Upload File

aws key management service - docs.aws. · pdf fileaws kms, see the aws key management service...

  • Home
  • Documents
  • AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through
158
AWS Key Management Service API Reference API Version 2014-11-01

Upload: duongquynh

Post on 30-Mar-2018

229 views

Category:

Documents


5 download

Report

TRANSCRIPT

Page 1: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management ServiceAPI Reference

API Version 2014-11-01

Page 2: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API Reference

AWS Key Management Service: API ReferenceCopyright © 2018 Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any mannerthat is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks notowned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored byAmazon.

Page 3: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API Reference

Table of ContentsWelcome .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1Actions .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

CancelKeyDeletion .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5Examples .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

CreateAlias ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Examples .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

CreateGrant .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13Examples .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

CreateKey .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Examples .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Decrypt .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21Examples .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

DeleteAlias ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24Examples .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

DeleteImportedKeyMaterial ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28Examples .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

API Version 2014-11-01iii

Page 4: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API Reference

See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29DescribeKey .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Examples .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

DisableKey .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Examples .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

DisableKeyRotation .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37Examples .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

EnableKey .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Examples .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

EnableKeyRotation .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43Examples .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Encrypt .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48Examples .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

GenerateDataKey .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54Examples .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

GenerateDataKeyWithoutPlaintext ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

API Version 2014-11-01iv

Page 5: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API Reference

Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58Examples .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

GenerateRandom ..... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62Examples .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

GetKeyPolicy .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65Examples .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

GetKeyRotationStatus .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68Examples .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

GetParametersForImport ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72Examples .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

ImportKeyMaterial ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77Examples .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

ListAliases .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81Examples .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

ListGrants .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

API Version 2014-11-01v

Page 6: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API Reference

Examples .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

ListKeyPolicies ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91Examples .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

ListKeys .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94Examples .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

ListResourceTags .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99Examples .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

ListRetirableGrants .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103Examples .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

PutKeyPolicy .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106Examples .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

ReEncrypt .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112Examples .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

RetireGrant .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116Examples .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

RevokeGrant .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

API Version 2014-11-01vi

Page 7: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API Reference

Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119Examples .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

ScheduleKeyDeletion .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121Response Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122Examples .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

TagResource .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126Examples .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

UntagResource .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129Examples .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

UpdateAlias ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132Examples .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

UpdateKeyDescription .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134Request Syntax .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134Request Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134Response Elements .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135Examples .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136

Data Types .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137AliasListEntry .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

GrantConstraints ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

GrantListEntry .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

KeyListEntry .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

KeyMetadata .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

API Version 2014-11-01vii

Page 8: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API Reference

See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145Tag .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146

Contents .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146See Also .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146

Common Parameters ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147Common Errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

API Version 2014-11-01viii

Page 9: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API Reference

WelcomeAWS Key Management Service (AWS KMS) is an encryption and key management web service. This guidedescribes the AWS KMS operations that you can call programmatically. For general information aboutAWS KMS, see the AWS Key Management Service Developer Guide.

NoteAWS provides SDKs that consist of libraries and sample code for various programminglanguages and platforms (Java, Ruby, .Net, macOS, Android, etc.). The SDKs provide aconvenient way to create programmatic access to AWS KMS and other AWS services. Forexample, the SDKs take care of tasks such as signing requests (see below), managing errors, andretrying requests automatically. For more information about the AWS SDKs, including how todownload and install them, see Tools for Amazon Web Services.

We recommend that you use the AWS SDKs to make programmatic API calls to AWS KMS.

Clients must support TLS (Transport Layer Security) 1.0. We recommend TLS 1.2. Clients must alsosupport cipher suites with Perfect Forward Secrecy (PFS) such as Ephemeral Diffie-Hellman (DHE) orElliptic Curve Ephemeral Diffie-Hellman (ECDHE). Most modern systems such as Java 7 and later supportthese modes.

Signing Requests

Requests must be signed by using an access key ID and a secret access key. We strongly recommend thatyou do not use your AWS account (root) access key ID and secret key for everyday work with AWS KMS.Instead, use the access key ID and secret access key for an IAM user, or you can use the AWS SecurityToken Service to generate temporary security credentials that you can use to sign requests.

All AWS KMS operations require Signature Version 4.

Logging API Requests

AWS KMS supports AWS CloudTrail, a service that logs AWS API calls and related events for your AWSaccount and delivers them to an Amazon S3 bucket that you specify. By using the information collectedby CloudTrail, you can determine what requests were made to AWS KMS, who made the request, when itwas made, and so on. To learn more about CloudTrail, including how to turn it on and find your log files,see the AWS CloudTrail User Guide.

Additional Resources

For more information about credentials and request signing, see the following:

• AWS Security Credentials - This topic provides general information about the types of credentials usedfor accessing AWS.

• Temporary Security Credentials - This section of the IAM User Guide describes how to create and usetemporary security credentials.

• Signature Version 4 Signing Process - This set of topics walks you through the process of signing arequest using an access key ID and a secret access key.

Commonly Used APIs

Of the APIs discussed in this guide, the following will prove the most useful for most applications. Youwill likely perform actions other than these, such as creating keys and assigning policies, by using theconsole.

API Version 2014-11-011

https://docs.aws.amazon.com/kms/latest/developerguide/
http://aws.amazon.com/tools/
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/
https://docs.aws.amazon.com/general/latest/gr/aws-security-credentials.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Page 10: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API Reference

• Encrypt (p. 46)• Decrypt (p. 20)• GenerateDataKey (p. 51)• GenerateDataKeyWithoutPlaintext (p. 56)

This document was last published on May 24, 2018.

API Version 2014-11-012

Page 11: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API Reference

ActionsThe following actions are supported:

• CancelKeyDeletion (p. 4)• CreateAlias (p. 7)• CreateGrant (p. 10)• CreateKey (p. 15)• Decrypt (p. 20)• DeleteAlias (p. 24)• DeleteImportedKeyMaterial (p. 27)• DescribeKey (p. 30)• DisableKey (p. 34)• DisableKeyRotation (p. 37)• EnableKey (p. 40)• EnableKeyRotation (p. 43)• Encrypt (p. 46)• GenerateDataKey (p. 51)• GenerateDataKeyWithoutPlaintext (p. 56)• GenerateRandom (p. 61)• GetKeyPolicy (p. 64)• GetKeyRotationStatus (p. 67)• GetParametersForImport (p. 70)• ImportKeyMaterial (p. 75)• ListAliases (p. 80)• ListGrants (p. 84)• ListKeyPolicies (p. 89)• ListKeys (p. 93)• ListResourceTags (p. 97)• ListRetirableGrants (p. 101)• PutKeyPolicy (p. 105)• ReEncrypt (p. 110)• RetireGrant (p. 115)• RevokeGrant (p. 118)• ScheduleKeyDeletion (p. 121)• TagResource (p. 125)• UntagResource (p. 128)• UpdateAlias (p. 131)• UpdateKeyDescription (p. 134)

API Version 2014-11-013

Page 12: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceCancelKeyDeletion

CancelKeyDeletionCancels the deletion of a customer master key (CMK). When this operation is successful, the CMK is set tothe Disabled state. To enable a CMK, use EnableKey (p. 40). You cannot perform this operation on aCMK in a different AWS account.

For more information about scheduling and canceling deletion of a CMK, see Deleting Customer MasterKeys in the AWS Key Management Service Developer Guide.

The result of this operation varies with the key state of the CMK. For details, see How Key State AffectsUse of a Customer Master Key in the AWS Key Management Service Developer Guide.

Request Syntax

{ "KeyId": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 147).

The request accepts the following data in JSON format.

NoteIn the following list, the required parameters are described first.

KeyId (p. 4)

The unique identifier for the customer master key (CMK) for which to cancel deletion.

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

For example:

• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

To get the key ID and key ARN for a CMK, use ListKeys (p. 93) or DescribeKey (p. 30).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: Yes

Response Syntax

{ "KeyId": "string"}

API Version 2014-11-014

https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 13: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceResponse Elements

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

KeyId (p. 4)

The unique identifier of the master key for which deletion is canceled.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 149).

DependencyTimeoutException

The system timed out while trying to fulfill the request. The request can be retried.

HTTP Status Code: 500InvalidArnException

The request was rejected because a specified ARN was not valid.

HTTP Status Code: 400KMSInternalException

The request was rejected because an internal exception occurred. The request can be retried.

HTTP Status Code: 400KMSInvalidStateException

The request was rejected because the state of the specified resource is not valid for this request.

For more information about how key state affects the use of a CMK, see How Key State Affects Useof a Customer Master Key in the AWS Key Management Service Developer Guide.

HTTP Status Code: 400NotFoundException

The request was rejected because the specified entity or resource could not be found.

HTTP Status Code: 400

ExamplesExample RequestThe following example is formatted for legibility.

POST / HTTP/1.1Host: kms.us-east-2.amazonaws.com

API Version 2014-11-015

https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 14: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceSee Also

Content-Length: 48X-Amz-Target: TrentService.CancelKeyDeletionX-Amz-Date: 20161025T182658ZContent-Type: application/x-amz-json-1.1Authorization: AWS4-HMAC-SHA256\ Credential=AKIAI44QH8DHBEXAMPLE/20161025/us-east-2/kms/aws4_request,\ SignedHeaders=content-type;host;x-amz-date;x-amz-target,\ Signature=1a600d3edf52b2c14bd6fb6fa44c6ca591bdcb02931fd9cac2e8aa66bd52e3bf

{"KeyId":"1234abcd-12ab-34cd-56ef-1234567890ab"}

Example Response

HTTP/1.1 200 OKServer: ServerDate: Tue, 25 Oct 2016 18:27:01 GMTContent-Type: application/x-amz-json-1.1Content-Length: 87Connection: keep-alivex-amzn-RequestId: 9f3b3cb8-9ae0-11e6-ac6b-03478315fc57

{"KeyId":"arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"}

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V2

API Version 2014-11-016

https://docs.aws.amazon.com/goto/aws-cli/kms-2014-11-01/CancelKeyDeletion
https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/CancelKeyDeletion
https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/CancelKeyDeletion
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/CancelKeyDeletion
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/CancelKeyDeletion
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/kms-2014-11-01/CancelKeyDeletion
https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/CancelKeyDeletion
https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/CancelKeyDeletion
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/CancelKeyDeletion
Page 15: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceCreateAlias

CreateAliasCreates a display name for a customer master key (CMK). You can use an alias to identify a CMK inselected operations, such as Encrypt (p. 46) and GenerateDataKey (p. 51).

Each CMK can have multiple aliases, but each alias points to only one CMK. The alias name must beunique in the AWS account and region. To simplify code that runs in multiple regions, use the same aliasname, but point it to a different CMK in each region.

Because an alias is not a property of a CMK, you can delete and change the aliases of a CMK withoutaffecting the CMK. Also, aliases do not appear in the response from the DescribeKey (p. 30) operation.To get the aliases of all CMKs, use the ListAliases (p. 80) operation.

An alias must start with the word alias followed by a forward slash (alias/). The alias name cancontain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). Alias namescannot begin with aws; that alias name prefix is reserved by Amazon Web Services (AWS).

The alias and the CMK it is mapped to must be in the same AWS account and the same region. Youcannot perform this operation on an alias in a different AWS account.

To map an existing alias to a different CMK, call UpdateAlias (p. 131).

The result of this operation varies with the key state of the CMK. For details, see How Key State AffectsUse of a Customer Master Key in the AWS Key Management Service Developer Guide.

Request Syntax{ "AliasName": "string", "TargetKeyId": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 147).

The request accepts the following data in JSON format.

NoteIn the following list, the required parameters are described first.

AliasName (p. 7)

String that contains the display name. The name must start with the word "alias" followed by aforward slash (alias/). Aliases that begin with "alias/AWS" are reserved.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^[a-zA-Z0-9:/_-]+$

Required: YesTargetKeyId (p. 7)

Identifies the CMK for which you are creating the alias. This value cannot be an alias.

API Version 2014-11-017

https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 16: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceResponse Elements

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

For example:• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

To get the key ID and key ARN for a CMK, use ListKeys (p. 93) or DescribeKey (p. 30).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: Yes

Response ElementsIf the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 149).

AlreadyExistsException

The request was rejected because it attempted to create a resource that already exists.

HTTP Status Code: 400DependencyTimeoutException

The system timed out while trying to fulfill the request. The request can be retried.

HTTP Status Code: 500InvalidAliasNameException

The request was rejected because the specified alias name is not valid.

HTTP Status Code: 400KMSInternalException

The request was rejected because an internal exception occurred. The request can be retried.

HTTP Status Code: 400KMSInvalidStateException

The request was rejected because the state of the specified resource is not valid for this request.

For more information about how key state affects the use of a CMK, see How Key State Affects Useof a Customer Master Key in the AWS Key Management Service Developer Guide.

HTTP Status Code: 400LimitExceededException

The request was rejected because a limit was exceeded. For more information, see Limits in the AWSKey Management Service Developer Guide.

HTTP Status Code: 400

API Version 2014-11-018

https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/limits.html
Page 17: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceExamples

NotFoundException

The request was rejected because the specified entity or resource could not be found.

HTTP Status Code: 400

ExamplesExample RequestThe following example is formatted for legibility.

POST / HTTP/1.1Host: kms.us-west-2.amazonaws.comContent-Length: 87X-Amz-Target: TrentService.CreateAliasX-Amz-Date: 20160517T204220ZContent-Type: application/x-amz-json-1.1Authorization: AWS4-HMAC-SHA256\ Credential=AKIAI44QH8DHBEXAMPLE/20160517/us-west-2/kms/aws4_request,\ SignedHeaders=content-type;host;x-amz-date;x-amz-target,\ Signature=ca7bcf1e8d5364dc3f0d881c05bdadf36f498c6c6a8b576a060142d9b2199123

{ "TargetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "AliasName": "alias/ExampleAlias"}

Example Response

HTTP/1.1 200 OKServer: ServerDate: Tue, 17 May 2016 20:42:25 GMTContent-Type: application/x-amz-json-1.1Content-Length: 0Connection: keep-alivex-amzn-RequestId: dcb07ca7-1c6f-11e6-8540-77c363708b91

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V2

API Version 2014-11-019

https://docs.aws.amazon.com/goto/aws-cli/kms-2014-11-01/CreateAlias
https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/CreateAlias
https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/CreateAlias
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/CreateAlias
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/CreateAlias
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/kms-2014-11-01/CreateAlias
https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/CreateAlias
https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/CreateAlias
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/CreateAlias
Page 18: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceCreateGrant

CreateGrantAdds a grant to a customer master key (CMK). The grant specifies who can use the CMK and under whatconditions. When setting permissions, grants are an alternative to key policies.

To perform this operation on a CMK in a different AWS account, specify the key ARN in the value of theKeyId parameter. For more information about grants, see Grants in the AWS Key Management ServiceDeveloper Guide.

The result of this operation varies with the key state of the CMK. For details, see How Key State AffectsUse of a Customer Master Key in the AWS Key Management Service Developer Guide.

Request Syntax{ "Constraints": { "EncryptionContextEquals": { "string" : "string" }, "EncryptionContextSubset": { "string" : "string" } }, "GranteePrincipal": "string", "GrantTokens": [ "string" ], "KeyId": "string", "Name": "string", "Operations": [ "string" ], "RetiringPrincipal": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 147).

The request accepts the following data in JSON format.

NoteIn the following list, the required parameters are described first.

GranteePrincipal (p. 10)

The principal that is given permission to perform the operations that the grant permits.

To specify the principal, use the Amazon Resource Name (ARN) of an AWS principal. Valid AWSprincipals include AWS accounts (root), IAM users, IAM roles, federated users, and assumed roleusers. For examples of the ARN syntax to use for specifying a principal, see AWS Identity and AccessManagement (IAM) in the Example ARNs section of the AWS General Reference.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Required: YesKeyId (p. 10)

The unique identifier for the customer master key (CMK) that the grant applies to.

API Version 2014-11-0110

https://docs.aws.amazon.com/kms/latest/developerguide/grants.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
Page 19: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceRequest Parameters

Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify a CMK in a differentAWS account, you must use the key ARN.

For example:• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

To get the key ID and key ARN for a CMK, use ListKeys (p. 93) or DescribeKey (p. 30).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: YesOperations (p. 10)

A list of operations that the grant permits.

Type: Array of strings

Valid Values: Decrypt | Encrypt | GenerateDataKey |GenerateDataKeyWithoutPlaintext | ReEncryptFrom | ReEncryptTo | CreateGrant| RetireGrant | DescribeKey

Required: YesConstraints (p. 10)

A structure that you can use to allow certain operations in the grant only when the desiredencryption context is present. For more information about encryption context, see EncryptionContext in the AWS Key Management Service Developer Guide.

Type: GrantConstraints (p. 139) object

Required: NoGrantTokens (p. 10)

A list of grant tokens.

For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.

Type: Array of strings

Array Members: Minimum number of 0 items. Maximum number of 10 items.

Length Constraints: Minimum length of 1. Maximum length of 8192.

Required: NoName (p. 10)

A friendly name for identifying the grant. Use this value to prevent unintended creation of duplicategrants when retrying this request.

When this value is absent, all CreateGrant requests result in a new grant with a unique GrantIdeven if all the supplied parameters are identical. This can result in unintended duplicates when youretry the CreateGrant request.

When this value is present, you can retry a CreateGrant request with identical parameters; if thegrant already exists, the original GrantId is returned without creating a new grant. Note that the

API Version 2014-11-0111

https://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
https://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
Page 20: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceResponse Syntax

returned grant token is unique with every CreateGrant request, even when a duplicate GrantId isreturned. All grant tokens obtained in this way can be used interchangeably.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^[a-zA-Z0-9:/_-]+$

Required: No

RetiringPrincipal (p. 10)

The principal that is given permission to retire the grant by using RetireGrant (p. 115) operation.

To specify the principal, use the Amazon Resource Name (ARN) of an AWS principal. Valid AWSprincipals include AWS accounts (root), IAM users, federated users, and assumed role users.For examples of the ARN syntax to use for specifying a principal, see AWS Identity and AccessManagement (IAM) in the Example ARNs section of the AWS General Reference.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Required: No

Response Syntax{ "GrantId": "string", "GrantToken": "string"}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

GrantId (p. 12)

The unique identifier for the grant.

You can use the GrantId in a subsequent RetireGrant (p. 115) or RevokeGrant (p. 118) operation.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

GrantToken (p. 12)

The grant token.

For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 8192.

API Version 2014-11-0112

https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
Page 21: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceErrors

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 149).

DependencyTimeoutException

The system timed out while trying to fulfill the request. The request can be retried.

HTTP Status Code: 500DisabledException

The request was rejected because the specified CMK is not enabled.

HTTP Status Code: 400InvalidArnException

The request was rejected because a specified ARN was not valid.

HTTP Status Code: 400InvalidGrantTokenException

The request was rejected because the specified grant token is not valid.

HTTP Status Code: 400KMSInternalException

The request was rejected because an internal exception occurred. The request can be retried.

HTTP Status Code: 400KMSInvalidStateException

The request was rejected because the state of the specified resource is not valid for this request.

For more information about how key state affects the use of a CMK, see How Key State Affects Useof a Customer Master Key in the AWS Key Management Service Developer Guide.

HTTP Status Code: 400LimitExceededException

The request was rejected because a limit was exceeded. For more information, see Limits in the AWSKey Management Service Developer Guide.

HTTP Status Code: 400NotFoundException

The request was rejected because the specified entity or resource could not be found.

HTTP Status Code: 400

ExamplesThe following examples are formatted for legibility.

Example Request

POST / HTTP/1.1

API Version 2014-11-0113

https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/limits.html
Page 22: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceSee Also

Host: kms.us-east-2.amazonaws.comContent-Length: 176X-Amz-Target: TrentService.CreateGrantX-Amz-Date: 20161031T202851ZContent-Type: application/x-amz-json-1.1Authorization: AWS4-HMAC-SHA256\ Credential=AKIAI44QH8DHBEXAMPLE/20161031/us-east-2/kms/aws4_request,\ SignedHeaders=content-type;host;x-amz-date;x-amz-target,\ Signature=84a2b3b8eb50b9bf34ba844cd5e59649fb315a16b447357ae49bf8b87774c8f7

{ "Operations": [ "Encrypt", "Decrypt" ], "GranteePrincipal": "arn:aws:iam::111122223333:role/ExampleRole", "KeyId": "arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab"}

Example Response

HTTP/1.1 200 OKServer: ServerDate: Mon, 31 Oct 2016 20:28:51 GMTContent-Type: application/x-amz-json-1.1Content-Length: 585Connection: keep-alivex-amzn-RequestId: a2d8d452-9fa8-11e6-b30c-dbb8ea4d97c5

{ "GrantId": "0c237476b39f8bc44e45212e08498fbe3151305030726c0590dd8d3e9f3d6a60", "GrantToken": "AQpAM2RhZTk1MGMyNTk2ZmZmMzEyYWVhOWViN2I1MWM4Mzc0MWFiYjc0ZDE1ODkyNGFlNTIzODZhMzgyZjBlNGY3NiKIAgEBAgB4Pa6VDCWW__MSrqnre1HIN0Grt00ViSSuUjhqOC8OT3YAAADfMIHcBgkqhkiG9w0BBwaggc4wgcsCAQAwgcUGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMmqLyBTAegIn9XlK5AgEQgIGXZQjkBcl1dykDdqZBUQ6L1OfUivQy7JVYO2-ZJP7m6f1g8GzV47HX5phdtONAP7K_HQIflcgpkoCqd_fUnE114mSmiagWkbQ5sqAVV3ov-VeqgrvMe5ZFEWLMSluvBAqdjHEdMIkHMlhlj4ENZbzBfo9Wxk8b8SnwP4kc4gGivedzFXo-dwN8fxjjq_ZZ9JFOj2ijIbj5FyogDCN0drOfi8RORSEuCEmPvjFRMFAwcmwFkN2NPp89amA"}

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V2

API Version 2014-11-0114

https://docs.aws.amazon.com/goto/aws-cli/kms-2014-11-01/CreateGrant
https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/CreateGrant
https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/CreateGrant
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/CreateGrant
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/CreateGrant
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/kms-2014-11-01/CreateGrant
https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/CreateGrant
https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/CreateGrant
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/CreateGrant
Page 23: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceCreateKey

CreateKeyCreates a customer master key (CMK) in the caller's AWS account.

You can use a CMK to encrypt small amounts of data (4 KiB or less) directly, but CMKs are morecommonly used to encrypt data encryption keys (DEKs), which are used to encrypt raw data. For moreinformation about DEKs and the difference between CMKs and DEKs, see the following:

• The GenerateDataKey (p. 51) operation• AWS Key Management Service Concepts in the AWS Key Management Service Developer Guide

You cannot use this operation to create a CMK in a different AWS account.

Request Syntax{ "BypassPolicyLockoutSafetyCheck": boolean, "Description": "string", "KeyUsage": "string", "Origin": "string", "Policy": "string", "Tags": [ { "TagKey": "string", "TagValue": "string" } ]}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 147).

The request accepts the following data in JSON format.

NoteIn the following list, the required parameters are described first.

BypassPolicyLockoutSafetyCheck (p. 15)

A flag to indicate whether to bypass the key policy lockout safety check.

ImportantSetting this value to true increases the risk that the CMK becomes unmanageable. Do notset this value to true indiscriminately.For more information, refer to the scenario in the Default Key Policy section in the AWS KeyManagement Service Developer Guide.

Use this parameter only when you include a policy in the request and you intend to prevent theprincipal that is making the request from making a subsequent PutKeyPolicy (p. 105) request onthe CMK.

The default value is false.

Type: Boolean

Required: No

API Version 2014-11-0115

https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
Page 24: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceRequest Parameters

Description (p. 15)

A description of the CMK.

Use a description that helps you decide whether the CMK is appropriate for a task.

Type: String

Length Constraints: Minimum length of 0. Maximum length of 8192.

Required: NoKeyUsage (p. 15)

The intended use of the CMK.

You can use CMKs only for symmetric encryption and decryption.

Type: String

Valid Values: ENCRYPT_DECRYPT

Required: NoOrigin (p. 15)

The source of the CMK's key material.

The default is AWS_KMS, which means AWS KMS creates the key material. When this parameter is setto EXTERNAL, the request creates a CMK without key material so that you can import key materialfrom your existing key management infrastructure. For more information about importing keymaterial into AWS KMS, see Importing Key Material in the AWS Key Management Service DeveloperGuide.

The CMK's Origin is immutable and is set when the CMK is created.

Type: String

Valid Values: AWS_KMS | EXTERNAL

Required: NoPolicy (p. 15)

The key policy to attach to the CMK.

If you provide a key policy, it must meet the following criteria:• If you don't set BypassPolicyLockoutSafetyCheck to true, the key policy must allow the

principal that is making the CreateKey request to make a subsequent PutKeyPolicy (p. 105)request on the CMK. This reduces the risk that the CMK becomes unmanageable. For moreinformation, refer to the scenario in the Default Key Policy section of the AWS Key ManagementService Developer Guide.

• Each statement in the key policy must contain one or more principals. The principals in the keypolicy must exist and be visible to AWS KMS. When you create a new AWS principal (for example,an IAM user or role), you might need to enforce a delay before including the new principal in akey policy because the new principal might not be immediately visible to AWS KMS. For moreinformation, see Changes that I make are not always immediately visible in the AWS Identity andAccess Management User Guide.

If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK. For moreinformation, see Default Key Policy in the AWS Key Management Service Developer Guide.

API Version 2014-11-0116

https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
Page 25: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceResponse Syntax

The key policy size limit is 32 kilobytes (32768 bytes).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 32768.

Pattern: [\u0009\u000A\u000D\u0020-\u00FF]+

Required: NoTags (p. 15)

One or more tags. Each tag consists of a tag key and a tag value. Tag keys and tag values are bothrequired, but tag values can be empty (null) strings.

Use this parameter to tag the CMK when it is created. Alternately, you can omit this parameter andinstead tag the CMK after it is created using TagResource (p. 125).

Type: Array of Tag (p. 146) objects

Required: No

Response Syntax{ "KeyMetadata": { "Arn": "string", "AWSAccountId": "string", "CreationDate": number, "DeletionDate": number, "Description": "string", "Enabled": boolean, "ExpirationModel": "string", "KeyId": "string", "KeyManager": "string", "KeyState": "string", "KeyUsage": "string", "Origin": "string", "ValidTo": number }}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

KeyMetadata (p. 17)

Metadata associated with the CMK.

Type: KeyMetadata (p. 143) object

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 149).

API Version 2014-11-0117

Page 26: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceExamples

DependencyTimeoutException

The system timed out while trying to fulfill the request. The request can be retried.

HTTP Status Code: 500InvalidArnException

The request was rejected because a specified ARN was not valid.

HTTP Status Code: 400KMSInternalException

The request was rejected because an internal exception occurred. The request can be retried.

HTTP Status Code: 400LimitExceededException

The request was rejected because a limit was exceeded. For more information, see Limits in the AWSKey Management Service Developer Guide.

HTTP Status Code: 400MalformedPolicyDocumentException

The request was rejected because the specified policy is not syntactically or semantically correct.

HTTP Status Code: 400TagException

The request was rejected because one or more tags are not valid.

HTTP Status Code: 400UnsupportedOperationException

The request was rejected because a specified parameter is not supported or a specified resource isnot valid for this operation.

HTTP Status Code: 400

ExamplesThe following examples are formatted for legibility.

Example Request

POST / HTTP/1.1Host: kms.us-east-2.amazonaws.comContent-Type: application/x-amz-json-1.1Authorization: AWS4-HMAC-SHA256\ Credential=AKIAI44QH8DHBEXAMPLE/20170705/us-east-2/kms/aws4_request,\ SignedHeaders=content-type;host;x-amz-date;x-amz-target,\ Signature=8fb59aa17854a97df47aae69f560b66178ed0b5e1ebe334be516c4f3f59acedcX-Amz-Target: TrentService.CreateKeyX-Amz-Date: 20170705T210455ZContent-Length: 62

{ "Tags": [{ "TagValue": "ExampleUser",

API Version 2014-11-0118

https://docs.aws.amazon.com/kms/latest/developerguide/limits.html
Page 27: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceSee Also

"TagKey": "CreatedBy" }]}

Example Response

HTTP/1.1 200 OKServer: ServerDate: Wed, 05 Jul 2017 21:04:55 GMTContent-Type: application/x-amz-json-1.1Content-Length: 335Connection: keep-alivex-amzn-RequestId: 98b2de61-61c5-11e7-bd87-9fc4a74e147b

{ "KeyMetadata": { "AWSAccountId": "111122223333", "Arn": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "CreationDate": 1.499288695918E9, "Description": "", "Enabled": true, "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "KeyManager": "CUSTOMER", "KeyState": "Enabled", "KeyUsage": "ENCRYPT_DECRYPT", "Origin": "AWS_KMS" }}

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V2

API Version 2014-11-0119

https://docs.aws.amazon.com/goto/aws-cli/kms-2014-11-01/CreateKey
https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/CreateKey
https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/CreateKey
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/CreateKey
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/CreateKey
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/kms-2014-11-01/CreateKey
https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/CreateKey
https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/CreateKey
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/CreateKey
Page 28: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceDecrypt

DecryptDecrypts ciphertext. Ciphertext is plaintext that has been previously encrypted by using any of thefollowing operations:

• GenerateDataKey (p. 51)• GenerateDataKeyWithoutPlaintext (p. 56)• Encrypt (p. 46)

Note that if a caller has been granted access permissions to all keys (through, for example, IAM userpolicies that grant Decrypt permission on all resources), then ciphertext encrypted by using keysin other accounts where the key grants access to the caller can be decrypted. To remedy this, werecommend that you do not grant Decrypt access in an IAM user policy. Instead grant Decrypt accessonly in key policies. If you must grant Decrypt access in an IAM user policy, you should scope theresource to specific keys or to specific trusted accounts.

The result of this operation varies with the key state of the CMK. For details, see How Key State AffectsUse of a Customer Master Key in the AWS Key Management Service Developer Guide.

Request Syntax{ "CiphertextBlob": blob, "EncryptionContext": { "string" : "string" }, "GrantTokens": [ "string" ]}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 147).

The request accepts the following data in JSON format.

NoteIn the following list, the required parameters are described first.

CiphertextBlob (p. 20)

Ciphertext to be decrypted. The blob includes metadata.

Type: Base64-encoded binary data object

Length Constraints: Minimum length of 1. Maximum length of 6144.

Required: YesEncryptionContext (p. 20)

The encryption context. If this was specified in the Encrypt (p. 46) function, it must be specifiedhere or the decryption operation will fail. For more information, see Encryption Context.

Type: String to string map

Required: No

API Version 2014-11-0120

https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
Page 29: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceResponse Syntax

GrantTokens (p. 20)

A list of grant tokens.

For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.

Type: Array of strings

Array Members: Minimum number of 0 items. Maximum number of 10 items.

Length Constraints: Minimum length of 1. Maximum length of 8192.

Required: No

Response Syntax{ "KeyId": "string", "Plaintext": blob}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

KeyId (p. 21)

ARN of the key used to perform the decryption. This value is returned if no errors are encounteredduring the operation.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.Plaintext (p. 21)

Decrypted plaintext data. When you use the HTTP API or the AWS CLI, the value is Base64-encdoded. Otherwise, it is not encoded.

Type: Base64-encoded binary data object

Length Constraints: Minimum length of 1. Maximum length of 4096.

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 149).

DependencyTimeoutException

The system timed out while trying to fulfill the request. The request can be retried.

HTTP Status Code: 500DisabledException

The request was rejected because the specified CMK is not enabled.

API Version 2014-11-0121

https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
Page 30: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceExamples

HTTP Status Code: 400InvalidCiphertextException

The request was rejected because the specified ciphertext, or additional authenticated dataincorporated into the ciphertext, such as the encryption context, is corrupted, missing, or otherwiseinvalid.

HTTP Status Code: 400InvalidGrantTokenException

The request was rejected because the specified grant token is not valid.

HTTP Status Code: 400KeyUnavailableException

The request was rejected because the specified CMK was not available. The request can be retried.

HTTP Status Code: 500KMSInternalException

The request was rejected because an internal exception occurred. The request can be retried.

HTTP Status Code: 400KMSInvalidStateException

The request was rejected because the state of the specified resource is not valid for this request.

For more information about how key state affects the use of a CMK, see How Key State Affects Useof a Customer Master Key in the AWS Key Management Service Developer Guide.

HTTP Status Code: 400NotFoundException

The request was rejected because the specified entity or resource could not be found.

HTTP Status Code: 400

ExamplesThe following examples are formatted for legibility.

Example Request

POST / HTTP/1.1Host: kms.us-west-2.amazonaws.comContent-Length: 293X-Amz-Target: TrentService.DecryptX-Amz-Date: 20160517T204035ZContent-Type: application/x-amz-json-1.1Authorization: AWS4-HMAC-SHA256\ Credential=AKIAI44QH8DHBEXAMPLE/20160517/us-west-2/kms/aws4_request,\ SignedHeaders=content-type;host;x-amz-date;x-amz-target,\ Signature=545b0c3bfd9223b8ef7e6293ef3ccac37a83d415ee3112d2e5c70727d2a49c46

{"CiphertextBlob": "CiDPoCH188S65r5Cy7pAhIFJMXDlU7mewhSlYUpuQIVBrhKmAQEBAgB4z6Ah9fPEuua+Qsu6QISBSTFw5VO5nsIUpWFKbkCFQa4AAAB9MHsGCSqGSIb3DQEHBqBuMGwCAQAwZwYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAxLc9b6QThC9jB/ZjYCARCAOt8la8qXLO5wB3JH2NlwWWzWRU2RKqpO9A/0psE5UWwkK6CnwoeC3Zj9Q0A66apZkbRglFfY1lTY+Tc="}

API Version 2014-11-0122

https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 31: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceSee Also

Example Response

HTTP/1.1 200 OKServer: ServerDate: Tue, 17 May 2016 20:40:40 GMTContent-Type: application/x-amz-json-1.1Content-Length: 146Connection: keep-alivex-amzn-RequestId: 9e02f41f-1c6f-11e6-af63-ab8791945da7

{ "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "Plaintext": "VGhpcyBpcyBEYXkgMSBmb3IgdGhlIEludGVybmV0Cg=="}

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V2

API Version 2014-11-0123

https://docs.aws.amazon.com/goto/aws-cli/kms-2014-11-01/Decrypt
https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/Decrypt
https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/Decrypt
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/Decrypt
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/Decrypt
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/kms-2014-11-01/Decrypt
https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/Decrypt
https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/Decrypt
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/Decrypt
Page 32: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceDeleteAlias

DeleteAliasDeletes the specified alias. You cannot perform this operation on an alias in a different AWS account.

Because an alias is not a property of a CMK, you can delete and change the aliases of a CMK withoutaffecting the CMK. Also, aliases do not appear in the response from the DescribeKey (p. 30) operation.To get the aliases of all CMKs, use the ListAliases (p. 80) operation.

Each CMK can have multiple aliases. To change the alias of a CMK, use DeleteAlias (p. 24) to deletethe current alias and CreateAlias (p. 7) to create a new alias. To associate an existing alias with a differentcustomer master key (CMK), call UpdateAlias (p. 131).

Request Syntax{ "AliasName": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 147).

The request accepts the following data in JSON format.

NoteIn the following list, the required parameters are described first.

AliasName (p. 24)

The alias to be deleted. The name must start with the word "alias" followed by a forward slash(alias/). Aliases that begin with "alias/aws" are reserved.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^[a-zA-Z0-9:/_-]+$

Required: Yes

Response ElementsIf the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 149).

DependencyTimeoutException

The system timed out while trying to fulfill the request. The request can be retried.

HTTP Status Code: 500

API Version 2014-11-0124

Page 33: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceExamples

KMSInternalException

The request was rejected because an internal exception occurred. The request can be retried.

HTTP Status Code: 400KMSInvalidStateException

The request was rejected because the state of the specified resource is not valid for this request.

For more information about how key state affects the use of a CMK, see How Key State Affects Useof a Customer Master Key in the AWS Key Management Service Developer Guide.

HTTP Status Code: 400NotFoundException

The request was rejected because the specified entity or resource could not be found.

HTTP Status Code: 400

ExamplesExample RequestThe following example is formatted for legibility.

POST / HTTP/1.1Host: kms.us-east-2.amazonaws.comContent-Length: 34X-Amz-Target: TrentService.DeleteAliasX-Amz-Date: 20161104T183415ZContent-Type: application/x-amz-json-1.1Authorization: AWS4-HMAC-SHA256\ Credential=AKIAI44QH8DHBEXAMPLE/20161104/us-east-2/kms/aws4_request,\ SignedHeaders=content-type;host;x-amz-date;x-amz-target,\ Signature=a57d9c76f60733ea93fe92ac4fa90ca82058a72913e4b8e52c262ffc96704d53

{"AliasName": "alias/ExampleAlias"}

Example Response

HTTP/1.1 200 OKServer: ServerDate: Fri, 04 Nov 2016 18:34:15 GMTContent-Type: application/x-amz-json-1.1Content-Length: 0Connection: keep-alivex-amzn-RequestId: 4a2313ae-a2bd-11e6-aea3-9bf897a0ae69

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++

API Version 2014-11-0125

https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/goto/aws-cli/kms-2014-11-01/DeleteAlias
https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/DeleteAlias
https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/DeleteAlias
Page 34: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceSee Also

• AWS SDK for Go• AWS SDK for Java• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V2

API Version 2014-11-0126

https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/DeleteAlias
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/DeleteAlias
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/kms-2014-11-01/DeleteAlias
https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/DeleteAlias
https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/DeleteAlias
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/DeleteAlias
Page 35: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceDeleteImportedKeyMaterial

DeleteImportedKeyMaterialDeletes key material that you previously imported. This operation makes the specified customer masterkey (CMK) unusable. For more information about importing key material into AWS KMS, see ImportingKey Material in the AWS Key Management Service Developer Guide. You cannot perform this operation ona CMK in a different AWS account.

When the specified CMK is in the PendingDeletion state, this operation does not change the CMK'sstate. Otherwise, it changes the CMK's state to PendingImport.

After you delete key material, you can use ImportKeyMaterial (p. 75) to reimport the same keymaterial into the CMK.

The result of this operation varies with the key state of the CMK. For details, see How Key State AffectsUse of a Customer Master Key in the AWS Key Management Service Developer Guide.

Request Syntax{ "KeyId": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 147).

The request accepts the following data in JSON format.

NoteIn the following list, the required parameters are described first.

KeyId (p. 27)

The identifier of the CMK whose key material to delete. The CMK's Origin must be EXTERNAL.

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

For example:• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

To get the key ID and key ARN for a CMK, use ListKeys (p. 93) or DescribeKey (p. 30).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: Yes

Response ElementsIf the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

API Version 2014-11-0127

https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 36: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceErrors

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 149).

DependencyTimeoutException

The system timed out while trying to fulfill the request. The request can be retried.

HTTP Status Code: 500InvalidArnException

The request was rejected because a specified ARN was not valid.

HTTP Status Code: 400KMSInternalException

The request was rejected because an internal exception occurred. The request can be retried.

HTTP Status Code: 400KMSInvalidStateException

The request was rejected because the state of the specified resource is not valid for this request.

For more information about how key state affects the use of a CMK, see How Key State Affects Useof a Customer Master Key in the AWS Key Management Service Developer Guide.

HTTP Status Code: 400NotFoundException

The request was rejected because the specified entity or resource could not be found.

HTTP Status Code: 400UnsupportedOperationException

The request was rejected because a specified parameter is not supported or a specified resource isnot valid for this operation.

HTTP Status Code: 400

ExamplesExample RequestThe following example is formatted for legibility.

POST / HTTP/1.1Host: kms.us-east-2.amazonaws.comContent-Length: 48X-Amz-Target: TrentService.DeleteImportedKeyMaterialX-Amz-Date: 20161107T213532ZContent-Type: application/x-amz-json-1.1Authorization: AWS4-HMAC-SHA256\ Credential=AKIAI44QH8DHBEXAMPLE/20161107/us-east-2/kms/aws4_request,\ SignedHeaders=content-type;host;x-amz-date;x-amz-target,\ Signature=2cea34fe55d5858295a377448a1e053d0edd45ce571da7cf69b202905759f272

{"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"}

API Version 2014-11-0128

https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 37: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceSee Also

Example Response

HTTP/1.1 200 OKServer: ServerDate: Mon, 07 Nov 2016 21:35:35 GMTContent-Type: application/x-amz-json-1.1Content-Length: 0Connection: keep-alivex-amzn-RequestId: 1e76aa81-a532-11e6-a265-d3aef78e1a90

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V2

API Version 2014-11-0129

https://docs.aws.amazon.com/goto/aws-cli/kms-2014-11-01/DeleteImportedKeyMaterial
https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/DeleteImportedKeyMaterial
https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/DeleteImportedKeyMaterial
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/DeleteImportedKeyMaterial
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/DeleteImportedKeyMaterial
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/kms-2014-11-01/DeleteImportedKeyMaterial
https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/DeleteImportedKeyMaterial
https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/DeleteImportedKeyMaterial
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/DeleteImportedKeyMaterial
Page 38: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceDescribeKey

DescribeKeyProvides detailed information about the specified customer master key (CMK).

If you use DescribeKey on a predefined AWS alias, that is, an AWS alias with no key ID, AWS KMSassociates the alias with an AWS managed CMK and returns its KeyId and Arn in the response.

To perform this operation on a CMK in a different AWS account, specify the key ARN or alias ARN in thevalue of the KeyId parameter.

Request Syntax{ "GrantTokens": [ "string" ], "KeyId": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 147).

The request accepts the following data in JSON format.

NoteIn the following list, the required parameters are described first.

KeyId (p. 30)

Describes the specified customer master key (CMK).

If you specify a predefined AWS alias (an AWS alias with no key ID), KMS associates the alias with anAWS managed CMK and returns its KeyId and Arn in the response.

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When usingan alias name, prefix it with "alias/". To specify a CMK in a different AWS account, you must use thekey ARN or alias ARN.

For example:• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

• Alias name: alias/ExampleAlias• Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias

To get the key ID and key ARN for a CMK, use ListKeys (p. 93) or DescribeKey (p. 30). To get thealias name and alias ARN, use ListAliases (p. 80).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: YesGrantTokens (p. 30)

A list of grant tokens.

API Version 2014-11-0130

https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
Page 39: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceResponse Syntax

For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.

Type: Array of strings

Array Members: Minimum number of 0 items. Maximum number of 10 items.

Length Constraints: Minimum length of 1. Maximum length of 8192.

Required: No

Response Syntax{ "KeyMetadata": { "Arn": "string", "AWSAccountId": "string", "CreationDate": number, "DeletionDate": number, "Description": "string", "Enabled": boolean, "ExpirationModel": "string", "KeyId": "string", "KeyManager": "string", "KeyState": "string", "KeyUsage": "string", "Origin": "string", "ValidTo": number }}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

KeyMetadata (p. 31)

Metadata associated with the key.

Type: KeyMetadata (p. 143) object

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 149).

DependencyTimeoutException

The system timed out while trying to fulfill the request. The request can be retried.

HTTP Status Code: 500

InvalidArnException

The request was rejected because a specified ARN was not valid.

HTTP Status Code: 400

API Version 2014-11-0131

https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
Page 40: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceExamples

KMSInternalException

The request was rejected because an internal exception occurred. The request can be retried.

HTTP Status Code: 400NotFoundException

The request was rejected because the specified entity or resource could not be found.

HTTP Status Code: 400

ExamplesThe following examples are formatted for legibility.

Example Request

POST / HTTP/1.1Host: kms.us-east-2.amazonaws.comContent-Length: 49X-Amz-Target: TrentService.DescribeKeyX-Amz-Date: 20170705T211529ZAuthorization: AWS4-HMAC-SHA256\ Credential=AKIAI44QH8DHBEXAMPLE/20170705/us-east-2/kms/aws4_request,\ SignedHeaders=content-type;host;x-amz-date;x-amz-target,\ Signature=6bcb6a5ef9ee7585d83955e8a5c3f6d47cf581596208fc0e436fa1de26ef3f6aContent-Type: application/x-amz-json-1.1

{"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"}

Example Response

HTTP/1.1 200 OKServer: ServerDate: Wed, 05 Jul 2017 21:15:30 GMTContent-Type: application/x-amz-json-1.1Content-Length: 335Connection: keep-alivex-amzn-RequestId: 13230ddb-61c7-11e7-af6f-c5b105d7a982

{ "KeyMetadata": { "AWSAccountId": "111122223333", "Arn": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "CreationDate": 1.499288695918E9, "Description": "", "Enabled": true, "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "KeyManager": "CUSTOMER", "KeyState": "Enabled", "KeyUsage": "ENCRYPT_DECRYPT", "Origin": "AWS_KMS" }}

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

API Version 2014-11-0132

Page 41: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceSee Also

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V2

API Version 2014-11-0133

https://docs.aws.amazon.com/goto/aws-cli/kms-2014-11-01/DescribeKey
https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/DescribeKey
https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/DescribeKey
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/DescribeKey
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/DescribeKey
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/kms-2014-11-01/DescribeKey
https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/DescribeKey
https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/DescribeKey
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/DescribeKey
Page 42: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceDisableKey

DisableKeySets the state of a customer master key (CMK) to disabled, thereby preventing its use for cryptographicoperations. You cannot perform this operation on a CMK in a different AWS account.

For more information about how key state affects the use of a CMK, see How Key State Affects the Use ofa Customer Master Key in the AWS Key Management Service Developer Guide.

The result of this operation varies with the key state of the CMK. For details, see How Key State AffectsUse of a Customer Master Key in the AWS Key Management Service Developer Guide.

Request Syntax{ "KeyId": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 147).

The request accepts the following data in JSON format.

NoteIn the following list, the required parameters are described first.

KeyId (p. 34)

A unique identifier for the customer master key (CMK).

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

For example:• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

To get the key ID and key ARN for a CMK, use ListKeys (p. 93) or DescribeKey (p. 30).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: Yes

Response ElementsIf the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 149).

API Version 2014-11-0134

https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 43: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceExamples

DependencyTimeoutException

The system timed out while trying to fulfill the request. The request can be retried.

HTTP Status Code: 500InvalidArnException

The request was rejected because a specified ARN was not valid.

HTTP Status Code: 400KMSInternalException

The request was rejected because an internal exception occurred. The request can be retried.

HTTP Status Code: 400KMSInvalidStateException

The request was rejected because the state of the specified resource is not valid for this request.

For more information about how key state affects the use of a CMK, see How Key State Affects Useof a Customer Master Key in the AWS Key Management Service Developer Guide.

HTTP Status Code: 400NotFoundException

The request was rejected because the specified entity or resource could not be found.

HTTP Status Code: 400

Examples

Example RequestThe following example is formatted for legibility.

POST / HTTP/1.1Host: kms.us-east-2.amazonaws.comContent-Length: 48X-Amz-Target: TrentService.DisableKeyX-Amz-Date: 20161107T221459ZContent-Type: application/x-amz-json-1.1Authorization: AWS4-HMAC-SHA256\ Credential=AKIAI44QH8DHBEXAMPLE/20161107/us-east-2/kms/aws4_request,\ SignedHeaders=content-type;host;x-amz-date;x-amz-target,\ Signature=de4ddbea732953d60c07d835a5dde9037c484ee3bec9313cbecd1d9420b41a7a

{"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"}

Example Response

HTTP/1.1 200 OKServer: ServerDate: Mon, 07 Nov 2016 22:14:59 GMTContent-Type: application/x-amz-json-1.1Content-Length: 0Connection: keep-alivex-amzn-RequestId: 9f5f3560-a537-11e6-8185-8df6f2682323

API Version 2014-11-0135

https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 44: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceSee Also

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V2

API Version 2014-11-0136

https://docs.aws.amazon.com/goto/aws-cli/kms-2014-11-01/DisableKey
https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/DisableKey
https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/DisableKey
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/DisableKey
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/DisableKey
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/kms-2014-11-01/DisableKey
https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/DisableKey
https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/DisableKey
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/DisableKey
Page 45: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceDisableKeyRotation

DisableKeyRotationDisables automatic rotation of the key material for the specified customer master key (CMK). You cannotperform this operation on a CMK in a different AWS account.

The result of this operation varies with the key state of the CMK. For details, see How Key State AffectsUse of a Customer Master Key in the AWS Key Management Service Developer Guide.

Request Syntax{ "KeyId": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 147).

The request accepts the following data in JSON format.

NoteIn the following list, the required parameters are described first.

KeyId (p. 37)

A unique identifier for the customer master key (CMK).

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

For example:• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

To get the key ID and key ARN for a CMK, use ListKeys (p. 93) or DescribeKey (p. 30).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: Yes

Response ElementsIf the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 149).

DependencyTimeoutException

The system timed out while trying to fulfill the request. The request can be retried.

API Version 2014-11-0137

https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 46: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceExamples

HTTP Status Code: 500DisabledException

The request was rejected because the specified CMK is not enabled.

HTTP Status Code: 400InvalidArnException

The request was rejected because a specified ARN was not valid.

HTTP Status Code: 400KMSInternalException

The request was rejected because an internal exception occurred. The request can be retried.

HTTP Status Code: 400KMSInvalidStateException

The request was rejected because the state of the specified resource is not valid for this request.

For more information about how key state affects the use of a CMK, see How Key State Affects Useof a Customer Master Key in the AWS Key Management Service Developer Guide.

HTTP Status Code: 400NotFoundException

The request was rejected because the specified entity or resource could not be found.

HTTP Status Code: 400UnsupportedOperationException

The request was rejected because a specified parameter is not supported or a specified resource isnot valid for this operation.

HTTP Status Code: 400

Examples

Example RequestThe following example is formatted for legibility.

POST / HTTP/1.1Host: kms.us-east-2.amazonaws.comContent-Length: 48X-Amz-Target: TrentService.DisableKeyRotationX-Amz-Date: 20161107T222236ZContent-Type: application/x-amz-json-1.1Authorization: AWS4-HMAC-SHA256\ Credential=AKIAI44QH8DHBEXAMPLE/20161107/us-east-2/kms/aws4_request,\ SignedHeaders=content-type;host;x-amz-date;x-amz-target,\ Signature=2304622be05af2afa8c75bf784fb87b280c194746418b05d7af947c8c2bd8f04

{"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"}

Example Response

API Version 2014-11-0138

https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 47: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceSee Also

HTTP/1.1 200 OKServer: ServerDate: Mon, 07 Nov 2016 22:22:36 GMTContent-Type: application/x-amz-json-1.1Content-Length: 0Connection: keep-alivex-amzn-RequestId: afd1c328-a538-11e6-861b-ad130425efbf

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V2

API Version 2014-11-0139

https://docs.aws.amazon.com/goto/aws-cli/kms-2014-11-01/DisableKeyRotation
https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/DisableKeyRotation
https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/DisableKeyRotation
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/DisableKeyRotation
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/DisableKeyRotation
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/kms-2014-11-01/DisableKeyRotation
https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/DisableKeyRotation
https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/DisableKeyRotation
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/DisableKeyRotation
Page 48: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceEnableKey

EnableKeySets the state of a customer master key (CMK) to enabled, thereby permitting its use for cryptographicoperations. You cannot perform this operation on a CMK in a different AWS account.

The result of this operation varies with the key state of the CMK. For details, see How Key State AffectsUse of a Customer Master Key in the AWS Key Management Service Developer Guide.

Request Syntax{ "KeyId": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 147).

The request accepts the following data in JSON format.

NoteIn the following list, the required parameters are described first.

KeyId (p. 40)

A unique identifier for the customer master key (CMK).

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

For example:• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

To get the key ID and key ARN for a CMK, use ListKeys (p. 93) or DescribeKey (p. 30).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: Yes

Response ElementsIf the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 149).

DependencyTimeoutException

The system timed out while trying to fulfill the request. The request can be retried.

API Version 2014-11-0140

https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 49: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceExamples

HTTP Status Code: 500InvalidArnException

The request was rejected because a specified ARN was not valid.

HTTP Status Code: 400KMSInternalException

The request was rejected because an internal exception occurred. The request can be retried.

HTTP Status Code: 400KMSInvalidStateException

The request was rejected because the state of the specified resource is not valid for this request.

For more information about how key state affects the use of a CMK, see How Key State Affects Useof a Customer Master Key in the AWS Key Management Service Developer Guide.

HTTP Status Code: 400LimitExceededException

The request was rejected because a limit was exceeded. For more information, see Limits in the AWSKey Management Service Developer Guide.

HTTP Status Code: 400NotFoundException

The request was rejected because the specified entity or resource could not be found.

HTTP Status Code: 400

Examples

Example RequestThe following example is formatted for legibility.

POST / HTTP/1.1Host: kms.us-east-2.amazonaws.comContent-Length: 48X-Amz-Target: TrentService.EnableKeyX-Amz-Date: 20161107T221800ZContent-Type: application/x-amz-json-1.1Authorization: AWS4-HMAC-SHA256\ Credential=AKIAI44QH8DHBEXAMPLE/20161107/us-east-2/kms/aws4_request,\ SignedHeaders=content-type;host;x-amz-date;x-amz-target,\ Signature=74d02e36580c1759255dfef66f1e51f3542e469de8c7c8fa5fb21c042e518295

{"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"}

Example Response

HTTP/1.1 200 OKServer: ServerDate: Mon, 07 Nov 2016 22:18:00 GMTContent-Type: application/x-amz-json-1.1

API Version 2014-11-0141

https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/limits.html
Page 50: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceSee Also

Content-Length: 0Connection: keep-alivex-amzn-RequestId: 0b588162-a538-11e6-b4ed-059c103e7a90

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V2

API Version 2014-11-0142

https://docs.aws.amazon.com/goto/aws-cli/kms-2014-11-01/EnableKey
https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/EnableKey
https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/EnableKey
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/EnableKey
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/EnableKey
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/kms-2014-11-01/EnableKey
https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/EnableKey
https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/EnableKey
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/EnableKey
Page 51: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceEnableKeyRotation

EnableKeyRotationEnables automatic rotation of the key material for the specified customer master key (CMK). You cannotperform this operation on a CMK in a different AWS account.

The result of this operation varies with the key state of the CMK. For details, see How Key State AffectsUse of a Customer Master Key in the AWS Key Management Service Developer Guide.

Request Syntax{ "KeyId": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 147).

The request accepts the following data in JSON format.

NoteIn the following list, the required parameters are described first.

KeyId (p. 43)

A unique identifier for the customer master key (CMK).

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

For example:• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

To get the key ID and key ARN for a CMK, use ListKeys (p. 93) or DescribeKey (p. 30).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: Yes

Response ElementsIf the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 149).

DependencyTimeoutException

The system timed out while trying to fulfill the request. The request can be retried.

API Version 2014-11-0143

https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 52: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceExamples

HTTP Status Code: 500DisabledException

The request was rejected because the specified CMK is not enabled.

HTTP Status Code: 400InvalidArnException

The request was rejected because a specified ARN was not valid.

HTTP Status Code: 400KMSInternalException

The request was rejected because an internal exception occurred. The request can be retried.

HTTP Status Code: 400KMSInvalidStateException

The request was rejected because the state of the specified resource is not valid for this request.

For more information about how key state affects the use of a CMK, see How Key State Affects Useof a Customer Master Key in the AWS Key Management Service Developer Guide.

HTTP Status Code: 400NotFoundException

The request was rejected because the specified entity or resource could not be found.

HTTP Status Code: 400UnsupportedOperationException

The request was rejected because a specified parameter is not supported or a specified resource isnot valid for this operation.

HTTP Status Code: 400

Examples

Example RequestThe following example is formatted for legibility.

POST / HTTP/1.1Host: kms.us-east-2.amazonaws.comContent-Length: 48X-Amz-Target: TrentService.EnableKeyRotationX-Amz-Date: 20161107T221835ZContent-Type: application/x-amz-json-1.1Authorization: AWS4-HMAC-SHA256\ Credential=AKIAI44QH8DHBEXAMPLE/20161107/us-east-2/kms/aws4_request,\ SignedHeaders=content-type;host;x-amz-date;x-amz-target,\ Signature=4783e177036ca78627fe0cda9dcfdaf4ad7c8312d0e7c3d71d814b0c4cff1c0b

{"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"}

Example Response

API Version 2014-11-0144

https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 53: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceSee Also

HTTP/1.1 200 OKServer: ServerDate: Mon, 07 Nov 2016 22:18:36 GMTContent-Type: application/x-amz-json-1.1Content-Length: 0Connection: keep-alivex-amzn-RequestId: 2077c3bf-a538-11e6-b6fb-794e83344f84

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V2

API Version 2014-11-0145

https://docs.aws.amazon.com/goto/aws-cli/kms-2014-11-01/EnableKeyRotation
https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/EnableKeyRotation
https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/EnableKeyRotation
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/EnableKeyRotation
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/EnableKeyRotation
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/kms-2014-11-01/EnableKeyRotation
https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/EnableKeyRotation
https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/EnableKeyRotation
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/EnableKeyRotation
Page 54: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceEncrypt

EncryptEncrypts plaintext into ciphertext by using a customer master key (CMK). The Encrypt operation hastwo primary use cases:

• You can encrypt up to 4 kilobytes (4096 bytes) of arbitrary data such as an RSA key, a databasepassword, or other sensitive information.

• To move encrypted data from one AWS region to another, you can use this operation to encrypt inthe new region the plaintext data key that was used to encrypt the data in the original region. Thisprovides you with an encrypted copy of the data key that can be decrypted in the new region and usedthere to decrypt the encrypted data.

To perform this operation on a CMK in a different AWS account, specify the key ARN or alias ARN in thevalue of the KeyId parameter.

Unless you are moving encrypted data from one region to another, you don't use this operation toencrypt a generated data key within a region. To get data keys that are already encrypted, call theGenerateDataKey (p. 51) or GenerateDataKeyWithoutPlaintext (p. 56) operation. Data keys don'tneed to be encrypted again by calling Encrypt.

To encrypt data locally in your application, use the GenerateDataKey (p. 51) operation to return aplaintext data encryption key and a copy of the key encrypted under the CMK of your choosing.

The result of this operation varies with the key state of the CMK. For details, see How Key State AffectsUse of a Customer Master Key in the AWS Key Management Service Developer Guide.

Request Syntax{ "EncryptionContext": { "string" : "string" }, "GrantTokens": [ "string" ], "KeyId": "string", "Plaintext": blob}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 147).

The request accepts the following data in JSON format.

NoteIn the following list, the required parameters are described first.

KeyId (p. 46)

A unique identifier for the customer master key (CMK).

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When usingan alias name, prefix it with "alias/". To specify a CMK in a different AWS account, you must use thekey ARN or alias ARN.

For example:

API Version 2014-11-0146

https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 55: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceResponse Syntax

• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

• Alias name: alias/ExampleAlias• Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias

To get the key ID and key ARN for a CMK, use ListKeys (p. 93) or DescribeKey (p. 30). To get thealias name and alias ARN, use ListAliases (p. 80).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: YesPlaintext (p. 46)

Data to be encrypted.

Type: Base64-encoded binary data object

Length Constraints: Minimum length of 1. Maximum length of 4096.

Required: YesEncryptionContext (p. 46)

Name-value pair that specifies the encryption context to be used for authenticated encryption. Ifused here, the same value must be supplied to the Decrypt API or decryption will fail. For moreinformation, see Encryption Context.

Type: String to string map

Required: NoGrantTokens (p. 46)

A list of grant tokens.

For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.

Type: Array of strings

Array Members: Minimum number of 0 items. Maximum number of 10 items.

Length Constraints: Minimum length of 1. Maximum length of 8192.

Required: No

Response Syntax{ "CiphertextBlob": blob, "KeyId": "string"}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

API Version 2014-11-0147

https://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
Page 56: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceErrors

The following data is returned in JSON format by the service.

CiphertextBlob (p. 47)

The encrypted plaintext. When you use the HTTP API or the AWS CLI, the value is Base64-encdoded.Otherwise, it is not encoded.

Type: Base64-encoded binary data object

Length Constraints: Minimum length of 1. Maximum length of 6144.KeyId (p. 47)

The ID of the key used during encryption.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 149).

DependencyTimeoutException

The system timed out while trying to fulfill the request. The request can be retried.

HTTP Status Code: 500DisabledException

The request was rejected because the specified CMK is not enabled.

HTTP Status Code: 400InvalidGrantTokenException

The request was rejected because the specified grant token is not valid.

HTTP Status Code: 400InvalidKeyUsageException

The request was rejected because the specified KeySpec value is not valid.

HTTP Status Code: 400KeyUnavailableException

The request was rejected because the specified CMK was not available. The request can be retried.

HTTP Status Code: 500KMSInternalException

The request was rejected because an internal exception occurred. The request can be retried.

HTTP Status Code: 400KMSInvalidStateException

The request was rejected because the state of the specified resource is not valid for this request.

For more information about how key state affects the use of a CMK, see How Key State Affects Useof a Customer Master Key in the AWS Key Management Service Developer Guide.

API Version 2014-11-0148

https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 57: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceExamples

HTTP Status Code: 400NotFoundException

The request was rejected because the specified entity or resource could not be found.

HTTP Status Code: 400

ExamplesThe following examples are formatted for legibility.

Example Request

POST / HTTP/1.1Host: kms.us-west-2.amazonaws.comContent-Length: 107X-Amz-Target: TrentService.EncryptX-Amz-Date: 20160517T203825ZContent-Type: application/x-amz-json-1.1Authorization: AWS4-HMAC-SHA256\ Credential=AKIAI44QH8DHBEXAMPLE/20160517/us-west-2/kms/aws4_request,\ SignedHeaders=content-type;host;x-amz-date;x-amz-target,\ Signature=67ccaa73c1af7fe83973ce8139104d55f3bdcebee323d2f2e65996d99015ace2

{ "Plaintext": "VGhpcyBpcyBEYXkgMSBmb3IgdGhlIEludGVybmV0Cg==", "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"}

Example Response

HTTP/1.1 200 OKServer: ServerDate: Tue, 17 May 2016 20:38:30 GMTContent-Type: application/x-amz-json-1.1Content-Length: 379Connection: keep-alivex-amzn-RequestId: 50a0c603-1c6f-11e6-bb9e-3fadde80ce75

{ "CiphertextBlob": "CiDPoCH188S65r5Cy7pAhIFJMXDlU7mewhSlYUpuQIVBrhKmAQEBAgB4z6Ah9fPEuua+Qsu6QISBSTFw5VO5nsIUpWFKbkCFQa4AAAB9MHsGCSqGSIb3DQEHBqBuMGwCAQAwZwYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAxLc9b6QThC9jB/ZjYCARCAOt8la8qXLO5wB3JH2NlwWWzWRU2RKqpO9A/0psE5UWwkK6CnwoeC3Zj9Q0A66apZkbRglFfY1lTY+Tc=", "KeyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"}

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java

API Version 2014-11-0149

https://docs.aws.amazon.com/goto/aws-cli/kms-2014-11-01/Encrypt
https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/Encrypt
https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/Encrypt
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/Encrypt
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/Encrypt
Page 58: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceSee Also

• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V2

API Version 2014-11-0150

https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/kms-2014-11-01/Encrypt
https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/Encrypt
https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/Encrypt
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/Encrypt
Page 59: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceGenerateDataKey

GenerateDataKeyReturns a data encryption key that you can use in your application to encrypt data locally.

You must specify the customer master key (CMK) under which to generate the data key. You must alsospecify the length of the data key using either the KeySpec or NumberOfBytes field. You must specifyone field or the other, but not both. For common key lengths (128-bit and 256-bit symmetric keys), werecommend that you use KeySpec. To perform this operation on a CMK in a different AWS account,specify the key ARN or alias ARN in the value of the KeyId parameter.

This operation returns a plaintext copy of the data key in the Plaintext field of the response, and anencrypted copy of the data key in the CiphertextBlob field. The data key is encrypted under the CMKspecified in the KeyId field of the request.

We recommend that you use the following pattern to encrypt data locally in your application:

1. Use this operation (GenerateDataKey) to get a data encryption key.

2. Use the plaintext data encryption key (returned in the Plaintext field of the response) to encryptdata locally, then erase the plaintext data key from memory.

3. Store the encrypted data key (returned in the CiphertextBlob field of the response) alongside thelocally encrypted data.

To decrypt data locally:

1. Use the Decrypt (p. 20) operation to decrypt the encrypted data key into a plaintext copy of the datakey.

2. Use the plaintext data key to decrypt data locally, then erase the plaintext data key from memory.

To return only an encrypted copy of the data key, use GenerateDataKeyWithoutPlaintext (p. 56). Toreturn a random byte string that is cryptographically secure, use GenerateRandom (p. 61).

If you use the optional EncryptionContext field, you must store at least enough information to beable to reconstruct the full encryption context when you later send the ciphertext to the Decrypt (p. 20)operation. It is a good practice to choose an encryption context that you can reconstruct on the fly tobetter secure the ciphertext. For more information, see Encryption Context in the AWS Key ManagementService Developer Guide.

The result of this operation varies with the key state of the CMK. For details, see How Key State AffectsUse of a Customer Master Key in the AWS Key Management Service Developer Guide.

Request Syntax

{ "EncryptionContext": { "string" : "string" }, "GrantTokens": [ "string" ], "KeyId": "string", "KeySpec": "string", "NumberOfBytes": number}

API Version 2014-11-0151

https://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 60: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceRequest Parameters

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 147).

The request accepts the following data in JSON format.

NoteIn the following list, the required parameters are described first.

KeyId (p. 51)

The identifier of the CMK under which to generate and encrypt the data encryption key.

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When usingan alias name, prefix it with "alias/". To specify a CMK in a different AWS account, you must use thekey ARN or alias ARN.

For example:• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

• Alias name: alias/ExampleAlias• Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias

To get the key ID and key ARN for a CMK, use ListKeys (p. 93) or DescribeKey (p. 30). To get thealias name and alias ARN, use ListAliases (p. 80).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: YesEncryptionContext (p. 51)

A set of key-value pairs that represents additional authenticated data.

For more information, see Encryption Context in the AWS Key Management Service Developer Guide.

Type: String to string map

Required: NoGrantTokens (p. 51)

A list of grant tokens.

For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.

Type: Array of strings

Array Members: Minimum number of 0 items. Maximum number of 10 items.

Length Constraints: Minimum length of 1. Maximum length of 8192.

Required: NoKeySpec (p. 51)

The length of the data encryption key. Use AES_128 to generate a 128-bit symmetric key, orAES_256 to generate a 256-bit symmetric key.

API Version 2014-11-0152

https://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
Page 61: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceResponse Syntax

Type: String

Valid Values: AES_256 | AES_128

Required: No

NumberOfBytes (p. 51)

The length of the data encryption key in bytes. For example, use the value 64 to generate a 512-bitdata key (64 bytes is 512 bits). For common key lengths (128-bit and 256-bit symmetric keys), werecommend that you use the KeySpec field instead of this one.

Type: Integer

Valid Range: Minimum value of 1. Maximum value of 1024.

Required: No

Response Syntax{ "CiphertextBlob": blob, "KeyId": "string", "Plaintext": blob}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

CiphertextBlob (p. 53)

The encrypted data encryption key. When you use the HTTP API or the AWS CLI, the value is Base64-encdoded. Otherwise, it is not encoded.

Type: Base64-encoded binary data object

Length Constraints: Minimum length of 1. Maximum length of 6144.

KeyId (p. 53)

The identifier of the CMK under which the data encryption key was generated and encrypted.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Plaintext (p. 53)

The data encryption key. When you use the HTTP API or the AWS CLI, the value is Base64-encdoded.Otherwise, it is not encoded. Use this data key for local encryption and decryption, then remove itfrom memory as soon as possible.

Type: Base64-encoded binary data object

Length Constraints: Minimum length of 1. Maximum length of 4096.

API Version 2014-11-0153

Page 62: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceErrors

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 149).

DependencyTimeoutException

The system timed out while trying to fulfill the request. The request can be retried.

HTTP Status Code: 500DisabledException

The request was rejected because the specified CMK is not enabled.

HTTP Status Code: 400InvalidGrantTokenException

The request was rejected because the specified grant token is not valid.

HTTP Status Code: 400InvalidKeyUsageException

The request was rejected because the specified KeySpec value is not valid.

HTTP Status Code: 400KeyUnavailableException

The request was rejected because the specified CMK was not available. The request can be retried.

HTTP Status Code: 500KMSInternalException

The request was rejected because an internal exception occurred. The request can be retried.

HTTP Status Code: 400KMSInvalidStateException

The request was rejected because the state of the specified resource is not valid for this request.

For more information about how key state affects the use of a CMK, see How Key State Affects Useof a Customer Master Key in the AWS Key Management Service Developer Guide.

HTTP Status Code: 400NotFoundException

The request was rejected because the specified entity or resource could not be found.

HTTP Status Code: 400

ExamplesThe following examples are formatted for legibility.

Example Request

POST / HTTP/1.1Host: kms.us-east-2.amazonaws.com

API Version 2014-11-0154

https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 63: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceSee Also

Content-Length: 50X-Amz-Target: TrentService.GenerateDataKeyX-Amz-Date: 20161112T000940ZContent-Type: application/x-amz-json-1.1Authorization: AWS4-HMAC-SHA256\ Credential=AKIAI44QH8DHBEXAMPLE/20161112/us-east-2/kms/aws4_request,\ SignedHeaders=content-type;host;x-amz-date;x-amz-target,\ Signature=815ac4ccbb5c53b8ca015f979704c7953bb0068bf53f4e0b7c6886ed5b0a8fe4

{ "KeyId": "alias/ExampleAlias", "KeySpec": "AES_256"}

Example Response

HTTP/1.1 200 OKServer: ServerDate: Sat, 12 Nov 2016 00:09:40 GMTContent-Type: application/x-amz-json-1.1Content-Length: 390Connection: keep-alivex-amzn-RequestId: 4e6fc242-a86c-11e6-aff0-8333261e2fbd

{ "CiphertextBlob": "AQEDAHjRYf5WytIc0C857tFSnBaPn2F8DgfmThbJlGfR8P3WlwAAAH4wfAYJKoZIhvcNAQcGoG8wbQIBADBoBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDEFogLqPWZconQhwHAIBEIA7d9AC7GeJJM34njQvg4Wf1d5sw0NIo1MrBqZa+YdhV8MrkBQPeac0ReRVNDt9qleAt+SHgIRF8P0H+7U=", "KeyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "Plaintext": "VdzKNHGzUAzJeRBVY+uUmofUGGiDzyB3+i9fVkh3piw="}

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V2

API Version 2014-11-0155

https://docs.aws.amazon.com/goto/aws-cli/kms-2014-11-01/GenerateDataKey
https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/GenerateDataKey
https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/GenerateDataKey
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/GenerateDataKey
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/GenerateDataKey
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/kms-2014-11-01/GenerateDataKey
https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/GenerateDataKey
https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/GenerateDataKey
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/GenerateDataKey
Page 64: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceGenerateDataKeyWithoutPlaintext

GenerateDataKeyWithoutPlaintextReturns a data encryption key encrypted under a customer master key (CMK). This operation is identicalto GenerateDataKey (p. 51) but returns only the encrypted copy of the data key.

To perform this operation on a CMK in a different AWS account, specify the key ARN or alias ARN in thevalue of the KeyId parameter.

This operation is useful in a system that has multiple components with different degrees of trust.For example, consider a system that stores encrypted data in containers. Each container storesthe encrypted data and an encrypted copy of the data key. One component of the system, calledthe control plane, creates new containers. When it creates a new container, it uses this operation(GenerateDataKeyWithoutPlaintext) to get an encrypted data key and then stores it in thecontainer. Later, a different component of the system, called the data plane, puts encrypted data into thecontainers. To do this, it passes the encrypted data key to the Decrypt (p. 20) operation, then uses thereturned plaintext data key to encrypt data, and finally stores the encrypted data in the container. In thissystem, the control plane never sees the plaintext data key.

The result of this operation varies with the key state of the CMK. For details, see How Key State AffectsUse of a Customer Master Key in the AWS Key Management Service Developer Guide.

Request Syntax{ "EncryptionContext": { "string" : "string" }, "GrantTokens": [ "string" ], "KeyId": "string", "KeySpec": "string", "NumberOfBytes": number}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 147).

The request accepts the following data in JSON format.

NoteIn the following list, the required parameters are described first.

KeyId (p. 56)

The identifier of the customer master key (CMK) under which to generate and encrypt the dataencryption key.

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When usingan alias name, prefix it with "alias/". To specify a CMK in a different AWS account, you must use thekey ARN or alias ARN.

For example:• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

• Alias name: alias/ExampleAlias

API Version 2014-11-0156

https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 65: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceResponse Syntax

• Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias

To get the key ID and key ARN for a CMK, use ListKeys (p. 93) or DescribeKey (p. 30). To get thealias name and alias ARN, use ListAliases (p. 80).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: YesEncryptionContext (p. 56)

A set of key-value pairs that represents additional authenticated data.

For more information, see Encryption Context in the AWS Key Management Service Developer Guide.

Type: String to string map

Required: NoGrantTokens (p. 56)

A list of grant tokens.

For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.

Type: Array of strings

Array Members: Minimum number of 0 items. Maximum number of 10 items.

Length Constraints: Minimum length of 1. Maximum length of 8192.

Required: NoKeySpec (p. 56)

The length of the data encryption key. Use AES_128 to generate a 128-bit symmetric key, orAES_256 to generate a 256-bit symmetric key.

Type: String

Valid Values: AES_256 | AES_128

Required: NoNumberOfBytes (p. 56)

The length of the data encryption key in bytes. For example, use the value 64 to generate a 512-bitdata key (64 bytes is 512 bits). For common key lengths (128-bit and 256-bit symmetric keys), werecommend that you use the KeySpec field instead of this one.

Type: Integer

Valid Range: Minimum value of 1. Maximum value of 1024.

Required: No

Response Syntax{ "CiphertextBlob": blob, "KeyId": "string"

API Version 2014-11-0157

https://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
Page 66: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceResponse Elements

}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

CiphertextBlob (p. 57)

The encrypted data encryption key. When you use the HTTP API or the AWS CLI, the value is Base64-encdoded. Otherwise, it is not encoded.

Type: Base64-encoded binary data object

Length Constraints: Minimum length of 1. Maximum length of 6144.KeyId (p. 57)

The identifier of the CMK under which the data encryption key was generated and encrypted.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 149).

DependencyTimeoutException

The system timed out while trying to fulfill the request. The request can be retried.

HTTP Status Code: 500DisabledException

The request was rejected because the specified CMK is not enabled.

HTTP Status Code: 400InvalidGrantTokenException

The request was rejected because the specified grant token is not valid.

HTTP Status Code: 400InvalidKeyUsageException

The request was rejected because the specified KeySpec value is not valid.

HTTP Status Code: 400KeyUnavailableException

The request was rejected because the specified CMK was not available. The request can be retried.

HTTP Status Code: 500KMSInternalException

The request was rejected because an internal exception occurred. The request can be retried.

HTTP Status Code: 400

API Version 2014-11-0158

Page 67: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceExamples

KMSInvalidStateException

The request was rejected because the state of the specified resource is not valid for this request.

For more information about how key state affects the use of a CMK, see How Key State Affects Useof a Customer Master Key in the AWS Key Management Service Developer Guide.

HTTP Status Code: 400NotFoundException

The request was rejected because the specified entity or resource could not be found.

HTTP Status Code: 400

ExamplesThe following examples are formatted for legibility.

Example Request

POST / HTTP/1.1Host: kms.us-east-2.amazonaws.comContent-Length: 50X-Amz-Target: TrentService.GenerateDataKeyWithoutPlaintextX-Amz-Date: 20161112T001941ZContent-Type: application/x-amz-json-1.1Authorization: AWS4-HMAC-SHA256\ Credential=AKIAI44QH8DHBEXAMPLE/20161112/us-east-2/kms/aws4_request,\ SignedHeaders=content-type;host;x-amz-date;x-amz-target,\ Signature=c86e7fc0218461e537c0d06ac29d865d94dba6fbfad00a844f61200e651df483

{ "KeyId": "alias/ExampleAlias", "KeySpec": "AES_256"}

Example Response

HTTP/1.1 200 OKServer: ServerDate: Sat, 12 Nov 2016 00:19:41 GMTContent-Type: application/x-amz-json-1.1Content-Length: 331Connection: keep-alivex-amzn-RequestId: b4ca7ee7-a86d-11e6-8a4e-2f341b963ed6

{ "CiphertextBlob": "AQEDAHjRYf5WytIc0C857tFSnBaPn2F8DgfmThbJlGfR8P3WlwAAAH4wfAYJKoZIhvcNAQcGoG8wbQIBADBoBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDEvihQE/ntdQTL16wQIBEIA7BE/3LB7F1meU8z4e1vEKBGZgXPwMvkZXbKnf3wxCD9lB4hU29lii4euOqxp8pESb+7oCN9f1R75ac3s=", "KeyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"}

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

API Version 2014-11-0159

https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 68: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceSee Also

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V2

API Version 2014-11-0160

https://docs.aws.amazon.com/goto/aws-cli/kms-2014-11-01/GenerateDataKeyWithoutPlaintext
https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/GenerateDataKeyWithoutPlaintext
https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/GenerateDataKeyWithoutPlaintext
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/GenerateDataKeyWithoutPlaintext
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/GenerateDataKeyWithoutPlaintext
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/kms-2014-11-01/GenerateDataKeyWithoutPlaintext
https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/GenerateDataKeyWithoutPlaintext
https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/GenerateDataKeyWithoutPlaintext
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/GenerateDataKeyWithoutPlaintext
Page 69: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceGenerateRandom

GenerateRandomReturns a random byte string that is cryptographically secure.

For more information about entropy and random number generation, see the AWS Key ManagementService Cryptographic Details whitepaper.

Request Syntax{ "NumberOfBytes": number}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 147).

The request accepts the following data in JSON format.

NoteIn the following list, the required parameters are described first.

NumberOfBytes (p. 61)

The length of the byte string.

Type: Integer

Valid Range: Minimum value of 1. Maximum value of 1024.

Required: No

Response Syntax{ "Plaintext": blob}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

Plaintext (p. 61)

The random byte string. When you use the HTTP API or the AWS CLI, the value is Base64-encdoded.Otherwise, it is not encoded.

Type: Base64-encoded binary data object

Length Constraints: Minimum length of 1. Maximum length of 4096.

API Version 2014-11-0161

https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
Page 70: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceErrors

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 149).

DependencyTimeoutException

The system timed out while trying to fulfill the request. The request can be retried.

HTTP Status Code: 500KMSInternalException

The request was rejected because an internal exception occurred. The request can be retried.

HTTP Status Code: 400

Examples

Example RequestThe following example is formatted for legibility.

POST / HTTP/1.1Host: kms.us-east-2.amazonaws.comContent-Length: 21X-Amz-Target: TrentService.GenerateRandomX-Amz-Date: 20161114T215101ZContent-Type: application/x-amz-json-1.1Authorization: AWS4-HMAC-SHA256\ Credential=AKIAI44QH8DHBEXAMPLE/20161114/us-east-2/kms/aws4_request,\ SignedHeaders=content-type;host;x-amz-date;x-amz-target,\ Signature=e3a0cfdbfb71fae5c89e422ad8322b6a44aed85bf68e3d11f3f315bbaa82ad22

{"NumberOfBytes": 32}

Example Response

HTTP/1.1 200 OKServer: ServerDate: Mon, 14 Nov 2016 21:51:02 GMTContent-Type: application/x-amz-json-1.1Content-Length: 60Connection: keep-alivex-amzn-RequestId: 6f79b0ad-aab4-11e6-971f-0f7b7e5b6782

{"Plaintext":"+Q2hxK6OBuU6K6ZIIBucFMCW2NJkhiSWDySSQyWp9zA="}

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go

API Version 2014-11-0162

https://docs.aws.amazon.com/goto/aws-cli/kms-2014-11-01/GenerateRandom
https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/GenerateRandom
https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/GenerateRandom
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/GenerateRandom
Page 71: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceSee Also

• AWS SDK for Java• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V2

API Version 2014-11-0163

https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/GenerateRandom
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/kms-2014-11-01/GenerateRandom
https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/GenerateRandom
https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/GenerateRandom
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/GenerateRandom
Page 72: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceGetKeyPolicy

GetKeyPolicyGets a key policy attached to the specified customer master key (CMK). You cannot perform thisoperation on a CMK in a different AWS account.

Request Syntax{ "KeyId": "string", "PolicyName": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 147).

The request accepts the following data in JSON format.

NoteIn the following list, the required parameters are described first.

KeyId (p. 64)

A unique identifier for the customer master key (CMK).

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

For example:• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

To get the key ID and key ARN for a CMK, use ListKeys (p. 93) or DescribeKey (p. 30).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: YesPolicyName (p. 64)

Specifies the name of the key policy. The only valid name is default. To get the names of keypolicies, use ListKeyPolicies (p. 89).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: [\w]+

Required: Yes

Response Syntax{

API Version 2014-11-0164

Page 73: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceResponse Elements

"Policy": "string"}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

Policy (p. 64)

A key policy document in JSON format.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 131072.

Pattern: [\u0009\u000A\u000D\u0020-\u00FF]+

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 149).

DependencyTimeoutException

The system timed out while trying to fulfill the request. The request can be retried.

HTTP Status Code: 500InvalidArnException

The request was rejected because a specified ARN was not valid.

HTTP Status Code: 400KMSInternalException

The request was rejected because an internal exception occurred. The request can be retried.

HTTP Status Code: 400KMSInvalidStateException

The request was rejected because the state of the specified resource is not valid for this request.

For more information about how key state affects the use of a CMK, see How Key State Affects Useof a Customer Master Key in the AWS Key Management Service Developer Guide.

HTTP Status Code: 400NotFoundException

The request was rejected because the specified entity or resource could not be found.

HTTP Status Code: 400

ExamplesThe following examples are formatted for legibility.

API Version 2014-11-0165

https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 74: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceSee Also

Example Request

POST / HTTP/1.1Host: kms.us-east-2.amazonaws.comContent-Length: 74X-Amz-Target: TrentService.GetKeyPolicyX-Amz-Date: 20161114T225546ZContent-Type: application/x-amz-json-1.1Authorization: AWS4-HMAC-SHA256\ Credential=AKIAI44QH8DHBEXAMPLE/20161114/us-east-2/kms/aws4_request,\ SignedHeaders=content-type;host;x-amz-date;x-amz-target,\ Signature=a88e20eebfbea3bf62d1512d0d2987e2d233becc7631a442237d3661df623a40

{ "PolicyName": "default", "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"}

Example Response

HTTP/1.1 200 OKServer: ServerDate: Mon, 14 Nov 2016 22:55:47 GMTContent-Type: application/x-amz-json-1.1Content-Length: 326Connection: keep-alivex-amzn-RequestId: 7b105e7b-aabd-11e6-8039-3123b558b719

{"Policy":"{\n \"Version\" : \"2012-10-17\",\n \"Id\" : \"key-default-1\",\n \"Statement\" : [ {\n \"Sid\" : \"Enable IAM User Permissions\",\n \"Effect\" : \"Allow\",\n \"Principal\" : {\n \"AWS\" : \"arn:aws:iam::111122223333:root\"\n },\n \"Action\" : \"kms:*\",\n \"Resource\" : \"*\"\n } ]\n}"}

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V2

API Version 2014-11-0166

https://docs.aws.amazon.com/goto/aws-cli/kms-2014-11-01/GetKeyPolicy
https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/GetKeyPolicy
https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/GetKeyPolicy
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/GetKeyPolicy
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/GetKeyPolicy
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/kms-2014-11-01/GetKeyPolicy
https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/GetKeyPolicy
https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/GetKeyPolicy
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/GetKeyPolicy
Page 75: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceGetKeyRotationStatus

GetKeyRotationStatusGets a Boolean value that indicates whether automatic rotation of the key material is enabled for thespecified customer master key (CMK).

The result of this operation varies with the key state of the CMK. For details, see How Key State AffectsUse of a Customer Master Key in the AWS Key Management Service Developer Guide.

• Disabled: The key rotation status does not change when you disable a CMK. However, while the CMK isdisabled, AWS KMS does not rotate the backing key.

• Pending deletion: While a CMK is pending deletion, its key rotation status is false and AWS KMS doesnot rotate the backing key. If you cancel the deletion, the original key rotation status is restored.

To perform this operation on a CMK in a different AWS account, specify the key ARN in the value of theKeyId parameter.

Request Syntax{ "KeyId": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 147).

The request accepts the following data in JSON format.

NoteIn the following list, the required parameters are described first.

KeyId (p. 67)

A unique identifier for the customer master key (CMK).

Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify a CMK in a differentAWS account, you must use the key ARN.

For example:• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

To get the key ID and key ARN for a CMK, use ListKeys (p. 93) or DescribeKey (p. 30).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: Yes

Response Syntax{

API Version 2014-11-0167

https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 76: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceResponse Elements

"KeyRotationEnabled": boolean}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

KeyRotationEnabled (p. 67)

A Boolean value that specifies whether key rotation is enabled.

Type: Boolean

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 149).

DependencyTimeoutException

The system timed out while trying to fulfill the request. The request can be retried.

HTTP Status Code: 500

InvalidArnException

The request was rejected because a specified ARN was not valid.

HTTP Status Code: 400

KMSInternalException

The request was rejected because an internal exception occurred. The request can be retried.

HTTP Status Code: 400

KMSInvalidStateException

The request was rejected because the state of the specified resource is not valid for this request.

For more information about how key state affects the use of a CMK, see How Key State Affects Useof a Customer Master Key in the AWS Key Management Service Developer Guide.

HTTP Status Code: 400

NotFoundException

The request was rejected because the specified entity or resource could not be found.

HTTP Status Code: 400

UnsupportedOperationException

The request was rejected because a specified parameter is not supported or a specified resource isnot valid for this operation.

HTTP Status Code: 400

API Version 2014-11-0168

https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 77: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceExamples

ExamplesExample RequestThe following example is formatted for legibility.

POST / HTTP/1.1Host: kms.us-east-2.amazonaws.comContent-Length: 49X-Amz-Target: TrentService.GetKeyRotationStatusX-Amz-Date: 20161115T005817ZContent-Type: application/x-amz-json-1.1Authorization: AWS4-HMAC-SHA256\ Credential=AKIAI44QH8DHBEXAMPLE/20161115/us-east-2/kms/aws4_request,\ SignedHeaders=content-type;host;x-amz-date;x-amz-target,\ Signature=282cb3a4a5d10684ff6c363300c34569a0707c4d503b88778e78cc51ea52f9be

{"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"}

Example Response

HTTP/1.1 200 OKServer: ServerDate: Tue, 15 Nov 2016 00:58:18 GMTContent-Type: application/x-amz-json-1.1Content-Length: 28Connection: keep-alivex-amzn-RequestId: 98b59330-aace-11e6-aff0-8333261e2fbd

{"KeyRotationEnabled":false}

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V2

API Version 2014-11-0169

https://docs.aws.amazon.com/goto/aws-cli/kms-2014-11-01/GetKeyRotationStatus
https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/GetKeyRotationStatus
https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/GetKeyRotationStatus
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/GetKeyRotationStatus
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/GetKeyRotationStatus
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/kms-2014-11-01/GetKeyRotationStatus
https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/GetKeyRotationStatus
https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/GetKeyRotationStatus
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/GetKeyRotationStatus
Page 78: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceGetParametersForImport

GetParametersForImportReturns the items you need in order to import key material into AWS KMS from your existing keymanagement infrastructure. For more information about importing key material into AWS KMS, seeImporting Key Material in the AWS Key Management Service Developer Guide.

You must specify the key ID of the customer master key (CMK) into which you will import key material.This CMK's Origin must be EXTERNAL. You must also specify the wrapping algorithm and type ofwrapping key (public key) that you will use to encrypt the key material. You cannot perform thisoperation on a CMK in a different AWS account.

This operation returns a public key and an import token. Use the public key to encrypt the key material.Store the import token to send with a subsequent ImportKeyMaterial (p. 75) request. The public keyand import token from the same response must be used together. These items are valid for 24 hours.When they expire, they cannot be used for a subsequent ImportKeyMaterial (p. 75) request. To getnew ones, send another GetParametersForImport request.

The result of this operation varies with the key state of the CMK. For details, see How Key State AffectsUse of a Customer Master Key in the AWS Key Management Service Developer Guide.

Request Syntax{ "KeyId": "string", "WrappingAlgorithm": "string", "WrappingKeySpec": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 147).

The request accepts the following data in JSON format.

NoteIn the following list, the required parameters are described first.

KeyId (p. 70)

The identifier of the CMK into which you will import key material. The CMK's Origin must beEXTERNAL.

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

For example:• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

To get the key ID and key ARN for a CMK, use ListKeys (p. 93) or DescribeKey (p. 30).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: Yes

API Version 2014-11-0170

https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 79: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceResponse Syntax

WrappingAlgorithm (p. 70)

The algorithm you will use to encrypt the key material before importing it withImportKeyMaterial (p. 75). For more information, see Encrypt the Key Material in the AWS KeyManagement Service Developer Guide.

Type: String

Valid Values: RSAES_PKCS1_V1_5 | RSAES_OAEP_SHA_1 | RSAES_OAEP_SHA_256

Required: YesWrappingKeySpec (p. 70)

The type of wrapping key (public key) to return in the response. Only 2048-bit RSA public keys aresupported.

Type: String

Valid Values: RSA_2048

Required: Yes

Response Syntax{ "ImportToken": blob, "KeyId": "string", "ParametersValidTo": number, "PublicKey": blob}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

ImportToken (p. 71)

The import token to send in a subsequent ImportKeyMaterial (p. 75) request.

Type: Base64-encoded binary data object

Length Constraints: Minimum length of 1. Maximum length of 6144.KeyId (p. 71)

The identifier of the CMK to use in a subsequent ImportKeyMaterial (p. 75) request. This is thesame CMK specified in the GetParametersForImport request.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.ParametersValidTo (p. 71)

The time at which the import token and public key are no longer valid. After this time, youcannot use them to make an ImportKeyMaterial (p. 75) request and you must send anotherGetParametersForImport request to get new ones.

API Version 2014-11-0171

https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-encrypt-key-material.html
Page 80: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceErrors

Type: TimestampPublicKey (p. 71)

The public key to use to encrypt the key material before importing it withImportKeyMaterial (p. 75).

Type: Base64-encoded binary data object

Length Constraints: Minimum length of 1. Maximum length of 4096.

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 149).

DependencyTimeoutException

The system timed out while trying to fulfill the request. The request can be retried.

HTTP Status Code: 500InvalidArnException

The request was rejected because a specified ARN was not valid.

HTTP Status Code: 400KMSInternalException

The request was rejected because an internal exception occurred. The request can be retried.

HTTP Status Code: 400KMSInvalidStateException

The request was rejected because the state of the specified resource is not valid for this request.

For more information about how key state affects the use of a CMK, see How Key State Affects Useof a Customer Master Key in the AWS Key Management Service Developer Guide.

HTTP Status Code: 400NotFoundException

The request was rejected because the specified entity or resource could not be found.

HTTP Status Code: 400UnsupportedOperationException

The request was rejected because a specified parameter is not supported or a specified resource isnot valid for this operation.

HTTP Status Code: 400

ExamplesThe following examples are formatted for legibility.

Example Request

POST / HTTP/1.1

API Version 2014-11-0172

https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 81: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceExamples

Host: kms.us-east-2.amazonaws.comContent-Length: 121X-Amz-Target: TrentService.GetParametersForImportX-Amz-Date: 20161130T225216ZContent-Type: application/x-amz-json-1.1Authorization: AWS4-HMAC-SHA256\ Credential=AKIAI44QH8DHBEXAMPLE/20161130/us-east-2/kms/aws4_request,\ SignedHeaders=content-type;host;x-amz-date;x-amz-target,\ Signature=5bcc8e7669b6de719091ad27ae0145daa319f881010958208e960329341421d5

{ "WrappingAlgorithm": "RSAES_OAEP_SHA_1", "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "WrappingKeySpec": "RSA_2048"}

Example Response

HTTP/1.1 200 OKServer: ServerDate: Wed, 30 Nov 2016 22:52:17 GMTContent-Type: application/x-amz-json-1.1Content-Length: 2892Connection: keep-alivex-amzn-RequestId: a46d61e0-b74f-11e6-b0c0-3343f53dee45

{ "ImportToken": "AQECAHgybIx2X9LNs5ADpvmFm5Sv//daUB9ZeCKoiJxmiw09YQAABrQwggawBgkqhkiG9w0BBwagggahMIIGnQIBADCCBpYGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMv9Fgs/U4Wg2Vw+RMAgEQgIIGZ/wOYGszlrjopP6BW63jlYYn+gd7jpdpx0dxPmPC5Ka6uuUomx1yMKVdgtMiX85jHr8or7RoLISwsyQH+CRD33V+pQs+Rm0+XkinHj5Zl371ibHytqM1DwhCs5FdQJM+8kLau7EXTcar7XLQj86DWJRj/dQW0nDdkQXgXvz7GFWkbYs3IELvTAc5lHOLHgkXeoXom3NtHMvbR2V34tYwaT86gdira9Qj0FDouNaTesEOJN/QjBedXcnuWumwOzK+w/OL+MD4tR8/B1jDjeafRv7YSMxiADr2FsfDL0ELhgXhFVC0Wz42oM0jYnoYjZuXx6fQxEmADjBMPjk6W+SFs4sWOuHs0U8npsWBNOnLAZPqXskqSuPZzb3XMG59s+2ZUcbeARQjYv97861ohWgwzjxur2+wSlaGNYAb+Xh7EV34n2KSLuJ1lSrZrEWlU1Pato6zzN1x0VHJgU3sMCJMQz1uch8ZGHbI7vvBvvvqTJT/+087IA8thTTCRLAYTjr81sSEofug71twBrhct3pzKswaNQVmWMptBe54HWiWWZz1peNuIAIJtX9qtNzeuYEJyqfVBera0B5tK1vCOrwyct+E4AQcSin0AWERUK9LY3BNM2svFrrl2tPWURtUPokMVI0i4NLw2fsHtLw1CXqwjGuzEGKvRfiaat3WGzAtMao5sSFQz/XSCB9Ab5OsddOTArBr/ShuX1WYuPIL2+zQP+gadWjAfTgmx9Q4K2MxQUpS72bqUJmfzXqpVi63sKL43tOwJ+2Bt8Z5JA9xaPkPwiYE5q7dWL4J57cr+Ty/GLXAhat9xIUsTjG5E3FIHLywKiBwlVjH/T5FXxk+T0TXV/61UPGaxPX2HkFTirq/D2Uhz45pFwwH46nbhJe9NoRodjot+uAblfuAqxz0YElCRt/gIMr87l4AF7X48JHfvqmZAYGdhJ1bUhSw8VfTOPkHpUV2k6Eq9DvcSRDsww1FI5+fVf0ZpDEf0W2itRz5Hq+cRkQL9EZqLICNF0QrhEuEJNBXf3oSckvS1tqPnHaRIRmG71BONqwc7fSU7zmXa+O95GV3gIgfvnQ3HJy5EHR2dgkjQdP+hfdw7BcC9NT7ZyO9XefAI5GEr623hrzn6yom4JIiyUjjCQPK8mS75rIgazvyTp0WQKpSSKeJOZswYLNgip8Xv/UBcehAKwRL0QhbOGhUbZvoRNS8c1FbrCUlcBc4W4aWzA4e7cepqy38/jfwRoh0UvN/bbaDh8FC+jZyXhyXSTIPvM25HVVrxsDbsN8LkCabokXFlkhiawm3PqVm6QgWWKcpR2Td+ty+Bdl2tRmGHDsPcHN0WaUEq2AjE7kzL0dv7Jd9OemBNTZSlEoQ8U5+sKbvmSrtFvPIj7zWDpDT9bkZFHcCvwlIE6AflbgBS8z0+xllVgbZHjbNE4f1vaW5mB7Eny19GZrh0f7Gt4bWaPdelyZoWBHDARNLnAh7RKQjRVF/phBgaiRlDQdDmJmGD1yl+dxnIcoPs14xlcIwBdpw/M+lvUuX8K4tqLMKzi1MOE0heBhGL0uEebYSkSQSUXUTTCk9hEkqslw0VXgwpgnGBXAOnVtYdUaqFMx5RIVxW471bnU0CYW5MrTTJ7o2jY3HW87Toear3HscuBt020tIdoITFY3Ftu0cx0lxZg5CNx3F0a0hnqeRdbuPBA8QYR9dNf5spiCWLSUQQM3W/H4KrdRPdvevc8kTG6I8fdK/ArYCvTk/yYL3L6YZbeqbActUTADX0iBijX/T5QYz/Dd4H1eX4abHV70CnxftxCHuLMnwR8DpJVnkouQAqb4N7Ap6JIYkvNKFWb8HBlygq5kKcg5dTMAMiPRz80qsQm/IwGG9JVbKeyhqlKtQOIerspm8J99lcn5s0aB180LKrtXAaFD1AyO3nDZxB3I71QKvOulr1BZ6K4meBKkEw3VqW4PpmxmBKnQVUK1jqwQUGF3AWHpU+2ytZAdDox9zLT7YW457esjUQC6zibfBwb8G97leh704m37Stq6Z752u46frBNSPQlypGuSbqCw1peKeqf/AVehk+j8RKBegOQSCvEja4KPmQrayXVzu3h1tDktA1/Wj21ercJaW20fcZ1KQG/GPHuScFgBsWawQf1spqKwZyHAHPaWZCymD9Fo2yHBHi+/ARPwM02iuqDLi9Tqv/g0=", "KeyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "ParametersValidTo": 1.480632737044E9, "PublicKey": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvH3Yj0wbkLEpUl95Cv1cJVjsVNSjwGq3tCLnzXfhVwVvmzGN8pYj3U8nKwgouaHbBWNJYjP5VutbbkKS4Kv4GojwZBJyHN17kmxo8yTjRmjR15SKIQ8cqRA2uaERMLnpztIXdZp232PQPbWGxDyXYJ0aJ5EFSag+iSK341kr2kFTpINN7T1ZaX9vfXBdGR+VtkRKMWoHQeWzHrPZ+3irvpXNCKxGUxmPNsJSjPUhuSXT5+0VrY/LEYLQ5lUTrhU6z5/OK0kzaCc66DXc5ipSloS4Xyg+QcYSMxe9xuqO5HtzFImUSKBm1W6eDT6lHnSbpi7vXzNbIX7pWxKw9nmQvQIDAQAB"

API Version 2014-11-0173

Page 82: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceSee Also

}

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V2

API Version 2014-11-0174

https://docs.aws.amazon.com/goto/aws-cli/kms-2014-11-01/GetParametersForImport
https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/GetParametersForImport
https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/GetParametersForImport
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/GetParametersForImport
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/GetParametersForImport
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/kms-2014-11-01/GetParametersForImport
https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/GetParametersForImport
https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/GetParametersForImport
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/GetParametersForImport
Page 83: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceImportKeyMaterial

ImportKeyMaterialImports key material into an existing AWS KMS customer master key (CMK) that was created without keymaterial. You cannot perform this operation on a CMK in a different AWS account. For more informationabout creating CMKs with no key material and then importing key material, see Importing Key Materialin the AWS Key Management Service Developer Guide.

Before using this operation, call GetParametersForImport (p. 70). Its response includes a public key andan import token. Use the public key to encrypt the key material. Then, submit the import token from thesame GetParametersForImport response.

When calling this operation, you must specify the following values:

• The key ID or key ARN of a CMK with no key material. Its Origin must be EXTERNAL.

To create a CMK with no key material, call CreateKey (p. 15) and set the value of its Origin parameterto EXTERNAL. To get the Origin of a CMK, call DescribeKey (p. 30).)

• The encrypted key material. To get the public key to encrypt the key material, callGetParametersForImport (p. 70).

• The import token that GetParametersForImport (p. 70) returned. This token and the public key used toencrypt the key material must have come from the same response.

• Whether the key material expires and if so, when. If you set an expiration date, you can change it onlyby reimporting the same key material and specifying a new expiration date. If the key material expires,AWS KMS deletes the key material and the CMK becomes unusable. To use the CMK again, you mustreimport the same key material.

When this operation is successful, the CMK's key state changes from PendingImport to Enabled, andyou can use the CMK. After you successfully import key material into a CMK, you can reimport the samekey material into that CMK, but you cannot import different key material.

The result of this operation varies with the key state of the CMK. For details, see How Key State AffectsUse of a Customer Master Key in the AWS Key Management Service Developer Guide.

Request Syntax

{ "EncryptedKeyMaterial": blob, "ExpirationModel": "string", "ImportToken": blob, "KeyId": "string", "ValidTo": number}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 147).

The request accepts the following data in JSON format.

NoteIn the following list, the required parameters are described first.

API Version 2014-11-0175

https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 84: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceRequest Parameters

EncryptedKeyMaterial (p. 75)

The encrypted key material to import. It must be encrypted with the public key that you received inthe response to a previous GetParametersForImport (p. 70) request, using the wrapping algorithmthat you specified in that request.

Type: Base64-encoded binary data object

Length Constraints: Minimum length of 1. Maximum length of 6144.

Required: YesImportToken (p. 75)

The import token that you received in the response to a previous GetParametersForImport (p. 70)request. It must be from the same response that contained the public key that you used to encryptthe key material.

Type: Base64-encoded binary data object

Length Constraints: Minimum length of 1. Maximum length of 6144.

Required: YesKeyId (p. 75)

The identifier of the CMK to import the key material into. The CMK's Origin must be EXTERNAL.

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

For example:• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

To get the key ID and key ARN for a CMK, use ListKeys (p. 93) or DescribeKey (p. 30).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: YesExpirationModel (p. 75)

Specifies whether the key material expires. The default is KEY_MATERIAL_EXPIRES,in which case you must include the ValidTo parameter. When this parameter is set toKEY_MATERIAL_DOES_NOT_EXPIRE, you must omit the ValidTo parameter.

Type: String

Valid Values: KEY_MATERIAL_EXPIRES | KEY_MATERIAL_DOES_NOT_EXPIRE

Required: NoValidTo (p. 75)

The time at which the imported key material expires. When the key material expires, AWS KMSdeletes the key material and the CMK becomes unusable. You must omit this parameter whenthe ExpirationModel parameter is set to KEY_MATERIAL_DOES_NOT_EXPIRE. Otherwise it isrequired.

Type: Timestamp

API Version 2014-11-0176

Page 85: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceResponse Elements

Required: No

Response ElementsIf the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 149).

DependencyTimeoutException

The system timed out while trying to fulfill the request. The request can be retried.

HTTP Status Code: 500ExpiredImportTokenException

The request was rejected because the provided import token is expired. UseGetParametersForImport (p. 70) to get a new import token and public key, use the new public key toencrypt the key material, and then try the request again.

HTTP Status Code: 400IncorrectKeyMaterialException

The request was rejected because the provided key material is invalid or is not the same key materialthat was previously imported into this customer master key (CMK).

HTTP Status Code: 400InvalidArnException

The request was rejected because a specified ARN was not valid.

HTTP Status Code: 400InvalidCiphertextException

The request was rejected because the specified ciphertext, or additional authenticated dataincorporated into the ciphertext, such as the encryption context, is corrupted, missing, or otherwiseinvalid.

HTTP Status Code: 400InvalidImportTokenException

The request was rejected because the provided import token is invalid or is associated with adifferent customer master key (CMK).

HTTP Status Code: 400KMSInternalException

The request was rejected because an internal exception occurred. The request can be retried.

HTTP Status Code: 400KMSInvalidStateException

The request was rejected because the state of the specified resource is not valid for this request.

For more information about how key state affects the use of a CMK, see How Key State Affects Useof a Customer Master Key in the AWS Key Management Service Developer Guide.

API Version 2014-11-0177

https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 86: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceExamples

HTTP Status Code: 400NotFoundException

The request was rejected because the specified entity or resource could not be found.

HTTP Status Code: 400UnsupportedOperationException

The request was rejected because a specified parameter is not supported or a specified resource isnot valid for this operation.

HTTP Status Code: 400

ExamplesExample RequestThe following example is formatted for legibility.

POST / HTTP/1.1Host: kms.us-east-2.amazonaws.comContent-Length: 2835X-Amz-Target: TrentService.ImportKeyMaterialX-Amz-Date: 20161201T212609ZContent-Type: application/x-amz-json-1.1Authorization: AWS4-HMAC-SHA256\ Credential=AKIAI44QH8DHBEXAMPLE/20161201/us-east-2/kms/aws4_request,\ SignedHeaders=content-type;host;x-amz-date;x-amz-target,\ Signature=dda4e269d4fd93decf1401aeb651e49c206c412c609141f6c743f146e1afb4e3

{ "ExpirationModel": "KEY_MATERIAL_DOES_NOT_EXPIRE", "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "ImportToken": "AQECAHgybIx2X9LNs5ADpvmFm5Sv//daUB9ZeCKoiJxmiw09YQAABrQwggawBgkqhkiG9w0BBwagggahMIIGnQIBADCCBpYGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMv9Fgs/U4Wg2Vw+RMAgEQgIIGZ/wOYGszlrjopP6BW63jlYYn+gd7jpdpx0dxPmPC5Ka6uuUomx1yMKVdgtMiX85jHr8or7RoLISwsyQH+CRD33V+pQs+Rm0+XkinHj5Zl371ibHytqM1DwhCs5FdQJM+8kLau7EXTcar7XLQj86DWJRj/dQW0nDdkQXgXvz7GFWkbYs3IELvTAc5lHOLHgkXeoXom3NtHMvbR2V34tYwaT86gdira9Qj0FDouNaTesEOJN/QjBedXcnuWumwOzK+w/OL+MD4tR8/B1jDjeafRv7YSMxiADr2FsfDL0ELhgXhFVC0Wz42oM0jYnoYjZuXx6fQxEmADjBMPjk6W+SFs4sWOuHs0U8npsWBNOnLAZPqXskqSuPZzb3XMG59s+2ZUcbeARQjYv97861ohWgwzjxur2+wSlaGNYAb+Xh7EV34n2KSLuJ1lSrZrEWlU1Pato6zzN1x0VHJgU3sMCJMQz1uch8ZGHbI7vvBvvvqTJT/+087IA8thTTCRLAYTjr81sSEofug71twBrhct3pzKswaNQVmWMptBe54HWiWWZz1peNuIAIJtX9qtNzeuYEJyqfVBera0B5tK1vCOrwyct+E4AQcSin0AWERUK9LY3BNM2svFrrl2tPWURtUPokMVI0i4NLw2fsHtLw1CXqwjGuzEGKvRfiaat3WGzAtMao5sSFQz/XSCB9Ab5OsddOTArBr/ShuX1WYuPIL2+zQP+gadWjAfTgmx9Q4K2MxQUpS72bqUJmfzXqpVi63sKL43tOwJ+2Bt8Z5JA9xaPkPwiYE5q7dWL4J57cr+Ty/GLXAhat9xIUsTjG5E3FIHLywKiBwlVjH/T5FXxk+T0TXV/61UPGaxPX2HkFTirq/D2Uhz45pFwwH46nbhJe9NoRodjot+uAblfuAqxz0YElCRt/gIMr87l4AF7X48JHfvqmZAYGdhJ1bUhSw8VfTOPkHpUV2k6Eq9DvcSRDsww1FI5+fVf0ZpDEf0W2itRz5Hq+cRkQL9EZqLICNF0QrhEuEJNBXf3oSckvS1tqPnHaRIRmG71BONqwc7fSU7zmXa+O95GV3gIgfvnQ3HJy5EHR2dgkjQdP+hfdw7BcC9NT7ZyO9XefAI5GEr623hrzn6yom4JIiyUjjCQPK8mS75rIgazvyTp0WQKpSSKeJOZswYLNgip8Xv/UBcehAKwRL0QhbOGhUbZvoRNS8c1FbrCUlcBc4W4aWzA4e7cepqy38/jfwRoh0UvN/bbaDh8FC+jZyXhyXSTIPvM25HVVrxsDbsN8LkCabokXFlkhiawm3PqVm6QgWWKcpR2Td+ty+Bdl2tRmGHDsPcHN0WaUEq2AjE7kzL0dv7Jd9OemBNTZSlEoQ8U5+sKbvmSrtFvPIj7zWDpDT9bkZFHcCvwlIE6AflbgBS8z0+xllVgbZHjbNE4f1vaW5mB7Eny19GZrh0f7Gt4bWaPdelyZoWBHDARNLnAh7RKQjRVF/phBgaiRlDQdDmJmGD1yl+dxnIcoPs14xlcIwBdpw/M+lvUuX8K4tqLMKzi1MOE0heBhGL0uEebYSkSQSUXUTTCk9hEkqslw0VXgwpgnGBXAOnVtYdUaqFMx5RIVxW471bnU0CYW5MrTTJ7o2jY3HW87Toear3HscuBt020tIdoITFY3Ftu0cx0lxZg5CNx3F0a0hnqeRdbuPBA8QYR9dNf5spiCWLSUQQM3W/H4KrdRPdvevc8kTG6I8fdK/ArYCvTk/yYL3L6YZbeqbActUTADX0iBijX/T5QYz/Dd4H1eX4abHV70CnxftxCHuLMnwR8DpJVnkouQAqb4N7Ap6JIYkvNKFWb8HBlygq5kKcg5dTMAMiPRz80qsQm/IwGG9JVbKeyhqlKtQOIerspm8J99lcn5s0aB180LKrtXAaFD1AyO3nDZxB3I71QKvOulr1BZ6K4meBKkEw3VqW4PpmxmBKnQVUK1jqwQUGF3AWHpU+2ytZAdDox9zLT7YW457esjUQC6zibfBwb8G97leh704m37Stq6Z752u46frBNSPQlypGuSbqCw1peKeqf/

API Version 2014-11-0178

Page 87: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceSee Also

AVehk+j8RKBegOQSCvEja4KPmQrayXVzu3h1tDktA1/Wj21ercJaW20fcZ1KQG/GPHuScFgBsWawQf1spqKwZyHAHPaWZCymD9Fo2yHBHi+/ARPwM02iuqDLi9Tqv/g0=", "EncryptedKeyMaterial": "CubeyZ4cm/xMEA0UG5jP1iBzh/0E+uUg407JDcXhIC+iuMm+wPgITaEby+Y3nM/e6gjUls5vy9TdBRFv4+JtksvB5hW4Znb2lUQhTUv+SSAZpaI14kAgTq/jC2GTLkaC6Vf5zJx2xaLrOKGV2Xu4YgONIGslubHNffTC3aL/YBJ/FXTXaVu7rS2phOFCrZ+ATittS03w4DiCVoNwo2v0QE0+dVoUNjXNQC1veWxhPlC7FezfK7AIsBSSXotJfANxRkybg8KcmkSoYdzr3N0L0v7oMorgbTgaTvdrLXu/PzphK6RWJGJig4tk+lxUT8hV7xiLkFskGjIHFmp6Xbon8w=="}

Example Response

HTTP/1.1 200 OKServer: ServerDate: Thu, 01 Dec 2016 21:26:10 GMTContent-Type: application/x-amz-json-1.1Content-Length: 2Connection: keep-alivex-amzn-RequestId: c72fb6ff-b80c-11e6-ae07-61b14fe11739

{}

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V2

API Version 2014-11-0179

https://docs.aws.amazon.com/goto/aws-cli/kms-2014-11-01/ImportKeyMaterial
https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/ImportKeyMaterial
https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/ImportKeyMaterial
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/ImportKeyMaterial
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/ImportKeyMaterial
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/kms-2014-11-01/ImportKeyMaterial
https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/ImportKeyMaterial
https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/ImportKeyMaterial
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/ImportKeyMaterial
Page 88: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceListAliases

ListAliasesGets a list of all aliases in the caller's AWS account and region. You cannot list aliases in other accounts.For more information about aliases, see CreateAlias (p. 7).

The response might include several aliases that do not have a TargetKeyId field because they arenot associated with a CMK. These predefined aliases are reserved for CMKs that are managed by AWSservices. Aliases that AWS creates in your account, including predefined aliases, do not count againstyour AWS KMS aliases limit.

Request Syntax{ "Limit": number, "Marker": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 147).

The request accepts the following data in JSON format.

NoteIn the following list, the required parameters are described first.

Limit (p. 80)

Use this parameter to specify the maximum number of items to return. When this value is present,AWS KMS does not return more than the specified number of items, but it might return fewer.

This value is optional. If you include a value, it must be between 1 and 100, inclusive. If you do notinclude a value, it defaults to 50.

Type: Integer

Valid Range: Minimum value of 1. Maximum value of 100.

Required: NoMarker (p. 80)

Use this parameter in a subsequent request after you receive a response with truncated results. Set itto the value of NextMarker from the truncated response you just received.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: [\u0020-\u00FF]*

Required: No

Response Syntax{

API Version 2014-11-0180

https://docs.aws.amazon.com/kms/latest/developerguide/limits.html#aliases-limit
Page 89: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceResponse Elements

"Aliases": [ { "AliasArn": "string", "AliasName": "string", "TargetKeyId": "string" } ], "NextMarker": "string", "Truncated": boolean}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

Aliases (p. 80)

A list of aliases.

Type: Array of AliasListEntry (p. 138) objectsNextMarker (p. 80)

When Truncated is true, this element is present and contains the value to use for the Markerparameter in a subsequent request.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: [\u0020-\u00FF]*Truncated (p. 80)

A flag that indicates whether there are more items in the list. When this value is true, the list inthis response is truncated. To get more items, pass the value of the NextMarker element in thisresponse to the Marker parameter in a subsequent request.

Type: Boolean

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 149).

DependencyTimeoutException

The system timed out while trying to fulfill the request. The request can be retried.

HTTP Status Code: 500InvalidMarkerException

The request was rejected because the marker that specifies where pagination should next begin isnot valid.

HTTP Status Code: 400KMSInternalException

The request was rejected because an internal exception occurred. The request can be retried.

API Version 2014-11-0181

Page 90: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceExamples

HTTP Status Code: 400

ExamplesThe following examples are formatted for legibility.

Example Request

POST / HTTP/1.1Host: kms.us-east-2.amazonaws.comContent-Length: 2X-Amz-Target: TrentService.ListAliasesX-Amz-Date: 20161203T011453ZContent-Type: application/x-amz-json-1.1Authorization: AWS4-HMAC-SHA256\ Credential=AKIAI44QH8DHBEXAMPLE/20161203/us-east-2/kms/aws4_request,\ SignedHeaders=content-type;host;x-amz-date;x-amz-target,\ Signature=c2867e5f45167bf713e8f2c9998772ad72a20958db2cc0ef46bfba1632ca4d62

{}

Example Response

HTTP/1.1 200 OKServer: ServerDate: Sat, 03 Dec 2016 01:14:55 GMTContent-Type: application/x-amz-json-1.1Content-Length: 2874Connection: keep-alivex-amzn-RequestId: e6196175-b8f5-11e6-b404-15dcd0a7add5

{ "Aliases": [ { "AliasArn": "arn:aws:kms:us-east-2:111122223333:alias/aws/acm", "AliasName": "alias/aws/acm", "TargetKeyId": "da03f6f7-d279-427a-9cae-de48d07e5b66" }, { "AliasArn": "arn:aws:kms:us-east-2:111122223333:alias/aws/ebs", "AliasName": "alias/aws/ebs", "TargetKeyId": "25a217e7-7170-4b8c-8bf6-045ea5f70e5b" }, { "AliasArn": "arn:aws:kms:us-east-2:111122223333:alias/aws/rds", "AliasName": "alias/aws/rds", "TargetKeyId": "7ec3104e-c3f2-4b5c-bf42-bfc4772c6685" }, { "AliasArn": "arn:aws:kms:us-east-2:111122223333:alias/aws/redshift", "AliasName": "alias/aws/redshift", "TargetKeyId": "08f7a25a-69e2-4fb5-8f10-393db27326fa" }, { "AliasArn": "arn:aws:kms:us-east-2:111122223333:alias/aws/s3", "AliasName": "alias/aws/s3", "TargetKeyId": "d2b0f1a3-580d-4f79-b836-bc983be8cfa5" }, { "AliasArn": "arn:aws:kms:us-east-2:111122223333:alias/example1",

API Version 2014-11-0182

Page 91: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceSee Also

"AliasName": "alias/example1", "TargetKeyId": "4da1e216-62d0-46c5-a7c0-5f3a3d2f8046" }, { "AliasArn": "arn:aws:kms:us-east-2:111122223333:alias/example2", "AliasName": "alias/example2", "TargetKeyId": "f32fef59-2cc2-445b-8573-2d73328acbee" }, { "AliasArn": "arn:aws:kms:us-east-2:111122223333:alias/example3", "AliasName": "alias/example3", "TargetKeyId": "1374ef38-d34e-4d5f-b2c9-4e0daee38855" } ], "Truncated": false}

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V2

API Version 2014-11-0183

https://docs.aws.amazon.com/goto/aws-cli/kms-2014-11-01/ListAliases
https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/ListAliases
https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/ListAliases
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/ListAliases
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/ListAliases
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/kms-2014-11-01/ListAliases
https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/ListAliases
https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/ListAliases
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/ListAliases
Page 92: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceListGrants

ListGrantsGets a list of all grants for the specified customer master key (CMK).

To perform this operation on a CMK in a different AWS account, specify the key ARN in the value of theKeyId parameter.

Request Syntax{ "KeyId": "string", "Limit": number, "Marker": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 147).

The request accepts the following data in JSON format.

NoteIn the following list, the required parameters are described first.

KeyId (p. 84)

A unique identifier for the customer master key (CMK).

Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify a CMK in a differentAWS account, you must use the key ARN.

For example:• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

To get the key ID and key ARN for a CMK, use ListKeys (p. 93) or DescribeKey (p. 30).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: YesLimit (p. 84)

Use this parameter to specify the maximum number of items to return. When this value is present,AWS KMS does not return more than the specified number of items, but it might return fewer.

This value is optional. If you include a value, it must be between 1 and 100, inclusive. If you do notinclude a value, it defaults to 50.

Type: Integer

Valid Range: Minimum value of 1. Maximum value of 100.

Required: No

API Version 2014-11-0184

Page 93: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceResponse Syntax

Marker (p. 84)

Use this parameter in a subsequent request after you receive a response with truncated results. Set itto the value of NextMarker from the truncated response you just received.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: [\u0020-\u00FF]*

Required: No

Response Syntax{ "Grants": [ { "Constraints": { "EncryptionContextEquals": { "string" : "string" }, "EncryptionContextSubset": { "string" : "string" } }, "CreationDate": number, "GranteePrincipal": "string", "GrantId": "string", "IssuingAccount": "string", "KeyId": "string", "Name": "string", "Operations": [ "string" ], "RetiringPrincipal": "string" } ], "NextMarker": "string", "Truncated": boolean}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

Grants (p. 85)

A list of grants.

Type: Array of GrantListEntry (p. 140) objectsNextMarker (p. 85)

When Truncated is true, this element is present and contains the value to use for the Markerparameter in a subsequent request.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

API Version 2014-11-0185

Page 94: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceErrors

Pattern: [\u0020-\u00FF]*Truncated (p. 85)

A flag that indicates whether there are more items in the list. When this value is true, the list inthis response is truncated. To get more items, pass the value of the NextMarker element in thisresponse to the Marker parameter in a subsequent request.

Type: Boolean

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 149).

DependencyTimeoutException

The system timed out while trying to fulfill the request. The request can be retried.

HTTP Status Code: 500InvalidArnException

The request was rejected because a specified ARN was not valid.

HTTP Status Code: 400InvalidMarkerException

The request was rejected because the marker that specifies where pagination should next begin isnot valid.

HTTP Status Code: 400KMSInternalException

The request was rejected because an internal exception occurred. The request can be retried.

HTTP Status Code: 400KMSInvalidStateException

The request was rejected because the state of the specified resource is not valid for this request.

For more information about how key state affects the use of a CMK, see How Key State Affects Useof a Customer Master Key in the AWS Key Management Service Developer Guide.

HTTP Status Code: 400NotFoundException

The request was rejected because the specified entity or resource could not be found.

HTTP Status Code: 400

ExamplesThe following examples are formatted for legibility.

Example Request

POST / HTTP/1.1

API Version 2014-11-0186

https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 95: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceExamples

Host: kms.us-east-2.amazonaws.comContent-Length: 49X-Amz-Target: TrentService.ListGrantsX-Amz-Date: 20161206T231134ZContent-Type: application/x-amz-json-1.1Authorization: AWS4-HMAC-SHA256\ Credential=AKIAI44QH8DHBEXAMPLE/20161206/us-east-2/kms/aws4_request,\ SignedHeaders=content-type;host;x-amz-date;x-amz-target,\ Signature=157e1dd2ef1992e70e403e96c9f7122c5eb18bf82e4e5a71a83d63dcbc1c681b

{"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"}

Example Response

HTTP/1.1 200 OKServer: ServerDate: Tue, 06 Dec 2016 23:11:34 GMTContent-Type: application/x-amz-json-1.1Content-Length: 1652Connection: keep-alivex-amzn-RequestId: 54ee4e2f-bc09-11e6-8073-89d6c33fcd1f

{ "Grants": [ { "CreationDate": 1.477431461E9, "GrantId": "91ad875e49b04a9d1f3bdeb84d821f9db6ea95e1098813f6d47f0c65fbe2a172", "GranteePrincipal": "acm.us-east-2.amazonaws.com", "IssuingAccount": "arn:aws:iam::111122223333:root", "KeyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "Name": "", "Operations": [ "Encrypt", "ReEncryptFrom", "ReEncryptTo" ], "RetiringPrincipal": "acm.us-east-2.amazonaws.com" }, { "CreationDate": 1.477431461E9, "GrantId": "a5d67d3e207a8fc1f4928749ee3e52eb0440493a8b9cf05bbfad91655b056200", "GranteePrincipal": "acm.us-east-2.amazonaws.com", "IssuingAccount": "arn:aws:iam::111122223333:root", "KeyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "Name": "", "Operations": [ "ReEncryptFrom", "ReEncryptTo" ], "RetiringPrincipal": "acm.us-east-2.amazonaws.com" }, { "CreationDate": 1.477431461E9, "GrantId": "c541aaf05d90cb78846a73b346fc43e65be28b7163129488c738e0c9e0628f4f", "GranteePrincipal": "acm.us-east-2.amazonaws.com", "IssuingAccount": "arn:aws:iam::111122223333:root", "KeyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "Name": "", "Operations": [ "Encrypt", "ReEncryptFrom",

API Version 2014-11-0187

Page 96: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceSee Also

"ReEncryptTo" ], "RetiringPrincipal": "acm.us-east-2.amazonaws.com" }, { "CreationDate": 1.477431461E9, "GrantId": "dd2052c67b4c76ee45caf1dc6a1e2d24e8dc744a51b36ae2f067dc540ce0105c", "GranteePrincipal": "acm.us-east-2.amazonaws.com", "IssuingAccount": "arn:aws:iam::111122223333:root", "KeyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "Name": "", "Operations": [ "Encrypt", "ReEncryptFrom", "ReEncryptTo" ], "RetiringPrincipal": "acm.us-east-2.amazonaws.com" } ], "Truncated": false}

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V2

API Version 2014-11-0188

https://docs.aws.amazon.com/goto/aws-cli/kms-2014-11-01/ListGrants
https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/ListGrants
https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/ListGrants
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/ListGrants
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/ListGrants
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/kms-2014-11-01/ListGrants
https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/ListGrants
https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/ListGrants
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/ListGrants
Page 97: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceListKeyPolicies

ListKeyPoliciesGets the names of the key policies that are attached to a customer master key (CMK). This operation isdesigned to get policy names that you can use in a GetKeyPolicy (p. 64) operation. However, the onlyvalid policy name is default. You cannot perform this operation on a CMK in a different AWS account.

Request Syntax{ "KeyId": "string", "Limit": number, "Marker": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 147).

The request accepts the following data in JSON format.

NoteIn the following list, the required parameters are described first.

KeyId (p. 89)

A unique identifier for the customer master key (CMK).

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

For example:

• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

To get the key ID and key ARN for a CMK, use ListKeys (p. 93) or DescribeKey (p. 30).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: Yes

Limit (p. 89)

Use this parameter to specify the maximum number of items to return. When this value is present,AWS KMS does not return more than the specified number of items, but it might return fewer.

This value is optional. If you include a value, it must be between 1 and 1000, inclusive. If you do notinclude a value, it defaults to 100.

Currently only 1 policy can be attached to a key.

Type: Integer

Valid Range: Minimum value of 1. Maximum value of 1000.

API Version 2014-11-0189

Page 98: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceResponse Syntax

Required: No

Marker (p. 89)

Use this parameter in a subsequent request after you receive a response with truncated results. Set itto the value of NextMarker from the truncated response you just received.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: [\u0020-\u00FF]*

Required: No

Response Syntax{ "NextMarker": "string", "PolicyNames": [ "string" ], "Truncated": boolean}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

NextMarker (p. 90)

When Truncated is true, this element is present and contains the value to use for the Markerparameter in a subsequent request.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: [\u0020-\u00FF]*

PolicyNames (p. 90)

A list of key policy names. Currently, there is only one key policy per CMK and it is always nameddefault.

Type: Array of strings

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: [\w]+

Truncated (p. 90)

A flag that indicates whether there are more items in the list. When this value is true, the list inthis response is truncated. To get more items, pass the value of the NextMarker element in thisresponse to the Marker parameter in a subsequent request.

Type: Boolean

API Version 2014-11-0190

Page 99: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceErrors

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 149).

DependencyTimeoutException

The system timed out while trying to fulfill the request. The request can be retried.

HTTP Status Code: 500InvalidArnException

The request was rejected because a specified ARN was not valid.

HTTP Status Code: 400KMSInternalException

The request was rejected because an internal exception occurred. The request can be retried.

HTTP Status Code: 400KMSInvalidStateException

The request was rejected because the state of the specified resource is not valid for this request.

For more information about how key state affects the use of a CMK, see How Key State Affects Useof a Customer Master Key in the AWS Key Management Service Developer Guide.

HTTP Status Code: 400NotFoundException

The request was rejected because the specified entity or resource could not be found.

HTTP Status Code: 400

ExamplesThe following examples are formatted for legibility.

Example Request

POST / HTTP/1.1Host: kms.us-east-2.amazonaws.comContent-Length: 49X-Amz-Target: TrentService.ListKeyPoliciesX-Amz-Date: 20161206T235923ZContent-Type: application/x-amz-json-1.1Authorization: AWS4-HMAC-SHA256\ Credential=AKIAI44QH8DHBEXAMPLE/20161206/us-east-2/kms/aws4_request,\ SignedHeaders=content-type;host;x-amz-date;x-amz-target,\ Signature=82fe067c53d0dfff36793b8b6ef2d82d8adf0f1c05016bf4b4d6c50563ec7033

{"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"}

Example Response

HTTP/1.1 200 OKServer: Server

API Version 2014-11-0191

https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 100: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceSee Also

Date: Tue, 06 Dec 2016 23:59:24 GMTContent-Type: application/x-amz-json-1.1Content-Length: 45Connection: keep-alivex-amzn-RequestId: 036f8e4b-bc10-11e6-b60b-ffb5eb2d1d15

{ "PolicyNames": ["default"], "Truncated": false}

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V2

API Version 2014-11-0192

https://docs.aws.amazon.com/goto/aws-cli/kms-2014-11-01/ListKeyPolicies
https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/ListKeyPolicies
https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/ListKeyPolicies
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/ListKeyPolicies
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/ListKeyPolicies
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/kms-2014-11-01/ListKeyPolicies
https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/ListKeyPolicies
https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/ListKeyPolicies
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/ListKeyPolicies
Page 101: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceListKeys

ListKeysGets a list of all customer master keys (CMKs) in the caller's AWS account and region.

Request Syntax{ "Limit": number, "Marker": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 147).

The request accepts the following data in JSON format.

NoteIn the following list, the required parameters are described first.

Limit (p. 93)

Use this parameter to specify the maximum number of items to return. When this value is present,AWS KMS does not return more than the specified number of items, but it might return fewer.

This value is optional. If you include a value, it must be between 1 and 1000, inclusive. If you do notinclude a value, it defaults to 100.

Type: Integer

Valid Range: Minimum value of 1. Maximum value of 1000.

Required: No

Marker (p. 93)

Use this parameter in a subsequent request after you receive a response with truncated results. Set itto the value of NextMarker from the truncated response you just received.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: [\u0020-\u00FF]*

Required: No

Response Syntax{ "Keys": [ { "KeyArn": "string", "KeyId": "string"

API Version 2014-11-0193

Page 102: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceResponse Elements

} ], "NextMarker": "string", "Truncated": boolean}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

Keys (p. 93)

A list of customer master keys (CMKs).

Type: Array of KeyListEntry (p. 142) objects

NextMarker (p. 93)

When Truncated is true, this element is present and contains the value to use for the Markerparameter in a subsequent request.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: [\u0020-\u00FF]*

Truncated (p. 93)

A flag that indicates whether there are more items in the list. When this value is true, the list inthis response is truncated. To get more items, pass the value of the NextMarker element in thisresponse to the Marker parameter in a subsequent request.

Type: Boolean

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 149).

DependencyTimeoutException

The system timed out while trying to fulfill the request. The request can be retried.

HTTP Status Code: 500

InvalidMarkerException

The request was rejected because the marker that specifies where pagination should next begin isnot valid.

HTTP Status Code: 400

KMSInternalException

The request was rejected because an internal exception occurred. The request can be retried.

HTTP Status Code: 400

API Version 2014-11-0194

Page 103: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceExamples

ExamplesThe following examples are formatted for legibility.

Example Request

POST / HTTP/1.1Host: kms.us-east-2.amazonaws.comContent-Length: 2X-Amz-Target: TrentService.ListKeysX-Amz-Date: 20161207T003550ZContent-Type: application/x-amz-json-1.1Authorization: AWS4-HMAC-SHA256\ Credential=AKIAI44QH8DHBEXAMPLE/20161207/us-east-2/kms/aws4_request,\ SignedHeaders=content-type;host;x-amz-date;x-amz-target,\ Signature=2196a20c1a139ae8f6fe070881f41954616c775bb5a484814c35f8ee35cfa448

{}

Example Response

HTTP/1.1 200 OKServer: ServerDate: Wed, 07 Dec 2016 00:35:50 GMTContent-Type: application/x-amz-json-1.1Content-Length: 980Connection: keep-alivex-amzn-RequestId: 1a5f0a53-bc15-11e6-82b3-e9e4af764a06

{ "Keys": [ { "KeyArn": "arn:aws:kms:us-east-2:111122223333:key/0d990263-018e-4e65-a703-eff731de951e", "KeyId": "0d990263-018e-4e65-a703-eff731de951e" }, { "KeyArn": "arn:aws:kms:us-east-2:111122223333:key/144be297-0ae1-44ac-9c8f-93cd8c82f841", "KeyId": "144be297-0ae1-44ac-9c8f-93cd8c82f841" }, { "KeyArn": "arn:aws:kms:us-east-2:111122223333:key/21184251-b765-428e-b852-2c7353e72571", "KeyId": "21184251-b765-428e-b852-2c7353e72571" }, { "KeyArn": "arn:aws:kms:us-east-2:111122223333:key/214fe92f-5b03-4ae1-b350-db2a45dbe10c", "KeyId": "214fe92f-5b03-4ae1-b350-db2a45dbe10c" }, { "KeyArn": "arn:aws:kms:us-east-2:111122223333:key/339963f2-e523-49d3-af24-a0fe752aa458", "KeyId": "339963f2-e523-49d3-af24-a0fe752aa458" }, { "KeyArn": "arn:aws:kms:us-east-2:111122223333:key/b776a44b-df37-4438-9be4-a27494e4271a", "KeyId": "b776a44b-df37-4438-9be4-a27494e4271a" },

API Version 2014-11-0195

Page 104: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceSee Also

{ "KeyArn": "arn:aws:kms:us-east-2:111122223333:key/deaf6c9e-cf2c-46a6-bf6d-0b6d487cffbb", "KeyId": "deaf6c9e-cf2c-46a6-bf6d-0b6d487cffbb" } ], "Truncated": false}

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V2

API Version 2014-11-0196

https://docs.aws.amazon.com/goto/aws-cli/kms-2014-11-01/ListKeys
https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/ListKeys
https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/ListKeys
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/ListKeys
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/ListKeys
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/kms-2014-11-01/ListKeys
https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/ListKeys
https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/ListKeys
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/ListKeys
Page 105: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceListResourceTags

ListResourceTagsReturns a list of all tags for the specified customer master key (CMK).

You cannot perform this operation on a CMK in a different AWS account.

Request Syntax{ "KeyId": "string", "Limit": number, "Marker": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 147).

The request accepts the following data in JSON format.

NoteIn the following list, the required parameters are described first.

KeyId (p. 97)

A unique identifier for the customer master key (CMK).

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

For example:

• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

To get the key ID and key ARN for a CMK, use ListKeys (p. 93) or DescribeKey (p. 30).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: Yes

Limit (p. 97)

Use this parameter to specify the maximum number of items to return. When this value is present,AWS KMS does not return more than the specified number of items, but it might return fewer.

This value is optional. If you include a value, it must be between 1 and 50, inclusive. If you do notinclude a value, it defaults to 50.

Type: Integer

Valid Range: Minimum value of 1. Maximum value of 1000.

Required: No

API Version 2014-11-0197

Page 106: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceResponse Syntax

Marker (p. 97)

Use this parameter in a subsequent request after you receive a response with truncated results. Set itto the value of NextMarker from the truncated response you just received.

Do not attempt to construct this value. Use only the value of NextMarker from the truncatedresponse you just received.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: [\u0020-\u00FF]*

Required: No

Response Syntax{ "NextMarker": "string", "Tags": [ { "TagKey": "string", "TagValue": "string" } ], "Truncated": boolean}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

NextMarker (p. 98)

When Truncated is true, this element is present and contains the value to use for the Markerparameter in a subsequent request.

Do not assume or infer any information from this value.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: [\u0020-\u00FF]*Tags (p. 98)

A list of tags. Each tag consists of a tag key and a tag value.

Type: Array of Tag (p. 146) objectsTruncated (p. 98)

A flag that indicates whether there are more items in the list. When this value is true, the list inthis response is truncated. To get more items, pass the value of the NextMarker element in thisresponse to the Marker parameter in a subsequent request.

API Version 2014-11-0198

Page 107: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceErrors

Type: Boolean

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 149).

InvalidArnException

The request was rejected because a specified ARN was not valid.

HTTP Status Code: 400InvalidMarkerException

The request was rejected because the marker that specifies where pagination should next begin isnot valid.

HTTP Status Code: 400KMSInternalException

The request was rejected because an internal exception occurred. The request can be retried.

HTTP Status Code: 400NotFoundException

The request was rejected because the specified entity or resource could not be found.

HTTP Status Code: 400

ExamplesThe following examples are formatted for legibility.

Example Request

POST / HTTP/1.1Host: kms.us-east-2.amazonaws.comContent-Length: 49X-Amz-Target: TrentService.ListResourceTagsX-Amz-Date: 20170109T200421ZContent-Type: application/x-amz-json-1.1Authorization: AWS4-HMAC-SHA256\ Credential=AKIAI44QH8DHBEXAMPLE/20170109/us-east-2/kms/aws4_request,\ SignedHeaders=content-type;host;x-amz-date;x-amz-target,\ Signature=17706fce40fda00c6768b3297355c353490c1dfdf3b3a9591193612961cd2cb4

{"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"}

Example Response

HTTP/1.1 200 OKServer: ServerDate: Mon, 09 Jan 2017 20:04:22 GMTContent-Type: application/x-amz-json-1.1Content-Length: 158Connection: keep-alive

API Version 2014-11-0199

Page 108: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceSee Also

x-amzn-RequestId: cfb46544-d6a6-11e6-a164-b5365990e84e

{ "Tags": [{ "TagKey": "CostCenter", "TagValue": "87654" }, { "TagKey": "CreatedBy", "TagValue": "ExampleUser" }, { "TagKey": "Purpose", "TagValue": "Test" }], "Truncated": false}

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V2

API Version 2014-11-01100

https://docs.aws.amazon.com/goto/aws-cli/kms-2014-11-01/ListResourceTags
https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/ListResourceTags
https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/ListResourceTags
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/ListResourceTags
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/ListResourceTags
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/kms-2014-11-01/ListResourceTags
https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/ListResourceTags
https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/ListResourceTags
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/ListResourceTags
Page 109: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceListRetirableGrants

ListRetirableGrantsReturns a list of all grants for which the grant's RetiringPrincipal matches the one specified.

A typical use is to list all grants that you are able to retire. To retire a grant, use RetireGrant (p. 115).

Request Syntax{ "Limit": number, "Marker": "string", "RetiringPrincipal": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 147).

The request accepts the following data in JSON format.

NoteIn the following list, the required parameters are described first.

RetiringPrincipal (p. 101)

The retiring principal for which to list grants.

To specify the retiring principal, use the Amazon Resource Name (ARN) of an AWS principal. ValidAWS principals include AWS accounts (root), IAM users, federated users, and assumed role users. Forexamples of the ARN syntax for specifying a principal, see AWS Identity and Access Management(IAM) in the Example ARNs section of the Amazon Web Services General Reference.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Required: YesLimit (p. 101)

Use this parameter to specify the maximum number of items to return. When this value is present,AWS KMS does not return more than the specified number of items, but it might return fewer.

This value is optional. If you include a value, it must be between 1 and 100, inclusive. If you do notinclude a value, it defaults to 50.

Type: Integer

Valid Range: Minimum value of 1. Maximum value of 100.

Required: NoMarker (p. 101)

Use this parameter in a subsequent request after you receive a response with truncated results. Set itto the value of NextMarker from the truncated response you just received.

Type: String

API Version 2014-11-01101

https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam
Page 110: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceResponse Syntax

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: [\u0020-\u00FF]*

Required: No

Response Syntax{ "Grants": [ { "Constraints": { "EncryptionContextEquals": { "string" : "string" }, "EncryptionContextSubset": { "string" : "string" } }, "CreationDate": number, "GranteePrincipal": "string", "GrantId": "string", "IssuingAccount": "string", "KeyId": "string", "Name": "string", "Operations": [ "string" ], "RetiringPrincipal": "string" } ], "NextMarker": "string", "Truncated": boolean}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

Grants (p. 102)

A list of grants.

Type: Array of GrantListEntry (p. 140) objectsNextMarker (p. 102)

When Truncated is true, this element is present and contains the value to use for the Markerparameter in a subsequent request.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 1024.

Pattern: [\u0020-\u00FF]*Truncated (p. 102)

A flag that indicates whether there are more items in the list. When this value is true, the list inthis response is truncated. To get more items, pass the value of the NextMarker element in thisresponse to the Marker parameter in a subsequent request.

API Version 2014-11-01102

Page 111: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceErrors

Type: Boolean

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 149).

DependencyTimeoutException

The system timed out while trying to fulfill the request. The request can be retried.

HTTP Status Code: 500InvalidArnException

The request was rejected because a specified ARN was not valid.

HTTP Status Code: 400InvalidMarkerException

The request was rejected because the marker that specifies where pagination should next begin isnot valid.

HTTP Status Code: 400KMSInternalException

The request was rejected because an internal exception occurred. The request can be retried.

HTTP Status Code: 400NotFoundException

The request was rejected because the specified entity or resource could not be found.

HTTP Status Code: 400

ExamplesThe following examples are formatted for legibility.

Example Request

POST / HTTP/1.1Host: kms.us-east-2.amazonaws.comContent-Length: 61X-Amz-Target: TrentService.ListRetirableGrantsX-Amz-Date: 20161207T191040ZContent-Type: application/x-amz-json-1.1Authorization: AWS4-HMAC-SHA256\ Credential=AKIAI44QH8DHBEXAMPLE/20161207/us-east-2/kms/aws4_request,\ SignedHeaders=content-type;host;x-amz-date;x-amz-target,\ Signature=d5e43f0cfd75a3251f40bc27e76f83b3110b33e3d972142ae118b2b3c0f67b39

{"RetiringPrincipal": "arn:aws:iam::111122223333:role/ExampleRole"}

Example Response

HTTP/1.1 200 OK

API Version 2014-11-01103

Page 112: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceSee Also

Server: ServerDate: Wed, 07 Dec 2016 19:10:41 GMTContent-Type: application/x-amz-json-1.1Content-Length: 436Connection: keep-alivex-amzn-RequestId: d86125dc-bcb0-11e6-82b3-e9e4af764a06

{ "Grants": [ { "CreationDate": 1.481137775E9, "GrantId": "0c237476b39f8bc44e45212e08498fbe3151305030726c0590dd8d3e9f3d6a60", "GranteePrincipal": "arn:aws:iam::111122223333:role/ExampleRole", "IssuingAccount": "arn:aws:iam::444455556666:root", "KeyId": "arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab", "Name": "", "Operations": [ "Decrypt", "Encrypt" ], "RetiringPrincipal": "arn:aws:iam::111122223333:role/ExampleRole" } ], "Truncated": false}

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V2

API Version 2014-11-01104

https://docs.aws.amazon.com/goto/aws-cli/kms-2014-11-01/ListRetirableGrants
https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/ListRetirableGrants
https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/ListRetirableGrants
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/ListRetirableGrants
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/ListRetirableGrants
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/kms-2014-11-01/ListRetirableGrants
https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/ListRetirableGrants
https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/ListRetirableGrants
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/ListRetirableGrants
Page 113: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferencePutKeyPolicy

PutKeyPolicyAttaches a key policy to the specified customer master key (CMK). You cannot perform this operation ona CMK in a different AWS account.

For more information about key policies, see Key Policies in the AWS Key Management Service DeveloperGuide.

Request Syntax{ "BypassPolicyLockoutSafetyCheck": boolean, "KeyId": "string", "Policy": "string", "PolicyName": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 147).

The request accepts the following data in JSON format.

NoteIn the following list, the required parameters are described first.

KeyId (p. 105)

A unique identifier for the customer master key (CMK).

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

For example:

• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

To get the key ID and key ARN for a CMK, use ListKeys (p. 93) or DescribeKey (p. 30).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: Yes

Policy (p. 105)

The key policy to attach to the CMK.

The key policy must meet the following criteria:

• If you don't set BypassPolicyLockoutSafetyCheck to true, the key policy must allow theprincipal that is making the PutKeyPolicy request to make a subsequent PutKeyPolicyrequest on the CMK. This reduces the risk that the CMK becomes unmanageable. For moreinformation, refer to the scenario in the Default Key Policy section of the AWS Key ManagementService Developer Guide.

API Version 2014-11-01105

https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
Page 114: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceResponse Elements

• Each statement in the key policy must contain one or more principals. The principals in the keypolicy must exist and be visible to AWS KMS. When you create a new AWS principal (for example,an IAM user or role), you might need to enforce a delay before including the new principal in akey policy because the new principal might not be immediately visible to AWS KMS. For moreinformation, see Changes that I make are not always immediately visible in the AWS Identity andAccess Management User Guide.

The key policy size limit is 32 kilobytes (32768 bytes).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 32768.

Pattern: [\u0009\u000A\u000D\u0020-\u00FF]+

Required: YesPolicyName (p. 105)

The name of the key policy. The only valid value is default.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Pattern: [\w]+

Required: YesBypassPolicyLockoutSafetyCheck (p. 105)

A flag to indicate whether to bypass the key policy lockout safety check.

ImportantSetting this value to true increases the risk that the CMK becomes unmanageable. Do notset this value to true indiscriminately.For more information, refer to the scenario in the Default Key Policy section in the AWS KeyManagement Service Developer Guide.

Use this parameter only when you intend to prevent the principal that is making the request frommaking a subsequent PutKeyPolicy request on the CMK.

The default value is false.

Type: Boolean

Required: No

Response ElementsIf the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 149).

DependencyTimeoutException

The system timed out while trying to fulfill the request. The request can be retried.

HTTP Status Code: 500

API Version 2014-11-01106

https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
Page 115: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceExamples

InvalidArnException

The request was rejected because a specified ARN was not valid.

HTTP Status Code: 400KMSInternalException

The request was rejected because an internal exception occurred. The request can be retried.

HTTP Status Code: 400KMSInvalidStateException

The request was rejected because the state of the specified resource is not valid for this request.

For more information about how key state affects the use of a CMK, see How Key State Affects Useof a Customer Master Key in the AWS Key Management Service Developer Guide.

HTTP Status Code: 400LimitExceededException

The request was rejected because a limit was exceeded. For more information, see Limits in the AWSKey Management Service Developer Guide.

HTTP Status Code: 400MalformedPolicyDocumentException

The request was rejected because the specified policy is not syntactically or semantically correct.

HTTP Status Code: 400NotFoundException

The request was rejected because the specified entity or resource could not be found.

HTTP Status Code: 400UnsupportedOperationException

The request was rejected because a specified parameter is not supported or a specified resource isnot valid for this operation.

HTTP Status Code: 400

Examples

Example RequestThe following example is formatted for legibility.

POST / HTTP/1.1Host: kms.us-east-2.amazonaws.comContent-Length: 2396X-Amz-Target: TrentService.PutKeyPolicyX-Amz-Date: 20161207T203023ZContent-Type: application/x-amz-json-1.1Authorization: AWS4-HMAC-SHA256\ Credential=AKIAI44QH8DHBEXAMPLE/20161207/us-east-2/kms/aws4_request,\ SignedHeaders=content-type;host;x-amz-date;x-amz-target,\ Signature=e58ea91db06afc1bc7a1f204769cf6bc4d003ee090095a13caef361c69739ede

API Version 2014-11-01107

https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/limits.html
Page 116: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceExamples

{ "Policy": "{ \"Version\": \"2012-10-17\", \"Id\": \"custom-policy-2016-12-07\", \"Statement\": [ { \"Sid\": \"Enable IAM User Permissions\", \"Effect\": \"Allow\", \"Principal\": { \"AWS\": \"arn:aws:iam::111122223333:root\" }, \"Action\": \"kms:*\", \"Resource\": \"*\" }, { \"Sid\": \"Allow access for Key Administrators\", \"Effect\": \"Allow\", \"Principal\": { \"AWS\": [ \"arn:aws:iam::111122223333:user/ExampleAdminUser\", \"arn:aws:iam::111122223333:role/ExampleAdminRole\" ] }, \"Action\": [ \"kms:Create*\", \"kms:Describe*\", \"kms:Enable*\", \"kms:List*\", \"kms:Put*\", \"kms:Update*\", \"kms:Revoke*\", \"kms:Disable*\", \"kms:Get*\", \"kms:Delete*\", \"kms:ScheduleKeyDeletion\", \"kms:CancelKeyDeletion\" ], \"Resource\": \"*\" }, { \"Sid\": \"Allow use of the key\", \"Effect\": \"Allow\", \"Principal\": { \"AWS\": \"arn:aws:iam::111122223333:role/ExamplePowerUserRole\" }, \"Action\": [ \"kms:Encrypt\", \"kms:Decrypt\", \"kms:ReEncrypt*\", \"kms:GenerateDataKey*\", \"kms:DescribeKey\" ], \"Resource\": \"*\" }, { \"Sid\": \"Allow attachment of persistent resources\", \"Effect\": \"Allow\", \"Principal\": { \"AWS\": \"arn:aws:iam::111122223333:role/ExamplePowerUserRole\" }, \"Action\": [ \"kms:CreateGrant\", \"kms:ListGrants\", \"kms:RevokeGrant\" ],

API Version 2014-11-01108

Page 117: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceSee Also

\"Resource\": \"*\", \"Condition\": { \"Bool\": { \"kms:GrantIsForAWSResource\": \"true\" } } } ] }", "PolicyName": "default", "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"}

Example Response

HTTP/1.1 200 OKServer: ServerDate: Wed, 07 Dec 2016 20:30:23 GMTContent-Type: application/x-amz-json-1.1Content-Length: 0Connection: keep-alivex-amzn-RequestId: fb114d4c-bcbb-11e6-82b3-e9e4af764a06

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V2

API Version 2014-11-01109

https://docs.aws.amazon.com/goto/aws-cli/kms-2014-11-01/PutKeyPolicy
https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/PutKeyPolicy
https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/PutKeyPolicy
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/PutKeyPolicy
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/PutKeyPolicy
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/kms-2014-11-01/PutKeyPolicy
https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/PutKeyPolicy
https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/PutKeyPolicy
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/PutKeyPolicy
Page 118: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceReEncrypt

ReEncryptEncrypts data on the server side with a new customer master key (CMK) without exposing the plaintextof the data on the client side. The data is first decrypted and then reencrypted. You can also use thisoperation to change the encryption context of a ciphertext.

You can reencrypt data using CMKs in different AWS accounts.

Unlike other operations, ReEncrypt is authorized twice, once as ReEncryptFrom on the sourceCMK and once as ReEncryptTo on the destination CMK. We recommend that you include the"kms:ReEncrypt*" permission in your key policies to permit reencryption from or to the CMK. Thispermission is automatically included in the key policy when you create a CMK through the console, butyou must include it manually when you create a CMK programmatically or when you set a key policy withthe PutKeyPolicy (p. 105) operation.

The result of this operation varies with the key state of the CMK. For details, see How Key State AffectsUse of a Customer Master Key in the AWS Key Management Service Developer Guide.

Request Syntax{ "CiphertextBlob": blob, "DestinationEncryptionContext": { "string" : "string" }, "DestinationKeyId": "string", "GrantTokens": [ "string" ], "SourceEncryptionContext": { "string" : "string" }}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 147).

The request accepts the following data in JSON format.

NoteIn the following list, the required parameters are described first.

CiphertextBlob (p. 110)

Ciphertext of the data to reencrypt.

Type: Base64-encoded binary data object

Length Constraints: Minimum length of 1. Maximum length of 6144.

Required: YesDestinationKeyId (p. 110)

A unique identifier for the CMK that is used to reencrypt the data.

To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, or alias ARN. When usingan alias name, prefix it with "alias/". To specify a CMK in a different AWS account, you must use thekey ARN or alias ARN.

API Version 2014-11-01110

https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 119: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceResponse Syntax

For example:• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

• Alias name: alias/ExampleAlias• Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias

To get the key ID and key ARN for a CMK, use ListKeys (p. 93) or DescribeKey (p. 30). To get the aliasname and alias ARN, use ListAliases (p. 80).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: YesDestinationEncryptionContext (p. 110)

Encryption context to use when the data is reencrypted.

Type: String to string map

Required: NoGrantTokens (p. 110)

A list of grant tokens.

For more information, see Grant Tokens in the AWS Key Management Service Developer Guide.

Type: Array of strings

Array Members: Minimum number of 0 items. Maximum number of 10 items.

Length Constraints: Minimum length of 1. Maximum length of 8192.

Required: NoSourceEncryptionContext (p. 110)

Encryption context used to encrypt and decrypt the data specified in the CiphertextBlobparameter.

Type: String to string map

Required: No

Response Syntax{ "CiphertextBlob": blob, "KeyId": "string", "SourceKeyId": "string"}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

API Version 2014-11-01111

https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token
Page 120: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceErrors

CiphertextBlob (p. 111)

The reencrypted data. When you use the HTTP API or the AWS CLI, the value is Base64-encdoded.Otherwise, it is not encoded.

Type: Base64-encoded binary data object

Length Constraints: Minimum length of 1. Maximum length of 6144.KeyId (p. 111)

Unique identifier of the CMK used to reencrypt the data.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.SourceKeyId (p. 111)

Unique identifier of the CMK used to originally encrypt the data.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 149).

DependencyTimeoutException

The system timed out while trying to fulfill the request. The request can be retried.

HTTP Status Code: 500DisabledException

The request was rejected because the specified CMK is not enabled.

HTTP Status Code: 400InvalidCiphertextException

The request was rejected because the specified ciphertext, or additional authenticated dataincorporated into the ciphertext, such as the encryption context, is corrupted, missing, or otherwiseinvalid.

HTTP Status Code: 400InvalidGrantTokenException

The request was rejected because the specified grant token is not valid.

HTTP Status Code: 400InvalidKeyUsageException

The request was rejected because the specified KeySpec value is not valid.

HTTP Status Code: 400KeyUnavailableException

The request was rejected because the specified CMK was not available. The request can be retried.

HTTP Status Code: 500

API Version 2014-11-01112

Page 121: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceExamples

KMSInternalException

The request was rejected because an internal exception occurred. The request can be retried.

HTTP Status Code: 400KMSInvalidStateException

The request was rejected because the state of the specified resource is not valid for this request.

For more information about how key state affects the use of a CMK, see How Key State Affects Useof a Customer Master Key in the AWS Key Management Service Developer Guide.

HTTP Status Code: 400NotFoundException

The request was rejected because the specified entity or resource could not be found.

HTTP Status Code: 400

ExamplesThe following examples are formatted for legibility.

Example Request

POST / HTTP/1.1Host: kms.us-east-2.amazonaws.comContent-Length: 306X-Amz-Target: TrentService.ReEncryptX-Amz-Date: 20161207T225816ZContent-Type: application/x-amz-json-1.1Authorization: AWS4-HMAC-SHA256\ Credential=AKIAI44QH8DHBEXAMPLE/20161207/us-east-2/kms/aws4_request,\ SignedHeaders=content-type;host;x-amz-date;x-amz-target,\ Signature=7afd339e2a680e0726592ddf687aabe48e1d8a7933a60ebbdc0154b8e2936ef2

{ "DestinationKeyId": "0987dcba-09fe-87dc-65ba-ab0987654321", "CiphertextBlob": "AQECAHj/M9MyvNsMT8kW+K5DVkMfunTHr0w6V6crnuAGw80uRwAAAH0wewYJKoZIhvcNAQcGoG4wbAIBADBnBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDPXExREUtnnGy1wC3wIBEIA6LvpU7BRMW+FSkUmNmmE0H0aHHRYRD6XqUnaCNnzAuhhq4VTGBfii6oWtjVU83pGmradvUawxE/tbCg=="}

Example Response

HTTP/1.1 200 OKServer: ServerDate: Wed, 07 Dec 2016 22:58:17 GMTContent-Type: application/x-amz-json-1.1Content-Length: 423Connection: keep-alivex-amzn-RequestId: a434eca2-bcd0-11e6-b60b-ffb5eb2d1d15

{ "CiphertextBlob": "AQECAHjRYf5WytIc0C857tFSnBaPn2F8DgfmThbJlGfR8P3WlwAAAH0wewYJKoZIhvcNAQcGoG4wbAIBADBnBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDIwicafp/vwjXjPBhQIBEIA6wjfzufQPhuU+nVqa3Kj4nqSTdhDw1PTkImKCUEuvQDui6qsooyB4Qxe8OOBqciRNC7ENQN8lKaEijg==",

API Version 2014-11-01113

https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 122: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceSee Also

"KeyId": "arn:aws:kms:us-east-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321", "SourceKeyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"}

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V2

API Version 2014-11-01114

https://docs.aws.amazon.com/goto/aws-cli/kms-2014-11-01/ReEncrypt
https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/ReEncrypt
https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/ReEncrypt
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/ReEncrypt
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/ReEncrypt
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/kms-2014-11-01/ReEncrypt
https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/ReEncrypt
https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/ReEncrypt
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/ReEncrypt
Page 123: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceRetireGrant

RetireGrantRetires a grant. To clean up, you can retire a grant when you're done using it. You should revoke a grantwhen you intend to actively deny operations that depend on it. The following are permitted to call thisAPI:

• The AWS account (root user) under which the grant was created

• The RetiringPrincipal, if present in the grant

• The GranteePrincipal, if RetireGrant is an operation specified in the grant

You must identify the grant to retire by its grant token or by a combination of the grant ID andthe Amazon Resource Name (ARN) of the customer master key (CMK). A grant token is a uniquevariable-length base64-encoded string. A grant ID is a 64 character unique identifier of a grant. TheCreateGrant (p. 10) operation returns both.

Request Syntax{ "GrantId": "string", "GrantToken": "string", "KeyId": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 147).

The request accepts the following data in JSON format.

NoteIn the following list, the required parameters are described first.

GrantId (p. 115)

Unique identifier of the grant to retire. The grant ID is returned in the response to a CreateGrantoperation.

• Grant ID Example -0123456789012345678901234567890123456789012345678901234567890123

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Required: No

GrantToken (p. 115)

Token that identifies the grant to be retired.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 8192.

Required: No

API Version 2014-11-01115

Page 124: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceResponse Elements

KeyId (p. 115)

The Amazon Resource Name (ARN) of the CMK associated with the grant.

For example: arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: No

Response ElementsIf the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 149).

DependencyTimeoutException

The system timed out while trying to fulfill the request. The request can be retried.

HTTP Status Code: 500InvalidArnException

The request was rejected because a specified ARN was not valid.

HTTP Status Code: 400InvalidGrantIdException

The request was rejected because the specified GrantId is not valid.

HTTP Status Code: 400InvalidGrantTokenException

The request was rejected because the specified grant token is not valid.

HTTP Status Code: 400KMSInternalException

The request was rejected because an internal exception occurred. The request can be retried.

HTTP Status Code: 400KMSInvalidStateException

The request was rejected because the state of the specified resource is not valid for this request.

For more information about how key state affects the use of a CMK, see How Key State Affects Useof a Customer Master Key in the AWS Key Management Service Developer Guide.

HTTP Status Code: 400NotFoundException

The request was rejected because the specified entity or resource could not be found.

API Version 2014-11-01116

https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 125: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceExamples

HTTP Status Code: 400

ExamplesExample RequestThe following example is formatted for legibility.

POST / HTTP/1.1Host: kms.us-east-2.amazonaws.comContent-Length: 167X-Amz-Target: TrentService.RetireGrantX-Amz-Date: 20161208T233237ZContent-Type: application/x-amz-json-1.1Authorization: AWS4-HMAC-SHA256\ Credential=AKIAI44QH8DHBEXAMPLE/20161208/us-east-2/kms/aws4_request,\ SignedHeaders=content-type;host;x-amz-date;x-amz-target,\ Signature=e463f010eb7d997b4f89ae836288a67f362b0afd762fcf242a3f76ba282448dc

{ "KeyId": "arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab", "GrantId": "1ea8e6c7d4d49ecf7e4461c792f6a27651d7ff0ee13a724c19e730337faa26b1"}

Example Response

HTTP/1.1 200 OKServer: ServerDate: Thu, 08 Dec 2016 23:32:38 GMTContent-Type: application/x-amz-json-1.1Content-Length: 0Connection: keep-alivex-amzn-RequestId: 9ad2b038-bd9e-11e6-ace2-6fb96f685e31

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V2

API Version 2014-11-01117

https://docs.aws.amazon.com/goto/aws-cli/kms-2014-11-01/RetireGrant
https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/RetireGrant
https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/RetireGrant
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/RetireGrant
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/RetireGrant
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/kms-2014-11-01/RetireGrant
https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/RetireGrant
https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/RetireGrant
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/RetireGrant
Page 126: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceRevokeGrant

RevokeGrantRevokes the specified grant for the specified customer master key (CMK). You can revoke a grant toactively deny operations that depend on it.

To perform this operation on a CMK in a different AWS account, specify the key ARN in the value of theKeyId parameter.

Request Syntax{ "GrantId": "string", "KeyId": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 147).

The request accepts the following data in JSON format.

NoteIn the following list, the required parameters are described first.

GrantId (p. 118)

Identifier of the grant to be revoked.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Required: YesKeyId (p. 118)

A unique identifier for the customer master key associated with the grant.

Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify a CMK in a differentAWS account, you must use the key ARN.

For example:• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

To get the key ID and key ARN for a CMK, use ListKeys (p. 93) or DescribeKey (p. 30).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: Yes

Response ElementsIf the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

API Version 2014-11-01118

Page 127: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceErrors

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 149).

DependencyTimeoutException

The system timed out while trying to fulfill the request. The request can be retried.

HTTP Status Code: 500InvalidArnException

The request was rejected because a specified ARN was not valid.

HTTP Status Code: 400InvalidGrantIdException

The request was rejected because the specified GrantId is not valid.

HTTP Status Code: 400KMSInternalException

The request was rejected because an internal exception occurred. The request can be retried.

HTTP Status Code: 400KMSInvalidStateException

The request was rejected because the state of the specified resource is not valid for this request.

For more information about how key state affects the use of a CMK, see How Key State Affects Useof a Customer Master Key in the AWS Key Management Service Developer Guide.

HTTP Status Code: 400NotFoundException

The request was rejected because the specified entity or resource could not be found.

HTTP Status Code: 400

Examples

Example RequestThe following example is formatted for legibility.

POST / HTTP/1.1Host: kms.us-west-2.amazonaws.comContent-Length: 128X-Amz-Target: TrentService.RevokeGrantX-Amz-Date: 20161210T000739ZContent-Type: application/x-amz-json-1.1Authorization: AWS4-HMAC-SHA256\ Credential=AKIAI44QH8DHBEXAMPLE/20161210/us-west-2/kms/aws4_request,\ SignedHeaders=content-type;host;x-amz-date;x-amz-target,\ Signature=3f4073c96c38c8bc006b3a74a67fb2108cfe2d6ff23f96f09047924919806a7d

{ "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",

API Version 2014-11-01119

https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 128: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceSee Also

"GrantId": "f271e8328717f8bde5d03f4981f06a6b3fc18bcae2da12ac38bd9186e7925d11"}

Example Response

HTTP/1.1 200 OKServer: ServerDate: Sat, 10 Dec 2016 00:07:40 GMTContent-Type: application/x-amz-json-1.1Content-Length: 0Connection: keep-alivex-amzn-RequestId: aa49887b-be6c-11e6-b749-7394871b1b43

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V2

API Version 2014-11-01120

https://docs.aws.amazon.com/goto/aws-cli/kms-2014-11-01/RevokeGrant
https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/RevokeGrant
https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/RevokeGrant
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/RevokeGrant
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/RevokeGrant
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/kms-2014-11-01/RevokeGrant
https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/RevokeGrant
https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/RevokeGrant
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/RevokeGrant
Page 129: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceScheduleKeyDeletion

ScheduleKeyDeletionSchedules the deletion of a customer master key (CMK). You may provide a waiting period, specifiedin days, before deletion occurs. If you do not provide a waiting period, the default period of 30 days isused. When this operation is successful, the state of the CMK changes to PendingDeletion. Before thewaiting period ends, you can use CancelKeyDeletion (p. 4) to cancel the deletion of the CMK. After thewaiting period ends, AWS KMS deletes the CMK and all AWS KMS data associated with it, including allaliases that refer to it.

You cannot perform this operation on a CMK in a different AWS account.

ImportantDeleting a CMK is a destructive and potentially dangerous operation. When a CMK is deleted, alldata that was encrypted under the CMK is rendered unrecoverable. To restrict the use of a CMKwithout deleting it, use DisableKey (p. 34).

For more information about scheduling a CMK for deletion, see Deleting Customer Master Keys in theAWS Key Management Service Developer Guide.

The result of this operation varies with the key state of the CMK. For details, see How Key State AffectsUse of a Customer Master Key in the AWS Key Management Service Developer Guide.

Request Syntax{ "KeyId": "string", "PendingWindowInDays": number}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 147).

The request accepts the following data in JSON format.

NoteIn the following list, the required parameters are described first.

KeyId (p. 121)

The unique identifier of the customer master key (CMK) to delete.

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

For example:• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

To get the key ID and key ARN for a CMK, use ListKeys (p. 93) or DescribeKey (p. 30).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: Yes

API Version 2014-11-01121

https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 130: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceResponse Syntax

PendingWindowInDays (p. 121)

The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes thecustomer master key (CMK).

This value is optional. If you include a value, it must be between 7 and 30, inclusive. If you do notinclude a value, it defaults to 30.

Type: Integer

Valid Range: Minimum value of 7. Maximum value of 30.

Required: No

Response Syntax{ "DeletionDate": number, "KeyId": "string"}

Response ElementsIf the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

DeletionDate (p. 122)

The date and time after which AWS KMS deletes the customer master key (CMK).

Type: TimestampKeyId (p. 122)

The unique identifier of the customer master key (CMK) for which deletion is scheduled.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 149).

DependencyTimeoutException

The system timed out while trying to fulfill the request. The request can be retried.

HTTP Status Code: 500InvalidArnException

The request was rejected because a specified ARN was not valid.

HTTP Status Code: 400KMSInternalException

The request was rejected because an internal exception occurred. The request can be retried.

API Version 2014-11-01122

Page 131: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceExamples

HTTP Status Code: 400KMSInvalidStateException

The request was rejected because the state of the specified resource is not valid for this request.

For more information about how key state affects the use of a CMK, see How Key State Affects Useof a Customer Master Key in the AWS Key Management Service Developer Guide.

HTTP Status Code: 400NotFoundException

The request was rejected because the specified entity or resource could not be found.

HTTP Status Code: 400

ExamplesThe following examples are formatted for legibility.

Example Request

POST / HTTP/1.1Host: kms.us-east-2.amazonaws.comContent-Length: 75X-Amz-Target: TrentService.ScheduleKeyDeletionX-Amz-Date: 20161210T003358ZContent-Type: application/x-amz-json-1.1Authorization: AWS4-HMAC-SHA256\ Credential=AKIAI44QH8DHBEXAMPLE/20161210/us-east-2/kms/aws4_request,\ SignedHeaders=content-type;host;x-amz-date;x-amz-target,\ Signature=c42c52cf0e4057e004b73a905b0e5da215f63dd33117e7316f760e6223433abb

{ "PendingWindowInDays": 7, "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"}

Example Response

HTTP/1.1 200 OKServer: ServerDate: Sat, 10 Dec 2016 00:33:58 GMTContent-Type: application/x-amz-json-1.1Content-Length: 114Connection: keep-alivex-amzn-RequestId: 5704ddf7-be70-11e6-b0c0-3343f53dee45

{ "DeletionDate": 1.4820192E9, "KeyId": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"}

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface

API Version 2014-11-01123

https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/goto/aws-cli/kms-2014-11-01/ScheduleKeyDeletion
Page 132: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceSee Also

• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V2

API Version 2014-11-01124

https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/ScheduleKeyDeletion
https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/ScheduleKeyDeletion
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/ScheduleKeyDeletion
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/ScheduleKeyDeletion
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/kms-2014-11-01/ScheduleKeyDeletion
https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/ScheduleKeyDeletion
https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/ScheduleKeyDeletion
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/ScheduleKeyDeletion
Page 133: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceTagResource

TagResourceAdds or edits tags for a customer master key (CMK). You cannot perform this operation on a CMK in adifferent AWS account.

Each tag consists of a tag key and a tag value. Tag keys and tag values are both required, but tag valuescan be empty (null) strings.

You can only use a tag key once for each CMK. If you use the tag key again, AWS KMS replaces thecurrent tag value with the specified value.

For information about the rules that apply to tag keys and tag values, see User-Defined Tag Restrictionsin the AWS Billing and Cost Management User Guide.

The result of this operation varies with the key state of the CMK. For details, see How Key State AffectsUse of a Customer Master Key in the AWS Key Management Service Developer Guide.

Request Syntax{ "KeyId": "string", "Tags": [ { "TagKey": "string", "TagValue": "string" } ]}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 147).

The request accepts the following data in JSON format.

NoteIn the following list, the required parameters are described first.

KeyId (p. 125)

A unique identifier for the CMK you are tagging.

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

For example:• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

To get the key ID and key ARN for a CMK, use ListKeys (p. 93) or DescribeKey (p. 30).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: Yes

API Version 2014-11-01125

https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/allocation-tag-restrictions.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 134: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceResponse Elements

Tags (p. 125)

One or more tags. Each tag consists of a tag key and a tag value.

Type: Array of Tag (p. 146) objects

Required: Yes

Response ElementsIf the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 149).

InvalidArnException

The request was rejected because a specified ARN was not valid.

HTTP Status Code: 400KMSInternalException

The request was rejected because an internal exception occurred. The request can be retried.

HTTP Status Code: 400KMSInvalidStateException

The request was rejected because the state of the specified resource is not valid for this request.

For more information about how key state affects the use of a CMK, see How Key State Affects Useof a Customer Master Key in the AWS Key Management Service Developer Guide.

HTTP Status Code: 400LimitExceededException

The request was rejected because a limit was exceeded. For more information, see Limits in the AWSKey Management Service Developer Guide.

HTTP Status Code: 400NotFoundException

The request was rejected because the specified entity or resource could not be found.

HTTP Status Code: 400TagException

The request was rejected because one or more tags are not valid.

HTTP Status Code: 400

ExamplesExample RequestThe following example is formatted for legibility.

API Version 2014-11-01126

https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/limits.html
Page 135: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceSee Also

POST / HTTP/1.1Host: kms.us-east-2.amazonaws.comContent-Length: 102X-Amz-Target: TrentService.TagResourceX-Amz-Date: 20170109T200202ZContent-Type: application/x-amz-json-1.1Authorization: AWS4-HMAC-SHA256\ Credential=AKIAI44QH8DHBEXAMPLE/20170109/us-east-2/kms/aws4_request,\ SignedHeaders=content-type;host;x-amz-date;x-amz-target,\ Signature=5a5e6b9950567ea2b9ead41df706fd8f3e4a900553957c5c7f1992daaa67b8ff

{ "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "Tags": [{ "TagKey": "Purpose", "TagValue": "Test" }]}

Example Response

HTTP/1.1 200 OKServer: ServerDate: Mon, 09 Jan 2017 20:02:03 GMTContent-Type: application/x-amz-json-1.1Content-Length: 0Connection: keep-alivex-amzn-RequestId: 7ce02bcb-d6a6-11e6-bfed-ebe31947a596

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V2

API Version 2014-11-01127

https://docs.aws.amazon.com/goto/aws-cli/kms-2014-11-01/TagResource
https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/TagResource
https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/TagResource
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/TagResource
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/TagResource
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/kms-2014-11-01/TagResource
https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/TagResource
https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/TagResource
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/TagResource
Page 136: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceUntagResource

UntagResourceRemoves the specified tags from the specified customer master key (CMK). You cannot perform thisoperation on a CMK in a different AWS account.

To remove a tag, specify the tag key. To change the tag value of an existing tag key, useTagResource (p. 125).

The result of this operation varies with the key state of the CMK. For details, see How Key State AffectsUse of a Customer Master Key in the AWS Key Management Service Developer Guide.

Request Syntax{ "KeyId": "string", "TagKeys": [ "string" ]}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 147).

The request accepts the following data in JSON format.

NoteIn the following list, the required parameters are described first.

KeyId (p. 128)

A unique identifier for the CMK from which you are removing tags.

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

For example:

• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

To get the key ID and key ARN for a CMK, use ListKeys (p. 93) or DescribeKey (p. 30).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: Yes

TagKeys (p. 128)

One or more tag keys. Specify only the tag keys, not the tag values.

Type: Array of strings

Length Constraints: Minimum length of 1. Maximum length of 128.

Required: Yes

API Version 2014-11-01128

https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 137: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceResponse Elements

Response ElementsIf the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 149).

InvalidArnException

The request was rejected because a specified ARN was not valid.

HTTP Status Code: 400KMSInternalException

The request was rejected because an internal exception occurred. The request can be retried.

HTTP Status Code: 400KMSInvalidStateException

The request was rejected because the state of the specified resource is not valid for this request.

For more information about how key state affects the use of a CMK, see How Key State Affects Useof a Customer Master Key in the AWS Key Management Service Developer Guide.

HTTP Status Code: 400NotFoundException

The request was rejected because the specified entity or resource could not be found.

HTTP Status Code: 400TagException

The request was rejected because one or more tags are not valid.

HTTP Status Code: 400

Examples

Example RequestThe following example is formatted for legibility.

POST / HTTP/1.1Host: kms.us-east-2.amazonaws.comContent-Length: 87X-Amz-Target: TrentService.UntagResourceX-Amz-Date: 20170109T200704ZContent-Type: application/x-amz-json-1.1Authorization: AWS4-HMAC-SHA256\ Credential=AKIAI44QH8DHBEXAMPLE/20170109/us-east-2/kms/aws4_request,\ SignedHeaders=content-type;host;x-amz-date;x-amz-target,\ Signature=f1c9c01e545fa02e2dba096b66d5f697800a1b8e06a1776058206dc393b8d1b4

{ "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",

API Version 2014-11-01129

https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 138: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceSee Also

"TagKeys": [ "Purpose", "CostCenter" ]}

Example Response

HTTP/1.1 200 OKServer: ServerDate: Mon, 09 Jan 2017 20:07:04 GMTContent-Type: application/x-amz-json-1.1Content-Length: 0Connection: keep-alivex-amzn-RequestId: 30b417a1-d6a7-11e6-a164-b5365990e84e

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V2

API Version 2014-11-01130

https://docs.aws.amazon.com/goto/aws-cli/kms-2014-11-01/UntagResource
https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/UntagResource
https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/UntagResource
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/UntagResource
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/UntagResource
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/kms-2014-11-01/UntagResource
https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/UntagResource
https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/UntagResource
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/UntagResource
Page 139: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceUpdateAlias

UpdateAliasAssociates an existing alias with a different customer master key (CMK). Each CMK can have multiplealiases, but the aliases must be unique within the account and region. You cannot perform this operationon an alias in a different AWS account.

This operation works only on existing aliases. To change the alias of a CMK to a new value, useCreateAlias (p. 7) to create a new alias and DeleteAlias (p. 24) to delete the old alias.

Because an alias is not a property of a CMK, you can create, update, and delete the aliases of a CMKwithout affecting the CMK. Also, aliases do not appear in the response from the DescribeKey (p. 30)operation. To get the aliases of all CMKs in the account, use the ListAliases (p. 80) operation.

An alias name can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes(-). An alias must start with the word alias followed by a forward slash (alias/). The alias name cancontain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). Alias namescannot begin with aws; that alias name prefix is reserved by Amazon Web Services (AWS).

The result of this operation varies with the key state of the CMK. For details, see How Key State AffectsUse of a Customer Master Key in the AWS Key Management Service Developer Guide.

Request Syntax{ "AliasName": "string", "TargetKeyId": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 147).

The request accepts the following data in JSON format.

NoteIn the following list, the required parameters are described first.

AliasName (p. 131)

String that contains the name of the alias to be modified. The name must start with the word "alias"followed by a forward slash (alias/). Aliases that begin with "alias/aws" are reserved.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^[a-zA-Z0-9:/_-]+$

Required: YesTargetKeyId (p. 131)

Unique identifier of the customer master key to be mapped to the alias.

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

For example:

API Version 2014-11-01131

https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 140: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceResponse Elements

• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

To get the key ID and key ARN for a CMK, use ListKeys (p. 93) or DescribeKey (p. 30).

To verify that the alias is mapped to the correct CMK, use ListAliases (p. 80).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: Yes

Response ElementsIf the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 149).

DependencyTimeoutException

The system timed out while trying to fulfill the request. The request can be retried.

HTTP Status Code: 500KMSInternalException

The request was rejected because an internal exception occurred. The request can be retried.

HTTP Status Code: 400KMSInvalidStateException

The request was rejected because the state of the specified resource is not valid for this request.

For more information about how key state affects the use of a CMK, see How Key State Affects Useof a Customer Master Key in the AWS Key Management Service Developer Guide.

HTTP Status Code: 400NotFoundException

The request was rejected because the specified entity or resource could not be found.

HTTP Status Code: 400

ExamplesExample RequestThe following example is formatted for legibility.

POST / HTTP/1.1Host: kms.us-east-2.amazonaws.comContent-Length: 90

API Version 2014-11-01132

https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 141: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceSee Also

X-Amz-Target: TrentService.UpdateAliasX-Amz-Date: 20161212T193252ZContent-Type: application/x-amz-json-1.1Authorization: AWS4-HMAC-SHA256\ Credential=AKIAI44QH8DHBEXAMPLE/20161212/us-east-2/kms/aws4_request,\ SignedHeaders=content-type;host;x-amz-date;x-amz-target,\ Signature=3d6375048a5917aff38f25b92e66bceb16b29562193f7ab7f869b4c53f115c20

{ "TargetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "AliasName": "alias/ExampleAlias"}

Example Response

HTTP/1.1 200 OKServer: ServerDate: Mon, 12 Dec 2016 19:32:53 GMTContent-Type: application/x-amz-json-1.1Content-Length: 0Connection: keep-alivex-amzn-RequestId: c64706c8-c0a1-11e6-b0c0-3343f53dee45

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V2

API Version 2014-11-01133

https://docs.aws.amazon.com/goto/aws-cli/kms-2014-11-01/UpdateAlias
https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/UpdateAlias
https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/UpdateAlias
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/UpdateAlias
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/UpdateAlias
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/kms-2014-11-01/UpdateAlias
https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/UpdateAlias
https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/UpdateAlias
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/UpdateAlias
Page 142: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceUpdateKeyDescription

UpdateKeyDescriptionUpdates the description of a customer master key (CMK). To see the decription of a CMK, useDescribeKey (p. 30).

You cannot perform this operation on a CMK in a different AWS account.

The result of this operation varies with the key state of the CMK. For details, see How Key State AffectsUse of a Customer Master Key in the AWS Key Management Service Developer Guide.

Request Syntax

{ "Description": "string", "KeyId": "string"}

Request ParametersFor information about the parameters that are common to all actions, see CommonParameters (p. 147).

The request accepts the following data in JSON format.

NoteIn the following list, the required parameters are described first.

Description (p. 134)

New description for the CMK.

Type: String

Length Constraints: Minimum length of 0. Maximum length of 8192.

Required: Yes

KeyId (p. 134)

A unique identifier for the customer master key (CMK).

Specify the key ID or the Amazon Resource Name (ARN) of the CMK.

For example:

• Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

• Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

To get the key ID and key ARN for a CMK, use ListKeys (p. 93) or DescribeKey (p. 30).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: Yes

API Version 2014-11-01134

https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 143: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceResponse Elements

Response ElementsIf the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

ErrorsFor information about the errors that are common to all actions, see Common Errors (p. 149).

DependencyTimeoutException

The system timed out while trying to fulfill the request. The request can be retried.

HTTP Status Code: 500InvalidArnException

The request was rejected because a specified ARN was not valid.

HTTP Status Code: 400KMSInternalException

The request was rejected because an internal exception occurred. The request can be retried.

HTTP Status Code: 400KMSInvalidStateException

The request was rejected because the state of the specified resource is not valid for this request.

For more information about how key state affects the use of a CMK, see How Key State Affects Useof a Customer Master Key in the AWS Key Management Service Developer Guide.

HTTP Status Code: 400NotFoundException

The request was rejected because the specified entity or resource could not be found.

HTTP Status Code: 400

Examples

Example RequestThe following example is formatted for legibility.

POST / HTTP/1.1Host: kms.us-east-2.amazonaws.comContent-Length: 150X-Amz-Target: TrentService.UpdateKeyDescriptionX-Amz-Date: 20161212T201249ZContent-Type: application/x-amz-json-1.1Authorization: AWS4-HMAC-SHA256\ Credential=AKIAI44QH8DHBEXAMPLE/20161212/us-east-2/kms/aws4_request,\ SignedHeaders=content-type;host;x-amz-date;x-amz-target,\ Signature=cd81d09965e5df1156eb0416ec8b2e3f9dea9dbc4ca9285b472c319bcbbaec71

{ "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",

API Version 2014-11-01135

https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 144: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceSee Also

"Description": "Example description that explains what this CMK is used for."}

Example Response

HTTP/1.1 200 OKServer: ServerDate: Mon, 12 Dec 2016 20:12:50 GMTContent-Type: application/x-amz-json-1.1Content-Length: 0Connection: keep-alivex-amzn-RequestId: 5b089880-c0a7-11e6-89c4-3d6791a06780

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface• AWS SDK for .NET• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java• AWS SDK for JavaScript• AWS SDK for PHP V3• AWS SDK for Python• AWS SDK for Ruby V2

API Version 2014-11-01136

https://docs.aws.amazon.com/goto/aws-cli/kms-2014-11-01/UpdateKeyDescription
https://docs.aws.amazon.com/goto/DotNetSDKV3/kms-2014-11-01/UpdateKeyDescription
https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/UpdateKeyDescription
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/UpdateKeyDescription
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/UpdateKeyDescription
https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/kms-2014-11-01/UpdateKeyDescription
https://docs.aws.amazon.com/goto/SdkForPHPV3/kms-2014-11-01/UpdateKeyDescription
https://docs.aws.amazon.com/goto/boto3/kms-2014-11-01/UpdateKeyDescription
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/UpdateKeyDescription
Page 145: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API Reference

Data TypesThe AWS Key Management Service API contains several data types that various actions use. This sectiondescribes each data type in detail.

NoteThe order of each element in a data type structure is not guaranteed. Applications should notassume a particular order.

The following data types are supported:

• AliasListEntry (p. 138)• GrantConstraints (p. 139)• GrantListEntry (p. 140)• KeyListEntry (p. 142)• KeyMetadata (p. 143)• Tag (p. 146)

API Version 2014-11-01137

Page 146: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceAliasListEntry

AliasListEntryContains information about an alias.

ContentsNoteIn the following list, the required parameters are described first.

AliasArn

String that contains the key ARN.

Type: String

Length Constraints: Minimum length of 20. Maximum length of 2048.

Required: NoAliasName

String that contains the alias.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^[a-zA-Z0-9:/_-]+$

Required: NoTargetKeyId

String that contains the key identifier referred to by the alias.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: No

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java• AWS SDK for Ruby V2

API Version 2014-11-01138

https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/AliasListEntry
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/AliasListEntry
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/AliasListEntry
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/AliasListEntry
Page 147: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceGrantConstraints

GrantConstraintsA structure that you can use to allow certain operations in the grant only when the desired encryptioncontext is present. For more information about encryption context, see Encryption Context in the AWSKey Management Service Developer Guide.

Grant constraints apply only to operations that accept encryption context as input. For example,the DescribeKey (p. 30) operation does not accept encryption context as input. A grant thatallows the DescribeKey operation does so regardless of the grant constraints. In constrast, the Encrypt (p. 46) operation accepts encryption context as input. A grant that allows the Encryptoperation does so only when the encryption context of the Encrypt operation satisfies the grantconstraints.

ContentsNoteIn the following list, the required parameters are described first.

EncryptionContextEquals

A list of key-value pairs that must be present in the encryption context of certain subsequentoperations that the grant allows. When certain subsequent operations allowed by the grant includeencryption context that matches this list, the grant allows the operation. Otherwise, the grant doesnot allow the operation.

Type: String to string map

Required: NoEncryptionContextSubset

A list of key-value pairs, all of which must be present in the encryption context of certainsubsequent operations that the grant allows. When certain subsequent operations allowed by thegrant include encryption context that matches this list or is a superset of this list, the grant allowsthe operation. Otherwise, the grant does not allow the operation.

Type: String to string map

Required: No

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java• AWS SDK for Ruby V2

API Version 2014-11-01139

https://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html
https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/GrantConstraints
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/GrantConstraints
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/GrantConstraints
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/GrantConstraints
Page 148: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceGrantListEntry

GrantListEntryContains information about an entry in a list of grants.

ContentsNoteIn the following list, the required parameters are described first.

Constraints

A list of key-value pairs that must be present in the encryption context of certain subsequentoperations that the grant allows.

Type: GrantConstraints (p. 139) object

Required: NoCreationDate

The date and time when the grant was created.

Type: Timestamp

Required: NoGranteePrincipal

The principal that receives the grant's permissions.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Required: NoGrantId

The unique identifier for the grant.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Required: NoIssuingAccount

The AWS account under which the grant was issued.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Required: NoKeyId

The unique identifier for the customer master key (CMK) to which the grant applies.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

API Version 2014-11-01140

Page 149: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceSee Also

Required: NoName

The friendly name that identifies the grant. If a name was provided in the CreateGrant (p. 10)request, that name is returned. Otherwise this value is null.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^[a-zA-Z0-9:/_-]+$

Required: NoOperations

The list of operations permitted by the grant.

Type: Array of strings

Valid Values: Decrypt | Encrypt | GenerateDataKey |GenerateDataKeyWithoutPlaintext | ReEncryptFrom | ReEncryptTo | CreateGrant| RetireGrant | DescribeKey

Required: NoRetiringPrincipal

The principal that can retire the grant.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Required: No

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java• AWS SDK for Ruby V2

API Version 2014-11-01141

https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/GrantListEntry
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/GrantListEntry
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/GrantListEntry
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/GrantListEntry
Page 150: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceKeyListEntry

KeyListEntryContains information about each entry in the key list.

ContentsNoteIn the following list, the required parameters are described first.

KeyArn

ARN of the key.

Type: String

Length Constraints: Minimum length of 20. Maximum length of 2048.

Required: NoKeyId

Unique identifier of the key.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: No

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java• AWS SDK for Ruby V2

API Version 2014-11-01142

https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/KeyListEntry
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/KeyListEntry
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/KeyListEntry
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/KeyListEntry
Page 151: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceKeyMetadata

KeyMetadataContains metadata about a customer master key (CMK).

This data type is used as a response element for the CreateKey (p. 15) and DescribeKey (p. 30)operations.

ContentsNoteIn the following list, the required parameters are described first.

KeyId

The globally unique identifier for the CMK.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: YesArn

The Amazon Resource Name (ARN) of the CMK. For examples, see AWS Key Management Service(AWS KMS) in the Example ARNs section of the AWS General Reference.

Type: String

Length Constraints: Minimum length of 20. Maximum length of 2048.

Required: NoAWSAccountId

The twelve-digit account ID of the AWS account that owns the CMK.

Type: String

Required: NoCreationDate

The date and time when the CMK was created.

Type: Timestamp

Required: NoDeletionDate

The date and time after which AWS KMS deletes the CMK. This value is present only when KeyStateis PendingDeletion, otherwise this value is omitted.

Type: Timestamp

Required: NoDescription

The description of the CMK.

Type: String

API Version 2014-11-01143

https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-kms
https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-kms
Page 152: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceContents

Length Constraints: Minimum length of 0. Maximum length of 8192.

Required: NoEnabled

Specifies whether the CMK is enabled. When KeyState is Enabled this value is true, otherwise it isfalse.

Type: Boolean

Required: NoExpirationModel

Specifies whether the CMK's key material expires. This value is present only when Origin isEXTERNAL, otherwise this value is omitted.

Type: String

Valid Values: KEY_MATERIAL_EXPIRES | KEY_MATERIAL_DOES_NOT_EXPIRE

Required: NoKeyManager

The CMK's manager. CMKs are either customer-managed or AWS-managed. For more informationabout the difference, see Customer Master Keys in the AWS Key Management Service Developer Guide.

Type: String

Valid Values: AWS | CUSTOMER

Required: NoKeyState

The state of the CMK.

For more information about how key state affects the use of a CMK, see How Key State Affects theUse of a Customer Master Key in the AWS Key Management Service Developer Guide.

Type: String

Valid Values: Enabled | Disabled | PendingDeletion | PendingImport

Required: NoKeyUsage

The cryptographic operations for which you can use the CMK. Currently the only allowed value isENCRYPT_DECRYPT, which means you can use the CMK for the Encrypt (p. 46) and Decrypt (p. 20)operations.

Type: String

Valid Values: ENCRYPT_DECRYPT

Required: NoOrigin

The source of the CMK's key material. When this value is AWS_KMS, AWS KMS created the keymaterial. When this value is EXTERNAL, the key material was imported from your existing keymanagement infrastructure or the CMK lacks key material.

API Version 2014-11-01144

https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
Page 153: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceSee Also

Type: String

Valid Values: AWS_KMS | EXTERNAL

Required: NoValidTo

The time at which the imported key material expires. When the key material expires, AWS KMSdeletes the key material and the CMK becomes unusable. This value is present only for CMKs whoseOrigin is EXTERNAL and whose ExpirationModel is KEY_MATERIAL_EXPIRES, otherwise thisvalue is omitted.

Type: Timestamp

Required: No

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java• AWS SDK for Ruby V2

API Version 2014-11-01145

https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/KeyMetadata
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/KeyMetadata
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/KeyMetadata
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/KeyMetadata
Page 154: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API ReferenceTag

TagA key-value pair. A tag consists of a tag key and a tag value. Tag keys and tag values are both required,but tag values can be empty (null) strings.

For information about the rules that apply to tag keys and tag values, see User-Defined Tag Restrictionsin the AWS Billing and Cost Management User Guide.

ContentsNoteIn the following list, the required parameters are described first.

TagKey

The key of the tag.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 128.

Required: YesTagValue

The value of the tag.

Type: String

Length Constraints: Minimum length of 0. Maximum length of 256.

Required: Yes

See AlsoFor more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS SDK for C++• AWS SDK for Go• AWS SDK for Java• AWS SDK for Ruby V2

API Version 2014-11-01146

https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/allocation-tag-restrictions.html
https://docs.aws.amazon.com/goto/SdkForCpp/kms-2014-11-01/Tag
https://docs.aws.amazon.com/goto/SdkForGoV1/kms-2014-11-01/Tag
https://docs.aws.amazon.com/goto/SdkForJava/kms-2014-11-01/Tag
https://docs.aws.amazon.com/goto/SdkForRubyV2/kms-2014-11-01/Tag
Page 155: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API Reference

Common ParametersThe following list contains the parameters that all actions use for signing Signature Version 4 requestswith a query string. Any action-specific parameters are listed in the topic for that action. For moreinformation about Signature Version 4, see Signature Version 4 Signing Process in the Amazon WebServices General Reference.

Action

The action to be performed.

Type: string

Required: YesVersion

The API version that the request is written for, expressed in the format YYYY-MM-DD.

Type: string

Required: YesX-Amz-Algorithm

The hash algorithm that you used to create the request signature.

Condition: Specify this parameter when you include authentication information in a query stringinstead of in the HTTP authorization header.

Type: string

Valid Values: AWS4-HMAC-SHA256

Required: ConditionalX-Amz-Credential

The credential scope value, which is a string that includes your access key, the date, the region youare targeting, the service you are requesting, and a termination string ("aws4_request"). The value isexpressed in the following format: access_key/YYYYMMDD/region/service/aws4_request.

For more information, see Task 2: Create a String to Sign for Signature Version 4 in the Amazon WebServices General Reference.

Condition: Specify this parameter when you include authentication information in a query stringinstead of in the HTTP authorization header.

Type: string

Required: ConditionalX-Amz-Date

The date that is used to create the signature. The format must be ISO 8601 basic format(YYYYMMDD'T'HHMMSS'Z'). For example, the following date time is a valid X-Amz-Date value:20120325T120000Z.

Condition: X-Amz-Date is optional for all requests; it can be used to override the date used forsigning requests. If the Date header is specified in the ISO 8601 basic format, X-Amz-Date is

API Version 2014-11-01147

http://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
http://docs.aws.amazon.com/general/latest/gr/sigv4-create-string-to-sign.html
Page 156: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API Reference

not required. When X-Amz-Date is used, it always overrides the value of the Date header. Formore information, see Handling Dates in Signature Version 4 in the Amazon Web Services GeneralReference.

Type: string

Required: ConditionalX-Amz-Security-Token

The temporary security token that was obtained through a call to AWS Security Token Service (AWSSTS). For a list of services that support temporary security credentials from AWS Security TokenService, go to AWS Services That Work with IAM in the IAM User Guide.

Condition: If you're using temporary security credentials from the AWS Security Token Service, youmust include the security token.

Type: string

Required: ConditionalX-Amz-Signature

Specifies the hex-encoded signature that was calculated from the string to sign and the derivedsigning key.

Condition: Specify this parameter when you include authentication information in a query stringinstead of in the HTTP authorization header.

Type: string

Required: ConditionalX-Amz-SignedHeaders

Specifies all the HTTP headers that were included as part of the canonical request. For moreinformation about specifying signed headers, see Task 1: Create a Canonical Request For SignatureVersion 4 in the Amazon Web Services General Reference.

Condition: Specify this parameter when you include authentication information in a query stringinstead of in the HTTP authorization header.

Type: string

Required: Conditional

API Version 2014-11-01148

http://docs.aws.amazon.com/general/latest/gr/sigv4-date-handling.html
http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html
http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
Page 157: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API Reference

Common ErrorsThis section lists the errors common to the API actions of all AWS services. For errors specific to an APIaction for this service, see the topic for that API action.

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400IncompleteSignature

The request signature does not conform to AWS standards.

HTTP Status Code: 400InternalFailure

The request processing has failed because of an unknown error, exception or failure.

HTTP Status Code: 500InvalidAction

The action or operation requested is invalid. Verify that the action is typed correctly.

HTTP Status Code: 400InvalidClientTokenId

The X.509 certificate or AWS access key ID provided does not exist in our records.

HTTP Status Code: 403InvalidParameterCombination

Parameters that must not be used together were used together.

HTTP Status Code: 400InvalidParameterValue

An invalid or out-of-range value was supplied for the input parameter.

HTTP Status Code: 400InvalidQueryParameter

The AWS query string is malformed or does not adhere to AWS standards.

HTTP Status Code: 400MalformedQueryString

The query string contains a syntax error.

HTTP Status Code: 404MissingAction

The request is missing an action or a required parameter.

HTTP Status Code: 400

API Version 2014-11-01149

Page 158: AWS Key Management Service - docs.aws. · PDF fileAWS KMS, see the AWS Key Management Service Developer Guide. ... • AWS Security Credentials ... This set of topics walks you through

AWS Key Management Service API Reference

MissingAuthenticationToken

The request must contain either a valid (registered) AWS access key ID or X.509 certificate.

HTTP Status Code: 403MissingParameter

A required parameter for the specified action is not supplied.

HTTP Status Code: 400OptInRequired

The AWS access key ID needs a subscription for the service.

HTTP Status Code: 403RequestExpired

The request reached the service more than 15 minutes after the date stamp on the request or morethan 15 minutes after the request expiration date (such as for pre-signed URLs), or the date stampon the request is more than 15 minutes in the future.

HTTP Status Code: 400ServiceUnavailable

The request has failed due to a temporary failure of the server.

HTTP Status Code: 503ThrottlingException

The request was denied due to request throttling.

HTTP Status Code: 400ValidationError

The input fails to satisfy the constraints specified by an AWS service.

HTTP Status Code: 400

API Version 2014-11-01150


MASTER APP - AWS · PDF fileAWS MEMBERSHIP APPLICATION 4 Easy Ways to Join or Renew: E) Mail this form, along with your payment, to AWS ... Vol. 2) Welding Handbook (9th Ed., Vol

AWS Database Migration Service User Guide · PDF fileAWS Database Migration Service User Guide Version API Version 2016-01-01

AWS Toolkit for Eclipse - docs.aws. · PDF fileAssociate Private Keys with Your Amazon EC2 Key Pairs ... • AWS Toolkit for Eclipse Core (in the AWS Core Management Tools section)

Amazon Web Services - docs.aws. · PDF fileAmazon Mechanical Turk ... Límites de Amazon Machine Learning (Amazon ML)..... 232 Límites de AWS Elemental MediaConvert

CODE CLINIC - · PDF fileAWS Code Clinic Reference Manual—AWS D1.1/D1.1M: 2010 FOREWORD AWS Education Services publishes the AWS Code Clinic Workbook to guide and assist

AWS CodeBuild - User Guide · PDF fileAWS CodeBuild User Guide How to Run AWS CodeBuild What Is AWS CodeBuild? AWS CodeBuild is a fully managed build service in the cloud. AWS CodeBuild

Specification for AWS Certification of Robotic Arc Welding ... · PDF fileAWS D8.8, Specification for Automotive and Light Truck Weld Quality: Arc Welding AWS D16.2, Standard for Components

AWS Directory Service · PDF fileAWS Directory Service Administration Guide Which to Choose What Is AWS Directory Service? AWS Directory Service provides multiple ways to use Amazon

AWS CodeStar - User Guide · PDF fileAWS CodeStar User Guide How Do I Get Started with AWS CodeStar? In this example, a project pipeline in AWS CodePipeline ensures that each code

AWS X-Ray - API Reference · PDF fileAWS X-Ray API Reference Welcome AWS X-Ray provides APIs for managing debug traces and retrieving service maps and other data created by processing

Standard for AWS Certification of Welding Inspectors · PDF fileAWS Certification of Welding Inspectors Supersedes AWS QC1-96 Prepared by the American Welding Society ... and Certified

ERIKS - Böhler Welding Catalogue | ERIKS · PDF fileAWS A5.1-04: E6013 BÖHLER Standard EN AWS Welding process Typical mechanical properties

Product Advertising API - docs.aws. · PDF fileManaging your Existing AWS Security Credentials for the Product Advertising API ... Use Your Associate Tag in Product Advertising API

img0. · PDF fileAWS WELDING ELECTRODE CLASSIFICATIONS Classification: AWS A5.9 ER308, ER308H, ER308L, ER308LSi, ER309, ... Welding

AWS DEVELOPER ASSOCIATE LEVEL REVISION · PDF fileaws developer associate level revision notes for associate level aws developer associate level revision notes revision notes for preparing

Understanding AWS Storage Options - · PDF fileAWS Foundation Services AWS FoundationServices Compute Storage Database Networking AWS Global Infrastructure Regions AvailabilityZones

AWS IoT Developer Guide - GitHub · PDF fileAWS IoT Developer Guide How AWS IoT Works. Quickstart for AWS IoT In this e xercise , you will use the A WS CLI to connect a thing to A

Standardized Architecture for CJIS-based Assurance ... · PDF fileAWS Compliance Standardized Architecture for CJIS-based Assurance Frameworks in the AWS Cloud Quick Start Reference

AWS WAF and AWS Shield Advanced - Developer Guide · PDF fileAWS WAF and AWS Shield Advanced Developer Guide AWS Shield WAF and your other AWS services. For added protection against

AWS SDK for - Cloud Storage — AWS - s3.cn-north-1 ... · PDF fileAWS SDK for .NET Developer Guide The AWS SDK for .NET is a single downloadable package that includes Visual Studio

AWS Mobile SDK - AWS Documentation · PDF fileAWS Mobile SDK Xamarin Developer Guide Table of Contents What is the AWS Mobile SDK for .NET and Xamarin

AWS Public Sector Jerusalem | 19 Nov 2014 AWS Service ... · PDF fileAWS Public Sector Jerusalem | 19 Nov 2014! AWS Service Drill ... • Can use to create RAID configuration for

Cost Management AWS Billing and - docs.aws. · PDF fileAWS Billing and Cost Management Guia do usuário Table of Contents O que é AWS Billing and Cost Management

AWS Database Migration Service - docs.aws. Database Migration Service API Reference Table of Contents ... • AWS SDK for Ruby V2 API Version 2016-01-01 5. AWS Database Migration Service

AWS Managed Service Program - · PDF fileAWS Managed Service Program Partner Validation Checklist ... AWS Certified Solutions Architect – Professional; AWS Certified SysOps Administrator

HPC on AWS - mdx2.plm. · PDF fileAWS. ut those did not satisfy HGST’s requirement. ₋CIO Steve Phillpott recommended AWS for HPC. He had much experience of HPC on AWS at life-science

AWS Welding/Fabrication Quality Manual Sample · PDF fileAWS Welding/Fabrication Quality Manual Sample ... 5 Welding standards AWS B2.1/B2.1M Specification for Welding Procedure and

AWS User Guide to Financial Services Regulations ... · PDF fileAWS User Guide to Financial Services Regulations & Guidelines in ... standards. This code of practice ... AWS User Guide

AWS IoT - 开发人员指南 · PDF fileaws iot 开发人员指南 创建 aws iot 规则

AWS Snowball - Developer Guide · PDF fileAWS Snowball Developer Guide Manual Data Validation for Snowball Edge After Import into Amazon S3 ..... 88

AWS and Quality Assurance in Architectural · PDF fileAWS and Quality Assurance in Architectural Woodwork William A. Munyan, AIA, ... (AWS) Design Solutions ... (Architect/GC/Owner)

CODE CLINIC - AWS Bookstore · PDF fileAWS Code Clinic Reference Manual—AWS D1.1/D1.1M: 2010 FOREWORD AWS Education Services publishes the AWS Code Clinic Workbook to guide and assist

AWS Solutions Architect (Associate) Exam Course · PDF fileAWS Solutions Architect (Associate) Exam Course Manual The Orion Papers Enter

AWS Criminal Justice Information Services (CJIS) Workbook · PDF fileAWS . Criminal Justice Information Services (CJIS) Workbook November 2015 (CJIS Security Policy Version 5.4)

AWS Lambda - Developer Guide · PDF fileAWS Lambda Developer Guide When should I Use Lambda? What Is AWS Lambda? AWS Lambda is a compute service that lets you run code without provisioning