Jump to Content

New API Documentation - Developer Preview Available

We are excited to announce the developer preview of our new API documentation for AWS SDK for JavaScript v3. Please follow instructions on the landing page to leave us your feedback.

Class ReplicateKeyCommandProtected

Replicates a multi-Region key into the specified Region. This operation creates a multi-Region replica key based on a multi-Region primary key in a different Region of the same Amazon Web Services partition. You can create multiple replicas of a primary key, but each must be in a different Region. To create a multi-Region primary key, use the CreateKey operation.

This operation supports multi-Region keys, an KMS feature that lets you create multiple interoperable KMS keys in different Amazon Web Services Regions. Because these KMS keys have the same key ID, key material, and other metadata, you can use them interchangeably to encrypt data in one Amazon Web Services Region and decrypt it in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more information about multi-Region keys, see Multi-Region keys in KMS in the Key Management Service Developer Guide.

A replica key is a fully-functional KMS key that can be used independently of its primary and peer replica keys. A primary key and its replica keys share properties that make them interoperable. They have the same key ID and key material. They also have the same key spec, key usage, key material origin, and automatic key rotation status. KMS automatically synchronizes these shared properties among related multi-Region keys. All other properties of a replica key can differ, including its key policy, tags, aliases, and Key states of KMS keys. KMS pricing and quotas for KMS keys apply to each primary key and replica key.

When this operation completes, the new replica key has a transient key state of Creating. This key state changes to Enabled (or PendingImport) after a few seconds when the process of creating the new replica key is complete. While the key state is Creating, you can manage key, but you cannot yet use it in cryptographic operations. If you are creating and using the replica key programmatically, retry on KMSInvalidStateException or call DescribeKey to check its KeyState value before using it. For details about the Creating key state, see Key states of KMS keys in the Key Management Service Developer Guide.

You cannot create more than one replica of a primary key in any Region. If the Region already includes a replica of the key you're trying to replicate, ReplicateKey returns an AlreadyExistsException error. If the key state of the existing replica is PendingDeletion, you can cancel the scheduled key deletion (CancelKeyDeletion) or wait for the key to be deleted. The new replica key you create will have the same shared properties as the original replica key.

The CloudTrail log of a ReplicateKey operation records a ReplicateKey operation in the primary key's Region and a CreateKey operation in the replica key's Region.

If you replicate a multi-Region primary key with imported key material, the replica key is created with no key material. You must import the same key material that you imported into the primary key. For details, see Importing key material into multi-Region keys in the Key Management Service Developer Guide.

To convert a replica key to a primary key, use the UpdatePrimaryRegion operation.

ReplicateKey uses different default values for the KeyPolicy and Tags parameters than those used in the KMS console. For details, see the parameter descriptions.

Cross-account use: No. You cannot use this operation to create a replica key in a different Amazon Web Services account.

Required permissions:

  • kms:ReplicateKey on the primary key (in the primary key's Region). Include this permission in the primary key's key policy.

  • kms:CreateKey in an IAM policy in the replica Region.

  • To use the Tags parameter, kms:TagResource in an IAM policy in the replica Region.

Related operations

Example

Use a bare-bones client and the command you need to make an API call.

import { KMSClient, ReplicateKeyCommand } from "@aws-sdk/client-kms"; // ES Modules import
// const { KMSClient, ReplicateKeyCommand } = require("@aws-sdk/client-kms"); // CommonJS import
const client = new KMSClient(config);
const input = { // ReplicateKeyRequest
  KeyId: "STRING_VALUE", // required
  ReplicaRegion: "STRING_VALUE", // required
  Policy: "STRING_VALUE",
  BypassPolicyLockoutSafetyCheck: true || false,
  Description: "STRING_VALUE",
  Tags: [ // TagList
    { // Tag
      TagKey: "STRING_VALUE", // required
      TagValue: "STRING_VALUE", // required
    },
  ],
};
const command = new ReplicateKeyCommand(input);
const response = await client.send(command);
// { // ReplicateKeyResponse
//   ReplicaKeyMetadata: { // KeyMetadata
//     AWSAccountId: "STRING_VALUE",
//     KeyId: "STRING_VALUE", // required
//     Arn: "STRING_VALUE",
//     CreationDate: new Date("TIMESTAMP"),
//     Enabled: true || false,
//     Description: "STRING_VALUE",
//     KeyUsage: "SIGN_VERIFY" || "ENCRYPT_DECRYPT" || "GENERATE_VERIFY_MAC",
//     KeyState: "Creating" || "Enabled" || "Disabled" || "PendingDeletion" || "PendingImport" || "PendingReplicaDeletion" || "Unavailable" || "Updating",
//     DeletionDate: new Date("TIMESTAMP"),
//     ValidTo: new Date("TIMESTAMP"),
//     Origin: "AWS_KMS" || "EXTERNAL" || "AWS_CLOUDHSM" || "EXTERNAL_KEY_STORE",
//     CustomKeyStoreId: "STRING_VALUE",
//     CloudHsmClusterId: "STRING_VALUE",
//     ExpirationModel: "KEY_MATERIAL_EXPIRES" || "KEY_MATERIAL_DOES_NOT_EXPIRE",
//     KeyManager: "AWS" || "CUSTOMER",
//     CustomerMasterKeySpec: "RSA_2048" || "RSA_3072" || "RSA_4096" || "ECC_NIST_P256" || "ECC_NIST_P384" || "ECC_NIST_P521" || "ECC_SECG_P256K1" || "SYMMETRIC_DEFAULT" || "HMAC_224" || "HMAC_256" || "HMAC_384" || "HMAC_512" || "SM2",
//     KeySpec: "RSA_2048" || "RSA_3072" || "RSA_4096" || "ECC_NIST_P256" || "ECC_NIST_P384" || "ECC_NIST_P521" || "ECC_SECG_P256K1" || "SYMMETRIC_DEFAULT" || "HMAC_224" || "HMAC_256" || "HMAC_384" || "HMAC_512" || "SM2",
//     EncryptionAlgorithms: [ // EncryptionAlgorithmSpecList
//       "SYMMETRIC_DEFAULT" || "RSAES_OAEP_SHA_1" || "RSAES_OAEP_SHA_256" || "SM2PKE",
//     ],
//     SigningAlgorithms: [ // SigningAlgorithmSpecList
//       "RSASSA_PSS_SHA_256" || "RSASSA_PSS_SHA_384" || "RSASSA_PSS_SHA_512" || "RSASSA_PKCS1_V1_5_SHA_256" || "RSASSA_PKCS1_V1_5_SHA_384" || "RSASSA_PKCS1_V1_5_SHA_512" || "ECDSA_SHA_256" || "ECDSA_SHA_384" || "ECDSA_SHA_512" || "SM2DSA",
//     ],
//     MultiRegion: true || false,
//     MultiRegionConfiguration: { // MultiRegionConfiguration
//       MultiRegionKeyType: "PRIMARY" || "REPLICA",
//       PrimaryKey: { // MultiRegionKey
//         Arn: "STRING_VALUE",
//         Region: "STRING_VALUE",
//       },
//       ReplicaKeys: [ // MultiRegionKeyList
//         {
//           Arn: "STRING_VALUE",
//           Region: "STRING_VALUE",
//         },
//       ],
//     },
//     PendingDeletionWindowInDays: Number("int"),
//     MacAlgorithms: [ // MacAlgorithmSpecList
//       "HMAC_SHA_224" || "HMAC_SHA_256" || "HMAC_SHA_384" || "HMAC_SHA_512",
//     ],
//     XksKeyConfiguration: { // XksKeyConfigurationType
//       Id: "STRING_VALUE",
//     },
//   },
//   ReplicaPolicy: "STRING_VALUE",
//   ReplicaTags: [ // TagList
//     { // Tag
//       TagKey: "STRING_VALUE", // required
//       TagValue: "STRING_VALUE", // required
//     },
//   ],
// };

Param

ReplicateKeyCommandInput

Returns

ReplicateKeyCommandOutput

See

Throws

AlreadyExistsException (client fault)

The request was rejected because it attempted to create a resource that already exists.

Throws

DisabledException (client fault)

The request was rejected because the specified KMS key is not enabled.

Throws

InvalidArnException (client fault)

The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.

Throws

KMSInternalException (server fault)

The request was rejected because an internal exception occurred. The request can be retried.

Throws

KMSInvalidStateException (client fault)

The request was rejected because the state of the specified resource is not valid for this request.

This exceptions means one of the following:

  • The key state of the KMS key is not compatible with the operation.

    To find the key state, use the DescribeKey operation. For more information about which key states are compatible with each KMS operation, see Key states of KMS keys in the Key Management Service Developer Guide .

  • For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.

Throws

LimitExceededException (client fault)

The request was rejected because a quota was exceeded. For more information, see Quotas in the Key Management Service Developer Guide.

Throws

MalformedPolicyDocumentException (client fault)

The request was rejected because the specified policy is not syntactically or semantically correct.

Throws

NotFoundException (client fault)

The request was rejected because the specified entity or resource could not be found.

Throws

TagException (client fault)

The request was rejected because one or more tags are not valid.

Throws

UnsupportedOperationException (client fault)

The request was rejected because a specified parameter is not supported or a specified resource is not valid for this operation.

Throws

KMSServiceException

Base exception class for all service exceptions from KMS service.

Example

To replicate a multi-Region key in a different AWS Region

// This example creates a multi-Region replica key in us-west-2 of a multi-Region primary key in us-east-1.
const input = {
  "KeyId": "arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
  "ReplicaRegion": "us-west-2"
};
const command = new ReplicateKeyCommand(input);
const response = await client.send(command);
/* response ==
{
  "ReplicaKeyMetadata": {
    "AWSAccountId": "111122223333",
    "Arn": "arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
    "CreationDate": 1607472987.918,
    "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
    "Description": "",
    "Enabled": true,
    "EncryptionAlgorithms": [
      "SYMMETRIC_DEFAULT"
    ],
    "KeyId": "mrk-1234abcd12ab34cd56ef1234567890ab",
    "KeyManager": "CUSTOMER",
    "KeyState": "Enabled",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "MultiRegion": true,
    "MultiRegionConfiguration": {
      "MultiRegionKeyType": "REPLICA",
      "PrimaryKey": {
        "Arn": "arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
        "Region": "us-east-1"
      },
      "ReplicaKeys": [
        {
          "Arn": "arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
          "Region": "us-west-2"
        }
      ]
    },
    "Origin": "AWS_KMS"
  },
  "ReplicaPolicy": "{\n  \"Version\" : \"2012-10-17\",\n  \"Id\" : \"key-default-1\",...}",
  "ReplicaTags": []
}
*/
// example id: to-replicate-a-multi-region-key-in-a-different-aws-region-1628622402887

Hierarchy

Constructors

constructor

Properties

input middlewareStack

Methods

getEndpointParameterInstructions

Constructors

constructor

Properties

Readonly input

input: ReplicateKeyCommandInput

Readonly middlewareStack

middlewareStack: MiddlewareStack<ReplicateKeyCommandInput, ReplicateKeyCommandOutput>

Methods

Static getEndpointParameterInstructions

Settings

Member Visibility

Theme