` + + // Use this parameter in a subsequent request after you receive a response with + // truncated results. Set it to the value of NextMarker from the truncated response + // you just received. + // + // Do not attempt to construct this value. Use only the value of NextMarker + // from the truncated response you just received. + Marker *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s ListResourceTagsInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ListResourceTagsInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *ListResourceTagsInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "ListResourceTagsInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + if s.Limit != nil && *s.Limit < 1 { + invalidParams.Add(request.NewErrParamMinValue("Limit", 1)) + } + if s.Marker != nil && len(*s.Marker) < 1 { + invalidParams.Add(request.NewErrParamMinLen("Marker", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetKeyId sets the KeyId field's value. +func (s *ListResourceTagsInput) SetKeyId(v string) *ListResourceTagsInput { + s.KeyId = &v + return s +} + +// SetLimit sets the Limit field's value. +func (s *ListResourceTagsInput) SetLimit(v int64) *ListResourceTagsInput { + s.Limit = &v + return s +} + +// SetMarker sets the Marker field's value. +func (s *ListResourceTagsInput) SetMarker(v string) *ListResourceTagsInput { + s.Marker = &v + return s +} + +type ListResourceTagsOutput struct { + _ struct{} `type:"structure"` + + // When Truncated is true, this element is present and contains the value to + // use for the Marker parameter in a subsequent request. + // + // Do not assume or infer any information from this value. + NextMarker *string `min:"1" type:"string"` + + // A list of tags. Each tag consists of a tag key and a tag value. + Tags []*Tag `type:"list"` + + // A flag that indicates whether there are more items in the list. When this + // value is true, the list in this response is truncated. To get more items, + // pass the value of the NextMarker element in thisresponse to the Marker parameter + // in a subsequent request. + Truncated *bool `type:"boolean"` +} + +// String returns the string representation +func (s ListResourceTagsOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ListResourceTagsOutput) GoString() string { + return s.String() +} + +// SetNextMarker sets the NextMarker field's value. +func (s *ListResourceTagsOutput) SetNextMarker(v string) *ListResourceTagsOutput { + s.NextMarker = &v + return s +} + +// SetTags sets the Tags field's value. +func (s *ListResourceTagsOutput) SetTags(v []*Tag) *ListResourceTagsOutput { + s.Tags = v + return s +} + +// SetTruncated sets the Truncated field's value. +func (s *ListResourceTagsOutput) SetTruncated(v bool) *ListResourceTagsOutput { + s.Truncated = &v + return s +} + +type ListRetirableGrantsInput struct { + _ struct{} `type:"structure"` + + // Use this parameter to specify the maximum number of items to return. When + // this value is present, AWS KMS does not return more than the specified number + // of items, but it might return fewer. + // + // This value is optional. If you include a value, it must be between 1 and + // 100, inclusive. If you do not include a value, it defaults to 50. + Limit *int64 `min:"1" type:"integer"` + + // Use this parameter in a subsequent request after you receive a response with + // truncated results. Set it to the value of NextMarker from the truncated response + // you just received. + Marker *string `min:"1" type:"string"` + + // The retiring principal for which to list grants. + // + // To specify the retiring principal, use the Amazon Resource Name (ARN) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) + // of an AWS principal. Valid AWS principals include AWS accounts (root), IAM + // users, federated users, and assumed role users. For examples of the ARN syntax + // for specifying a principal, see AWS Identity and Access Management (IAM) + // (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam) + // in the Example ARNs section of the Amazon Web Services General Reference. + // + // RetiringPrincipal is a required field + RetiringPrincipal *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s ListRetirableGrantsInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ListRetirableGrantsInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *ListRetirableGrantsInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "ListRetirableGrantsInput"} + if s.Limit != nil && *s.Limit < 1 { + invalidParams.Add(request.NewErrParamMinValue("Limit", 1)) + } + if s.Marker != nil && len(*s.Marker) < 1 { + invalidParams.Add(request.NewErrParamMinLen("Marker", 1)) + } + if s.RetiringPrincipal == nil { + invalidParams.Add(request.NewErrParamRequired("RetiringPrincipal")) + } + if s.RetiringPrincipal != nil && len(*s.RetiringPrincipal) < 1 { + invalidParams.Add(request.NewErrParamMinLen("RetiringPrincipal", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetLimit sets the Limit field's value. +func (s *ListRetirableGrantsInput) SetLimit(v int64) *ListRetirableGrantsInput { + s.Limit = &v + return s +} + +// SetMarker sets the Marker field's value. +func (s *ListRetirableGrantsInput) SetMarker(v string) *ListRetirableGrantsInput { + s.Marker = &v + return s +} + +// SetRetiringPrincipal sets the RetiringPrincipal field's value. +func (s *ListRetirableGrantsInput) SetRetiringPrincipal(v string) *ListRetirableGrantsInput { + s.RetiringPrincipal = &v + return s +} + +type PutKeyPolicyInput struct { + _ struct{} `type:"structure"` + + // A flag to indicate whether to bypass the key policy lockout safety check. + // + // Setting this value to true increases the risk that the CMK becomes unmanageable. + // Do not set this value to true indiscriminately. + // + // For more information, refer to the scenario in the Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) + // section in the AWS Key Management Service Developer Guide. + // + // Use this parameter only when you intend to prevent the principal that is + // making the request from making a subsequent PutKeyPolicy request on the CMK. + // + // The default value is false. + BypassPolicyLockoutSafetyCheck *bool `type:"boolean"` + + // A unique identifier for the customer master key (CMK). + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` + + // The key policy to attach to the CMK. + // + // The key policy must meet the following criteria: + // + // * If you don't set BypassPolicyLockoutSafetyCheck to true, the key policy + // must allow the principal that is making the PutKeyPolicy request to make + // a subsequent PutKeyPolicy request on the CMK. This reduces the risk that + // the CMK becomes unmanageable. For more information, refer to the scenario + // in the Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) + // section of the AWS Key Management Service Developer Guide. + // + // * Each statement in the key policy must contain one or more principals. + // The principals in the key policy must exist and be visible to AWS KMS. + // When you create a new AWS principal (for example, an IAM user or role), + // you might need to enforce a delay before including the new principal in + // a key policy because the new principal might not be immediately visible + // to AWS KMS. For more information, see Changes that I make are not always + // immediately visible (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency) + // in the AWS Identity and Access Management User Guide. + // + // The key policy size limit is 32 kilobytes (32768 bytes). + // + // Policy is a required field + Policy *string `min:"1" type:"string" required:"true"` + + // The name of the key policy. The only valid value is default. + // + // PolicyName is a required field + PolicyName *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s PutKeyPolicyInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s PutKeyPolicyInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *PutKeyPolicyInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "PutKeyPolicyInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + if s.Policy == nil { + invalidParams.Add(request.NewErrParamRequired("Policy")) + } + if s.Policy != nil && len(*s.Policy) < 1 { + invalidParams.Add(request.NewErrParamMinLen("Policy", 1)) + } + if s.PolicyName == nil { + invalidParams.Add(request.NewErrParamRequired("PolicyName")) + } + if s.PolicyName != nil && len(*s.PolicyName) < 1 { + invalidParams.Add(request.NewErrParamMinLen("PolicyName", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetBypassPolicyLockoutSafetyCheck sets the BypassPolicyLockoutSafetyCheck field's value. +func (s *PutKeyPolicyInput) SetBypassPolicyLockoutSafetyCheck(v bool) *PutKeyPolicyInput { + s.BypassPolicyLockoutSafetyCheck = &v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *PutKeyPolicyInput) SetKeyId(v string) *PutKeyPolicyInput { + s.KeyId = &v + return s +} + +// SetPolicy sets the Policy field's value. +func (s *PutKeyPolicyInput) SetPolicy(v string) *PutKeyPolicyInput { + s.Policy = &v + return s +} + +// SetPolicyName sets the PolicyName field's value. +func (s *PutKeyPolicyInput) SetPolicyName(v string) *PutKeyPolicyInput { + s.PolicyName = &v + return s +} + +type PutKeyPolicyOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s PutKeyPolicyOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s PutKeyPolicyOutput) GoString() string { + return s.String() +} + +type ReEncryptInput struct { + _ struct{} `type:"structure"` + + // Ciphertext of the data to reencrypt. + // + // CiphertextBlob is automatically base64 encoded/decoded by the SDK. + // + // CiphertextBlob is a required field + CiphertextBlob []byte `min:"1" type:"blob" required:"true"` + + // Encryption context to use when the data is reencrypted. + DestinationEncryptionContext map[string]*string `type:"map"` + + // A unique identifier for the CMK that is used to reencrypt the data. + // + // To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, + // or alias ARN. When using an alias name, prefix it with "alias/". To specify + // a CMK in a different AWS account, you must use the key ARN or alias ARN. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Alias name: alias/ExampleAlias + // + // * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To + // get the alias name and alias ARN, use ListAliases. + // + // DestinationKeyId is a required field + DestinationKeyId *string `min:"1" type:"string" required:"true"` + + // A list of grant tokens. + // + // For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) + // in the AWS Key Management Service Developer Guide. + GrantTokens []*string `type:"list"` + + // Encryption context used to encrypt and decrypt the data specified in the + // CiphertextBlob parameter. + SourceEncryptionContext map[string]*string `type:"map"` +} + +// String returns the string representation +func (s ReEncryptInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ReEncryptInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *ReEncryptInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "ReEncryptInput"} + if s.CiphertextBlob == nil { + invalidParams.Add(request.NewErrParamRequired("CiphertextBlob")) + } + if s.CiphertextBlob != nil && len(s.CiphertextBlob) < 1 { + invalidParams.Add(request.NewErrParamMinLen("CiphertextBlob", 1)) + } + if s.DestinationKeyId == nil { + invalidParams.Add(request.NewErrParamRequired("DestinationKeyId")) + } + if s.DestinationKeyId != nil && len(*s.DestinationKeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("DestinationKeyId", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetCiphertextBlob sets the CiphertextBlob field's value. +func (s *ReEncryptInput) SetCiphertextBlob(v []byte) *ReEncryptInput { + s.CiphertextBlob = v + return s +} + +// SetDestinationEncryptionContext sets the DestinationEncryptionContext field's value. +func (s *ReEncryptInput) SetDestinationEncryptionContext(v map[string]*string) *ReEncryptInput { + s.DestinationEncryptionContext = v + return s +} + +// SetDestinationKeyId sets the DestinationKeyId field's value. +func (s *ReEncryptInput) SetDestinationKeyId(v string) *ReEncryptInput { + s.DestinationKeyId = &v + return s +} + +// SetGrantTokens sets the GrantTokens field's value. +func (s *ReEncryptInput) SetGrantTokens(v []*string) *ReEncryptInput { + s.GrantTokens = v + return s +} + +// SetSourceEncryptionContext sets the SourceEncryptionContext field's value. +func (s *ReEncryptInput) SetSourceEncryptionContext(v map[string]*string) *ReEncryptInput { + s.SourceEncryptionContext = v + return s +} + +type ReEncryptOutput struct { + _ struct{} `type:"structure"` + + // The reencrypted data. When you use the HTTP API or the AWS CLI, the value + // is Base64-encoded. Otherwise, it is not encoded. + // + // CiphertextBlob is automatically base64 encoded/decoded by the SDK. + CiphertextBlob []byte `min:"1" type:"blob"` + + // Unique identifier of the CMK used to reencrypt the data. + KeyId *string `min:"1" type:"string"` + + // Unique identifier of the CMK used to originally encrypt the data. + SourceKeyId *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s ReEncryptOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ReEncryptOutput) GoString() string { + return s.String() +} + +// SetCiphertextBlob sets the CiphertextBlob field's value. +func (s *ReEncryptOutput) SetCiphertextBlob(v []byte) *ReEncryptOutput { + s.CiphertextBlob = v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *ReEncryptOutput) SetKeyId(v string) *ReEncryptOutput { + s.KeyId = &v + return s +} + +// SetSourceKeyId sets the SourceKeyId field's value. +func (s *ReEncryptOutput) SetSourceKeyId(v string) *ReEncryptOutput { + s.SourceKeyId = &v + return s +} + +type RetireGrantInput struct { + _ struct{} `type:"structure"` + + // Unique identifier of the grant to retire. The grant ID is returned in the + // response to a CreateGrant operation. + // + // * Grant ID Example - 0123456789012345678901234567890123456789012345678901234567890123 + GrantId *string `min:"1" type:"string"` + + // Token that identifies the grant to be retired. + GrantToken *string `min:"1" type:"string"` + + // The Amazon Resource Name (ARN) of the CMK associated with the grant. + // + // For example: arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab + KeyId *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s RetireGrantInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s RetireGrantInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *RetireGrantInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "RetireGrantInput"} + if s.GrantId != nil && len(*s.GrantId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("GrantId", 1)) + } + if s.GrantToken != nil && len(*s.GrantToken) < 1 { + invalidParams.Add(request.NewErrParamMinLen("GrantToken", 1)) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetGrantId sets the GrantId field's value. +func (s *RetireGrantInput) SetGrantId(v string) *RetireGrantInput { + s.GrantId = &v + return s +} + +// SetGrantToken sets the GrantToken field's value. +func (s *RetireGrantInput) SetGrantToken(v string) *RetireGrantInput { + s.GrantToken = &v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *RetireGrantInput) SetKeyId(v string) *RetireGrantInput { + s.KeyId = &v + return s +} + +type RetireGrantOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s RetireGrantOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s RetireGrantOutput) GoString() string { + return s.String() +} + +type RevokeGrantInput struct { + _ struct{} `type:"structure"` + + // Identifier of the grant to be revoked. + // + // GrantId is a required field + GrantId *string `min:"1" type:"string" required:"true"` + + // A unique identifier for the customer master key associated with the grant. + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify + // a CMK in a different AWS account, you must use the key ARN. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s RevokeGrantInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s RevokeGrantInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *RevokeGrantInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "RevokeGrantInput"} + if s.GrantId == nil { + invalidParams.Add(request.NewErrParamRequired("GrantId")) + } + if s.GrantId != nil && len(*s.GrantId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("GrantId", 1)) + } + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetGrantId sets the GrantId field's value. +func (s *RevokeGrantInput) SetGrantId(v string) *RevokeGrantInput { + s.GrantId = &v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *RevokeGrantInput) SetKeyId(v string) *RevokeGrantInput { + s.KeyId = &v + return s +} + +type RevokeGrantOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s RevokeGrantOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s RevokeGrantOutput) GoString() string { + return s.String() +} + +type ScheduleKeyDeletionInput struct { + _ struct{} `type:"structure"` + + // The unique identifier of the customer master key (CMK) to delete. + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` + + // The waiting period, specified in number of days. After the waiting period + // ends, AWS KMS deletes the customer master key (CMK). + // + // This value is optional. If you include a value, it must be between 7 and + // 30, inclusive. If you do not include a value, it defaults to 30. + PendingWindowInDays *int64 `min:"1" type:"integer"` +} + +// String returns the string representation +func (s ScheduleKeyDeletionInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ScheduleKeyDeletionInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *ScheduleKeyDeletionInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "ScheduleKeyDeletionInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + if s.PendingWindowInDays != nil && *s.PendingWindowInDays < 1 { + invalidParams.Add(request.NewErrParamMinValue("PendingWindowInDays", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetKeyId sets the KeyId field's value. +func (s *ScheduleKeyDeletionInput) SetKeyId(v string) *ScheduleKeyDeletionInput { + s.KeyId = &v + return s +} + +// SetPendingWindowInDays sets the PendingWindowInDays field's value. +func (s *ScheduleKeyDeletionInput) SetPendingWindowInDays(v int64) *ScheduleKeyDeletionInput { + s.PendingWindowInDays = &v + return s +} + +type ScheduleKeyDeletionOutput struct { + _ struct{} `type:"structure"` + + // The date and time after which AWS KMS deletes the customer master key (CMK). + DeletionDate *time.Time `type:"timestamp"` + + // The unique identifier of the customer master key (CMK) for which deletion + // is scheduled. + KeyId *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s ScheduleKeyDeletionOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ScheduleKeyDeletionOutput) GoString() string { + return s.String() +} + +// SetDeletionDate sets the DeletionDate field's value. +func (s *ScheduleKeyDeletionOutput) SetDeletionDate(v time.Time) *ScheduleKeyDeletionOutput { + s.DeletionDate = &v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *ScheduleKeyDeletionOutput) SetKeyId(v string) *ScheduleKeyDeletionOutput { + s.KeyId = &v + return s +} + +// A key-value pair. A tag consists of a tag key and a tag value. Tag keys and +// tag values are both required, but tag values can be empty (null) strings. +// +// For information about the rules that apply to tag keys and tag values, see +// User-Defined Tag Restrictions (https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/allocation-tag-restrictions.html) +// in the AWS Billing and Cost Management User Guide. +type Tag struct { + _ struct{} `type:"structure"` + + // The key of the tag. + // + // TagKey is a required field + TagKey *string `min:"1" type:"string" required:"true"` + + // The value of the tag. + // + // TagValue is a required field + TagValue *string `type:"string" required:"true"` +} + +// String returns the string representation +func (s Tag) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s Tag) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *Tag) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "Tag"} + if s.TagKey == nil { + invalidParams.Add(request.NewErrParamRequired("TagKey")) + } + if s.TagKey != nil && len(*s.TagKey) < 1 { + invalidParams.Add(request.NewErrParamMinLen("TagKey", 1)) + } + if s.TagValue == nil { + invalidParams.Add(request.NewErrParamRequired("TagValue")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetTagKey sets the TagKey field's value. +func (s *Tag) SetTagKey(v string) *Tag { + s.TagKey = &v + return s +} + +// SetTagValue sets the TagValue field's value. +func (s *Tag) SetTagValue(v string) *Tag { + s.TagValue = &v + return s +} + +type TagResourceInput struct { + _ struct{} `type:"structure"` + + // A unique identifier for the CMK you are tagging. + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` + + // One or more tags. Each tag consists of a tag key and a tag value. + // + // Tags is a required field + Tags []*Tag `type:"list" required:"true"` +} + +// String returns the string representation +func (s TagResourceInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s TagResourceInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *TagResourceInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "TagResourceInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + if s.Tags == nil { + invalidParams.Add(request.NewErrParamRequired("Tags")) + } + if s.Tags != nil { + for i, v := range s.Tags { + if v == nil { + continue + } + if err := v.Validate(); err != nil { + invalidParams.AddNested(fmt.Sprintf("%s[%v]", "Tags", i), err.(request.ErrInvalidParams)) + } + } + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetKeyId sets the KeyId field's value. +func (s *TagResourceInput) SetKeyId(v string) *TagResourceInput { + s.KeyId = &v + return s +} + +// SetTags sets the Tags field's value. +func (s *TagResourceInput) SetTags(v []*Tag) *TagResourceInput { + s.Tags = v + return s +} + +type TagResourceOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s TagResourceOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s TagResourceOutput) GoString() string { + return s.String() +} + +type UntagResourceInput struct { + _ struct{} `type:"structure"` + + // A unique identifier for the CMK from which you are removing tags. + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` + + // One or more tag keys. Specify only the tag keys, not the tag values. + // + // TagKeys is a required field + TagKeys []*string `type:"list" required:"true"` +} + +// String returns the string representation +func (s UntagResourceInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s UntagResourceInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *UntagResourceInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "UntagResourceInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + if s.TagKeys == nil { + invalidParams.Add(request.NewErrParamRequired("TagKeys")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetKeyId sets the KeyId field's value. +func (s *UntagResourceInput) SetKeyId(v string) *UntagResourceInput { + s.KeyId = &v + return s +} + +// SetTagKeys sets the TagKeys field's value. +func (s *UntagResourceInput) SetTagKeys(v []*string) *UntagResourceInput { + s.TagKeys = v + return s +} + +type UntagResourceOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s UntagResourceOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s UntagResourceOutput) GoString() string { + return s.String() +} + +type UpdateAliasInput struct { + _ struct{} `type:"structure"` + + // Specifies the name of the alias to change. This value must begin with alias/ + // followed by the alias name, such as alias/ExampleAlias. + // + // AliasName is a required field + AliasName *string `min:"1" type:"string" required:"true"` + + // Unique identifier of the customer master key (CMK) to be mapped to the alias. + // When the update operation completes, the alias will point to this CMK. + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // To verify that the alias is mapped to the correct CMK, use ListAliases. + // + // TargetKeyId is a required field + TargetKeyId *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s UpdateAliasInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s UpdateAliasInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *UpdateAliasInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "UpdateAliasInput"} + if s.AliasName == nil { + invalidParams.Add(request.NewErrParamRequired("AliasName")) + } + if s.AliasName != nil && len(*s.AliasName) < 1 { + invalidParams.Add(request.NewErrParamMinLen("AliasName", 1)) + } + if s.TargetKeyId == nil { + invalidParams.Add(request.NewErrParamRequired("TargetKeyId")) + } + if s.TargetKeyId != nil && len(*s.TargetKeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("TargetKeyId", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetAliasName sets the AliasName field's value. +func (s *UpdateAliasInput) SetAliasName(v string) *UpdateAliasInput { + s.AliasName = &v + return s +} + +// SetTargetKeyId sets the TargetKeyId field's value. +func (s *UpdateAliasInput) SetTargetKeyId(v string) *UpdateAliasInput { + s.TargetKeyId = &v + return s +} + +type UpdateAliasOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s UpdateAliasOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s UpdateAliasOutput) GoString() string { + return s.String() +} + +type UpdateCustomKeyStoreInput struct { + _ struct{} `type:"structure"` + + // Associates the custom key store with a related AWS CloudHSM cluster. + // + // Enter the cluster ID of the cluster that you used to create the custom key + // store or a cluster that shares a backup history and has the same cluster + // certificate as the original cluster. You cannot use this parameter to associate + // a custom key store with an unrelated cluster. In addition, the replacement + // cluster must fulfill the requirements (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) + // for a cluster associated with a custom key store. To view the cluster certificate + // of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) + // operation. + CloudHsmClusterId *string `min:"19" type:"string"` + + // Identifies the custom key store that you want to update. Enter the ID of + // the custom key store. To find the ID of a custom key store, use the DescribeCustomKeyStores + // operation. + // + // CustomKeyStoreId is a required field + CustomKeyStoreId *string `min:"1" type:"string" required:"true"` + + // Enter the current password of the kmsuser crypto user (CU) in the AWS CloudHSM + // cluster that is associated with the custom key store. + // + // This parameter tells AWS KMS the current password of the kmsuser crypto user + // (CU). It does not set or change the password of any users in the AWS CloudHSM + // cluster. + KeyStorePassword *string `min:"1" type:"string" sensitive:"true"` + + // Changes the friendly name of the custom key store to the value that you specify. + // The custom key store name must be unique in the AWS account. + NewCustomKeyStoreName *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s UpdateCustomKeyStoreInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s UpdateCustomKeyStoreInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *UpdateCustomKeyStoreInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "UpdateCustomKeyStoreInput"} + if s.CloudHsmClusterId != nil && len(*s.CloudHsmClusterId) < 19 { + invalidParams.Add(request.NewErrParamMinLen("CloudHsmClusterId", 19)) + } + if s.CustomKeyStoreId == nil { + invalidParams.Add(request.NewErrParamRequired("CustomKeyStoreId")) + } + if s.CustomKeyStoreId != nil && len(*s.CustomKeyStoreId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("CustomKeyStoreId", 1)) + } + if s.KeyStorePassword != nil && len(*s.KeyStorePassword) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyStorePassword", 1)) + } + if s.NewCustomKeyStoreName != nil && len(*s.NewCustomKeyStoreName) < 1 { + invalidParams.Add(request.NewErrParamMinLen("NewCustomKeyStoreName", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetCloudHsmClusterId sets the CloudHsmClusterId field's value. +func (s *UpdateCustomKeyStoreInput) SetCloudHsmClusterId(v string) *UpdateCustomKeyStoreInput { + s.CloudHsmClusterId = &v + return s +} + +// SetCustomKeyStoreId sets the CustomKeyStoreId field's value. +func (s *UpdateCustomKeyStoreInput) SetCustomKeyStoreId(v string) *UpdateCustomKeyStoreInput { + s.CustomKeyStoreId = &v + return s +} + +// SetKeyStorePassword sets the KeyStorePassword field's value. +func (s *UpdateCustomKeyStoreInput) SetKeyStorePassword(v string) *UpdateCustomKeyStoreInput { + s.KeyStorePassword = &v + return s +} + +// SetNewCustomKeyStoreName sets the NewCustomKeyStoreName field's value. +func (s *UpdateCustomKeyStoreInput) SetNewCustomKeyStoreName(v string) *UpdateCustomKeyStoreInput { + s.NewCustomKeyStoreName = &v + return s +} + +type UpdateCustomKeyStoreOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s UpdateCustomKeyStoreOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s UpdateCustomKeyStoreOutput) GoString() string { + return s.String() +} + +type UpdateKeyDescriptionInput struct { + _ struct{} `type:"structure"` + + // New description for the CMK. + // + // Description is a required field + Description *string `type:"string" required:"true"` + + // A unique identifier for the customer master key (CMK). + // + // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // + // For example: + // + // * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s UpdateKeyDescriptionInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s UpdateKeyDescriptionInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *UpdateKeyDescriptionInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "UpdateKeyDescriptionInput"} + if s.Description == nil { + invalidParams.Add(request.NewErrParamRequired("Description")) + } + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetDescription sets the Description field's value. +func (s *UpdateKeyDescriptionInput) SetDescription(v string) *UpdateKeyDescriptionInput { + s.Description = &v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *UpdateKeyDescriptionInput) SetKeyId(v string) *UpdateKeyDescriptionInput { + s.KeyId = &v + return s +} + +type UpdateKeyDescriptionOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s UpdateKeyDescriptionOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s UpdateKeyDescriptionOutput) GoString() string { + return s.String() +} + +const ( + // AlgorithmSpecRsaesPkcs1V15 is a AlgorithmSpec enum value + AlgorithmSpecRsaesPkcs1V15 = "RSAES_PKCS1_V1_5" + + // AlgorithmSpecRsaesOaepSha1 is a AlgorithmSpec enum value + AlgorithmSpecRsaesOaepSha1 = "RSAES_OAEP_SHA_1" + + // AlgorithmSpecRsaesOaepSha256 is a AlgorithmSpec enum value + AlgorithmSpecRsaesOaepSha256 = "RSAES_OAEP_SHA_256" +) + +const ( + // ConnectionErrorCodeTypeInvalidCredentials is a ConnectionErrorCodeType enum value + ConnectionErrorCodeTypeInvalidCredentials = "INVALID_CREDENTIALS" + + // ConnectionErrorCodeTypeClusterNotFound is a ConnectionErrorCodeType enum value + ConnectionErrorCodeTypeClusterNotFound = "CLUSTER_NOT_FOUND" + + // ConnectionErrorCodeTypeNetworkErrors is a ConnectionErrorCodeType enum value + ConnectionErrorCodeTypeNetworkErrors = "NETWORK_ERRORS" + + // ConnectionErrorCodeTypeInternalError is a ConnectionErrorCodeType enum value + ConnectionErrorCodeTypeInternalError = "INTERNAL_ERROR" + + // ConnectionErrorCodeTypeInsufficientCloudhsmHsms is a ConnectionErrorCodeType enum value + ConnectionErrorCodeTypeInsufficientCloudhsmHsms = "INSUFFICIENT_CLOUDHSM_HSMS" + + // ConnectionErrorCodeTypeUserLockedOut is a ConnectionErrorCodeType enum value + ConnectionErrorCodeTypeUserLockedOut = "USER_LOCKED_OUT" +) + +const ( + // ConnectionStateTypeConnected is a ConnectionStateType enum value + ConnectionStateTypeConnected = "CONNECTED" + + // ConnectionStateTypeConnecting is a ConnectionStateType enum value + ConnectionStateTypeConnecting = "CONNECTING" + + // ConnectionStateTypeFailed is a ConnectionStateType enum value + ConnectionStateTypeFailed = "FAILED" + + // ConnectionStateTypeDisconnected is a ConnectionStateType enum value + ConnectionStateTypeDisconnected = "DISCONNECTED" + + // ConnectionStateTypeDisconnecting is a ConnectionStateType enum value + ConnectionStateTypeDisconnecting = "DISCONNECTING" +) + +const ( + // DataKeySpecAes256 is a DataKeySpec enum value + DataKeySpecAes256 = "AES_256" + + // DataKeySpecAes128 is a DataKeySpec enum value + DataKeySpecAes128 = "AES_128" +) + +const ( + // ExpirationModelTypeKeyMaterialExpires is a ExpirationModelType enum value + ExpirationModelTypeKeyMaterialExpires = "KEY_MATERIAL_EXPIRES" + + // ExpirationModelTypeKeyMaterialDoesNotExpire is a ExpirationModelType enum value + ExpirationModelTypeKeyMaterialDoesNotExpire = "KEY_MATERIAL_DOES_NOT_EXPIRE" +) + +const ( + // GrantOperationDecrypt is a GrantOperation enum value + GrantOperationDecrypt = "Decrypt" + + // GrantOperationEncrypt is a GrantOperation enum value + GrantOperationEncrypt = "Encrypt" + + // GrantOperationGenerateDataKey is a GrantOperation enum value + GrantOperationGenerateDataKey = "GenerateDataKey" + + // GrantOperationGenerateDataKeyWithoutPlaintext is a GrantOperation enum value + GrantOperationGenerateDataKeyWithoutPlaintext = "GenerateDataKeyWithoutPlaintext" + + // GrantOperationReEncryptFrom is a GrantOperation enum value + GrantOperationReEncryptFrom = "ReEncryptFrom" + + // GrantOperationReEncryptTo is a GrantOperation enum value + GrantOperationReEncryptTo = "ReEncryptTo" + + // GrantOperationCreateGrant is a GrantOperation enum value + GrantOperationCreateGrant = "CreateGrant" + + // GrantOperationRetireGrant is a GrantOperation enum value + GrantOperationRetireGrant = "RetireGrant" + + // GrantOperationDescribeKey is a GrantOperation enum value + GrantOperationDescribeKey = "DescribeKey" +) + +const ( + // KeyManagerTypeAws is a KeyManagerType enum value + KeyManagerTypeAws = "AWS" + + // KeyManagerTypeCustomer is a KeyManagerType enum value + KeyManagerTypeCustomer = "CUSTOMER" +) + +const ( + // KeyStateEnabled is a KeyState enum value + KeyStateEnabled = "Enabled" + + // KeyStateDisabled is a KeyState enum value + KeyStateDisabled = "Disabled" + + // KeyStatePendingDeletion is a KeyState enum value + KeyStatePendingDeletion = "PendingDeletion" + + // KeyStatePendingImport is a KeyState enum value + KeyStatePendingImport = "PendingImport" + + // KeyStateUnavailable is a KeyState enum value + KeyStateUnavailable = "Unavailable" +) + +const ( + // KeyUsageTypeEncryptDecrypt is a KeyUsageType enum value + KeyUsageTypeEncryptDecrypt = "ENCRYPT_DECRYPT" +) + +const ( + // OriginTypeAwsKms is a OriginType enum value + OriginTypeAwsKms = "AWS_KMS" + + // OriginTypeExternal is a OriginType enum value + OriginTypeExternal = "EXTERNAL" + + // OriginTypeAwsCloudhsm is a OriginType enum value + OriginTypeAwsCloudhsm = "AWS_CLOUDHSM" +) + +const ( + // WrappingKeySpecRsa2048 is a WrappingKeySpec enum value + WrappingKeySpecRsa2048 = "RSA_2048" +) diff --git a/vendor/github.com/aws/aws-sdk-go/service/kms/doc.go b/vendor/github.com/aws/aws-sdk-go/service/kms/doc.go new file mode 100644 index 00000000..c4c21250 --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/service/kms/doc.go @@ -0,0 +1,98 @@ +// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT. + +// Package kms provides the client and types for making API +// requests to AWS Key Management Service. +// +// AWS Key Management Service (AWS KMS) is an encryption and key management +// web service. This guide describes the AWS KMS operations that you can call +// programmatically. For general information about AWS KMS, see the AWS Key +// Management Service Developer Guide (https://docs.aws.amazon.com/kms/latest/developerguide/). +// +// AWS provides SDKs that consist of libraries and sample code for various programming +// languages and platforms (Java, Ruby, .Net, macOS, Android, etc.). The SDKs +// provide a convenient way to create programmatic access to AWS KMS and other +// AWS services. For example, the SDKs take care of tasks such as signing requests +// (see below), managing errors, and retrying requests automatically. For more +// information about the AWS SDKs, including how to download and install them, +// see Tools for Amazon Web Services (http://aws.amazon.com/tools/). +// +// We recommend that you use the AWS SDKs to make programmatic API calls to +// AWS KMS. +// +// Clients must support TLS (Transport Layer Security) 1.0. We recommend TLS +// 1.2. Clients must also support cipher suites with Perfect Forward Secrecy +// (PFS) such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Ephemeral +// Diffie-Hellman (ECDHE). Most modern systems such as Java 7 and later support +// these modes. +// +// Signing Requests +// +// Requests must be signed by using an access key ID and a secret access key. +// We strongly recommend that you do not use your AWS account (root) access +// key ID and secret key for everyday work with AWS KMS. Instead, use the access +// key ID and secret access key for an IAM user. You can also use the AWS Security +// Token Service to generate temporary security credentials that you can use +// to sign requests. +// +// All AWS KMS operations require Signature Version 4 (https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html). +// +// Logging API Requests +// +// AWS KMS supports AWS CloudTrail, a service that logs AWS API calls and related +// events for your AWS account and delivers them to an Amazon S3 bucket that +// you specify. By using the information collected by CloudTrail, you can determine +// what requests were made to AWS KMS, who made the request, when it was made, +// and so on. To learn more about CloudTrail, including how to turn it on and +// find your log files, see the AWS CloudTrail User Guide (https://docs.aws.amazon.com/awscloudtrail/latest/userguide/). +// +// Additional Resources +// +// For more information about credentials and request signing, see the following: +// +// * AWS Security Credentials (https://docs.aws.amazon.com/general/latest/gr/aws-security-credentials.html) +// - This topic provides general information about the types of credentials +// used for accessing AWS. +// +// * Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) +// - This section of the IAM User Guide describes how to create and use temporary +// security credentials. +// +// * Signature Version 4 Signing Process (https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html) +// - This set of topics walks you through the process of signing a request +// using an access key ID and a secret access key. +// +// Commonly Used API Operations +// +// Of the API operations discussed in this guide, the following will prove the +// most useful for most applications. You will likely perform operations other +// than these, such as creating keys and assigning policies, by using the console. +// +// * Encrypt +// +// * Decrypt +// +// * GenerateDataKey +// +// * GenerateDataKeyWithoutPlaintext +// +// See https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01 for more information on this service. +// +// See kms package documentation for more information. +// https://docs.aws.amazon.com/sdk-for-go/api/service/kms/ +// +// Using the Client +// +// To contact AWS Key Management Service with the SDK use the New function to create +// a new service client. With that client you can make API requests to the service. +// These clients are safe to use concurrently. +// +// See the SDK's documentation for more information on how to use the SDK. +// https://docs.aws.amazon.com/sdk-for-go/api/ +// +// See aws.Config documentation for more information on configuring SDK clients. +// https://docs.aws.amazon.com/sdk-for-go/api/aws/#Config +// +// See the AWS Key Management Service client KMS for more +// information on creating client for this service. +// https://docs.aws.amazon.com/sdk-for-go/api/service/kms/#New +package kms diff --git a/vendor/github.com/aws/aws-sdk-go/service/kms/errors.go b/vendor/github.com/aws/aws-sdk-go/service/kms/errors.go new file mode 100644 index 00000000..b2513484 --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/service/kms/errors.go @@ -0,0 +1,297 @@ +// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT. + +package kms + +const ( + + // ErrCodeAlreadyExistsException for service response error code + // "AlreadyExistsException". + // + // The request was rejected because it attempted to create a resource that already + // exists. + ErrCodeAlreadyExistsException = "AlreadyExistsException" + + // ErrCodeCloudHsmClusterInUseException for service response error code + // "CloudHsmClusterInUseException". + // + // The request was rejected because the specified AWS CloudHSM cluster is already + // associated with a custom key store or it shares a backup history with a cluster + // that is associated with a custom key store. Each custom key store must be + // associated with a different AWS CloudHSM cluster. + // + // Clusters that share a backup history have the same cluster certificate. To + // view the cluster certificate of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) + // operation. + ErrCodeCloudHsmClusterInUseException = "CloudHsmClusterInUseException" + + // ErrCodeCloudHsmClusterInvalidConfigurationException for service response error code + // "CloudHsmClusterInvalidConfigurationException". + // + // The request was rejected because the associated AWS CloudHSM cluster did + // not meet the configuration requirements for a custom key store. + // + // * The cluster must be configured with private subnets in at least two + // different Availability Zones in the Region. + // + // * The security group for the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) + // (cloudhsm-cluster--sg) must include inbound rules and outbound + // rules that allow TCP traffic on ports 2223-2225. The Source in the inbound + // rules and the Destination in the outbound rules must match the security + // group ID. These rules are set by default when you create the cluster. + // Do not delete or change them. To get information about a particular security + // group, use the DescribeSecurityGroups (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html) + // operation. + // + // * The cluster must contain at least as many HSMs as the operation requires. + // To add HSMs, use the AWS CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html) + // operation. + // + // For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey operations, + // the AWS CloudHSM cluster must have at least two active HSMs, each in a + // different Availability Zone. For the ConnectCustomKeyStore operation, + // the AWS CloudHSM must contain at least one active HSM. + // + // For information about the requirements for an AWS CloudHSM cluster that is + // associated with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) + // in the AWS Key Management Service Developer Guide. For information about + // creating a private subnet for an AWS CloudHSM cluster, see Create a Private + // Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html) + // in the AWS CloudHSM User Guide. For information about cluster security groups, + // see Configure a Default Security Group (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) + // in the AWS CloudHSM User Guide. + ErrCodeCloudHsmClusterInvalidConfigurationException = "CloudHsmClusterInvalidConfigurationException" + + // ErrCodeCloudHsmClusterNotActiveException for service response error code + // "CloudHsmClusterNotActiveException". + // + // The request was rejected because the AWS CloudHSM cluster that is associated + // with the custom key store is not active. Initialize and activate the cluster + // and try the command again. For detailed instructions, see Getting Started + // (https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html) + // in the AWS CloudHSM User Guide. + ErrCodeCloudHsmClusterNotActiveException = "CloudHsmClusterNotActiveException" + + // ErrCodeCloudHsmClusterNotFoundException for service response error code + // "CloudHsmClusterNotFoundException". + // + // The request was rejected because AWS KMS cannot find the AWS CloudHSM cluster + // with the specified cluster ID. Retry the request with a different cluster + // ID. + ErrCodeCloudHsmClusterNotFoundException = "CloudHsmClusterNotFoundException" + + // ErrCodeCloudHsmClusterNotRelatedException for service response error code + // "CloudHsmClusterNotRelatedException". + // + // The request was rejected because the specified AWS CloudHSM cluster has a + // different cluster certificate than the original cluster. You cannot use the + // operation to specify an unrelated cluster. + // + // Specify a cluster that shares a backup history with the original cluster. + // This includes clusters that were created from a backup of the current cluster, + // and clusters that were created from the same backup that produced the current + // cluster. + // + // Clusters that share a backup history have the same cluster certificate. To + // view the cluster certificate of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) + // operation. + ErrCodeCloudHsmClusterNotRelatedException = "CloudHsmClusterNotRelatedException" + + // ErrCodeCustomKeyStoreHasCMKsException for service response error code + // "CustomKeyStoreHasCMKsException". + // + // The request was rejected because the custom key store contains AWS KMS customer + // master keys (CMKs). After verifying that you do not need to use the CMKs, + // use the ScheduleKeyDeletion operation to delete the CMKs. After they are + // deleted, you can delete the custom key store. + ErrCodeCustomKeyStoreHasCMKsException = "CustomKeyStoreHasCMKsException" + + // ErrCodeCustomKeyStoreInvalidStateException for service response error code + // "CustomKeyStoreInvalidStateException". + // + // The request was rejected because of the ConnectionState of the custom key + // store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores + // operation. + // + // This exception is thrown under the following conditions: + // + // * You requested the CreateKey or GenerateRandom operation in a custom + // key store that is not connected. These operations are valid only when + // the custom key store ConnectionState is CONNECTED. + // + // * You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation + // on a custom key store that is not disconnected. This operation is valid + // only when the custom key store ConnectionState is DISCONNECTED. + // + // * You requested the ConnectCustomKeyStore operation on a custom key store + // with a ConnectionState of DISCONNECTING or FAILED. This operation is valid + // for all other ConnectionState values. + ErrCodeCustomKeyStoreInvalidStateException = "CustomKeyStoreInvalidStateException" + + // ErrCodeCustomKeyStoreNameInUseException for service response error code + // "CustomKeyStoreNameInUseException". + // + // The request was rejected because the specified custom key store name is already + // assigned to another custom key store in the account. Try again with a custom + // key store name that is unique in the account. + ErrCodeCustomKeyStoreNameInUseException = "CustomKeyStoreNameInUseException" + + // ErrCodeCustomKeyStoreNotFoundException for service response error code + // "CustomKeyStoreNotFoundException". + // + // The request was rejected because AWS KMS cannot find a custom key store with + // the specified key store name or ID. + ErrCodeCustomKeyStoreNotFoundException = "CustomKeyStoreNotFoundException" + + // ErrCodeDependencyTimeoutException for service response error code + // "DependencyTimeoutException". + // + // The system timed out while trying to fulfill the request. The request can + // be retried. + ErrCodeDependencyTimeoutException = "DependencyTimeoutException" + + // ErrCodeDisabledException for service response error code + // "DisabledException". + // + // The request was rejected because the specified CMK is not enabled. + ErrCodeDisabledException = "DisabledException" + + // ErrCodeExpiredImportTokenException for service response error code + // "ExpiredImportTokenException". + // + // The request was rejected because the provided import token is expired. Use + // GetParametersForImport to get a new import token and public key, use the + // new public key to encrypt the key material, and then try the request again. + ErrCodeExpiredImportTokenException = "ExpiredImportTokenException" + + // ErrCodeIncorrectKeyMaterialException for service response error code + // "IncorrectKeyMaterialException". + // + // The request was rejected because the provided key material is invalid or + // is not the same key material that was previously imported into this customer + // master key (CMK). + ErrCodeIncorrectKeyMaterialException = "IncorrectKeyMaterialException" + + // ErrCodeIncorrectTrustAnchorException for service response error code + // "IncorrectTrustAnchorException". + // + // The request was rejected because the trust anchor certificate in the request + // is not the trust anchor certificate for the specified AWS CloudHSM cluster. + // + // When you initialize the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr), + // you create the trust anchor certificate and save it in the customerCA.crt + // file. + ErrCodeIncorrectTrustAnchorException = "IncorrectTrustAnchorException" + + // ErrCodeInternalException for service response error code + // "KMSInternalException". + // + // The request was rejected because an internal exception occurred. The request + // can be retried. + ErrCodeInternalException = "KMSInternalException" + + // ErrCodeInvalidAliasNameException for service response error code + // "InvalidAliasNameException". + // + // The request was rejected because the specified alias name is not valid. + ErrCodeInvalidAliasNameException = "InvalidAliasNameException" + + // ErrCodeInvalidArnException for service response error code + // "InvalidArnException". + // + // The request was rejected because a specified ARN, or an ARN in a key policy, + // is not valid. + ErrCodeInvalidArnException = "InvalidArnException" + + // ErrCodeInvalidCiphertextException for service response error code + // "InvalidCiphertextException". + // + // The request was rejected because the specified ciphertext, or additional + // authenticated data incorporated into the ciphertext, such as the encryption + // context, is corrupted, missing, or otherwise invalid. + ErrCodeInvalidCiphertextException = "InvalidCiphertextException" + + // ErrCodeInvalidGrantIdException for service response error code + // "InvalidGrantIdException". + // + // The request was rejected because the specified GrantId is not valid. + ErrCodeInvalidGrantIdException = "InvalidGrantIdException" + + // ErrCodeInvalidGrantTokenException for service response error code + // "InvalidGrantTokenException". + // + // The request was rejected because the specified grant token is not valid. + ErrCodeInvalidGrantTokenException = "InvalidGrantTokenException" + + // ErrCodeInvalidImportTokenException for service response error code + // "InvalidImportTokenException". + // + // The request was rejected because the provided import token is invalid or + // is associated with a different customer master key (CMK). + ErrCodeInvalidImportTokenException = "InvalidImportTokenException" + + // ErrCodeInvalidKeyUsageException for service response error code + // "InvalidKeyUsageException". + // + // The request was rejected because the specified KeySpec value is not valid. + ErrCodeInvalidKeyUsageException = "InvalidKeyUsageException" + + // ErrCodeInvalidMarkerException for service response error code + // "InvalidMarkerException". + // + // The request was rejected because the marker that specifies where pagination + // should next begin is not valid. + ErrCodeInvalidMarkerException = "InvalidMarkerException" + + // ErrCodeInvalidStateException for service response error code + // "KMSInvalidStateException". + // + // The request was rejected because the state of the specified resource is not + // valid for this request. + // + // For more information about how key state affects the use of a CMK, see How + // Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) + // in the AWS Key Management Service Developer Guide. + ErrCodeInvalidStateException = "KMSInvalidStateException" + + // ErrCodeKeyUnavailableException for service response error code + // "KeyUnavailableException". + // + // The request was rejected because the specified CMK was not available. The + // request can be retried. + ErrCodeKeyUnavailableException = "KeyUnavailableException" + + // ErrCodeLimitExceededException for service response error code + // "LimitExceededException". + // + // The request was rejected because a limit was exceeded. For more information, + // see Limits (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html) + // in the AWS Key Management Service Developer Guide. + ErrCodeLimitExceededException = "LimitExceededException" + + // ErrCodeMalformedPolicyDocumentException for service response error code + // "MalformedPolicyDocumentException". + // + // The request was rejected because the specified policy is not syntactically + // or semantically correct. + ErrCodeMalformedPolicyDocumentException = "MalformedPolicyDocumentException" + + // ErrCodeNotFoundException for service response error code + // "NotFoundException". + // + // The request was rejected because the specified entity or resource could not + // be found. + ErrCodeNotFoundException = "NotFoundException" + + // ErrCodeTagException for service response error code + // "TagException". + // + // The request was rejected because one or more tags are not valid. + ErrCodeTagException = "TagException" + + // ErrCodeUnsupportedOperationException for service response error code + // "UnsupportedOperationException". + // + // The request was rejected because a specified parameter is not supported or + // a specified resource is not valid for this operation. + ErrCodeUnsupportedOperationException = "UnsupportedOperationException" +) diff --git a/vendor/github.com/aws/aws-sdk-go/service/kms/service.go b/vendor/github.com/aws/aws-sdk-go/service/kms/service.go new file mode 100644 index 00000000..6d062f32 --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/service/kms/service.go @@ -0,0 +1,97 @@ +// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT. + +package kms + +import ( + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/client" + "github.com/aws/aws-sdk-go/aws/client/metadata" + "github.com/aws/aws-sdk-go/aws/request" + "github.com/aws/aws-sdk-go/aws/signer/v4" + "github.com/aws/aws-sdk-go/private/protocol/jsonrpc" +) + +// KMS provides the API operation methods for making requests to +// AWS Key Management Service. See this package's package overview docs +// for details on the service. +// +// KMS methods are safe to use concurrently. It is not safe to +// modify mutate any of the struct's properties though. +type KMS struct { + *client.Client +} + +// Used for custom client initialization logic +var initClient func(*client.Client) + +// Used for custom request initialization logic +var initRequest func(*request.Request) + +// Service information constants +const ( + ServiceName = "kms" // Name of service. + EndpointsID = ServiceName // ID to lookup a service endpoint with. + ServiceID = "KMS" // ServiceID is a unique identifer of a specific service. +) + +// New creates a new instance of the KMS client with a session. +// If additional configuration is needed for the client instance use the optional +// aws.Config parameter to add your extra config. +// +// Example: +// // Create a KMS client from just a session. +// svc := kms.New(mySession) +// +// // Create a KMS client with additional configuration +// svc := kms.New(mySession, aws.NewConfig().WithRegion("us-west-2")) +func New(p client.ConfigProvider, cfgs ...*aws.Config) *KMS { + c := p.ClientConfig(EndpointsID, cfgs...) + return newClient(*c.Config, c.Handlers, c.Endpoint, c.SigningRegion, c.SigningName) +} + +// newClient creates, initializes and returns a new service client instance. +func newClient(cfg aws.Config, handlers request.Handlers, endpoint, signingRegion, signingName string) *KMS { + svc := &KMS{ + Client: client.New( + cfg, + metadata.ClientInfo{ + ServiceName: ServiceName, + ServiceID: ServiceID, + SigningName: signingName, + SigningRegion: signingRegion, + Endpoint: endpoint, + APIVersion: "2014-11-01", + JSONVersion: "1.1", + TargetPrefix: "TrentService", + }, + handlers, + ), + } + + // Handlers + svc.Handlers.Sign.PushBackNamed(v4.SignRequestHandler) + svc.Handlers.Build.PushBackNamed(jsonrpc.BuildHandler) + svc.Handlers.Unmarshal.PushBackNamed(jsonrpc.UnmarshalHandler) + svc.Handlers.UnmarshalMeta.PushBackNamed(jsonrpc.UnmarshalMetaHandler) + svc.Handlers.UnmarshalError.PushBackNamed(jsonrpc.UnmarshalErrorHandler) + + // Run custom client initialization if present + if initClient != nil { + initClient(svc.Client) + } + + return svc +} + +// newRequest creates a new request for a KMS operation and runs any +// custom request initialization. +func (c *KMS) newRequest(op *request.Operation, params, data interface{}) *request.Request { + req := c.NewRequest(op, params, data) + + // Run custom request initialization if present + if initRequest != nil { + initRequest(req) + } + + return req +}