New API Documentation - Developer Preview Available
We are excited to announce the developer preview of our new API documentation for AWS SDK for JavaScript v3. Please follow instructions on the landing page to leave us your feedback.
Changes the properties of a custom key store. You can use this operation to change the
properties of an CloudHSM key store or an external key store.
Use the required CustomKeyStoreId parameter to identify the custom key store.
Use the remaining optional parameters to change its properties. This operation does not return
any property values. To verify the updated property values, use the DescribeCustomKeyStores operation.
This operation is part of the custom key stores feature in KMS, which
combines the convenience and extensive integration of KMS with the isolation and control of a
key store that you own and manage.
When updating the properties of an external key store, verify that the updated settings
connect your key store, via the external key store proxy, to the same external key manager
as the previous settings, or to a backup or snapshot of the external key manager with the
same cryptographic keys. If the updated connection settings fail, you can fix them and
retry, although an extended delay might disrupt Amazon Web Services services. However, if KMS
permanently loses its access to cryptographic keys, ciphertext encrypted under those keys is
unrecoverable.
For external key stores:
Some external key managers provide a simpler method for updating an external key store.
For details, see your external key manager documentation.
When updating an external key store in the KMS console, you can upload a JSON-based
proxy configuration file with the desired values. You cannot upload the proxy configuration
file to the UpdateCustomKeyStore operation. However, you can use the file to
help you determine the correct values for the UpdateCustomKeyStore
parameters.
For an CloudHSM key store, you can use this operation to change the custom key store friendly
name (NewCustomKeyStoreName), to tell KMS about a change to the
kmsuser crypto user password (KeyStorePassword), or to associate
the custom key store with a different, but related, CloudHSM cluster
(CloudHsmClusterId). To update any property of an CloudHSM key store, the
ConnectionState of the CloudHSM key store must be DISCONNECTED.
For an external key store, you can use this operation to change the custom key store
friendly name (NewCustomKeyStoreName), or to tell KMS about a change to the
external key store proxy authentication credentials
(XksProxyAuthenticationCredential), connection method
(XksProxyConnectivity), external proxy endpoint
(XksProxyUriEndpoint) and path (XksProxyUriPath). For external key
stores with an XksProxyConnectivity of VPC_ENDPOINT_SERVICE, you can
also update the Amazon VPC endpoint service name (XksProxyVpcEndpointServiceName). To
update most properties of an external key store, the ConnectionState of the
external key store must be DISCONNECTED. However, you can update the
CustomKeyStoreName, XksProxyAuthenticationCredential, and
XksProxyUriPath of an external key store when it is in the CONNECTED or
DISCONNECTED state.
If your update requires a DISCONNECTED state, before using
UpdateCustomKeyStore, use the DisconnectCustomKeyStore
operation to disconnect the custom key store. After the UpdateCustomKeyStore
operation completes, use the ConnectCustomKeyStore to reconnect the custom
key store. To find the ConnectionState of the custom key store, use the DescribeCustomKeyStores operation.
Before updating the custom key store, verify that the new values allow KMS to connect
the custom key store to its backing key store. For example, before you change the
XksProxyUriPath value, verify that the external key store proxy is reachable at
the new path.
If the operation succeeds, it returns a JSON object with no
properties.
Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account.
The request was rejected because the associated CloudHSM cluster did not meet the
configuration requirements for an CloudHSM key store.
The CloudHSM cluster must be configured with private subnets in at least two different
Availability Zones in the Region.
The security group for
the cluster (cloudhsm-cluster--sg) must
include inbound rules and outbound rules that allow TCP traffic on ports 2223-2225. The
Source in the inbound rules and the Destination in the outbound rules must match the security group
ID. These rules are set by default when you create the CloudHSM cluster. Do not delete or
change them. To get information about a particular security group, use the DescribeSecurityGroups operation.
The CloudHSM cluster must contain at least as many HSMs as the operation requires. To add
HSMs, use the CloudHSM CreateHsm operation.
For information about the requirements for an CloudHSM cluster that is associated with an
CloudHSM key store, see Assemble the Prerequisites
in the Key Management Service Developer Guide. For information about creating a private subnet for an CloudHSM cluster,
see Create a Private
Subnet in the CloudHSM User Guide. For information about cluster security groups, see
Configure a Default Security
Group in the CloudHSM User Guide.
The request was rejected because the CloudHSM cluster associated with the CloudHSM key store is
not active. Initialize and activate the cluster and try the command again. For detailed
instructions, see Getting
Started in the CloudHSM User Guide.
The request was rejected because the specified CloudHSM cluster has a different cluster
certificate than the original cluster. You cannot use the operation to specify an unrelated
cluster for an CloudHSM key store.
Specify an CloudHSM cluster that shares a backup history with the original cluster. This
includes clusters that were created from a backup of the current cluster, and clusters that
were created from the same backup that produced the current cluster.
CloudHSM clusters that share a backup history have the same cluster certificate. To view the
cluster certificate of an CloudHSM cluster, use the DescribeClusters operation.
The request was rejected because of the ConnectionState of the custom key
store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores operation.
This exception is thrown under the following conditions:
You requested the ConnectCustomKeyStore operation on a custom key
store with a ConnectionState of DISCONNECTING or
FAILED. This operation is valid for all other ConnectionState
values. To reconnect a custom key store in a FAILED state, disconnect it
(DisconnectCustomKeyStore), then connect it
(ConnectCustomKeyStore).
You requested the CreateKey operation in a custom key store that is
not connected. This operations is valid only when the custom key store
ConnectionState is CONNECTED.
You requested the DisconnectCustomKeyStore operation on a custom key
store with a ConnectionState of DISCONNECTING or
DISCONNECTED. This operation is valid for all other
ConnectionState values.
You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation on a custom key store that is not
disconnected. This operation is valid only when the custom key store
ConnectionState is DISCONNECTED.
You requested the GenerateRandom operation in an CloudHSM key store
that is not connected. This operation is valid only when the CloudHSM key store
ConnectionState is CONNECTED.
The request was rejected because the specified custom key store name is already assigned
to another custom key store in the account. Try again with a custom key store name that is
unique in the account.
The request was rejected because the proxy credentials failed to authenticate to the
specified external key store proxy. The specified external key store proxy rejected a status
request from KMS due to invalid credentials. This can indicate an error in the credentials
or in the identification of the external key store proxy.
The request was rejected because the Amazon VPC endpoint service configuration does not fulfill
the requirements for an external key store proxy. For details, see the exception
message.
KMS cannot interpret the response it received from the external key store proxy. The
problem might be a poorly constructed response, but it could also be a transient network
issue. If you see this error repeatedly, report it to the proxy vendor.
The request was rejected because the concatenation of the XksProxyUriEndpoint
is already associated with an external key store in the Amazon Web Services account and Region. Each
external key store in an account and Region must use a unique external key store proxy
address.
The request was rejected because the concatenation of the XksProxyUriEndpoint
and XksProxyUriPath is already associated with an external key store in the
Amazon Web Services account and Region. Each external key store in an account and Region must use a unique
external key store proxy API address.
KMS was unable to reach the specified XksProxyUriPath. The path must be
reachable before you create the external key store or update its settings.
This exception is also thrown when the external key store proxy response to a GetHealthStatus
request indicates that all external key manager instances are unavailable.
The request was rejected because the specified Amazon VPC endpoint service is already
associated with an external key store in the Amazon Web Services account and Region. Each external key store
in an Amazon Web Services account and Region must use a different Amazon VPC endpoint service.
The request was rejected because the Amazon VPC endpoint service configuration does not fulfill
the requirements for an external key store proxy. For details, see the exception message and
review the requirements for Amazon VPC endpoint service connectivity for an external key
store.
The request was rejected because KMS could not find the specified VPC endpoint service.
Use DescribeCustomKeyStores to verify the VPC endpoint service name for the
external key store. Also, confirm that the Allow principals list for the VPC
endpoint service includes the KMS service principal for the Region, such as
cks.kms.us-east-1.amazonaws.com.
Base exception class for all service exceptions from KMS service.
Example
To edit the friendly name of a custom key store
// This example changes the friendly name of the AWS KMS custom key store to the name that you specify. This operation does not return any data. To verify that the operation worked, use the DescribeCustomKeyStores operation. constinput = { "CustomKeyStoreId":"cks-1234567890abcdef0", "NewCustomKeyStoreName":"DevelopmentKeys" }; constcommand = newUpdateCustomKeyStoreCommand(input); awaitclient.send(command); // example id: to-edit-the-friendly-name-of-a-custom-key-store-1
Example
To edit the password of an AWS CloudHSM key store
// This example tells AWS KMS the password for the kmsuser crypto user in the AWS CloudHSM cluster that is associated with the AWS KMS custom key store. (It does not change the password in the CloudHSM cluster.) This operation does not return any data. constinput = { "CustomKeyStoreId":"cks-1234567890abcdef0", "KeyStorePassword":"ExamplePassword" }; constcommand = newUpdateCustomKeyStoreCommand(input); awaitclient.send(command); // example id: to-edit-the-properties-of-an-aws-cloudhsm-key-store-2
Example
To associate the custom key store with a different, but related, AWS CloudHSM cluster.
// This example changes the AWS CloudHSM cluster that is associated with an AWS CloudHSM key store to a related cluster, such as a different backup of the same cluster. This operation does not return any data. To verify that the operation worked, use the DescribeCustomKeyStores operation. constinput = { "CloudHsmClusterId":"cluster-234abcdefABC", "CustomKeyStoreId":"cks-1234567890abcdef0" }; constcommand = newUpdateCustomKeyStoreCommand(input); awaitclient.send(command); // example id: to-associate-the-custom-key-store-with-a-different-but-related-aws-cloudhsm-cluster-3
Example
To update the proxy authentication credential of an external key store
// To update the proxy authentication credential for your external key store, specify both the <code>RawSecretAccessKey</code> and the <code>AccessKeyId</code>, even if you are changing only one of the values. You can use this feature to fix an invalid credential or to change the credential when the external key store proxy rotates it. constinput = { "CustomKeyStoreId":"cks-1234567890abcdef0", "XksProxyAuthenticationCredential": { "AccessKeyId":"ABCDE12345670EXAMPLE", "RawSecretAccessKey":"DXjSUawnel2fr6SKC7G25CNxTyWKE5PF9XX6H/u9pSo=" } }; constcommand = newUpdateCustomKeyStoreCommand(input); awaitclient.send(command); // example id: to-update-the-proxy-authentication-credential-of-an-external-key-store-4
Example
To edit the proxy URI path of an external key store.
// This example updates the proxy URI path for an external key store constinput = { "CustomKeyStoreId":"cks-1234567890abcdef0", "XksProxyUriPath":"/new-path/kms/xks/v1" }; constcommand = newUpdateCustomKeyStoreCommand(input); awaitclient.send(command); // example id: to-update-the-xks-proxy-api-path-of-an-external-key-store-5
Example
To update the proxy connectivity of an external key store to VPC_ENDPOINT_SERVICE
// To change the external key store proxy connectivity option from public endpoint connectivity to VPC endpoint service connectivity, in addition to changing the <code>XksProxyConnectivity</code> value, you must change the <code>XksProxyUriEndpoint</code> value to reflect the private DNS name associated with the VPC endpoint service. You must also add an <code>XksProxyVpcEndpointServiceName</code> value. constinput = { "CustomKeyStoreId":"cks-1234567890abcdef0", "XksProxyConnectivity":"VPC_ENDPOINT_SERVICE", "XksProxyUriEndpoint":"https://myproxy-private.xks.example.com", "XksProxyVpcEndpointServiceName":"com.amazonaws.vpce.us-east-1.vpce-svc-example" }; constcommand = newUpdateCustomKeyStoreCommand(input); awaitclient.send(command); // example id: to-update-the-proxy-connectivity-of-an-external-key-store-to-vpc_endpoint_service-6
Changes the properties of a custom key store. You can use this operation to change the properties of an CloudHSM key store or an external key store.
Use the required
CustomKeyStoreId
parameter to identify the custom key store. Use the remaining optional parameters to change its properties. This operation does not return any property values. To verify the updated property values, use the DescribeCustomKeyStores operation.This operation is part of the custom key stores feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of a key store that you own and manage.
When updating the properties of an external key store, verify that the updated settings connect your key store, via the external key store proxy, to the same external key manager as the previous settings, or to a backup or snapshot of the external key manager with the same cryptographic keys. If the updated connection settings fail, you can fix them and retry, although an extended delay might disrupt Amazon Web Services services. However, if KMS permanently loses its access to cryptographic keys, ciphertext encrypted under those keys is unrecoverable.
For external key stores:
Some external key managers provide a simpler method for updating an external key store. For details, see your external key manager documentation.
When updating an external key store in the KMS console, you can upload a JSON-based proxy configuration file with the desired values. You cannot upload the proxy configuration file to the
UpdateCustomKeyStore
operation. However, you can use the file to help you determine the correct values for theUpdateCustomKeyStore
parameters.For an CloudHSM key store, you can use this operation to change the custom key store friendly name (
NewCustomKeyStoreName
), to tell KMS about a change to thekmsuser
crypto user password (KeyStorePassword
), or to associate the custom key store with a different, but related, CloudHSM cluster (CloudHsmClusterId
). To update any property of an CloudHSM key store, theConnectionState
of the CloudHSM key store must beDISCONNECTED
.For an external key store, you can use this operation to change the custom key store friendly name (
NewCustomKeyStoreName
), or to tell KMS about a change to the external key store proxy authentication credentials (XksProxyAuthenticationCredential
), connection method (XksProxyConnectivity
), external proxy endpoint (XksProxyUriEndpoint
) and path (XksProxyUriPath
). For external key stores with anXksProxyConnectivity
ofVPC_ENDPOINT_SERVICE
, you can also update the Amazon VPC endpoint service name (XksProxyVpcEndpointServiceName
). To update most properties of an external key store, theConnectionState
of the external key store must beDISCONNECTED
. However, you can update theCustomKeyStoreName
,XksProxyAuthenticationCredential
, andXksProxyUriPath
of an external key store when it is in the CONNECTED or DISCONNECTED state.If your update requires a
DISCONNECTED
state, before usingUpdateCustomKeyStore
, use the DisconnectCustomKeyStore operation to disconnect the custom key store. After theUpdateCustomKeyStore
operation completes, use the ConnectCustomKeyStore to reconnect the custom key store. To find theConnectionState
of the custom key store, use the DescribeCustomKeyStores operation.Before updating the custom key store, verify that the new values allow KMS to connect the custom key store to its backing key store. For example, before you change the
XksProxyUriPath
value, verify that the external key store proxy is reachable at the new path.If the operation succeeds, it returns a JSON object with no properties.
Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account.
Required permissions: kms:UpdateCustomKeyStore (IAM policy)
Related operations:
ConnectCustomKeyStore
CreateCustomKeyStore
DeleteCustomKeyStore
DescribeCustomKeyStores
DisconnectCustomKeyStore
Example
Use a bare-bones client and the command you need to make an API call.
Param
UpdateCustomKeyStoreCommandInput
Returns
UpdateCustomKeyStoreCommandOutput
See
input
shape.response
shape.config
shape.Throws
CloudHsmClusterInvalidConfigurationException (client fault)
The request was rejected because the associated CloudHSM cluster did not meet the configuration requirements for an CloudHSM key store.
The CloudHSM cluster must be configured with private subnets in at least two different Availability Zones in the Region.
The security group for the cluster (cloudhsm-cluster- -sg) must
include inbound rules and outbound rules that allow TCP traffic on ports 2223-2225. The
Source in the inbound rules and the Destination in the outbound rules must match the security group
ID. These rules are set by default when you create the CloudHSM cluster. Do not delete or
change them. To get information about a particular security group, use the DescribeSecurityGroups operation.
The CloudHSM cluster must contain at least as many HSMs as the operation requires. To add HSMs, use the CloudHSM CreateHsm operation.
For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey operations, the CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone. For the ConnectCustomKeyStore operation, the CloudHSM must contain at least one active HSM.
For information about the requirements for an CloudHSM cluster that is associated with an CloudHSM key store, see Assemble the Prerequisites in the Key Management Service Developer Guide. For information about creating a private subnet for an CloudHSM cluster, see Create a Private Subnet in the CloudHSM User Guide. For information about cluster security groups, see Configure a Default Security Group in the CloudHSM User Guide .
Throws
CloudHsmClusterNotActiveException (client fault)
The request was rejected because the CloudHSM cluster associated with the CloudHSM key store is not active. Initialize and activate the cluster and try the command again. For detailed instructions, see Getting Started in the CloudHSM User Guide.
Throws
CloudHsmClusterNotFoundException (client fault)
The request was rejected because KMS cannot find the CloudHSM cluster with the specified cluster ID. Retry the request with a different cluster ID.
Throws
CloudHsmClusterNotRelatedException (client fault)
The request was rejected because the specified CloudHSM cluster has a different cluster certificate than the original cluster. You cannot use the operation to specify an unrelated cluster for an CloudHSM key store.
Specify an CloudHSM cluster that shares a backup history with the original cluster. This includes clusters that were created from a backup of the current cluster, and clusters that were created from the same backup that produced the current cluster.
CloudHSM clusters that share a backup history have the same cluster certificate. To view the cluster certificate of an CloudHSM cluster, use the DescribeClusters operation.
Throws
CustomKeyStoreInvalidStateException (client fault)
The request was rejected because of the
ConnectionState
of the custom key store. To get theConnectionState
of a custom key store, use the DescribeCustomKeyStores operation.This exception is thrown under the following conditions:
You requested the ConnectCustomKeyStore operation on a custom key store with a
ConnectionState
ofDISCONNECTING
orFAILED
. This operation is valid for all otherConnectionState
values. To reconnect a custom key store in aFAILED
state, disconnect it (DisconnectCustomKeyStore), then connect it (ConnectCustomKeyStore
).You requested the CreateKey operation in a custom key store that is not connected. This operations is valid only when the custom key store
ConnectionState
isCONNECTED
.You requested the DisconnectCustomKeyStore operation on a custom key store with a
ConnectionState
ofDISCONNECTING
orDISCONNECTED
. This operation is valid for all otherConnectionState
values.You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation on a custom key store that is not disconnected. This operation is valid only when the custom key store
ConnectionState
isDISCONNECTED
.You requested the GenerateRandom operation in an CloudHSM key store that is not connected. This operation is valid only when the CloudHSM key store
ConnectionState
isCONNECTED
.Throws
CustomKeyStoreNameInUseException (client fault)
The request was rejected because the specified custom key store name is already assigned to another custom key store in the account. Try again with a custom key store name that is unique in the account.
Throws
CustomKeyStoreNotFoundException (client fault)
The request was rejected because KMS cannot find a custom key store with the specified key store name or ID.
Throws
KMSInternalException (server fault)
The request was rejected because an internal exception occurred. The request can be retried.
Throws
XksProxyIncorrectAuthenticationCredentialException (client fault)
The request was rejected because the proxy credentials failed to authenticate to the specified external key store proxy. The specified external key store proxy rejected a status request from KMS due to invalid credentials. This can indicate an error in the credentials or in the identification of the external key store proxy.
Throws
XksProxyInvalidConfigurationException (client fault)
The request was rejected because the Amazon VPC endpoint service configuration does not fulfill the requirements for an external key store proxy. For details, see the exception message.
Throws
XksProxyInvalidResponseException (client fault)
KMS cannot interpret the response it received from the external key store proxy. The problem might be a poorly constructed response, but it could also be a transient network issue. If you see this error repeatedly, report it to the proxy vendor.
Throws
XksProxyUriEndpointInUseException (client fault)
The request was rejected because the concatenation of the
XksProxyUriEndpoint
is already associated with an external key store in the Amazon Web Services account and Region. Each external key store in an account and Region must use a unique external key store proxy address.Throws
XksProxyUriInUseException (client fault)
The request was rejected because the concatenation of the
XksProxyUriEndpoint
andXksProxyUriPath
is already associated with an external key store in the Amazon Web Services account and Region. Each external key store in an account and Region must use a unique external key store proxy API address.Throws
XksProxyUriUnreachableException (client fault)
KMS was unable to reach the specified
XksProxyUriPath
. The path must be reachable before you create the external key store or update its settings.This exception is also thrown when the external key store proxy response to a
GetHealthStatus
request indicates that all external key manager instances are unavailable.Throws
XksProxyVpcEndpointServiceInUseException (client fault)
The request was rejected because the specified Amazon VPC endpoint service is already associated with an external key store in the Amazon Web Services account and Region. Each external key store in an Amazon Web Services account and Region must use a different Amazon VPC endpoint service.
Throws
XksProxyVpcEndpointServiceInvalidConfigurationException (client fault)
The request was rejected because the Amazon VPC endpoint service configuration does not fulfill the requirements for an external key store proxy. For details, see the exception message and review the requirements for Amazon VPC endpoint service connectivity for an external key store.
Throws
XksProxyVpcEndpointServiceNotFoundException (client fault)
The request was rejected because KMS could not find the specified VPC endpoint service. Use DescribeCustomKeyStores to verify the VPC endpoint service name for the external key store. Also, confirm that the
Allow principals
list for the VPC endpoint service includes the KMS service principal for the Region, such ascks.kms.us-east-1.amazonaws.com
.Throws
KMSServiceException
Base exception class for all service exceptions from KMS service.
Example
To edit the friendly name of a custom key store
Example
To edit the password of an AWS CloudHSM key store
Example
To associate the custom key store with a different, but related, AWS CloudHSM cluster.
Example
To update the proxy authentication credential of an external key store
Example
To edit the proxy URI path of an external key store.
Example
To update the proxy connectivity of an external key store to VPC_ENDPOINT_SERVICE