CancelKeyDeletion

$result = $client->cancelKeyDeletion([/* ... */]);
$promise = $client->cancelKeyDeletionAsync([/* ... */]);

Cancels the deletion of a KMS key. When this operation succeeds, the key state of the KMS key is Disabled. To enable the KMS key, use EnableKey.

For more information about scheduling and canceling deletion of a KMS key, see Deleting KMS keys in the Key Management Service Developer Guide.

The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide.

Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.

Required permissions: kms:CancelKeyDeletion (key policy)

Related operations: ScheduleKeyDeletion

Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.

Parameter Syntax

$result = $client->cancelKeyDeletion([
    'KeyId' => '<string>', // REQUIRED
]);

Parameter Details

Result Syntax

[
    'KeyId' => '<string>',
]

Result Details

Errors

NotFoundException:

The request was rejected because the specified entity or resource could not be found.

InvalidArnException:

The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.

DependencyTimeoutException:

The system timed out while trying to fulfill the request. You can retry the request.

KMSInternalException:

The request was rejected because an internal exception occurred. The request can be retried.

KMSInvalidStateException:

The request was rejected because the state of the specified resource is not valid for this request.

This exceptions means one of the following:

• The key state of the KMS key is not compatible with the operation.

  To find the key state, use the DescribeKey operation. For more information about which key states are compatible with each KMS operation, see Key states of KMS keys in the Key Management Service Developer Guide .

• For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.

Examples

Example 1: To cancel deletion of a KMS key

The following example cancels deletion of the specified KMS key.

$result = $client->cancelKeyDeletion([
    'KeyId' => '1234abcd-12ab-34cd-56ef-1234567890ab', // The identifier of the KMS key whose deletion you are canceling. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
]);

Result syntax:

[
    'KeyId' => 'arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab', // The ARN of the KMS key whose deletion you canceled.
]

ConnectCustomKeyStore

$result = $client->connectCustomKeyStore([/* ... */]);
$promise = $client->connectCustomKeyStoreAsync([/* ... */]);

Connects or reconnects a custom key store to its backing key store. For an CloudHSM key store, ConnectCustomKeyStore connects the key store to its associated CloudHSM cluster. For an external key store, ConnectCustomKeyStore connects the key store to the external key store proxy that communicates with your external key manager.

The custom key store must be connected before you can create KMS keys in the key store or use the KMS keys it contains. You can disconnect and reconnect a custom key store at any time.

The connection process for a custom key store can take an extended amount of time to complete. This operation starts the connection process, but it does not wait for it to complete. When it succeeds, this operation quickly returns an HTTP 200 response and a JSON object with no properties. However, this response does not indicate that the custom key store is connected. To get the connection state of the custom key store, use the DescribeCustomKeyStores operation.

This operation is part of the custom key stores feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of a key store that you own and manage.

The ConnectCustomKeyStore operation might fail for various reasons. To find the reason, use the DescribeCustomKeyStores operation and see the ConnectionErrorCode in the response. For help interpreting the ConnectionErrorCode, see CustomKeyStoresListEntry.

To fix the failure, use the DisconnectCustomKeyStore operation to disconnect the custom key store, correct the error, use the UpdateCustomKeyStore operation if necessary, and then use ConnectCustomKeyStore again.

CloudHSM key store

During the connection process for an CloudHSM key store, KMS finds the CloudHSM cluster that is associated with the custom key store, creates the connection infrastructure, connects to the cluster, logs into the CloudHSM client as the kmsuser CU, and rotates its password.

To connect an CloudHSM key store, its associated CloudHSM cluster must have at least one active HSM. To get the number of active HSMs in a cluster, use the DescribeClusters operation. To add HSMs to the cluster, use the CreateHsm operation. Also, the kmsuser crypto user (CU) must not be logged into the cluster. This prevents KMS from using this account to log in.

If you are having trouble connecting or disconnecting a CloudHSM key store, see Troubleshooting an CloudHSM key store in the Key Management Service Developer Guide.

External key store

When you connect an external key store that uses public endpoint connectivity, KMS tests its ability to communicate with your external key manager by sending a request via the external key store proxy.

When you connect to an external key store that uses VPC endpoint service connectivity, KMS establishes the networking elements that it needs to communicate with your external key manager via the external key store proxy. This includes creating an interface endpoint to the VPC endpoint service and a private hosted zone for traffic between KMS and the VPC endpoint service.

To connect an external key store, KMS must be able to connect to the external key store proxy, the external key store proxy must be able to communicate with your external key manager, and the external key manager must be available for cryptographic operations.

If you are having trouble connecting or disconnecting an external key store, see Troubleshooting an external key store in the Key Management Service Developer Guide.

Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account.

Required permissions: kms:ConnectCustomKeyStore (IAM policy)

Related operations

• CreateCustomKeyStore

• DeleteCustomKeyStore

• DescribeCustomKeyStores

• DisconnectCustomKeyStore

• UpdateCustomKeyStore

Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.

Parameter Syntax

$result = $client->connectCustomKeyStore([
    'CustomKeyStoreId' => '<string>', // REQUIRED
]);

Parameter Details

Result Syntax

[]

Result Details

Errors

CloudHsmClusterNotActiveException:

The request was rejected because the CloudHSM cluster associated with the CloudHSM key store is not active. Initialize and activate the cluster and try the command again. For detailed instructions, see Getting Started in the CloudHSM User Guide.

CustomKeyStoreInvalidStateException:

The request was rejected because of the ConnectionState of the custom key store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores operation.

This exception is thrown under the following conditions:

• You requested the ConnectCustomKeyStore operation on a custom key store with a ConnectionState of DISCONNECTING or FAILED. This operation is valid for all other ConnectionState values. To reconnect a custom key store in a FAILED state, disconnect it (DisconnectCustomKeyStore), then connect it (ConnectCustomKeyStore).

• You requested the CreateKey operation in a custom key store that is not connected. This operations is valid only when the custom key store ConnectionState is CONNECTED.

• You requested the DisconnectCustomKeyStore operation on a custom key store with a ConnectionState of DISCONNECTING or DISCONNECTED. This operation is valid for all other ConnectionState values.

• You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation on a custom key store that is not disconnected. This operation is valid only when the custom key store ConnectionState is DISCONNECTED.

• You requested the GenerateRandom operation in an CloudHSM key store that is not connected. This operation is valid only when the CloudHSM key store ConnectionState is CONNECTED.

CustomKeyStoreNotFoundException:

The request was rejected because KMS cannot find a custom key store with the specified key store name or ID.

KMSInternalException:

The request was rejected because an internal exception occurred. The request can be retried.

CloudHsmClusterInvalidConfigurationException:

The request was rejected because the associated CloudHSM cluster did not meet the configuration requirements for an CloudHSM key store.

• The CloudHSM cluster must be configured with private subnets in at least two different Availability Zones in the Region.

• The security group for the cluster (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound rules that allow TCP traffic on ports 2223-2225. The Source in the inbound rules and the Destination in the outbound rules must match the security group ID. These rules are set by default when you create the CloudHSM cluster. Do not delete or change them. To get information about a particular security group, use the DescribeSecurityGroups operation.

• The CloudHSM cluster must contain at least as many HSMs as the operation requires. To add HSMs, use the CloudHSM CreateHsm operation.

  For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey operations, the CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone. For the ConnectCustomKeyStore operation, the CloudHSM must contain at least one active HSM.

For information about the requirements for an CloudHSM cluster that is associated with an CloudHSM key store, see Assemble the Prerequisites in the Key Management Service Developer Guide. For information about creating a private subnet for an CloudHSM cluster, see Create a Private Subnet in the CloudHSM User Guide. For information about cluster security groups, see Configure a Default Security Group in the CloudHSM User Guide .

Examples

Example 1: To connect a custom key store

This example connects an AWS KMS custom key store to its backing key store. For an AWS CloudHSM key store, it connects the key store to its AWS CloudHSM cluster. For an external key store, it connects the key store to the external key store proxy that communicates with your external key manager. This operation does not return any data. To verify that the custom key store is connected, use the DescribeCustomKeyStores operation.

$result = $client->connectCustomKeyStore([
    'CustomKeyStoreId' => 'cks-1234567890abcdef0', // The ID of the AWS KMS custom key store.
]);

Result syntax:

[
]

CreateAlias

$result = $client->createAlias([/* ... */]);
$promise = $client->createAliasAsync([/* ... */]);

Creates a friendly name for a KMS key.

You can use an alias to identify a KMS key in the KMS console, in the DescribeKey operation and in cryptographic operations, such as Encrypt and GenerateDataKey. You can also change the KMS key that's associated with the alias (UpdateAlias) or delete the alias (DeleteAlias) at any time. These operations don't affect the underlying KMS key.

You can associate the alias with any customer managed key in the same Amazon Web Services Region. Each alias is associated with only one KMS key at a time, but a KMS key can have multiple aliases. A valid KMS key is required. You can't create an alias without a KMS key.

The alias must be unique in the account and Region, but you can have aliases with the same name in different Regions. For detailed information about aliases, see Aliases in KMS in the Key Management Service Developer Guide.

This operation does not return a response. To get the alias that you created, use the ListAliases operation.

The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide.

Cross-account use: No. You cannot perform this operation on an alias in a different Amazon Web Services account.

Required permissions

• kms:CreateAlias on the alias (IAM policy).

• kms:CreateAlias on the KMS key (key policy).

For details, see Controlling access to aliases in the Key Management Service Developer Guide.

Related operations:

• DeleteAlias

• ListAliases

• UpdateAlias

Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.

Parameter Syntax

$result = $client->createAlias([
    'AliasName' => '<string>', // REQUIRED
    'TargetKeyId' => '<string>', // REQUIRED
]);

Parameter Details

Result Syntax

[]

Result Details

Errors

DependencyTimeoutException:

The system timed out while trying to fulfill the request. You can retry the request.

AlreadyExistsException:

The request was rejected because it attempted to create a resource that already exists.

NotFoundException:

The request was rejected because the specified entity or resource could not be found.

InvalidAliasNameException:

The request was rejected because the specified alias name is not valid.

KMSInternalException:

The request was rejected because an internal exception occurred. The request can be retried.

LimitExceededException:

The request was rejected because a length constraint or quota was exceeded. For more information, see Quotas in the Key Management Service Developer Guide.

KMSInvalidStateException:

The request was rejected because the state of the specified resource is not valid for this request.

This exceptions means one of the following:

• The key state of the KMS key is not compatible with the operation.

  To find the key state, use the DescribeKey operation. For more information about which key states are compatible with each KMS operation, see Key states of KMS keys in the Key Management Service Developer Guide .

• For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.

Examples

Example 1: To create an alias

The following example creates an alias for the specified KMS key.

$result = $client->createAlias([
    'AliasName' => 'alias/ExampleAlias', // The alias to create. Aliases must begin with 'alias/'. Do not use aliases that begin with 'alias/aws' because they are reserved for use by AWS.
    'TargetKeyId' => '1234abcd-12ab-34cd-56ef-1234567890ab', // The identifier of the KMS key whose alias you are creating. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
]);

CreateCustomKeyStore

$result = $client->createCustomKeyStore([/* ... */]);
$promise = $client->createCustomKeyStoreAsync([/* ... */]);

Creates a custom key store backed by a key store that you own and manage. When you use a KMS key in a custom key store for a cryptographic operation, the cryptographic operation is actually performed in your key store using your keys. KMS supports CloudHSM key stores backed by an CloudHSM cluster and external key stores backed by an external key store proxy and external key manager outside of Amazon Web Services.

This operation is part of the custom key stores feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of a key store that you own and manage.

Before you create the custom key store, the required elements must be in place and operational. We recommend that you use the test tools that KMS provides to verify the configuration your external key store proxy. For details about the required elements and verification tests, see Assemble the prerequisites (for CloudHSM key stores) or Assemble the prerequisites (for external key stores) in the Key Management Service Developer Guide.

To create a custom key store, use the following parameters.

• To create an CloudHSM key store, specify the CustomKeyStoreName, CloudHsmClusterId, KeyStorePassword, and TrustAnchorCertificate. The CustomKeyStoreType parameter is optional for CloudHSM key stores. If you include it, set it to the default value, AWS_CLOUDHSM. For help with failures, see Troubleshooting an CloudHSM key store in the Key Management Service Developer Guide.

• To create an external key store, specify the CustomKeyStoreName and a CustomKeyStoreType of EXTERNAL_KEY_STORE. Also, specify values for XksProxyConnectivity, XksProxyAuthenticationCredential, XksProxyUriEndpoint, and XksProxyUriPath. If your XksProxyConnectivity value is VPC_ENDPOINT_SERVICE, specify the XksProxyVpcEndpointServiceName parameter. For help with failures, see Troubleshooting an external key store in the Key Management Service Developer Guide.

When the operation completes successfully, it returns the ID of the new custom key store. Before you can use your new custom key store, you need to use the ConnectCustomKeyStore operation to connect a new CloudHSM key store to its CloudHSM cluster, or to connect a new external key store to the external key store proxy for your external key manager. Even if you are not going to use your custom key store immediately, you might want to connect it to verify that all settings are correct and then disconnect it until you are ready to use it.

Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account.

Required permissions: kms:CreateCustomKeyStore (IAM policy).

Related operations:

• ConnectCustomKeyStore

• DeleteCustomKeyStore

• DescribeCustomKeyStores

• DisconnectCustomKeyStore

• UpdateCustomKeyStore

Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.

Parameter Syntax

$result = $client->createCustomKeyStore([
    'CloudHsmClusterId' => '<string>',
    'CustomKeyStoreName' => '<string>', // REQUIRED
    'CustomKeyStoreType' => 'AWS_CLOUDHSM|EXTERNAL_KEY_STORE',
    'KeyStorePassword' => '<string>',
    'TrustAnchorCertificate' => '<string>',
    'XksProxyAuthenticationCredential' => [
        'AccessKeyId' => '<string>', // REQUIRED
        'RawSecretAccessKey' => '<string>', // REQUIRED
    ],
    'XksProxyConnectivity' => 'PUBLIC_ENDPOINT|VPC_ENDPOINT_SERVICE',
    'XksProxyUriEndpoint' => '<string>',
    'XksProxyUriPath' => '<string>',
    'XksProxyVpcEndpointServiceName' => '<string>',
]);

Parameter Details

Result Syntax

[
    'CustomKeyStoreId' => '<string>',
]

Result Details

Errors

CloudHsmClusterInUseException:

The request was rejected because the specified CloudHSM cluster is already associated with an CloudHSM key store in the account, or it shares a backup history with an CloudHSM key store in the account. Each CloudHSM key store in the account must be associated with a different CloudHSM cluster.

CloudHSM clusters that share a backup history have the same cluster certificate. To view the cluster certificate of an CloudHSM cluster, use the DescribeClusters operation.

CustomKeyStoreNameInUseException:

The request was rejected because the specified custom key store name is already assigned to another custom key store in the account. Try again with a custom key store name that is unique in the account.

CloudHsmClusterNotFoundException:

The request was rejected because KMS cannot find the CloudHSM cluster with the specified cluster ID. Retry the request with a different cluster ID.

KMSInternalException:

The request was rejected because an internal exception occurred. The request can be retried.

CloudHsmClusterNotActiveException:

The request was rejected because the CloudHSM cluster associated with the CloudHSM key store is not active. Initialize and activate the cluster and try the command again. For detailed instructions, see Getting Started in the CloudHSM User Guide.

IncorrectTrustAnchorException:

The request was rejected because the trust anchor certificate in the request to create an CloudHSM key store is not the trust anchor certificate for the specified CloudHSM cluster.

When you initialize the CloudHSM cluster, you create the trust anchor certificate and save it in the customerCA.crt file.

CloudHsmClusterInvalidConfigurationException:

The request was rejected because the associated CloudHSM cluster did not meet the configuration requirements for an CloudHSM key store.

• The CloudHSM cluster must be configured with private subnets in at least two different Availability Zones in the Region.

• The security group for the cluster (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound rules that allow TCP traffic on ports 2223-2225. The Source in the inbound rules and the Destination in the outbound rules must match the security group ID. These rules are set by default when you create the CloudHSM cluster. Do not delete or change them. To get information about a particular security group, use the DescribeSecurityGroups operation.

• The CloudHSM cluster must contain at least as many HSMs as the operation requires. To add HSMs, use the CloudHSM CreateHsm operation.

  For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey operations, the CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone. For the ConnectCustomKeyStore operation, the CloudHSM must contain at least one active HSM.

For information about the requirements for an CloudHSM cluster that is associated with an CloudHSM key store, see Assemble the Prerequisites in the Key Management Service Developer Guide. For information about creating a private subnet for an CloudHSM cluster, see Create a Private Subnet in the CloudHSM User Guide. For information about cluster security groups, see Configure a Default Security Group in the CloudHSM User Guide .

LimitExceededException:

The request was rejected because a length constraint or quota was exceeded. For more information, see Quotas in the Key Management Service Developer Guide.

XksProxyUriInUseException:

The request was rejected because the concatenation of the XksProxyUriEndpoint and XksProxyUriPath is already associated with another external key store in this Amazon Web Services Region. Each external key store in a Region must use a unique external key store proxy API address.

XksProxyUriEndpointInUseException:

The request was rejected because the XksProxyUriEndpoint is already associated with another external key store in this Amazon Web Services Region. To identify the cause, see the error message that accompanies the exception.

XksProxyUriUnreachableException:

KMS was unable to reach the specified XksProxyUriPath. The path must be reachable before you create the external key store or update its settings.

This exception is also thrown when the external key store proxy response to a GetHealthStatus request indicates that all external key manager instances are unavailable.

XksProxyIncorrectAuthenticationCredentialException:

The request was rejected because the proxy credentials failed to authenticate to the specified external key store proxy. The specified external key store proxy rejected a status request from KMS due to invalid credentials. This can indicate an error in the credentials or in the identification of the external key store proxy.

XksProxyVpcEndpointServiceInUseException:

The request was rejected because the specified Amazon VPC endpoint service is already associated with another external key store in this Amazon Web Services Region. Each external key store in a Region must use a different Amazon VPC endpoint service.

XksProxyVpcEndpointServiceNotFoundException:

The request was rejected because KMS could not find the specified VPC endpoint service. Use DescribeCustomKeyStores to verify the VPC endpoint service name for the external key store. Also, confirm that the Allow principals list for the VPC endpoint service includes the KMS service principal for the Region, such as cks.kms.us-east-1.amazonaws.com.

XksProxyVpcEndpointServiceInvalidConfigurationException:

The request was rejected because the Amazon VPC endpoint service configuration does not fulfill the requirements for an external key store. To identify the cause, see the error message that accompanies the exception and review the requirements for Amazon VPC endpoint service connectivity for an external key store.

XksProxyInvalidResponseException:

KMS cannot interpret the response it received from the external key store proxy. The problem might be a poorly constructed response, but it could also be a transient network issue. If you see this error repeatedly, report it to the proxy vendor.

XksProxyInvalidConfigurationException:

The request was rejected because the external key store proxy is not configured correctly. To identify the cause, see the error message that accompanies the exception.

Examples

Example 1: To create an AWS CloudHSM key store

This example creates a custom key store that is associated with an AWS CloudHSM cluster.

$result = $client->createCustomKeyStore([
    'CloudHsmClusterId' => 'cluster-234abcdefABC', // The ID of the CloudHSM cluster.
    'CustomKeyStoreName' => 'ExampleKeyStore', // A friendly name for the custom key store.
    'KeyStorePassword' => 'kmsPswd', // The password for the kmsuser CU account in the specified cluster.
    'TrustAnchorCertificate' => '', // The content of the customerCA.crt file that you created when you initialized the cluster.
]);

Result syntax:

[
    'CustomKeyStoreId' => 'cks-1234567890abcdef0', // The ID of the new custom key store.
]

Example 2: To create an external key store with VPC endpoint service connectivity

This example creates an external key store that uses an Amazon VPC endpoint service to communicate with AWS KMS.

$result = $client->createCustomKeyStore([
    'CustomKeyStoreName' => 'ExampleVPCEndpointKeyStore', // A friendly name for the custom key store
    'CustomKeyStoreType' => 'EXTERNAL_KEY_STORE', // For external key stores, the value must be EXTERNAL_KEY_STORE
    'XksProxyAuthenticationCredential' => [
        'AccessKeyId' => 'ABCDE12345670EXAMPLE',
        'RawSecretAccessKey' => 'DXjSUawnel2fr6SKC7G25CNxTyWKE5PF9XX6H/u9pSo=',
    ], // The access key ID and secret access key that KMS uses to authenticate to your external key store proxy
    'XksProxyConnectivity' => 'VPC_ENDPOINT_SERVICE', // Indicates how AWS KMS communicates with the external key store proxy
    'XksProxyUriEndpoint' => 'https://myproxy-private.xks.example.com', // The URI that AWS KMS uses to connect to the external key store proxy
    'XksProxyUriPath' => '/example-prefix/kms/xks/v1', // The URI path to the external key store proxy APIs
    'XksProxyVpcEndpointServiceName' => 'com.amazonaws.vpce.us-east-1.vpce-svc-example1', // The VPC endpoint service that KMS uses to communicate with the external key store proxy
]);

Result syntax:

[
    'CustomKeyStoreId' => 'cks-1234567890abcdef0', // The ID of the new custom key store.
]

Example 3: To create an external key store with public endpoint connectivity

This example creates an external key store with public endpoint connectivity.

$result = $client->createCustomKeyStore([
    'CustomKeyStoreName' => 'ExamplePublicEndpointKeyStore', // A friendly name for the custom key store
    'CustomKeyStoreType' => 'EXTERNAL_KEY_STORE', // For external key stores, the value must be EXTERNAL_KEY_STORE
    'XksProxyAuthenticationCredential' => [
        'AccessKeyId' => 'ABCDE12345670EXAMPLE',
        'RawSecretAccessKey' => 'DXjSUawnel2fr6SKC7G25CNxTyWKE5PF9XX6H/u9pSo=',
    ], // The access key ID and secret access key that KMS uses to authenticate to your external key store proxy
    'XksProxyConnectivity' => 'PUBLIC_ENDPOINT', // Indicates how AWS KMS communicates with the external key store proxy
    'XksProxyUriEndpoint' => 'https://myproxy.xks.example.com', // The URI that AWS KMS uses to connect to the external key store proxy
    'XksProxyUriPath' => '/kms/xks/v1', // The URI path to your external key store proxy API
]);

Result syntax:

[
    'CustomKeyStoreId' => 'cks-987654321abcdef0', // The ID of the new custom key store.
]

CreateGrant

$result = $client->createGrant([/* ... */]);
$promise = $client->createGrantAsync([/* ... */]);

Adds a grant to a KMS key.

A grant is a policy instrument that allows Amazon Web Services principals to use KMS keys in cryptographic operations. It also can allow them to view a KMS key (DescribeKey) and create and manage grants. When authorizing access to a KMS key, grants are considered along with key policies and IAM policies. Grants are often used for temporary permissions because you can create one, use its permissions, and delete it without changing your key policies or IAM policies.

For detailed information about grants, including grant terminology, see Grants in KMS in the Key Management Service Developer Guide . For examples of creating grants in several programming languages, see Use CreateGrant with an Amazon Web Services SDK or CLI.

The CreateGrant operation returns a GrantToken and a GrantId.

• When you create, retire, or revoke a grant, there might be a brief delay, usually less than five minutes, until the grant is available throughout KMS. This state is known as eventual consistency. Once the grant has achieved eventual consistency, the grantee principal can use the permissions in the grant without identifying the grant.

  However, to use the permissions in the grant immediately, use the GrantToken that CreateGrant returns. For details, see Using a grant token in the Key Management Service Developer Guide .

• The CreateGrant operation also returns a GrantId. You can use the GrantId and a key identifier to identify the grant in the RetireGrant and RevokeGrant operations. To find the grant ID, use the ListGrants or ListRetirableGrants operations.

The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide.

Cross-account use: Yes. To perform this operation on a KMS key in a different Amazon Web Services account, specify the key ARN in the value of the KeyId parameter.

Required permissions: kms:CreateGrant (key policy)

Related operations:

• ListGrants

• ListRetirableGrants

• RetireGrant

• RevokeGrant

Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.

Parameter Syntax

$result = $client->createGrant([
    'Constraints' => [
        'EncryptionContextEquals' => ['<string>', ...],
        'EncryptionContextSubset' => ['<string>', ...],
    ],
    'DryRun' => true || false,
    'GrantTokens' => ['<string>', ...],
    'GranteePrincipal' => '<string>', // REQUIRED
    'KeyId' => '<string>', // REQUIRED
    'Name' => '<string>',
    'Operations' => ['<string>', ...], // REQUIRED
    'RetiringPrincipal' => '<string>',
]);

Parameter Details

Result Syntax

[
    'GrantId' => '<string>',
    'GrantToken' => '<string>',
]

Result Details

Errors

NotFoundException:

The request was rejected because the specified entity or resource could not be found.

DisabledException:

The request was rejected because the specified KMS key is not enabled.

DependencyTimeoutException:

The system timed out while trying to fulfill the request. You can retry the request.

InvalidArnException:

The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.

KMSInternalException:

The request was rejected because an internal exception occurred. The request can be retried.

InvalidGrantTokenException:

The request was rejected because the specified grant token is not valid.

LimitExceededException:

The request was rejected because a length constraint or quota was exceeded. For more information, see Quotas in the Key Management Service Developer Guide.

KMSInvalidStateException:

The request was rejected because the state of the specified resource is not valid for this request.

This exceptions means one of the following:

• The key state of the KMS key is not compatible with the operation.

  To find the key state, use the DescribeKey operation. For more information about which key states are compatible with each KMS operation, see Key states of KMS keys in the Key Management Service Developer Guide .

• For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.

DryRunOperationException:

The request was rejected because the DryRun parameter was specified.

Examples

Example 1: To create a grant

The following example creates a grant that allows the specified IAM role to encrypt data with the specified KMS key.

$result = $client->createGrant([
    'GranteePrincipal' => 'arn:aws:iam::111122223333:role/ExampleRole', // The identity that is given permission to perform the operations specified in the grant.
    'KeyId' => 'arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab', // The identifier of the KMS key to which the grant applies. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
    'Operations' => [
        'Encrypt',
        'Decrypt',
    ], // A list of operations that the grant allows.
]);

Result syntax:

[
    'GrantId' => '0c237476b39f8bc44e45212e08498fbe3151305030726c0590dd8d3e9f3d6a60', // The unique identifier of the grant.
    'GrantToken' => 'AQpAM2RhZTk1MGMyNTk2ZmZmMzEyYWVhOWViN2I1MWM4Mzc0MWFiYjc0ZDE1ODkyNGFlNTIzODZhMzgyZjBlNGY3NiKIAgEBAgB4Pa6VDCWW__MSrqnre1HIN0Grt00ViSSuUjhqOC8OT3YAAADfMIHcBgkqhkiG9w0BBwaggc4wgcsCAQAwgcUGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMmqLyBTAegIn9XlK5AgEQgIGXZQjkBcl1dykDdqZBUQ6L1OfUivQy7JVYO2-ZJP7m6f1g8GzV47HX5phdtONAP7K_HQIflcgpkoCqd_fUnE114mSmiagWkbQ5sqAVV3ov-VeqgrvMe5ZFEWLMSluvBAqdjHEdMIkHMlhlj4ENZbzBfo9Wxk8b8SnwP4kc4gGivedzFXo-dwN8fxjjq_ZZ9JFOj2ijIbj5FyogDCN0drOfi8RORSEuCEmPvjFRMFAwcmwFkN2NPp89amA', // The grant token.
]

CreateKey

$result = $client->createKey([/* ... */]);
$promise = $client->createKeyAsync([/* ... */]);

Creates a unique customer managed KMS key in your Amazon Web Services account and Region. You can use a KMS key in cryptographic operations, such as encryption and signing. Some Amazon Web Services services let you use KMS keys that you create and manage to protect your service resources.

A KMS key is a logical representation of a cryptographic key. In addition to the key material used in cryptographic operations, a KMS key includes metadata, such as the key ID, key policy, creation date, description, and key state.

Use the parameters of CreateKey to specify the type of KMS key, the source of its key material, its key policy, description, tags, and other properties.

To create different types of KMS keys, use the following guidance:

Symmetric encryption KMS key

By default, CreateKey creates a symmetric encryption KMS key with key material that KMS generates. This is the basic and most widely used type of KMS key, and provides the best performance.

To create a symmetric encryption KMS key, you don't need to specify any parameters. The default value for KeySpec, SYMMETRIC_DEFAULT, the default value for KeyUsage, ENCRYPT_DECRYPT, and the default value for Origin, AWS_KMS, create a symmetric encryption KMS key with KMS key material.

If you need a key for basic encryption and decryption or you are creating a KMS key to protect your resources in an Amazon Web Services service, create a symmetric encryption KMS key. The key material in a symmetric encryption key never leaves KMS unencrypted. You can use a symmetric encryption KMS key to encrypt and decrypt data up to 4,096 bytes, but they are typically used to generate data keys and data keys pairs. For details, see GenerateDataKey and GenerateDataKeyPair.

Asymmetric KMS keys

To create an asymmetric KMS key, use the KeySpec parameter to specify the type of key material in the KMS key. Then, use the KeyUsage parameter to determine whether the KMS key will be used to encrypt and decrypt or sign and verify. You can't change these properties after the KMS key is created.

Asymmetric KMS keys contain an RSA key pair, Elliptic Curve (ECC) key pair, ML-DSA key pair or an SM2 key pair (China Regions only). The private key in an asymmetric KMS key never leaves KMS unencrypted. However, you can use the GetPublicKey operation to download the public key so it can be used outside of KMS. Each KMS key can have only one key usage. KMS keys with RSA key pairs can be used to encrypt and decrypt data or sign and verify messages (but not both). KMS keys with NIST-recommended ECC key pairs can be used to sign and verify messages or derive shared secrets (but not both). KMS keys with ECC_SECG_P256K1 can be used only to sign and verify messages. KMS keys with ML-DSA key pairs can be used to sign and verify messages. KMS keys with SM2 key pairs (China Regions only) can be used to either encrypt and decrypt data, sign and verify messages, or derive shared secrets (you must choose one key usage type). For information about asymmetric KMS keys, see Asymmetric KMS keys in the Key Management Service Developer Guide.

HMAC KMS key

To create an HMAC KMS key, set the KeySpec parameter to a key spec value for HMAC KMS keys. Then set the KeyUsage parameter to GENERATE_VERIFY_MAC. You must set the key usage even though GENERATE_VERIFY_MAC is the only valid key usage value for HMAC KMS keys. You can't change these properties after the KMS key is created.

HMAC KMS keys are symmetric keys that never leave KMS unencrypted. You can use HMAC keys to generate (GenerateMac) and verify (VerifyMac) HMAC codes for messages up to 4096 bytes.

Multi-Region primary keys

Imported key material

To create a multi-Region primary key in the local Amazon Web Services Region, use the MultiRegion parameter with a value of True. To create a multi-Region replica key, that is, a KMS key with the same key ID and key material as a primary key, but in a different Amazon Web Services Region, use the ReplicateKey operation. To change a replica key to a primary key, and its primary key to a replica key, use the UpdatePrimaryRegion operation.

You can create multi-Region KMS keys for all supported KMS key types: symmetric encryption KMS keys, HMAC KMS keys, asymmetric encryption KMS keys, and asymmetric signing KMS keys. You can also create multi-Region keys with imported key material. However, you can't create multi-Region keys in a custom key store.

This operation supports multi-Region keys, an KMS feature that lets you create multiple interoperable KMS keys in different Amazon Web Services Regions. Because these KMS keys have the same key ID, key material, and other metadata, you can use them interchangeably to encrypt data in one Amazon Web Services Region and decrypt it in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more information about multi-Region keys, see Multi-Region keys in KMS in the Key Management Service Developer Guide.

To import your own key material into a KMS key, begin by creating a KMS key with no key material. To do this, use the Origin parameter of CreateKey with a value of EXTERNAL. Next, use GetParametersForImport operation to get a public key and import token. Use the wrapping public key to encrypt your key material. Then, use ImportKeyMaterial with your import token to import the key material. For step-by-step instructions, see Importing Key Material in the Key Management Service Developer Guide .

You can import key material into KMS keys of all supported KMS key types: symmetric encryption KMS keys, HMAC KMS keys, asymmetric encryption KMS keys, and asymmetric signing KMS keys. You can also create multi-Region keys with imported key material. However, you can't import key material into a KMS key in a custom key store.

To create a multi-Region primary key with imported key material, use the Origin parameter of CreateKey with a value of EXTERNAL and the MultiRegion parameter with a value of True. To create replicas of the multi-Region primary key, use the ReplicateKey operation. For instructions, see Importing key material step 1. For more information about multi-Region keys, see Multi-Region keys in KMS in the Key Management Service Developer Guide.

Custom key store

A custom key store lets you protect your Amazon Web Services resources using keys in a backing key store that you own and manage. When you request a cryptographic operation with a KMS key in a custom key store, the operation is performed in the backing key store using its cryptographic keys.

KMS supports CloudHSM key stores backed by an CloudHSM cluster and external key stores backed by an external key manager outside of Amazon Web Services. When you create a KMS key in an CloudHSM key store, KMS generates an encryption key in the CloudHSM cluster and associates it with the KMS key. When you create a KMS key in an external key store, you specify an existing encryption key in the external key manager.

Some external key managers provide a simpler method for creating a KMS key in an external key store. For details, see your external key manager documentation.

Before you create a KMS key in a custom key store, the ConnectionState of the key store must be CONNECTED. To connect the custom key store, use the ConnectCustomKeyStore operation. To find the ConnectionState, use the DescribeCustomKeyStores operation.

To create a KMS key in a custom key store, use the CustomKeyStoreId. Use the default KeySpec value, SYMMETRIC_DEFAULT, and the default KeyUsage value, ENCRYPT_DECRYPT to create a symmetric encryption key. No other key type is supported in a custom key store.

To create a KMS key in an CloudHSM key store, use the Origin parameter with a value of AWS_CLOUDHSM. The CloudHSM cluster that is associated with the custom key store must have at least two active HSMs in different Availability Zones in the Amazon Web Services Region.

To create a KMS key in an external key store, use the Origin parameter with a value of EXTERNAL_KEY_STORE and an XksKeyId parameter that identifies an existing external key.

Some external key managers provide a simpler method for creating a KMS key in an external key store. For details, see your external key manager documentation.

Cross-account use: No. You cannot use this operation to create a KMS key in a different Amazon Web Services account.

Required permissions: kms:CreateKey (IAM policy). To use the Tags parameter, kms:TagResource (IAM policy). For examples and information about related permissions, see Allow a user to create KMS keys in the Key Management Service Developer Guide.

Related operations:

• DescribeKey

• ListKeys

• ScheduleKeyDeletion

Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.

Parameter Syntax

$result = $client->createKey([
    'BypassPolicyLockoutSafetyCheck' => true || false,
    'CustomKeyStoreId' => '<string>',
    'CustomerMasterKeySpec' => 'RSA_2048|RSA_3072|RSA_4096|ECC_NIST_P256|ECC_NIST_P384|ECC_NIST_P521|ECC_SECG_P256K1|SYMMETRIC_DEFAULT|HMAC_224|HMAC_256|HMAC_384|HMAC_512|SM2',
    'Description' => '<string>',
    'KeySpec' => 'RSA_2048|RSA_3072|RSA_4096|ECC_NIST_P256|ECC_NIST_P384|ECC_NIST_P521|ECC_SECG_P256K1|SYMMETRIC_DEFAULT|HMAC_224|HMAC_256|HMAC_384|HMAC_512|SM2|ML_DSA_44|ML_DSA_65|ML_DSA_87',
    'KeyUsage' => 'SIGN_VERIFY|ENCRYPT_DECRYPT|GENERATE_VERIFY_MAC|KEY_AGREEMENT',
    'MultiRegion' => true || false,
    'Origin' => 'AWS_KMS|EXTERNAL|AWS_CLOUDHSM|EXTERNAL_KEY_STORE',
    'Policy' => '<string>',
    'Tags' => [
        [
            'TagKey' => '<string>', // REQUIRED
            'TagValue' => '<string>', // REQUIRED
        ],
        // ...
    ],
    'XksKeyId' => '<string>',
]);

Parameter Details

Result Syntax

[
    'KeyMetadata' => [
        'AWSAccountId' => '<string>',
        'Arn' => '<string>',
        'CloudHsmClusterId' => '<string>',
        'CreationDate' => <DateTime>,
        'CurrentKeyMaterialId' => '<string>',
        'CustomKeyStoreId' => '<string>',
        'CustomerMasterKeySpec' => 'RSA_2048|RSA_3072|RSA_4096|ECC_NIST_P256|ECC_NIST_P384|ECC_NIST_P521|ECC_SECG_P256K1|SYMMETRIC_DEFAULT|HMAC_224|HMAC_256|HMAC_384|HMAC_512|SM2',
        'DeletionDate' => <DateTime>,
        'Description' => '<string>',
        'Enabled' => true || false,
        'EncryptionAlgorithms' => ['<string>', ...],
        'ExpirationModel' => 'KEY_MATERIAL_EXPIRES|KEY_MATERIAL_DOES_NOT_EXPIRE',
        'KeyAgreementAlgorithms' => ['<string>', ...],
        'KeyId' => '<string>',
        'KeyManager' => 'AWS|CUSTOMER',
        'KeySpec' => 'RSA_2048|RSA_3072|RSA_4096|ECC_NIST_P256|ECC_NIST_P384|ECC_NIST_P521|ECC_SECG_P256K1|SYMMETRIC_DEFAULT|HMAC_224|HMAC_256|HMAC_384|HMAC_512|SM2|ML_DSA_44|ML_DSA_65|ML_DSA_87',
        'KeyState' => 'Creating|Enabled|Disabled|PendingDeletion|PendingImport|PendingReplicaDeletion|Unavailable|Updating',
        'KeyUsage' => 'SIGN_VERIFY|ENCRYPT_DECRYPT|GENERATE_VERIFY_MAC|KEY_AGREEMENT',
        'MacAlgorithms' => ['<string>', ...],
        'MultiRegion' => true || false,
        'MultiRegionConfiguration' => [
            'MultiRegionKeyType' => 'PRIMARY|REPLICA',
            'PrimaryKey' => [
                'Arn' => '<string>',
                'Region' => '<string>',
            ],
            'ReplicaKeys' => [
                [
                    'Arn' => '<string>',
                    'Region' => '<string>',
                ],
                // ...
            ],
        ],
        'Origin' => 'AWS_KMS|EXTERNAL|AWS_CLOUDHSM|EXTERNAL_KEY_STORE',
        'PendingDeletionWindowInDays' => <integer>,
        'SigningAlgorithms' => ['<string>', ...],
        'ValidTo' => <DateTime>,
        'XksKeyConfiguration' => [
            'Id' => '<string>',
        ],
    ],
]

Result Details

Errors

MalformedPolicyDocumentException:

The request was rejected because the specified policy is not syntactically or semantically correct.

DependencyTimeoutException:

The system timed out while trying to fulfill the request. You can retry the request.

InvalidArnException:

The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.

UnsupportedOperationException:

The request was rejected because a specified parameter is not supported or a specified resource is not valid for this operation.

KMSInternalException:

The request was rejected because an internal exception occurred. The request can be retried.

LimitExceededException:

The request was rejected because a length constraint or quota was exceeded. For more information, see Quotas in the Key Management Service Developer Guide.

TagException:

The request was rejected because one or more tags are not valid.

CustomKeyStoreNotFoundException:

The request was rejected because KMS cannot find a custom key store with the specified key store name or ID.

CustomKeyStoreInvalidStateException:

The request was rejected because of the ConnectionState of the custom key store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores operation.

This exception is thrown under the following conditions:

• You requested the ConnectCustomKeyStore operation on a custom key store with a ConnectionState of DISCONNECTING or FAILED. This operation is valid for all other ConnectionState values. To reconnect a custom key store in a FAILED state, disconnect it (DisconnectCustomKeyStore), then connect it (ConnectCustomKeyStore).

• You requested the CreateKey operation in a custom key store that is not connected. This operations is valid only when the custom key store ConnectionState is CONNECTED.

• You requested the DisconnectCustomKeyStore operation on a custom key store with a ConnectionState of DISCONNECTING or DISCONNECTED. This operation is valid for all other ConnectionState values.

• You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation on a custom key store that is not disconnected. This operation is valid only when the custom key store ConnectionState is DISCONNECTED.

• You requested the GenerateRandom operation in an CloudHSM key store that is not connected. This operation is valid only when the CloudHSM key store ConnectionState is CONNECTED.

CloudHsmClusterInvalidConfigurationException:

The request was rejected because the associated CloudHSM cluster did not meet the configuration requirements for an CloudHSM key store.

• The CloudHSM cluster must be configured with private subnets in at least two different Availability Zones in the Region.

• The security group for the cluster (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound rules that allow TCP traffic on ports 2223-2225. The Source in the inbound rules and the Destination in the outbound rules must match the security group ID. These rules are set by default when you create the CloudHSM cluster. Do not delete or change them. To get information about a particular security group, use the DescribeSecurityGroups operation.

• The CloudHSM cluster must contain at least as many HSMs as the operation requires. To add HSMs, use the CloudHSM CreateHsm operation.

  For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey operations, the CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone. For the ConnectCustomKeyStore operation, the CloudHSM must contain at least one active HSM.

For information about the requirements for an CloudHSM cluster that is associated with an CloudHSM key store, see Assemble the Prerequisites in the Key Management Service Developer Guide. For information about creating a private subnet for an CloudHSM cluster, see Create a Private Subnet in the CloudHSM User Guide. For information about cluster security groups, see Configure a Default Security Group in the CloudHSM User Guide .

XksKeyInvalidConfigurationException:

The request was rejected because the external key specified by the XksKeyId parameter did not meet the configuration requirements for an external key store.

The external key must be an AES-256 symmetric key that is enabled and performs encryption and decryption.

XksKeyAlreadyInUseException:

The request was rejected because the (XksKeyId) is already associated with another KMS key in this external key store. Each KMS key in an external key store must be associated with a different external key.

XksKeyNotFoundException:

The request was rejected because the external key store proxy could not find the external key. This exception is thrown when the value of the XksKeyId parameter doesn't identify a key in the external key manager associated with the external key proxy.

Verify that the XksKeyId represents an existing key in the external key manager. Use the key identifier that the external key store proxy uses to identify the key. For details, see the documentation provided with your external key store proxy or key manager.

Examples

Example 1: To create a KMS key

The following example creates a symmetric KMS key for encryption and decryption. No parameters are required for this operation.

$result = $client->createKey([
]);

Result syntax:

[
    'KeyMetadata' => [
        'AWSAccountId' => '111122223333',
        'Arn' => 'arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab',
        'CreationDate' => ,
        'CurrentKeyMaterialId' => '0b7fd7ddbac6eef27907413567cad8c810e2883dc8a7534067a82ee1142fc1e6',
        'CustomerMasterKeySpec' => 'SYMMETRIC_DEFAULT',
        'Description' => '',
        'Enabled' => 1,
        'EncryptionAlgorithms' => [
            'SYMMETRIC_DEFAULT',
        ],
        'KeyId' => '1234abcd-12ab-34cd-56ef-1234567890ab',
        'KeyManager' => 'CUSTOMER',
        'KeySpec' => 'SYMMETRIC_DEFAULT',
        'KeyState' => 'Enabled',
        'KeyUsage' => 'ENCRYPT_DECRYPT',
        'MultiRegion' => ,
        'Origin' => 'AWS_KMS',
    ], // Detailed information about the KMS key that this operation creates.
]

Example 2: To create an asymmetric RSA KMS key for encryption and decryption

This example creates a KMS key that contains an asymmetric RSA key pair for encryption and decryption. The key spec and key usage can't be changed after the key is created.

$result = $client->createKey([
    'KeySpec' => 'RSA_4096', // Describes the type of key material in the KMS key.
    'KeyUsage' => 'ENCRYPT_DECRYPT', // The cryptographic operations for which you can use the KMS key.
]);

Result syntax:

[
    'KeyMetadata' => [
        'AWSAccountId' => '111122223333',
        'Arn' => 'arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab',
        'CreationDate' => ,
        'CustomerMasterKeySpec' => 'RSA_4096',
        'Description' => '',
        'Enabled' => 1,
        'EncryptionAlgorithms' => [
            'RSAES_OAEP_SHA_1',
            'RSAES_OAEP_SHA_256',
        ],
        'KeyId' => '1234abcd-12ab-34cd-56ef-1234567890ab',
        'KeyManager' => 'CUSTOMER',
        'KeySpec' => 'RSA_4096',
        'KeyState' => 'Enabled',
        'KeyUsage' => 'ENCRYPT_DECRYPT',
        'MultiRegion' => ,
        'Origin' => 'AWS_KMS',
    ], // Detailed information about the KMS key that this operation creates.
]

Example 3: To create an asymmetric elliptic curve KMS key for signing and verification

This example creates a KMS key that contains an asymmetric elliptic curve (ECC) key pair for signing and verification. The key spec and key usage can't be changed after the key is created.

$result = $client->createKey([
    'KeySpec' => 'ECC_NIST_P521', // Describes the type of key material in the KMS key.
    'KeyUsage' => 'SIGN_VERIFY', // The cryptographic operations for which you can use the KMS key.
]);

Result syntax:

[
    'KeyMetadata' => [
        'AWSAccountId' => '111122223333',
        'Arn' => 'arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab',
        'CreationDate' => ,
        'CustomerMasterKeySpec' => 'ECC_NIST_P521',
        'Description' => '',
        'Enabled' => 1,
        'KeyId' => '1234abcd-12ab-34cd-56ef-1234567890ab',
        'KeyManager' => 'CUSTOMER',
        'KeySpec' => 'ECC_NIST_P521',
        'KeyState' => 'Enabled',
        'KeyUsage' => 'SIGN_VERIFY',
        'MultiRegion' => ,
        'Origin' => 'AWS_KMS',
        'SigningAlgorithms' => [
            'ECDSA_SHA_512',
        ],
    ], // Detailed information about the KMS key that this operation creates.
]

Example 4: To create an HMAC KMS key

This example creates a 384-bit symmetric HMAC KMS key. The GENERATE_VERIFY_MAC key usage value is required even though it's the only valid value for HMAC KMS keys. The key spec and key usage can't be changed after the key is created.

$result = $client->createKey([
    'KeySpec' => 'HMAC_384', // Describes the type of key material in the KMS key.
    'KeyUsage' => 'GENERATE_VERIFY_MAC', // The cryptographic operations for which you can use the KMS key.
]);

Result syntax:

[
    'KeyMetadata' => [
        'AWSAccountId' => '111122223333',
        'Arn' => 'arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab',
        'CreationDate' => ,
        'CustomerMasterKeySpec' => 'HMAC_384',
        'Description' => '',
        'Enabled' => 1,
        'KeyId' => '1234abcd-12ab-34cd-56ef-1234567890ab',
        'KeyManager' => 'CUSTOMER',
        'KeySpec' => 'HMAC_384',
        'KeyState' => 'Enabled',
        'KeyUsage' => 'GENERATE_VERIFY_MAC',
        'MacAlgorithms' => [
            'HMAC_SHA_384',
        ],
        'MultiRegion' => ,
        'Origin' => 'AWS_KMS',
    ], // Detailed information about the KMS key that this operation creates.
]

Example 5: To create an asymmetric ML-DSA KMS key for signing and verification

This example creates a module-lattice digital signature algorithm (ML-DSA) key for signing and verification. The key-usage parameter is required even though SIGN_VERIFY is the only valid value for ML-DSA keys.

$result = $client->createKey([
    'KeySpec' => 'ML_DSA_65', // Describes the type of key material in the KMS key.
    'KeyUsage' => 'SIGN_VERIFY', // The cryptographic operations for which you can use the KMS key.
]);

Result syntax:

[
    'KeyMetadata' => [
        'AWSAccountId' => '111122223333',
        'Arn' => 'arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab',
        'CreationDate' => ,
        'CustomerMasterKeySpec' => 'ML_DSA_65',
        'Description' => '',
        'Enabled' => 1,
        'KeyId' => '1234abcd-12ab-34cd-56ef-1234567890ab',
        'KeyManager' => 'CUSTOMER',
        'KeySpec' => 'ML_DSA_65',
        'KeyState' => 'Enabled',
        'KeyUsage' => 'SIGN_VERIFY',
        'MultiRegion' => ,
        'Origin' => 'AWS_KMS',
        'SigningAlgorithms' => [
            'ML_DSA_SHAKE_256',
        ],
    ], // Detailed information about the KMS key that this operation creates.
]

Example 6: To create a multi-Region primary KMS key

This example creates a multi-Region primary symmetric encryption key. Because the default values for all parameters create a symmetric encryption key, only the MultiRegion parameter is required for this KMS key.

$result = $client->createKey([
    'MultiRegion' => 1, // Indicates whether the KMS key is a multi-Region (True) or regional (False) key.
]);

Result syntax:

[
    'KeyMetadata' => [
        'AWSAccountId' => '111122223333',
        'Arn' => 'arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef12345678990ab',
        'CreationDate' => ,
        'CurrentKeyMaterialId' => '0b7fd7ddbac6eef27907413567cad8c810e2883dc8a7534067a82ee1142fc1e6',
        'CustomerMasterKeySpec' => 'SYMMETRIC_DEFAULT',
        'Description' => '',
        'Enabled' => 1,
        'EncryptionAlgorithms' => [
            'SYMMETRIC_DEFAULT',
        ],
        'KeyId' => 'mrk-1234abcd12ab34cd56ef12345678990ab',
        'KeyManager' => 'CUSTOMER',
        'KeySpec' => 'SYMMETRIC_DEFAULT',
        'KeyState' => 'Enabled',
        'KeyUsage' => 'ENCRYPT_DECRYPT',
        'MultiRegion' => 1,
        'MultiRegionConfiguration' => [
            'MultiRegionKeyType' => 'PRIMARY',
            'PrimaryKey' => [
                'Arn' => 'arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef12345678990ab',
                'Region' => 'us-west-2',
            ],
            'ReplicaKeys' => [
            ],
        ],
        'Origin' => 'AWS_KMS',
    ], // Detailed information about the KMS key that this operation creates.
]

Example 7: To create a KMS key for imported key material

This example creates a symmetric KMS key with no key material. When the operation is complete, you can import your own key material into the KMS key. To create this KMS key, set the Origin parameter to EXTERNAL.

$result = $client->createKey([
    'Origin' => 'EXTERNAL', // The source of the key material for the KMS key.
]);

Result syntax:

[
    'KeyMetadata' => [
        'AWSAccountId' => '111122223333',
        'Arn' => 'arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab',
        'CreationDate' => ,
        'CustomerMasterKeySpec' => 'SYMMETRIC_DEFAULT',
        'Description' => '',
        'Enabled' => ,
        'EncryptionAlgorithms' => [
            'SYMMETRIC_DEFAULT',
        ],
        'KeyId' => '1234abcd-12ab-34cd-56ef-1234567890ab',
        'KeyManager' => 'CUSTOMER',
        'KeySpec' => 'SYMMETRIC_DEFAULT',
        'KeyState' => 'PendingImport',
        'KeyUsage' => 'ENCRYPT_DECRYPT',
        'MultiRegion' => ,
        'Origin' => 'EXTERNAL',
    ], // Detailed information about the KMS key that this operation creates.
]

Example 8: To create a KMS key in an AWS CloudHSM key store

This example creates a KMS key in the specified AWS CloudHSM key store. The operation creates the KMS key and its metadata in AWS KMS and creates the key material in the AWS CloudHSM cluster associated with the custom key store. This example requires the CustomKeyStoreId and Origin parameters.

$result = $client->createKey([
    'CustomKeyStoreId' => 'cks-1234567890abcdef0', // Identifies the custom key store that hosts the KMS key.
    'Origin' => 'AWS_CLOUDHSM', // Indicates the source of the key material for the KMS key.
]);

Result syntax:

[
    'KeyMetadata' => [
        'AWSAccountId' => '111122223333',
        'Arn' => 'arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab',
        'CloudHsmClusterId' => 'cluster-234abcdefABC',
        'CreationDate' => ,
        'CustomKeyStoreId' => 'cks-1234567890abcdef0',
        'CustomerMasterKeySpec' => 'SYMMETRIC_DEFAULT',
        'Description' => '',
        'Enabled' => 1,
        'EncryptionAlgorithms' => [
            'SYMMETRIC_DEFAULT',
        ],
        'KeyId' => '1234abcd-12ab-34cd-56ef-1234567890ab',
        'KeyManager' => 'CUSTOMER',
        'KeySpec' => 'SYMMETRIC_DEFAULT',
        'KeyState' => 'Enabled',
        'KeyUsage' => 'ENCRYPT_DECRYPT',
        'MultiRegion' => ,
        'Origin' => 'AWS_CLOUDHSM',
    ], // Detailed information about the KMS key that this operation creates.
]

Example 9: To create a KMS key in an external key store

This example creates a KMS key in the specified external key store. It uses the XksKeyId parameter to associate the KMS key with an existing symmetric encryption key in your external key manager. This CustomKeyStoreId, Origin, and XksKeyId parameters are required in this operation.

$result = $client->createKey([
    'CustomKeyStoreId' => 'cks-9876543210fedcba9', // Identifies the custom key store that hosts the KMS key.
    'Origin' => 'EXTERNAL_KEY_STORE', // Indicates the source of the key material for the KMS key.
    'XksKeyId' => 'bb8562717f809024', // Identifies the encryption key in your external key manager that is associated with the KMS key
]);

Result syntax:

[
    'KeyMetadata' => [
        'AWSAccountId' => '111122223333',
        'Arn' => 'arn:aws:kms:us-east-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321',
        'CreationDate' => ,
        'CustomKeyStoreId' => 'cks-9876543210fedcba9',
        'CustomerMasterKeySpec' => 'SYMMETRIC_DEFAULT',
        'Description' => '',
        'Enabled' => 1,
        'EncryptionAlgorithms' => [
            'SYMMETRIC_DEFAULT',
        ],
        'KeyId' => '0987dcba-09fe-87dc-65ba-ab0987654321',
        'KeyManager' => 'CUSTOMER',
        'KeySpec' => 'SYMMETRIC_DEFAULT',
        'KeyState' => 'Enabled',
        'KeyUsage' => 'ENCRYPT_DECRYPT',
        'MultiRegion' => ,
        'Origin' => 'EXTERNAL_KEY_STORE',
        'XksKeyConfiguration' => [
            'Id' => 'bb8562717f809024',
        ],
    ], // Detailed information about the KMS key that this operation creates.
]

Decrypt

$result = $client->decrypt([/* ... */]);
$promise = $client->decryptAsync([/* ... */]);

Decrypts ciphertext that was encrypted by a KMS key using any of the following operations:

• Encrypt

• GenerateDataKey

• GenerateDataKeyPair

• GenerateDataKeyWithoutPlaintext

• GenerateDataKeyPairWithoutPlaintext

You can use this operation to decrypt ciphertext that was encrypted under a symmetric encryption KMS key or an asymmetric encryption KMS key. When the KMS key is asymmetric, you must specify the KMS key and the encryption algorithm that was used to encrypt the ciphertext. For information about asymmetric KMS keys, see Asymmetric KMS keys in the Key Management Service Developer Guide.

The Decrypt operation also decrypts ciphertext that was encrypted outside of KMS by the public key in an KMS asymmetric KMS key. However, it cannot decrypt symmetric ciphertext produced by other libraries, such as the Amazon Web Services Encryption SDK or Amazon S3 client-side encryption. These libraries return a ciphertext format that is incompatible with KMS.

If the ciphertext was encrypted under a symmetric encryption KMS key, the KeyId parameter is optional. KMS can get this information from metadata that it adds to the symmetric ciphertext blob. This feature adds durability to your implementation by ensuring that authorized users can decrypt ciphertext decades after it was encrypted, even if they've lost track of the key ID. However, specifying the KMS key is always recommended as a best practice. When you use the KeyId parameter to specify a KMS key, KMS only uses the KMS key you specify. If the ciphertext was encrypted under a different KMS key, the Decrypt operation fails. This practice ensures that you use the KMS key that you intend.

Whenever possible, use key policies to give users permission to call the Decrypt operation on a particular KMS key, instead of using IAM policies. Otherwise, you might create an IAM policy that gives the user Decrypt permission on all KMS keys. This user could decrypt ciphertext that was encrypted by KMS keys in other accounts if the key policy for the cross-account KMS key permits it. If you must use an IAM policy for Decrypt permissions, limit the user to particular KMS keys or particular trusted accounts. For details, see Best practices for IAM policies in the Key Management Service Developer Guide.

Decrypt also supports Amazon Web Services Nitro Enclaves, which provide an isolated compute environment in Amazon EC2. To call Decrypt for a Nitro enclave, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK. Use the Recipient parameter to provide the attestation document for the enclave. Instead of the plaintext data, the response includes the plaintext data encrypted with the public key from the attestation document (CiphertextForRecipient). For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.

The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide.

Cross-account use: Yes. If you use the KeyId parameter to identify a KMS key in a different Amazon Web Services account, specify the key ARN or the alias ARN of the KMS key.

Required permissions: kms:Decrypt (key policy)

Related operations:

• Encrypt

• GenerateDataKey

• GenerateDataKeyPair

• ReEncrypt

Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.

Parameter Syntax

$result = $client->decrypt([
    'CiphertextBlob' => <string || resource || Psr\Http\Message\StreamInterface>, // REQUIRED
    'DryRun' => true || false,
    'EncryptionAlgorithm' => 'SYMMETRIC_DEFAULT|RSAES_OAEP_SHA_1|RSAES_OAEP_SHA_256|SM2PKE',
    'EncryptionContext' => ['<string>', ...],
    'GrantTokens' => ['<string>', ...],
    'KeyId' => '<string>',
    'Recipient' => [
        'AttestationDocument' => <string || resource || Psr\Http\Message\StreamInterface>,
        'KeyEncryptionAlgorithm' => 'RSAES_OAEP_SHA_256',
    ],
]);

Parameter Details

Result Syntax

[
    'CiphertextForRecipient' => <string || resource || Psr\Http\Message\StreamInterface>,
    'EncryptionAlgorithm' => 'SYMMETRIC_DEFAULT|RSAES_OAEP_SHA_1|RSAES_OAEP_SHA_256|SM2PKE',
    'KeyId' => '<string>',
    'KeyMaterialId' => '<string>',
    'Plaintext' => <string || resource || Psr\Http\Message\StreamInterface>,
]

Result Details

Errors

NotFoundException:

The request was rejected because the specified entity or resource could not be found.

DisabledException:

The request was rejected because the specified KMS key is not enabled.

InvalidCiphertextException:

From the Decrypt or ReEncrypt operation, the request was rejected because the specified ciphertext, or additional authenticated data incorporated into the ciphertext, such as the encryption context, is corrupted, missing, or otherwise invalid.

From the ImportKeyMaterial operation, the request was rejected because KMS could not decrypt the encrypted (wrapped) key material.

KeyUnavailableException:

The request was rejected because the specified KMS key was not available. You can retry the request.

IncorrectKeyException:

The request was rejected because the specified KMS key cannot decrypt the data. The KeyId in a Decrypt request and the SourceKeyId in a ReEncrypt request must identify the same KMS key that was used to encrypt the ciphertext.

InvalidKeyUsageException:

The request was rejected for one of the following reasons:

• The KeyUsage value of the KMS key is incompatible with the API operation.

• The encryption algorithm or signing algorithm specified for the operation is incompatible with the type of key material in the KMS key (KeySpec).

For encrypting, decrypting, re-encrypting, and generating data keys, the KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage of a KMS key, use the DescribeKey operation.

To find the encryption or signing algorithms supported for a particular KMS key, use the DescribeKey operation.

DependencyTimeoutException:

The system timed out while trying to fulfill the request. You can retry the request.

InvalidGrantTokenException:

The request was rejected because the specified grant token is not valid.

KMSInternalException:

The request was rejected because an internal exception occurred. The request can be retried.

KMSInvalidStateException:

The request was rejected because the state of the specified resource is not valid for this request.

This exceptions means one of the following:

• The key state of the KMS key is not compatible with the operation.

  To find the key state, use the DescribeKey operation. For more information about which key states are compatible with each KMS operation, see Key states of KMS keys in the Key Management Service Developer Guide .

• For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.

DryRunOperationException:

The request was rejected because the DryRun parameter was specified.

Examples

Example 1: To decrypt data with a symmetric encryption KMS key

The following example decrypts data that was encrypted with a symmetric encryption KMS key. The KeyId is not required when decrypting with a symmetric encryption key, but it is a best practice.

$result = $client->decrypt([
    'CiphertextBlob' => <BLOB>, // The encrypted data (ciphertext).
    'KeyId' => 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab', // A key identifier for the KMS key to use to decrypt the data.
]);

Result syntax:

[
    'EncryptionAlgorithm' => 'SYMMETRIC_DEFAULT', // The encryption algorithm that was used to decrypt the ciphertext. SYMMETRIC_DEFAULT is the only valid value for symmetric encryption in AWS KMS.
    'KeyId' => 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab', // The Amazon Resource Name (ARN) of the KMS key that was used to decrypt the data.
    'KeyMaterialId' => '0b7fd7ddbac6eef27907413567cad8c810e2883dc8a7534067a82ee1142fc1e6', // The identifier of the key material used to decrypt the ciphertext.
    'Plaintext' => <BLOB>, // The decrypted (plaintext) data.
]

Example 2: To decrypt data with an asymmetric encryption KMS key

The following example decrypts data that was encrypted with an asymmetric encryption KMS key. When the KMS encryption key is asymmetric, you must specify the KMS key ID and the encryption algorithm that was used to encrypt the data.

$result = $client->decrypt([
    'CiphertextBlob' => <BLOB>, // The encrypted data (ciphertext).
    'EncryptionAlgorithm' => 'RSAES_OAEP_SHA_256', // The encryption algorithm that was used to encrypt the data. This parameter is required to decrypt with an asymmetric KMS key.
    'KeyId' => '0987dcba-09fe-87dc-65ba-ab0987654321', // A key identifier for the KMS key to use to decrypt the data. This parameter is required to decrypt with an asymmetric KMS key.
]);

Result syntax:

[
    'EncryptionAlgorithm' => 'RSAES_OAEP_SHA_256', // The encryption algorithm that was used to decrypt the ciphertext.
    'KeyId' => 'arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321', // The Amazon Resource Name (ARN) of the KMS key that was used to decrypt the data.
    'Plaintext' => <BLOB>, // The decrypted (plaintext) data.
]

Example 3: To decrypt data for a Nitro enclave

The following Decrypt example includes the Recipient parameter with a signed attestation document from an AWS Nitro enclave. Instead of returning the decrypted data in plaintext (Plaintext), the operation returns the decrypted data encrypted by the public key from the attestation document (CiphertextForRecipient).

$result = $client->decrypt([
    'CiphertextBlob' => <BLOB>, // The encrypted data. This ciphertext was encrypted with the KMS key
    'KeyId' => 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab', // The KMS key to use to decrypt the ciphertext
    'Recipient' => [
        'AttestationDocument' => <BLOB>,
        'KeyEncryptionAlgorithm' => 'RSAES_OAEP_SHA_256',
    ], // Specifies the attestation document from the Nitro enclave and the encryption algorithm to use with the public key from the attestation document
]);

Result syntax:

[
    'CiphertextForRecipient' => <BLOB>, // The decrypted CiphertextBlob encrypted with the public key from the attestation document
    'KeyId' => 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab', // The KMS key that was used to decrypt the encrypted data (CiphertextBlob)
    'Plaintext' => <BLOB>, // This field is null or empty
]

DeleteAlias

$result = $client->deleteAlias([/* ... */]);
$promise = $client->deleteAliasAsync([/* ... */]);

Deletes the specified alias.

Because an alias is not a property of a KMS key, you can delete and change the aliases of a KMS key without affecting the KMS key. Also, aliases do not appear in the response from the DescribeKey operation. To get the aliases of all KMS keys, use the ListAliases operation.

Each KMS key can have multiple aliases. To change the alias of a KMS key, use DeleteAlias to delete the current alias and CreateAlias to create a new alias. To associate an existing alias with a different KMS key, call UpdateAlias.

Cross-account use: No. You cannot perform this operation on an alias in a different Amazon Web Services account.

Required permissions

• kms:DeleteAlias on the alias (IAM policy).

• kms:DeleteAlias on the KMS key (key policy).

For details, see Controlling access to aliases in the Key Management Service Developer Guide.

Related operations:

• CreateAlias

• ListAliases

• UpdateAlias

Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.

Parameter Syntax

$result = $client->deleteAlias([
    'AliasName' => '<string>', // REQUIRED
]);

Parameter Details

Result Syntax

[]

Result Details

Errors

DependencyTimeoutException:

The system timed out while trying to fulfill the request. You can retry the request.

NotFoundException:

The request was rejected because the specified entity or resource could not be found.

KMSInternalException:

The request was rejected because an internal exception occurred. The request can be retried.

KMSInvalidStateException:

The request was rejected because the state of the specified resource is not valid for this request.

This exceptions means one of the following:

• The key state of the KMS key is not compatible with the operation.

  To find the key state, use the DescribeKey operation. For more information about which key states are compatible with each KMS operation, see Key states of KMS keys in the Key Management Service Developer Guide .

• For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.

Examples

Example 1: To delete an alias

The following example deletes the specified alias.

$result = $client->deleteAlias([
    'AliasName' => 'alias/ExampleAlias', // The alias to delete.
]);

DeleteCustomKeyStore

$result = $client->deleteCustomKeyStore([/* ... */]);
$promise = $client->deleteCustomKeyStoreAsync([/* ... */]);

Deletes a custom key store. This operation does not affect any backing elements of the custom key store. It does not delete the CloudHSM cluster that is associated with an CloudHSM key store, or affect any users or keys in the cluster. For an external key store, it does not affect the external key store proxy, external key manager, or any external keys.

This operation is part of the custom key stores feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of a key store that you own and manage.

The custom key store that you delete cannot contain any KMS keys. Before deleting the key store, verify that you will never need to use any of the KMS keys in the key store for any cryptographic operations. Then, use ScheduleKeyDeletion to delete the KMS keys from the key store. After the required waiting period expires and all KMS keys are deleted from the custom key store, use DisconnectCustomKeyStore to disconnect the key store from KMS. Then, you can delete the custom key store.

For keys in an CloudHSM key store, the ScheduleKeyDeletion operation makes a best effort to delete the key material from the associated cluster. However, you might need to manually delete the orphaned key material from the cluster and its backups. KMS never creates, manages, or deletes cryptographic keys in the external key manager associated with an external key store. You must manage them using your external key manager tools.

Instead of deleting the custom key store, consider using the DisconnectCustomKeyStore operation to disconnect the custom key store from its backing key store. While the key store is disconnected, you cannot create or use the KMS keys in the key store. But, you do not need to delete KMS keys and you can reconnect a disconnected custom key store at any time.

If the operation succeeds, it returns a JSON object with no properties.

Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account.

Required permissions: kms:DeleteCustomKeyStore (IAM policy)

Related operations:

• ConnectCustomKeyStore

• CreateCustomKeyStore

• DescribeCustomKeyStores

• DisconnectCustomKeyStore

• UpdateCustomKeyStore

Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.

Parameter Syntax

$result = $client->deleteCustomKeyStore([
    'CustomKeyStoreId' => '<string>', // REQUIRED
]);

Parameter Details

Result Syntax

[]

Result Details

Errors

CustomKeyStoreHasCMKsException:

The request was rejected because the custom key store contains KMS keys. After verifying that you do not need to use the KMS keys, use the ScheduleKeyDeletion operation to delete the KMS keys. After they are deleted, you can delete the custom key store.

CustomKeyStoreInvalidStateException:

The request was rejected because of the ConnectionState of the custom key store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores operation.

This exception is thrown under the following conditions:

• You requested the ConnectCustomKeyStore operation on a custom key store with a ConnectionState of DISCONNECTING or FAILED. This operation is valid for all other ConnectionState values. To reconnect a custom key store in a FAILED state, disconnect it (DisconnectCustomKeyStore), then connect it (ConnectCustomKeyStore).

• You requested the CreateKey operation in a custom key store that is not connected. This operations is valid only when the custom key store ConnectionState is CONNECTED.

• You requested the DisconnectCustomKeyStore operation on a custom key store with a ConnectionState of DISCONNECTING or DISCONNECTED. This operation is valid for all other ConnectionState values.

• You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation on a custom key store that is not disconnected. This operation is valid only when the custom key store ConnectionState is DISCONNECTED.

• You requested the GenerateRandom operation in an CloudHSM key store that is not connected. This operation is valid only when the CloudHSM key store ConnectionState is CONNECTED.

CustomKeyStoreNotFoundException:

The request was rejected because KMS cannot find a custom key store with the specified key store name or ID.

KMSInternalException:

The request was rejected because an internal exception occurred. The request can be retried.

Examples

Example 1: To delete a custom key store from AWS KMS

This example deletes a custom key store from AWS KMS. This operation does not affect the backing key store, such as a CloudHSM cluster, external key store proxy, or your external key manager. This operation doesn't return any data. To verify that the operation was successful, use the DescribeCustomKeyStores operation.

$result = $client->deleteCustomKeyStore([
    'CustomKeyStoreId' => 'cks-1234567890abcdef0', // The ID of the custom key store to be deleted.
]);

Result syntax:

[
]

DeleteImportedKeyMaterial

$result = $client->deleteImportedKeyMaterial([/* ... */]);
$promise = $client->deleteImportedKeyMaterialAsync([/* ... */]);

Deletes key material that was previously imported. This operation makes the specified KMS key temporarily unusable. To restore the usability of the KMS key, reimport the same key material. For more information about importing key material into KMS, see Importing Key Material in the Key Management Service Developer Guide.

When the specified KMS key is in the PendingDeletion state, this operation does not change the KMS key's state. Otherwise, it changes the KMS key's state to PendingImport.

The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide.

Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.

Required permissions: kms:DeleteImportedKeyMaterial (key policy)

Related operations:

• GetParametersForImport

• ListKeyRotations

• ImportKeyMaterial

Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.

Parameter Syntax

$result = $client->deleteImportedKeyMaterial([
    'KeyId' => '<string>', // REQUIRED
    'KeyMaterialId' => '<string>',
]);

Parameter Details

Result Syntax

[
    'KeyId' => '<string>',
    'KeyMaterialId' => '<string>',
]

Result Details

Errors

InvalidArnException:

The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.

UnsupportedOperationException:

The request was rejected because a specified parameter is not supported or a specified resource is not valid for this operation.

DependencyTimeoutException:

The system timed out while trying to fulfill the request. You can retry the request.

NotFoundException:

The request was rejected because the specified entity or resource could not be found.

KMSInternalException:

The request was rejected because an internal exception occurred. The request can be retried.

KMSInvalidStateException:

The request was rejected because the state of the specified resource is not valid for this request.

This exceptions means one of the following:

• The key state of the KMS key is not compatible with the operation.

  To find the key state, use the DescribeKey operation. For more information about which key states are compatible with each KMS operation, see Key states of KMS keys in the Key Management Service Developer Guide .

• For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.

Examples

Example 1: To delete imported key material

The following example deletes the imported key material from the specified KMS key.

$result = $client->deleteImportedKeyMaterial([
    'KeyId' => '1234abcd-12ab-34cd-56ef-1234567890ab', // The identifier of the KMS key whose imported key material you are deleting. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
    'KeyMaterialId' => '0b7fd7ddbac6eef27907413567cad8c810e2883dc8a7534067a82ee1142fc1e6', // Identifies the deleted key material.
]);

DeriveSharedSecret

$result = $client->deriveSharedSecret([/* ... */]);
$promise = $client->deriveSharedSecretAsync([/* ... */]);

Derives a shared secret using a key agreement algorithm.

DeriveSharedSecret uses the Elliptic Curve Cryptography Cofactor Diffie-Hellman Primitive (ECDH) to establish a key agreement between two peers by deriving a shared secret from their elliptic curve public-private key pairs. You can use the raw shared secret that DeriveSharedSecret returns to derive a symmetric key that can encrypt and decrypt data that is sent between the two peers, or that can generate and verify HMACs. KMS recommends that you follow NIST recommendations for key derivation when using the raw shared secret to derive a symmetric key.

The following workflow demonstrates how to establish key agreement over an insecure communication channel using DeriveSharedSecret.

1. Alice calls CreateKey to create an asymmetric KMS key pair with a KeyUsage value of KEY_AGREEMENT.

   The asymmetric KMS key must use a NIST-recommended elliptic curve (ECC) or SM2 (China Regions only) key spec.

2. Bob creates an elliptic curve key pair.

   Bob can call CreateKey to create an asymmetric KMS key pair or generate a key pair outside of KMS. Bob's key pair must use the same NIST-recommended elliptic curve (ECC) or SM2 (China Regions ony) curve as Alice.

3. Alice and Bob exchange their public keys through an insecure communication channel (like the internet).

   Use GetPublicKey to download the public key of your asymmetric KMS key pair.

   KMS strongly recommends verifying that the public key you receive came from the expected party before using it to derive a shared secret.

4. Alice calls DeriveSharedSecret.

   KMS uses the private key from the KMS key pair generated in Step 1, Bob's public key, and the Elliptic Curve Cryptography Cofactor Diffie-Hellman Primitive to derive the shared secret. The private key in your KMS key pair never leaves KMS unencrypted. DeriveSharedSecret returns the raw shared secret.

5. Bob uses the Elliptic Curve Cryptography Cofactor Diffie-Hellman Primitive to calculate the same raw secret using his private key and Alice's public key.

To derive a shared secret you must provide a key agreement algorithm, the private key of the caller's asymmetric NIST-recommended elliptic curve or SM2 (China Regions only) KMS key pair, and the public key from your peer's NIST-recommended elliptic curve or SM2 (China Regions only) key pair. The public key can be from another asymmetric KMS key pair or from a key pair generated outside of KMS, but both key pairs must be on the same elliptic curve.

The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide.

Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN in the value of the KeyId parameter.

Required permissions: kms:DeriveSharedSecret (key policy)

Related operations:

• CreateKey

• GetPublicKey

• DescribeKey

Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.

Parameter Syntax

$result = $client->deriveSharedSecret([
    'DryRun' => true || false,
    'GrantTokens' => ['<string>', ...],
    'KeyAgreementAlgorithm' => 'ECDH', // REQUIRED
    'KeyId' => '<string>', // REQUIRED
    'PublicKey' => <string || resource || Psr\Http\Message\StreamInterface>, // REQUIRED
    'Recipient' => [
        'AttestationDocument' => <string || resource || Psr\Http\Message\StreamInterface>,
        'KeyEncryptionAlgorithm' => 'RSAES_OAEP_SHA_256',
    ],
]);

Parameter Details

Result Syntax

[
    'CiphertextForRecipient' => <string || resource || Psr\Http\Message\StreamInterface>,
    'KeyAgreementAlgorithm' => 'ECDH',
    'KeyId' => '<string>',
    'KeyOrigin' => 'AWS_KMS|EXTERNAL|AWS_CLOUDHSM|EXTERNAL_KEY_STORE',
    'SharedSecret' => <string || resource || Psr\Http\Message\StreamInterface>,
]

Result Details

Errors

NotFoundException:

The request was rejected because the specified entity or resource could not be found.

DisabledException:

The request was rejected because the specified KMS key is not enabled.

KeyUnavailableException:

The request was rejected because the specified KMS key was not available. You can retry the request.

DependencyTimeoutException:

The system timed out while trying to fulfill the request. You can retry the request.

InvalidGrantTokenException:

The request was rejected because the specified grant token is not valid.

InvalidKeyUsageException:

The request was rejected for one of the following reasons:

• The KeyUsage value of the KMS key is incompatible with the API operation.

• The encryption algorithm or signing algorithm specified for the operation is incompatible with the type of key material in the KMS key (KeySpec).

For encrypting, decrypting, re-encrypting, and generating data keys, the KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage of a KMS key, use the DescribeKey operation.

To find the encryption or signing algorithms supported for a particular KMS key, use the DescribeKey operation.

KMSInternalException:

The request was rejected because an internal exception occurred. The request can be retried.

KMSInvalidStateException:

The request was rejected because the state of the specified resource is not valid for this request.

This exceptions means one of the following:

• The key state of the KMS key is not compatible with the operation.

  To find the key state, use the DescribeKey operation. For more information about which key states are compatible with each KMS operation, see Key states of KMS keys in the Key Management Service Developer Guide .

• For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.

DryRunOperationException:

The request was rejected because the DryRun parameter was specified.

Examples

Example 1: To derive a shared secret

The following example derives a shared secret using a key agreement algorithm.

$result = $client->deriveSharedSecret([
    'KeyAgreementAlgorithm' => 'ECDH', // The key agreement algorithm used to derive the shared secret. The only valid value is ECDH.
    'KeyId' => '1234abcd-12ab-34cd-56ef-1234567890ab', // The key identifier for an asymmetric KMS key pair. The private key in the specified key pair is used to derive the shared secret.
    'PublicKey' => <BLOB>, // The public key in your peer's asymmetric key pair.
]);

Result syntax:

[
    'KeyAgreementAlgorithm' => 'ECDH', // The key agreement algorithm used to derive the shared secret.
    'KeyId' => '1234abcd-12ab-34cd-56ef-1234567890ab', // The asymmetric KMS key pair used to derive the shared secret.
    'KeyOrigin' => 'AWS_KMS', // The source of the key material for the specified KMS key.
    'SharedSecret' => <BLOB>, // The raw secret derived from the specified key agreement algorithm, private key in the asymmetric KMS key, and your peer's public key.
]

DescribeCustomKeyStores

$result = $client->describeCustomKeyStores([/* ... */]);
$promise = $client->describeCustomKeyStoresAsync([/* ... */]);

Gets information about custom key stores in the account and Region.

This operation is part of the custom key stores feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of a key store that you own and manage.

By default, this operation returns information about all custom key stores in the account and Region. To get only information about a particular custom key store, use either the CustomKeyStoreName or CustomKeyStoreId parameter (but not both).

To determine whether the custom key store is connected to its CloudHSM cluster or external key store proxy, use the ConnectionState element in the response. If an attempt to connect the custom key store failed, the ConnectionState value is FAILED and the ConnectionErrorCode element in the response indicates the cause of the failure. For help interpreting the ConnectionErrorCode, see CustomKeyStoresListEntry.

Custom key stores have a DISCONNECTED connection state if the key store has never been connected or you used the DisconnectCustomKeyStore operation to disconnect it. Otherwise, the connection state is CONNECTED. If your custom key store connection state is CONNECTED but you are having trouble using it, verify that the backing store is active and available. For an CloudHSM key store, verify that the associated CloudHSM cluster is active and contains the minimum number of HSMs required for the operation, if any. For an external key store, verify that the external key store proxy and its associated external key manager are reachable and enabled.

For help repairing your CloudHSM key store, see the Troubleshooting CloudHSM key stores. For help repairing your external key store, see the Troubleshooting external key stores. Both topics are in the Key Management Service Developer Guide.

Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account.

Required permissions: kms:DescribeCustomKeyStores (IAM policy)

Related operations:

• ConnectCustomKeyStore

• CreateCustomKeyStore

• DeleteCustomKeyStore

• DisconnectCustomKeyStore

• UpdateCustomKeyStore

Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.

Parameter Syntax

$result = $client->describeCustomKeyStores([
    'CustomKeyStoreId' => '<string>',
    'CustomKeyStoreName' => '<string>',
    'Limit' => <integer>,
    'Marker' => '<string>',
]);

Parameter Details

Result Syntax

[
    'CustomKeyStores' => [
        [
            'CloudHsmClusterId' => '<string>',
            'ConnectionErrorCode' => 'INVALID_CREDENTIALS|CLUSTER_NOT_FOUND|NETWORK_ERRORS|INTERNAL_ERROR|INSUFFICIENT_CLOUDHSM_HSMS|USER_LOCKED_OUT|USER_NOT_FOUND|USER_LOGGED_IN|SUBNET_NOT_FOUND|INSUFFICIENT_FREE_ADDRESSES_IN_SUBNET|XKS_PROXY_ACCESS_DENIED|XKS_PROXY_NOT_REACHABLE|XKS_VPC_ENDPOINT_SERVICE_NOT_FOUND|XKS_PROXY_INVALID_RESPONSE|XKS_PROXY_INVALID_CONFIGURATION|XKS_VPC_ENDPOINT_SERVICE_INVALID_CONFIGURATION|XKS_PROXY_TIMED_OUT|XKS_PROXY_INVALID_TLS_CONFIGURATION',
            'ConnectionState' => 'CONNECTED|CONNECTING|FAILED|DISCONNECTED|DISCONNECTING',
            'CreationDate' => <DateTime>,
            'CustomKeyStoreId' => '<string>',
            'CustomKeyStoreName' => '<string>',
            'CustomKeyStoreType' => 'AWS_CLOUDHSM|EXTERNAL_KEY_STORE',
            'TrustAnchorCertificate' => '<string>',
            'XksProxyConfiguration' => [
                'AccessKeyId' => '<string>',
                'Connectivity' => 'PUBLIC_ENDPOINT|VPC_ENDPOINT_SERVICE',
                'UriEndpoint' => '<string>',
                'UriPath' => '<string>',
                'VpcEndpointServiceName' => '<string>',
            ],
        ],
        // ...
    ],
    'NextMarker' => '<string>',
    'Truncated' => true || false,
]

Result Details

Errors

CustomKeyStoreNotFoundException:

The request was rejected because KMS cannot find a custom key store with the specified key store name or ID.

InvalidMarkerException:

The request was rejected because the marker that specifies where pagination should next begin is not valid.

KMSInternalException:

The request was rejected because an internal exception occurred. The request can be retried.

Examples

Example 1: To get detailed information about custom key stores in the account and Region

This example gets detailed information about all AWS KMS custom key stores in an AWS account and Region. To get all key stores, do not enter a custom key store name or ID.

$result = $client->describeCustomKeyStores([
]);

Result syntax:

[
    'CustomKeyStores' => [
    ], // Details about each custom key store in the account and Region.
]

Example 2: To get detailed information about an AWS CloudHSM key store by specifying its friendly name

This example gets detailed information about a particular AWS CloudHSM key store by specifying its friendly name. To limit the output to a particular custom key store, provide either the custom key store name or ID.

$result = $client->describeCustomKeyStores([
    'CustomKeyStoreName' => 'ExampleKeyStore', // The friendly name of the custom key store.
]);

Result syntax:

[
    'CustomKeyStores' => [
        [
            'CloudHsmClusterId' => 'cluster-234abcdefABC',
            'ConnectionState' => 'CONNECTED',
            'CreationDate' => ,
            'CustomKeyStoreId' => 'cks-1234567890abcdef0',
            'CustomKeyStoreName' => 'ExampleKeyStore',
            'CustomKeyStoreType' => 'AWS_CLOUDHSM',
            'TrustAnchorCertificate' => '',
        ],
    ], // Detailed information about the specified custom key store.
]

Example 3: To get detailed information about an external key store by specifying its ID

This example gets detailed information about an external key store by specifying its ID. The example external key store proxy uses public endpoint connectivity.

$result = $client->describeCustomKeyStores([
    'CustomKeyStoreId' => 'cks-9876543210fedcba9', // The ID of the custom key store.
]);

Result syntax:

[
    'CustomKeyStores' => [
        [
            'ConnectionState' => 'CONNECTED',
            'CreationDate' => ,
            'CustomKeyStoreId' => 'cks-9876543210fedcba9',
            'CustomKeyStoreName' => 'ExampleExternalKeyStore',
            'CustomKeyStoreType' => 'EXTERNAL_KEY_STORE',
            'XksProxyConfiguration' => [
                'AccessKeyId' => 'ABCDE12345670EXAMPLE',
                'Connectivity' => 'PUBLIC_ENDPOINT',
                'UriEndpoint' => 'https://myproxy.xks.example.com',
                'UriPath' => '/kms/xks/v1',
            ],
        ],
    ], // Detailed information about the specified custom key store.
]

Example 4: To get detailed information about an external key store VPC endpoint connectivity by specifying its friendly name

This example gets detailed information about a particular external key store by specifying its friendly name. To limit the output to a particular custom key store, provide either the custom key store name or ID. The proxy URI path for this external key store includes an optional prefix. Also, because this example external key store uses VPC endpoint connectivity, the response includes the associated VPC endpoint service name.

$result = $client->describeCustomKeyStores([
    'CustomKeyStoreName' => 'VPCExternalKeystore',
]);

Result syntax:

[
    'CustomKeyStores' => [
        [
            'ConnectionState' => 'CONNECTED',
            'CreationDate' => ,
            'CustomKeyStoreId' => 'cks-876543210fedcba98',
            'CustomKeyStoreName' => 'ExampleVPCExternalKeyStore',
            'CustomKeyStoreType' => 'EXTERNAL_KEY_STORE',
            'XksProxyConfiguration' => [
                'AccessKeyId' => 'ABCDE12345670EXAMPLE',
                'Connectivity' => 'VPC_ENDPOINT_SERVICE',
                'UriEndpoint' => 'https://myproxy-private.xks.example.com',
                'UriPath' => '/example-prefix/kms/xks/v1',
                'VpcEndpointServiceName' => 'com.amazonaws.vpce.us-east-1.vpce-svc-example1',
            ],
        ],
    ], // Detailed information about the specified custom key store.
]

DescribeKey

$result = $client->describeKey([/* ... */]);
$promise = $client->describeKeyAsync([/* ... */]);

Provides detailed information about a KMS key. You can run DescribeKey on a customer managed key or an Amazon Web Services managed key.

This detailed information includes the key ARN, creation date (and deletion date, if applicable), the key state, and the origin and expiration date (if any) of the key material. It includes fields, like KeySpec, that help you distinguish different types of KMS keys. It also displays the key usage (encryption, signing, or generating and verifying MACs) and the algorithms that the KMS key supports.

For multi-Region keys, DescribeKey displays the primary key and all related replica keys. For KMS keys in CloudHSM key stores, it includes information about the key store, such as the key store ID and the CloudHSM cluster ID. For KMS keys in external key stores, it includes the custom key store ID and the ID of the external key.

DescribeKey does not return the following information:

• Aliases associated with the KMS key. To get this information, use ListAliases.

• Whether automatic key rotation is enabled on the KMS key. To get this information, use GetKeyRotationStatus. Also, some key states prevent a KMS key from being automatically rotated. For details, see How key rotation works in the Key Management Service Developer Guide.

• Tags on the KMS key. To get this information, use ListResourceTags.

• Key policies and grants on the KMS key. To get this information, use GetKeyPolicy and ListGrants.

In general, DescribeKey is a non-mutating operation. It returns data about KMS keys, but doesn't change them. However, Amazon Web Services services use DescribeKey to create Amazon Web Services managed keys from a predefined Amazon Web Services alias with no key ID.

Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN in the value of the KeyId parameter.

Required permissions: kms:DescribeKey (key policy)

Related operations:

• GetKeyPolicy

• GetKeyRotationStatus

• ListAliases

• ListGrants

• ListKeys

• ListResourceTags

• ListRetirableGrants

Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.

Parameter Syntax

$result = $client->describeKey([
    'GrantTokens' => ['<string>', ...],
    'KeyId' => '<string>', // REQUIRED
]);

Parameter Details

Result Syntax

[
    'KeyMetadata' => [
        'AWSAccountId' => '<string>',
        'Arn' => '<string>',
        'CloudHsmClusterId' => '<string>',
        'CreationDate' => <DateTime>,
        'CurrentKeyMaterialId' => '<string>',
        'CustomKeyStoreId' => '<string>',
        'CustomerMasterKeySpec' => 'RSA_2048|RSA_3072|RSA_4096|ECC_NIST_P256|ECC_NIST_P384|ECC_NIST_P521|ECC_SECG_P256K1|SYMMETRIC_DEFAULT|HMAC_224|HMAC_256|HMAC_384|HMAC_512|SM2',
        'DeletionDate' => <DateTime>,
        'Description' => '<string>',
        'Enabled' => true || false,
        'EncryptionAlgorithms' => ['<string>', ...],
        'ExpirationModel' => 'KEY_MATERIAL_EXPIRES|KEY_MATERIAL_DOES_NOT_EXPIRE',
        'KeyAgreementAlgorithms' => ['<string>', ...],
        'KeyId' => '<string>',
        'KeyManager' => 'AWS|CUSTOMER',
        'KeySpec' => 'RSA_2048|RSA_3072|RSA_4096|ECC_NIST_P256|ECC_NIST_P384|ECC_NIST_P521|ECC_SECG_P256K1|SYMMETRIC_DEFAULT|HMAC_224|HMAC_256|HMAC_384|HMAC_512|SM2|ML_DSA_44|ML_DSA_65|ML_DSA_87',
        'KeyState' => 'Creating|Enabled|Disabled|PendingDeletion|PendingImport|PendingReplicaDeletion|Unavailable|Updating',
        'KeyUsage' => 'SIGN_VERIFY|ENCRYPT_DECRYPT|GENERATE_VERIFY_MAC|KEY_AGREEMENT',
        'MacAlgorithms' => ['<string>', ...],
        'MultiRegion' => true || false,
        'MultiRegionConfiguration' => [
            'MultiRegionKeyType' => 'PRIMARY|REPLICA',
            'PrimaryKey' => [
                'Arn' => '<string>',
                'Region' => '<string>',
            ],
            'ReplicaKeys' => [
                [
                    'Arn' => '<string>',
                    'Region' => '<string>',
                ],
                // ...
            ],
        ],
        'Origin' => 'AWS_KMS|EXTERNAL|AWS_CLOUDHSM|EXTERNAL_KEY_STORE',
        'PendingDeletionWindowInDays' => <integer>,
        'SigningAlgorithms' => ['<string>', ...],
        'ValidTo' => <DateTime>,
        'XksKeyConfiguration' => [
            'Id' => '<string>',
        ],
    ],
]

Result Details

Errors

NotFoundException:

The request was rejected because the specified entity or resource could not be found.

InvalidArnException:

The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.

DependencyTimeoutException:

The system timed out while trying to fulfill the request. You can retry the request.

KMSInternalException:

The request was rejected because an internal exception occurred. The request can be retried.

Examples

Example 1: To get details about a KMS key

The following example gets metadata for a symmetric encryption KMS key.

$result = $client->describeKey([
    'KeyId' => '1234abcd-12ab-34cd-56ef-1234567890ab', // An identifier for the KMS key. You can use the key ID, key ARN, alias name, alias ARN of the KMS key.
]);

Result syntax:

[
    'KeyMetadata' => [
        'AWSAccountId' => '111122223333',
        'Arn' => 'arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab',
        'CreationDate' => ,
        'CurrentKeyMaterialId' => '0b7fd7ddbac6eef27907413567cad8c810e2883dc8a7534067a82ee1142fc1e6',
        'CustomerMasterKeySpec' => 'SYMMETRIC_DEFAULT',
        'Description' => '',
        'Enabled' => 1,
        'EncryptionAlgorithms' => [
            'SYMMETRIC_DEFAULT',
        ],
        'KeyId' => '1234abcd-12ab-34cd-56ef-1234567890ab',
        'KeyManager' => 'CUSTOMER',
        'KeySpec' => 'SYMMETRIC_DEFAULT',
        'KeyState' => 'Enabled',
        'KeyUsage' => 'ENCRYPT_DECRYPT',
        'MultiRegion' => ,
        'Origin' => 'AWS_KMS',
    ], // An object that contains information about the specified KMS key.
]

Example 2: To get details about an RSA asymmetric KMS key

The following example gets metadata for an asymmetric RSA KMS key used for signing and verification.

$result = $client->describeKey([
    'KeyId' => '1234abcd-12ab-34cd-56ef-1234567890ab', // An identifier for the KMS key. You can use the key ID, key ARN, alias name, alias ARN of the KMS key.
]);

Result syntax:

[
    'KeyMetadata' => [
        'AWSAccountId' => '111122223333',
        'Arn' => 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab',
        'CreationDate' => ,
        'CustomerMasterKeySpec' => 'RSA_2048',
        'Description' => '',
        'Enabled' => ,
        'KeyId' => '1234abcd-12ab-34cd-56ef-1234567890ab',
        'KeyManager' => 'CUSTOMER',
        'KeySpec' => 'RSA_2048',
        'KeyState' => 'Disabled',
        'KeyUsage' => 'SIGN_VERIFY',
        'MultiRegion' => ,
        'Origin' => 'AWS_KMS',
        'SigningAlgorithms' => [
            'RSASSA_PKCS1_V1_5_SHA_256',
            'RSASSA_PKCS1_V1_5_SHA_384',
            'RSASSA_PKCS1_V1_5_SHA_512',
            'RSASSA_PSS_SHA_256',
            'RSASSA_PSS_SHA_384',
            'RSASSA_PSS_SHA_512',
        ],
    ], // An object that contains information about the specified KMS key.
]

Example 3: To get details about a multi-Region key

The following example gets metadata for a multi-Region replica key. This multi-Region key is a symmetric encryption key. DescribeKey returns information about the primary key and all of its replicas.

$result = $client->describeKey([
    'KeyId' => 'arn:aws:kms:ap-northeast-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab', // An identifier for the KMS key. You can use the key ID, key ARN, alias name, alias ARN of the KMS key.
]);

Result syntax:

[
    'KeyMetadata' => [
        'AWSAccountId' => '111122223333',
        'Arn' => 'arn:aws:kms:ap-northeast-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab',
        'CreationDate' => ,
        'CurrentKeyMaterialId' => '0b7fd7ddbac6eef27907413567cad8c810e2883dc8a7534067a82ee1142fc1e6',
        'CustomerMasterKeySpec' => 'SYMMETRIC_DEFAULT',
        'Description' => '',
        'Enabled' => 1,
        'EncryptionAlgorithms' => [
            'SYMMETRIC_DEFAULT',
        ],
        'KeyId' => 'mrk-1234abcd12ab34cd56ef1234567890ab',
        'KeyManager' => 'CUSTOMER',
        'KeyState' => 'Enabled',
        'KeyUsage' => 'ENCRYPT_DECRYPT',
        'MultiRegion' => 1,
        'MultiRegionConfiguration' => [
            'MultiRegionKeyType' => 'PRIMARY',
            'PrimaryKey' => [
                'Arn' => 'arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab',
                'Region' => 'us-west-2',
            ],
            'ReplicaKeys' => [
                [
                    'Arn' => 'arn:aws:kms:eu-west-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab',
                    'Region' => 'eu-west-1',
                ],
                [
                    'Arn' => 'arn:aws:kms:ap-northeast-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab',
                    'Region' => 'ap-northeast-1',
                ],
                [
                    'Arn' => 'arn:aws:kms:sa-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab',
                    'Region' => 'sa-east-1',
                ],
            ],
        ],
        'Origin' => 'AWS_KMS',
    ], // An object that contains information about the specified KMS key.
]

Example 4: To get details about an HMAC KMS key

The following example gets the metadata of an HMAC KMS key.

$result = $client->describeKey([
    'KeyId' => 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab', // An identifier for the KMS key. You can use the key ID, key ARN, alias name, alias ARN of the KMS key.
]);

Result syntax:

[
    'KeyMetadata' => [
        'AWSAccountId' => '123456789012',
        'Arn' => 'arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab',
        'CreationDate' => ,
        'CustomerMasterKeySpec' => 'HMAC_256',
        'Description' => 'Development test key',
        'Enabled' => 1,
        'KeyId' => '1234abcd-12ab-34cd-56ef-1234567890ab',
        'KeyManager' => 'CUSTOMER',
        'KeyState' => 'Enabled',
        'KeyUsage' => 'GENERATE_VERIFY_MAC',
        'MacAlgorithms' => [
            'HMAC_SHA_256',
        ],
        'MultiRegion' => ,
        'Origin' => 'AWS_KMS',
    ], // An object that contains information about the specified KMS key.
]

Example 5: To get details about a KMS key in an AWS CloudHSM key store

The following example gets the metadata of a KMS key in an AWS CloudHSM key store.

$result = $client->describeKey([
    'KeyId' => 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab', // An identifier for the KMS key. You can use the key ID, key ARN, alias name, alias ARN of the KMS key.
]);

Result syntax:

[
    'KeyMetadata' => [
        'AWSAccountId' => '123456789012',
        'Arn' => 'arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab',
        'CloudHsmClusterId' => 'cluster-234abcdefABC',
        'CreationDate' => ,
        'CustomKeyStoreId' => 'cks-1234567890abcdef0',
        'CustomerMasterKeySpec' => 'SYMMETRIC_DEFAULT',
        'Description' => 'CloudHSM key store test key',
        'Enabled' => 1,
        'EncryptionAlgorithms' => [
            'SYMMETRIC_DEFAULT',
        ],
        'KeyId' => '1234abcd-12ab-34cd-56ef-1234567890ab',
        'KeyManager' => 'CUSTOMER',
        'KeySpec' => 'SYMMETRIC_DEFAULT',
        'KeyState' => 'Enabled',
        'KeyUsage' => 'ENCRYPT_DECRYPT',
        'MultiRegion' => ,
        'Origin' => 'AWS_CLOUDHSM',
    ], // An object that contains information about the specified KMS key.
]

Example 6: To get details about a KMS key in an external key store

The following example gets the metadata of a KMS key in an external key store.

$result = $client->describeKey([
    'KeyId' => 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab', // An identifier for the KMS key. You can use the key ID, key ARN, alias name, alias ARN of the KMS key.
]);

Result syntax:

[
    'KeyMetadata' => [
        'AWSAccountId' => '123456789012',
        'Arn' => 'arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab',
        'CreationDate' => ,
        'CustomKeyStoreId' => 'cks-1234567890abcdef0',
        'CustomerMasterKeySpec' => 'SYMMETRIC_DEFAULT',
        'Description' => 'External key store test key',
        'Enabled' => 1,
        'EncryptionAlgorithms' => [
            'SYMMETRIC_DEFAULT',
        ],
        'KeyId' => '1234abcd-12ab-34cd-56ef-1234567890ab',
        'KeyManager' => 'CUSTOMER',
        'KeySpec' => 'SYMMETRIC_DEFAULT',
        'KeyState' => 'Enabled',
        'KeyUsage' => 'ENCRYPT_DECRYPT',
        'MultiRegion' => ,
        'Origin' => 'EXTERNAL_KEY_STORE',
        'XksKeyConfiguration' => [
            'Id' => 'bb8562717f809024',
        ],
    ], // An object that contains information about the specified KMS key.
]

DisableKey

$result = $client->disableKey([/* ... */]);
$promise = $client->disableKeyAsync([/* ... */]);

Sets the state of a KMS key to disabled. This change temporarily prevents use of the KMS key for cryptographic operations.

The KMS key that you use for this operation must be in a compatible key state. For more information about how key state affects the use of a KMS key, see Key states of KMS keys in the Key Management Service Developer Guide .

Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.

Required permissions: kms:DisableKey (key policy)

Related operations: EnableKey

Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.

Parameter Syntax

$result = $client->disableKey([
    'KeyId' => '<string>', // REQUIRED
]);

Parameter Details

Result Syntax

[]

Result Details

Errors

NotFoundException:

The request was rejected because the specified entity or resource could not be found.

InvalidArnException:

The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.

DependencyTimeoutException:

The system timed out while trying to fulfill the request. You can retry the request.

KMSInternalException:

The request was rejected because an internal exception occurred. The request can be retried.

KMSInvalidStateException:

The request was rejected because the state of the specified resource is not valid for this request.

This exceptions means one of the following:

• The key state of the KMS key is not compatible with the operation.

  To find the key state, use the DescribeKey operation. For more information about which key states are compatible with each KMS operation, see Key states of KMS keys in the Key Management Service Developer Guide .

• For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.

Examples

Example 1: To disable a KMS key

The following example disables the specified KMS key.

$result = $client->disableKey([
    'KeyId' => '1234abcd-12ab-34cd-56ef-1234567890ab', // The identifier of the KMS key to disable. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
]);

DisableKeyRotation

$result = $client->disableKeyRotation([/* ... */]);
$promise = $client->disableKeyRotationAsync([/* ... */]);

Disables automatic rotation of the key material of the specified symmetric encryption KMS key.

Automatic key rotation is supported only on symmetric encryption KMS keys. You cannot enable automatic rotation of asymmetric KMS keys, HMAC KMS keys, KMS keys with imported key material, or KMS keys in a custom key store. To enable or disable automatic rotation of a set of related multi-Region keys, set the property on the primary key.

You can enable (EnableKeyRotation) and disable automatic rotation of the key material in customer managed KMS keys. Key material rotation of Amazon Web Services managed KMS keys is not configurable. KMS always rotates the key material for every year. Rotation of Amazon Web Services owned KMS keys varies.

The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide.

Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.

Required permissions: kms:DisableKeyRotation (key policy)

Related operations:

• EnableKeyRotation

• GetKeyRotationStatus

• ListKeyRotations

• RotateKeyOnDemand

Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.

Parameter Syntax

$result = $client->disableKeyRotation([
    'KeyId' => '<string>', // REQUIRED
]);

Parameter Details

Result Syntax

[]

Result Details

Errors

NotFoundException:

The request was rejected because the specified entity or resource could not be found.

DisabledException:

The request was rejected because the specified KMS key is not enabled.

InvalidArnException:

The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.

DependencyTimeoutException:

The system timed out while trying to fulfill the request. You can retry the request.

KMSInternalException:

The request was rejected because an internal exception occurred. The request can be retried.

KMSInvalidStateException:

The request was rejected because the state of the specified resource is not valid for this request.

This exceptions means one of the following:

• The key state of the KMS key is not compatible with the operation.

  To find the key state, use the DescribeKey operation. For more information about which key states are compatible with each KMS operation, see Key states of KMS keys in the Key Management Service Developer Guide .

• For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.

UnsupportedOperationException:

The request was rejected because a specified parameter is not supported or a specified resource is not valid for this operation.

Examples

Example 1: To disable automatic rotation of key material

The following example disables automatic annual rotation of the key material for the specified KMS key.

$result = $client->disableKeyRotation([
    'KeyId' => '1234abcd-12ab-34cd-56ef-1234567890ab', // The identifier of the KMS key whose key material will no longer be rotated. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
]);

DisconnectCustomKeyStore

$result = $client->disconnectCustomKeyStore([/* ... */]);
$promise = $client->disconnectCustomKeyStoreAsync([/* ... */]);

Disconnects the custom key store from its backing key store. This operation disconnects an CloudHSM key store from its associated CloudHSM cluster or disconnects an external key store from the external key store proxy that communicates with your external key manager.

This operation is part of the custom key stores feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of a key store that you own and manage.

While a custom key store is disconnected, you can manage the custom key store and its KMS keys, but you cannot create or use its KMS keys. You can reconnect the custom key store at any time.

When you disconnect a custom key store, its ConnectionState changes to Disconnected. To find the connection state of a custom key store, use the DescribeCustomKeyStores operation. To reconnect a custom key store, use the ConnectCustomKeyStore operation.

If the operation succeeds, it returns a JSON object with no properties.

Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account.

Required permissions: kms:DisconnectCustomKeyStore (IAM policy)

Related operations:

• ConnectCustomKeyStore

• CreateCustomKeyStore

• DeleteCustomKeyStore

• DescribeCustomKeyStores

• UpdateCustomKeyStore

Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.

Parameter Syntax

$result = $client->disconnectCustomKeyStore([
    'CustomKeyStoreId' => '<string>', // REQUIRED
]);

Parameter Details

Result Syntax

[]

Result Details

Errors

CustomKeyStoreInvalidStateException:

The request was rejected because of the ConnectionState of the custom key store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores operation.

This exception is thrown under the following conditions:

• You requested the ConnectCustomKeyStore operation on a custom key store with a ConnectionState of DISCONNECTING or FAILED. This operation is valid for all other ConnectionState values. To reconnect a custom key store in a FAILED state, disconnect it (DisconnectCustomKeyStore), then connect it (ConnectCustomKeyStore).

• You requested the CreateKey operation in a custom key store that is not connected. This operations is valid only when the custom key store ConnectionState is CONNECTED.

• You requested the DisconnectCustomKeyStore operation on a custom key store with a ConnectionState of DISCONNECTING or DISCONNECTED. This operation is valid for all other ConnectionState values.

• You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation on a custom key store that is not disconnected. This operation is valid only when the custom key store ConnectionState is DISCONNECTED.

• You requested the GenerateRandom operation in an CloudHSM key store that is not connected. This operation is valid only when the CloudHSM key store ConnectionState is CONNECTED.

CustomKeyStoreNotFoundException:

The request was rejected because KMS cannot find a custom key store with the specified key store name or ID.

KMSInternalException:

The request was rejected because an internal exception occurred. The request can be retried.

Examples

Example 1: To disconnect a custom key store from its CloudHSM cluster

This example disconnects an AWS KMS custom key store from its backing key store. For an AWS CloudHSM key store, it disconnects the key store from its AWS CloudHSM cluster. For an external key store, it disconnects the key store from the external key store proxy that communicates with your external key manager. This operation doesn't return any data. To verify that the custom key store is disconnected, use the DescribeCustomKeyStores operation.

$result = $client->disconnectCustomKeyStore([
    'CustomKeyStoreId' => 'cks-1234567890abcdef0', // The ID of the custom key store.
]);

Result syntax:

[
]

EnableKey

$result = $client->enableKey([/* ... */]);
$promise = $client->enableKeyAsync([/* ... */]);

Sets the key state of a KMS key to enabled. This allows you to use the KMS key for cryptographic operations.

The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide.

Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.

Required permissions: kms:EnableKey (key policy)

Related operations: DisableKey

Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.

Parameter Syntax

$result = $client->enableKey([
    'KeyId' => '<string>', // REQUIRED
]);

Parameter Details

Result Syntax

[]

Result Details

Errors

NotFoundException:

The request was rejected because the specified entity or resource could not be found.

InvalidArnException:

The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.

DependencyTimeoutException:

The system timed out while trying to fulfill the request. You can retry the request.

KMSInternalException:

The request was rejected because an internal exception occurred. The request can be retried.

LimitExceededException:

The request was rejected because a length constraint or quota was exceeded. For more information, see Quotas in the Key Management Service Developer Guide.

KMSInvalidStateException:

The request was rejected because the state of the specified resource is not valid for this request.

This exceptions means one of the following:

• The key state of the KMS key is not compatible with the operation.

  To find the key state, use the DescribeKey operation. For more information about which key states are compatible with each KMS operation, see Key states of KMS keys in the Key Management Service Developer Guide .

• For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.

Examples

Example 1: To enable a KMS key

The following example enables the specified KMS key.

$result = $client->enableKey([
    'KeyId' => '1234abcd-12ab-34cd-56ef-1234567890ab', // The identifier of the KMS key to enable. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
]);

EnableKeyRotation

$result = $client->enableKeyRotation([/* ... */]);
$promise = $client->enableKeyRotationAsync([/* ... */]);

Enables automatic rotation of the key material of the specified symmetric encryption KMS key.

By default, when you enable automatic rotation of a customer managed KMS key, KMS rotates the key material of the KMS key one year (approximately 365 days) from the enable date and every year thereafter. You can use the optional RotationPeriodInDays parameter to specify a custom rotation period when you enable key rotation, or you can use RotationPeriodInDays to modify the rotation period of a key that you previously enabled automatic key rotation on.

You can monitor rotation of the key material for your KMS keys in CloudTrail and Amazon CloudWatch. To disable rotation of the key material in a customer managed KMS key, use the DisableKeyRotation operation. You can use the GetKeyRotationStatus operation to identify any in progress rotations. You can use the ListKeyRotations operation to view the details of completed rotations.

Automatic key rotation is supported only on symmetric encryption KMS keys. You cannot enable automatic rotation of asymmetric KMS keys, HMAC KMS keys, KMS keys with imported key material, or KMS keys in a custom key store. To enable or disable automatic rotation of a set of related multi-Region keys, set the property on the primary key.

You cannot enable or disable automatic rotation of Amazon Web Services managed KMS keys. KMS always rotates the key material of Amazon Web Services managed keys every year. Rotation of Amazon Web Services owned KMS keys is managed by the Amazon Web Services service that owns the key.

The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide.

Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.

Required permissions: kms:EnableKeyRotation (key policy)

Related operations:

• DisableKeyRotation

• GetKeyRotationStatus

• ListKeyRotations

• RotateKeyOnDemand

  You can perform on-demand (RotateKeyOnDemand) rotation of the key material in customer managed KMS keys, regardless of whether or not automatic key rotation is enabled.

Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.

Parameter Syntax

$result = $client->enableKeyRotation([
    'KeyId' => '<string>', // REQUIRED
    'RotationPeriodInDays' => <integer>,
]);

Parameter Details

Result Syntax

[]

Result Details

Errors

NotFoundException:

The request was rejected because the specified entity or resource could not be found.

DisabledException:

The request was rejected because the specified KMS key is not enabled.

InvalidArnException:

The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.

DependencyTimeoutException:

The system timed out while trying to fulfill the request. You can retry the request.

KMSInternalException:

The request was rejected because an internal exception occurred. The request can be retried.

KMSInvalidStateException:

The request was rejected because the state of the specified resource is not valid for this request.

This exceptions means one of the following:

• The key state of the KMS key is not compatible with the operation.

  To find the key state, use the DescribeKey operation. For more information about which key states are compatible with each KMS operation, see Key states of KMS keys in the Key Management Service Developer Guide .

• For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.

UnsupportedOperationException:

The request was rejected because a specified parameter is not supported or a specified resource is not valid for this operation.

Examples

Example 1: To enable automatic rotation of key material

The following example enables automatic rotation with a rotation period of 365 days for the specified KMS key.

$result = $client->enableKeyRotation([
    'KeyId' => '1234abcd-12ab-34cd-56ef-1234567890ab', // The identifier of the KMS key whose key material will be automatically rotated. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
    'RotationPeriodInDays' => 365, // The number of days between each rotation date. Specify a value between 9 and 2560. If no value is specified, the default value is 365 days.
]);

Encrypt

$result = $client->encrypt([/* ... */]);
$promise = $client->encryptAsync([/* ... */]);

Encrypts plaintext of up to 4,096 bytes using a KMS key. You can use a symmetric or asymmetric KMS key with a KeyUsage of ENCRYPT_DECRYPT.

You can use this operation to encrypt small amounts of arbitrary data, such as a personal identifier or database password, or other sensitive information. You don't need to use the Encrypt operation to encrypt a data key. The GenerateDataKey and GenerateDataKeyPair operations return a plaintext data key and an encrypted copy of that data key.

If you use a symmetric encryption KMS key, you can use an encryption context to add additional security to your encryption operation. If you specify an EncryptionContext when encrypting data, you must specify the same encryption context (a case-sensitive exact match) when decrypting the data. Otherwise, the request to decrypt fails with an InvalidCiphertextException. For more information, see Encryption Context in the Key Management Service Developer Guide.

If you specify an asymmetric KMS key, you must also specify the encryption algorithm. The algorithm must be compatible with the KMS key spec.

The maximum size of the data that you can encrypt varies with the type of KMS key and the encryption algorithm that you choose.

• Symmetric encryption KMS keys

  • SYMMETRIC_DEFAULT: 4096 bytes

• RSA_2048

  • RSAES_OAEP_SHA_1: 214 bytes

  • RSAES_OAEP_SHA_256: 190 bytes

• RSA_3072

  • RSAES_OAEP_SHA_1: 342 bytes

  • RSAES_OAEP_SHA_256: 318 bytes

• RSA_4096

  • RSAES_OAEP_SHA_1: 470 bytes

  • RSAES_OAEP_SHA_256: 446 bytes

• SM2PKE: 1024 bytes (China Regions only)

The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide.

Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN in the value of the KeyId parameter.

Required permissions: kms:Encrypt (key policy)

Related operations:

• Decrypt

• GenerateDataKey

• GenerateDataKeyPair

Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.

Parameter Syntax

$result = $client->encrypt([
    'DryRun' => true || false,
    'EncryptionAlgorithm' => 'SYMMETRIC_DEFAULT|RSAES_OAEP_SHA_1|RSAES_OAEP_SHA_256|SM2PKE',
    'EncryptionContext' => ['<string>', ...],
    'GrantTokens' => ['<string>', ...],
    'KeyId' => '<string>', // REQUIRED
    'Plaintext' => <string || resource || Psr\Http\Message\StreamInterface>, // REQUIRED
]);

Parameter Details

Result Syntax

[
    'CiphertextBlob' => <string || resource || Psr\Http\Message\StreamInterface>,
    'EncryptionAlgorithm' => 'SYMMETRIC_DEFAULT|RSAES_OAEP_SHA_1|RSAES_OAEP_SHA_256|SM2PKE',
    'KeyId' => '<string>',
]

Result Details

Errors

NotFoundException:

The request was rejected because the specified entity or resource could not be found.

DisabledException:

The request was rejected because the specified KMS key is not enabled.

KeyUnavailableException:

The request was rejected because the specified KMS key was not available. You can retry the request.

DependencyTimeoutException:

The system timed out while trying to fulfill the request. You can retry the request.

InvalidKeyUsageException:

The request was rejected for one of the following reasons:

• The KeyUsage value of the KMS key is incompatible with the API operation.

• The encryption algorithm or signing algorithm specified for the operation is incompatible with the type of key material in the KMS key (KeySpec).

For encrypting, decrypting, re-encrypting, and generating data keys, the KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage of a KMS key, use the DescribeKey operation.

To find the encryption or signing algorithms supported for a particular KMS key, use the DescribeKey operation.

InvalidGrantTokenException:

The request was rejected because the specified grant token is not valid.

KMSInternalException:

The request was rejected because an internal exception occurred. The request can be retried.

KMSInvalidStateException:

The request was rejected because the state of the specified resource is not valid for this request.

This exceptions means one of the following:

• The key state of the KMS key is not compatible with the operation.

  To find the key state, use the DescribeKey operation. For more information about which key states are compatible with each KMS operation, see Key states of KMS keys in the Key Management Service Developer Guide .

• For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.

DryRunOperationException:

The request was rejected because the DryRun parameter was specified.

Examples

Example 1: To encrypt data with a symmetric encryption KMS key

The following example encrypts data with the specified symmetric encryption KMS key.

$result = $client->encrypt([
    'KeyId' => '1234abcd-12ab-34cd-56ef-1234567890ab', // The identifier of the KMS key to use for encryption. You can use the key ID or Amazon Resource Name (ARN) of the KMS key, or the name or ARN of an alias that refers to the KMS key.
    'Plaintext' => <BLOB>, // The data to encrypt.
]);

Result syntax:

[
    'CiphertextBlob' => <BLOB>, // The encrypted data (ciphertext).
    'EncryptionAlgorithm' => 'SYMMETRIC_DEFAULT', // The encryption algorithm that was used in the operation. For symmetric encryption keys, the encryption algorithm is always SYMMETRIC_DEFAULT.
    'KeyId' => 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab', // The ARN of the KMS key that was used to encrypt the data.
]

Example 2: To encrypt data with an asymmetric encryption KMS key

The following example encrypts data with the specified RSA asymmetric KMS key. When you encrypt with an asymmetric key, you must specify the encryption algorithm.

$result = $client->encrypt([
    'EncryptionAlgorithm' => 'RSAES_OAEP_SHA_256', // The encryption algorithm to use in the operation.
    'KeyId' => '0987dcba-09fe-87dc-65ba-ab0987654321', // The identifier of the KMS key to use for encryption. You can use the key ID or Amazon Resource Name (ARN) of the KMS key, or the name or ARN of an alias that refers to the KMS key.
    'Plaintext' => <BLOB>, // The data to encrypt.
]);

Result syntax:

[
    'CiphertextBlob' => <BLOB>, // The encrypted data (ciphertext).
    'EncryptionAlgorithm' => 'RSAES_OAEP_SHA_256', // The encryption algorithm that was used in the operation.
    'KeyId' => 'arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321', // The ARN of the KMS key that was used to encrypt the data.
]

GenerateDataKey

$result = $client->generateDataKey([/* ... */]);
$promise = $client->generateDataKeyAsync([/* ... */]);

Returns a unique symmetric data key for use outside of KMS. This operation returns a plaintext copy of the data key and a copy that is encrypted under a symmetric encryption KMS key that you specify. The bytes in the plaintext key are random; they are not related to the caller or the KMS key. You can use the plaintext key to encrypt your data outside of KMS and store the encrypted data key with the encrypted data.

To generate a data key, specify the symmetric encryption KMS key that will be used to encrypt the data key. You cannot use an asymmetric KMS key to encrypt data keys. To get the type of your KMS key, use the DescribeKey operation.

You must also specify the length of the data key. Use either the KeySpec or NumberOfBytes parameters (but not both). For 128-bit and 256-bit data keys, use the KeySpec parameter.

To generate a 128-bit SM4 data key (China Regions only), specify a KeySpec value of AES_128 or a NumberOfBytes value of 16. The symmetric encryption key used in China Regions to encrypt your data key is an SM4 encryption key.

To get only an encrypted copy of the data key, use GenerateDataKeyWithoutPlaintext. To generate an asymmetric data key pair, use the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext operation. To get a cryptographically secure random byte string, use GenerateRandom.

You can use an optional encryption context to add additional security to the encryption operation. If you specify an EncryptionContext, you must specify the same encryption context (a case-sensitive exact match) when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an InvalidCiphertextException. For more information, see Encryption Context in the Key Management Service Developer Guide.

GenerateDataKey also supports Amazon Web Services Nitro Enclaves, which provide an isolated compute environment in Amazon EC2. To call GenerateDataKey for an Amazon Web Services Nitro enclave, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK. Use the Recipient parameter to provide the attestation document for the enclave. GenerateDataKey returns a copy of the data key encrypted under the specified KMS key, as usual. But instead of a plaintext copy of the data key, the response includes a copy of the data key encrypted under the public key from the attestation document (CiphertextForRecipient). For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide..

The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide.

How to use your data key

We recommend that you use the following pattern to encrypt data locally in your application. You can write your own code or use a client-side encryption library, such as the Amazon Web Services Encryption SDK, the Amazon DynamoDB Encryption Client, or Amazon S3 client-side encryption to do these tasks for you.

To encrypt data outside of KMS:

1. Use the GenerateDataKey operation to get a data key.

2. Use the plaintext data key (in the Plaintext field of the response) to encrypt your data outside of KMS. Then erase the plaintext data key from memory.

3. Store the encrypted data key (in the CiphertextBlob field of the response) with the encrypted data.

To decrypt data outside of KMS:

1. Use the Decrypt operation to decrypt the encrypted data key. The operation returns a plaintext copy of the data key.

2. Use the plaintext data key to decrypt data outside of KMS, then erase the plaintext data key from memory.

Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN in the value of the KeyId parameter.

Required permissions: kms:GenerateDataKey (key policy)

Related operations:

• Decrypt

• Encrypt

• GenerateDataKeyPair

• GenerateDataKeyPairWithoutPlaintext

• GenerateDataKeyWithoutPlaintext

Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.

Parameter Syntax

$result = $client->generateDataKey([
    'DryRun' => true || false,
    'EncryptionContext' => ['<string>', ...],
    'GrantTokens' => ['<string>', ...],
    'KeyId' => '<string>', // REQUIRED
    'KeySpec' => 'AES_256|AES_128',
    'NumberOfBytes' => <integer>,
    'Recipient' => [
        'AttestationDocument' => <string || resource || Psr\Http\Message\StreamInterface>,
        'KeyEncryptionAlgorithm' => 'RSAES_OAEP_SHA_256',
    ],
]);

Parameter Details

Result Syntax

[
    'CiphertextBlob' => <string || resource || Psr\Http\Message\StreamInterface>,
    'CiphertextForRecipient' => <string || resource || Psr\Http\Message\StreamInterface>,
    'KeyId' => '<string>',
    'KeyMaterialId' => '<string>',
    'Plaintext' => <string || resource || Psr\Http\Message\StreamInterface>,
]

Result Details

Errors

NotFoundException:

The request was rejected because the specified entity or resource could not be found.

DisabledException:

The request was rejected because the specified KMS key is not enabled.

KeyUnavailableException:

The request was rejected because the specified KMS key was not available. You can retry the request.

DependencyTimeoutException:

The system timed out while trying to fulfill the request. You can retry the request.

InvalidKeyUsageException:

The request was rejected for one of the following reasons:

• The KeyUsage value of the KMS key is incompatible with the API operation.

• The encryption algorithm or signing algorithm specified for the operation is incompatible with the type of key material in the KMS key (KeySpec).

For encrypting, decrypting, re-encrypting, and generating data keys, the KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage of a KMS key, use the DescribeKey operation.

To find the encryption or signing algorithms supported for a particular KMS key, use the DescribeKey operation.

InvalidGrantTokenException:

The request was rejected because the specified grant token is not valid.

KMSInternalException:

The request was rejected because an internal exception occurred. The request can be retried.

KMSInvalidStateException:

The request was rejected because the state of the specified resource is not valid for this request.

This exceptions means one of the following:

• The key state of the KMS key is not compatible with the operation.

  To find the key state, use the DescribeKey operation. For more information about which key states are compatible with each KMS operation, see Key states of KMS keys in the Key Management Service Developer Guide .

• For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.

DryRunOperationException:

The request was rejected because the DryRun parameter was specified.

Examples

Example 1: To generate a data key

The following example generates a 256-bit symmetric data encryption key (data key) in two formats. One is the unencrypted (plainext) data key, and the other is the data key encrypted with the specified KMS key.

$result = $client->generateDataKey([
    'KeyId' => 'alias/ExampleAlias', // The identifier of the KMS key to use to encrypt the data key. You can use the key ID or Amazon Resource Name (ARN) of the KMS key, or the name or ARN of an alias that refers to the KMS key.
    'KeySpec' => 'AES_256', // Specifies the type of data key to return.
]);

Result syntax:

[
    'CiphertextBlob' => <BLOB>, // The encrypted data key.
    'KeyId' => 'arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab', // The ARN of the KMS key that was used to encrypt the data key.
    'KeyMaterialId' => '0b7fd7ddbac6eef27907413567cad8c810e2883dc8a7534067a82ee1142fc1e6', // The identifier of the key material used to encrypt the data key.
    'Plaintext' => <BLOB>, // The unencrypted (plaintext) data key.
]

Example 2: To generate a data key pair for a Nitro enclave

The following example includes the Recipient parameter with a signed attestation document from an AWS Nitro enclave. Instead of returning a copy of the data key encrypted by the KMS key and a plaintext copy of the data key, GenerateDataKey returns one copy of the data key encrypted by the KMS key (CiphertextBlob) and one copy of the data key encrypted by the public key from the attestation document (CiphertextForRecipient). The operation doesn't return a plaintext data key.

$result = $client->generateDataKey([
    'KeyId' => 'arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab', // Identifies the KMS key used to encrypt the encrypted data key (CiphertextBlob)
    'KeySpec' => 'AES_256', // Specifies the type of data key to return
    'Recipient' => [
        'AttestationDocument' => <BLOB>,
        'KeyEncryptionAlgorithm' => 'RSAES_OAEP_SHA_256',
    ], // Specifies the attestation document from the Nitro enclave and the encryption algorithm to use with the public key from the attestation document
]);

Result syntax:

[
    'CiphertextBlob' => <BLOB>, // The data key encrypted by the specified KMS key
    'CiphertextForRecipient' => <BLOB>, // The plaintext data key encrypted by the public key from the attestation document
    'KeyId' => 'arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab', // The KMS key used to encrypt the CiphertextBlob (encrypted data key)
    'Plaintext' => <BLOB>, // This field is null or empty
]

GenerateDataKeyPair

$result = $client->generateDataKeyPair([/* ... */]);
$promise = $client->generateDataKeyPairAsync([/* ... */]);

Returns a unique asymmetric data key pair for use outside of KMS. This operation returns a plaintext public key, a plaintext private key, and a copy of the private key that is encrypted under the symmetric encryption KMS key you specify. You can use the data key pair to perform asymmetric cryptography and implement digital signatures outside of KMS. The bytes in the keys are random; they are not related to the caller or to the KMS key that is used to encrypt the private key.

You can use the public key that GenerateDataKeyPair returns to encrypt data or verify a signature outside of KMS. Then, store the encrypted private key with the data. When you are ready to decrypt data or sign a message, you can use the Decrypt operation to decrypt the encrypted private key.

To generate a data key pair, you must specify a symmetric encryption KMS key to encrypt the private key in a data key pair. You cannot use an asymmetric KMS key or a KMS key in a custom key store. To get the type and origin of your KMS key, use the DescribeKey operation.

Use the KeyPairSpec parameter to choose an RSA or Elliptic Curve (ECC) data key pair. In China Regions, you can also choose an SM2 data key pair. KMS recommends that you use ECC key pairs for signing, and use RSA and SM2 key pairs for either encryption or signing, but not both. However, KMS cannot enforce any restrictions on the use of data key pairs outside of KMS.

If you are using the data key pair to encrypt data, or for any operation where you don't immediately need a private key, consider using the GenerateDataKeyPairWithoutPlaintext operation. GenerateDataKeyPairWithoutPlaintext returns a plaintext public key and an encrypted private key, but omits the plaintext private key that you need only to decrypt ciphertext or sign a message. Later, when you need to decrypt the data or sign a message, use the Decrypt operation to decrypt the encrypted private key in the data key pair.

GenerateDataKeyPair returns a unique data key pair for each request. The bytes in the keys are random; they are not related to the caller or the KMS key that is used to encrypt the private key. The public key is a DER-encoded X.509 SubjectPublicKeyInfo, as specified in RFC 5280. The private key is a DER-encoded PKCS8 PrivateKeyInfo, as specified in RFC 5958.

GenerateDataKeyPair also supports Amazon Web Services Nitro Enclaves, which provide an isolated compute environment in Amazon EC2. To call GenerateDataKeyPair for an Amazon Web Services Nitro enclave, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK. Use the Recipient parameter to provide the attestation document for the enclave. GenerateDataKeyPair returns the public data key and a copy of the private data key encrypted under the specified KMS key, as usual. But instead of a plaintext copy of the private data key (PrivateKeyPlaintext), the response includes a copy of the private data key encrypted under the public key from the attestation document (CiphertextForRecipient). For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide..

You can use an optional encryption context to add additional security to the encryption operation. If you specify an EncryptionContext, you must specify the same encryption context (a case-sensitive exact match) when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an InvalidCiphertextException. For more information, see Encryption Context in the Key Management Service Developer Guide.

The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide.

Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN in the value of the KeyId parameter.

Required permissions: kms:GenerateDataKeyPair (key policy)

Related operations:

• Decrypt

• Encrypt

• GenerateDataKey

• GenerateDataKeyPairWithoutPlaintext

• GenerateDataKeyWithoutPlaintext

Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.

Parameter Syntax

$result = $client->generateDataKeyPair([
    'DryRun' => true || false,
    'EncryptionContext' => ['<string>', ...],
    'GrantTokens' => ['<string>', ...],
    'KeyId' => '<string>', // REQUIRED
    'KeyPairSpec' => 'RSA_2048|RSA_3072|RSA_4096|ECC_NIST_P256|ECC_NIST_P384|ECC_NIST_P521|ECC_SECG_P256K1|SM2', // REQUIRED
    'Recipient' => [
        'AttestationDocument' => <string || resource || Psr\Http\Message\StreamInterface>,
        'KeyEncryptionAlgorithm' => 'RSAES_OAEP_SHA_256',
    ],
]);

Parameter Details

Result Syntax

[
    'CiphertextForRecipient' => <string || resource || Psr\Http\Message\StreamInterface>,
    'KeyId' => '<string>',
    'KeyMaterialId' => '<string>',
    'KeyPairSpec' => 'RSA_2048|RSA_3072|RSA_4096|ECC_NIST_P256|ECC_NIST_P384|ECC_NIST_P521|ECC_SECG_P256K1|SM2',
    'PrivateKeyCiphertextBlob' => <string || resource || Psr\Http\Message\StreamInterface>,
    'PrivateKeyPlaintext' => <string || resource || Psr\Http\Message\StreamInterface>,
    'PublicKey' => <string || resource || Psr\Http\Message\StreamInterface>,
]

Result Details

Errors

NotFoundException:

The request was rejected because the specified entity or resource could not be found.

DisabledException:

The request was rejected because the specified KMS key is not enabled.

KeyUnavailableException:

The request was rejected because the specified KMS key was not available. You can retry the request.

DependencyTimeoutException:

The system timed out while trying to fulfill the request. You can retry the request.

InvalidKeyUsageException:

The request was rejected for one of the following reasons:

• The KeyUsage value of the KMS key is incompatible with the API operation.

• The encryption algorithm or signing algorithm specified for the operation is incompatible with the type of key material in the KMS key (KeySpec).

For encrypting, decrypting, re-encrypting, and generating data keys, the KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage of a KMS key, use the DescribeKey operation.

To find the encryption or signing algorithms supported for a particular KMS key, use the DescribeKey operation.

InvalidGrantTokenException:

The request was rejected because the specified grant token is not valid.

KMSInternalException:

The request was rejected because an internal exception occurred. The request can be retried.

KMSInvalidStateException:

The request was rejected because the state of the specified resource is not valid for this request.

This exceptions means one of the following:

• The key state of the KMS key is not compatible with the operation.

  To find the key state, use the DescribeKey operation. For more information about which key states are compatible with each KMS operation, see Key states of KMS keys in the Key Management Service Developer Guide .

• For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.

UnsupportedOperationException:

The request was rejected because a specified parameter is not supported or a specified resource is not valid for this operation.

DryRunOperationException:

The request was rejected because the DryRun parameter was specified.

Examples

Example 1: To generate an RSA key pair for encryption and decryption

This example generates an RSA data key pair for encryption and decryption. The operation returns a plaintext public key and private key, and a copy of the private key that is encrypted under a symmetric encryption KMS key that you specify.

$result = $client->generateDataKeyPair([
    'KeyId' => 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab', // The key ID of the symmetric encryption KMS key that encrypts the private RSA key in the data key pair.
    'KeyPairSpec' => 'RSA_3072', // The requested key spec of the RSA data key pair.
]);

Result syntax:

[
    'KeyId' => 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab', // The key ARN of the symmetric encryption KMS key that was used to encrypt the private key.
    'KeyMaterialId' => '0b7fd7ddbac6eef27907413567cad8c810e2883dc8a7534067a82ee1142fc1e6', // The identifier of the key material used to encrypt the private key.
    'KeyPairSpec' => 'RSA_3072', // The actual key spec of the RSA data key pair.
    'PrivateKeyCiphertextBlob' => <BLOB>, // The encrypted private key of the RSA data key pair.
    'PrivateKeyPlaintext' => <BLOB>, // The plaintext private key of the RSA data key pair.
    'PublicKey' => <BLOB>, // The public key (plaintext) of the RSA data key pair.
]

Example 2: To generate a data key pair for a Nitro enclave

The following example includes the Recipient parameter with a signed attestation document from an AWS Nitro enclave. Instead of returning a plaintext copy of the private data key, GenerateDataKeyPair returns a copy of the private data key encrypted by the public key from the attestation document (CiphertextForRecipient). It returns the public data key (PublicKey) and a copy of private data key encrypted under the specified KMS key (PrivateKeyCiphertextBlob), as usual, but plaintext private data key field (PrivateKeyPlaintext) is null or empty.

$result = $client->generateDataKeyPair([
    'KeyId' => 'arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab', // The key ID of the symmetric encryption KMS key that encrypts the private RSA key in the data key pair.
    'KeyPairSpec' => 'RSA_3072', // The requested key spec of the RSA data key pair.
    'Recipient' => [
        'AttestationDocument' => <BLOB>,
        'KeyEncryptionAlgorithm' => 'RSAES_OAEP_SHA_256',
    ], // Specifies the attestation document from the Nitro enclave and the encryption algorithm to use with the public key from the attestation document.
]);

Result syntax:

[
    'CiphertextForRecipient' => <BLOB>, // The private key of the RSA data key pair encrypted by the public key from the attestation document
    'KeyId' => 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab', // The key ARN of the symmetric encryption KMS key that was used to encrypt the PrivateKeyCiphertextBlob.
    'KeyMaterialId' => '0b7fd7ddbac6eef27907413567cad8c810e2883dc8a7534067a82ee1142fc1e6', // The identifier of the key material used to encrypt the private key.
    'KeyPairSpec' => 'RSA_3072', // The actual key spec of the RSA data key pair.
    'PrivateKeyCiphertextBlob' => <BLOB>, // The private key of the RSA data key pair encrypted by the KMS key.
    'PrivateKeyPlaintext' => <BLOB>, // This field is null or empty
    'PublicKey' => <BLOB>, // The public key (plaintext) of the RSA data key pair.
]

GenerateDataKeyPairWithoutPlaintext

$result = $client->generateDataKeyPairWithoutPlaintext([/* ... */]);
$promise = $client->generateDataKeyPairWithoutPlaintextAsync([/* ... */]);

Returns a unique asymmetric data key pair for use outside of KMS. This operation returns a plaintext public key and a copy of the private key that is encrypted under the symmetric encryption KMS key you specify. Unlike GenerateDataKeyPair, this operation does not return a plaintext private key. The bytes in the keys are random; they are not related to the caller or to the KMS key that is used to encrypt the private key.

You can use the public key that GenerateDataKeyPairWithoutPlaintext returns to encrypt data or verify a signature outside of KMS. Then, store the encrypted private key with the data. When you are ready to decrypt data or sign a message, you can use the Decrypt operation to decrypt the encrypted private key.

To generate a data key pair, you must specify a symmetric encryption KMS key to encrypt the private key in a data key pair. You cannot use an asymmetric KMS key or a KMS key in a custom key store. To get the type and origin of your KMS key, use the DescribeKey operation.

Use the KeyPairSpec parameter to choose an RSA or Elliptic Curve (ECC) data key pair. In China Regions, you can also choose an SM2 data key pair. KMS recommends that you use ECC key pairs for signing, and use RSA and SM2 key pairs for either encryption or signing, but not both. However, KMS cannot enforce any restrictions on the use of data key pairs outside of KMS.

GenerateDataKeyPairWithoutPlaintext returns a unique data key pair for each request. The bytes in the key are not related to the caller or KMS key that is used to encrypt the private key. The public key is a DER-encoded X.509 SubjectPublicKeyInfo, as specified in RFC 5280.

You can use an optional encryption context to add additional security to the encryption operation. If you specify an EncryptionContext, you must specify the same encryption context (a case-sensitive exact match) when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an InvalidCiphertextException. For more information, see Encryption Context in the Key Management Service Developer Guide.

The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide.

Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN in the value of the KeyId parameter.

Required permissions: kms:GenerateDataKeyPairWithoutPlaintext (key policy)

Related operations:

• Decrypt

• Encrypt

• GenerateDataKey

• GenerateDataKeyPair

• GenerateDataKeyWithoutPlaintext

Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.

Parameter Syntax

$result = $client->generateDataKeyPairWithoutPlaintext([
    'DryRun' => true || false,
    'EncryptionContext' => ['<string>', ...],
    'GrantTokens' => ['<string>', ...],
    'KeyId' => '<string>', // REQUIRED
    'KeyPairSpec' => 'RSA_2048|RSA_3072|RSA_4096|ECC_NIST_P256|ECC_NIST_P384|ECC_NIST_P521|ECC_SECG_P256K1|SM2', // REQUIRED
]);

Parameter Details

Result Syntax

[
    'KeyId' => '<string>',
    'KeyMaterialId' => '<string>',
    'KeyPairSpec' => 'RSA_2048|RSA_3072|RSA_4096|ECC_NIST_P256|ECC_NIST_P384|ECC_NIST_P521|ECC_SECG_P256K1|SM2',
    'PrivateKeyCiphertextBlob' => <string || resource || Psr\Http\Message\StreamInterface>,
    'PublicKey' => <string || resource || Psr\Http\Message\StreamInterface>,
]

Result Details

Errors

NotFoundException:

The request was rejected because the specified entity or resource could not be found.

DisabledException:

The request was rejected because the specified KMS key is not enabled.

KeyUnavailableException:

The request was rejected because the specified KMS key was not available. You can retry the request.

DependencyTimeoutException:

The system timed out while trying to fulfill the request. You can retry the request.

InvalidKeyUsageException:

The request was rejected for one of the following reasons:

• The KeyUsage value of the KMS key is incompatible with the API operation.

• The encryption algorithm or signing algorithm specified for the operation is incompatible with the type of key material in the KMS key (KeySpec).

For encrypting, decrypting, re-encrypting, and generating data keys, the KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage of a KMS key, use the DescribeKey operation.

To find the encryption or signing algorithms supported for a particular KMS key, use the DescribeKey operation.

InvalidGrantTokenException:

The request was rejected because the specified grant token is not valid.

KMSInternalException:

The request was rejected because an internal exception occurred. The request can be retried.

KMSInvalidStateException:

The request was rejected because the state of the specified resource is not valid for this request.

This exceptions means one of the following:

• The key state of the KMS key is not compatible with the operation.

  To find the key state, use the DescribeKey operation. For more information about which key states are compatible with each KMS operation, see Key states of KMS keys in the Key Management Service Developer Guide .

• For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.

UnsupportedOperationException:

The request was rejected because a specified parameter is not supported or a specified resource is not valid for this operation.

DryRunOperationException:

The request was rejected because the DryRun parameter was specified.

Examples

Example 1: To generate an asymmetric data key pair without a plaintext key

This example returns an asymmetric elliptic curve (ECC) data key pair. The private key is encrypted under the symmetric encryption KMS key that you specify. This operation doesn't return a plaintext (unencrypted) private key.

$result = $client->generateDataKeyPairWithoutPlaintext([
    'KeyId' => 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab', // The symmetric encryption KMS key that encrypts the private key of the ECC data key pair.
    'KeyPairSpec' => 'ECC_NIST_P521', // The requested key spec of the ECC asymmetric data key pair.
]);

Result syntax:

[
    'KeyId' => 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab', // The key ARN of the symmetric encryption KMS key that encrypted the private key in the ECC asymmetric data key pair.
    'KeyMaterialId' => '0b7fd7ddbac6eef27907413567cad8c810e2883dc8a7534067a82ee1142fc1e6', // The identifier of the key material used to encrypt the private key.
    'KeyPairSpec' => 'ECC_NIST_P521', // The actual key spec of the ECC asymmetric data key pair.
    'PrivateKeyCiphertextBlob' => <BLOB>, // The encrypted private key of the asymmetric ECC data key pair.
    'PublicKey' => <BLOB>, // The public key (plaintext).
]

GenerateDataKeyWithoutPlaintext

$result = $client->generateDataKeyWithoutPlaintext([/* ... */]);
$promise = $client->generateDataKeyWithoutPlaintextAsync([/* ... */]);

Returns a unique symmetric data key for use outside of KMS. This operation returns a data key that is encrypted under a symmetric encryption KMS key that you specify. The bytes in the key are random; they are not related to the caller or to the KMS key.

GenerateDataKeyWithoutPlaintext is identical to the GenerateDataKey operation except that it does not return a plaintext copy of the data key.

This operation is useful for systems that need to encrypt data at some point, but not immediately. When you need to encrypt the data, you call the Decrypt operation on the encrypted copy of the key.

It's also useful in distributed systems with different levels of trust. For example, you might store encrypted data in containers. One component of your system creates new containers and stores an encrypted data key with each container. Then, a different component puts the data into the containers. That component first decrypts the data key, uses the plaintext data key to encrypt data, puts the encrypted data into the container, and then destroys the plaintext data key. In this system, the component that creates the containers never sees the plaintext data key.

To request an asymmetric data key pair, use the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext operations.

To generate a data key, you must specify the symmetric encryption KMS key that is used to encrypt the data key. You cannot use an asymmetric KMS key or a key in a custom key store to generate a data key. To get the type of your KMS key, use the DescribeKey operation.

You must also specify the length of the data key. Use either the KeySpec or NumberOfBytes parameters (but not both). For 128-bit and 256-bit data keys, use the KeySpec parameter.

To generate an SM4 data key (China Regions only), specify a KeySpec value of AES_128 or NumberOfBytes value of 16. The symmetric encryption key used in China Regions to encrypt your data key is an SM4 encryption key.

If the operation succeeds, you will find the encrypted copy of the data key in the CiphertextBlob field.

You can use an optional encryption context to add additional security to the encryption operation. If you specify an EncryptionContext, you must specify the same encryption context (a case-sensitive exact match) when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an InvalidCiphertextException. For more information, see Encryption Context in the Key Management Service Developer Guide.

The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide.

Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN in the value of the KeyId parameter.

Required permissions: kms:GenerateDataKeyWithoutPlaintext (key policy)

Related operations:

• Decrypt

• Encrypt

• GenerateDataKey

• GenerateDataKeyPair

• GenerateDataKeyPairWithoutPlaintext

Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.

Parameter Syntax

$result = $client->generateDataKeyWithoutPlaintext([
    'DryRun' => true || false,
    'EncryptionContext' => ['<string>', ...],
    'GrantTokens' => ['<string>', ...],
    'KeyId' => '<string>', // REQUIRED
    'KeySpec' => 'AES_256|AES_128',
    'NumberOfBytes' => <integer>,
]);

Parameter Details

Result Syntax

[
    'CiphertextBlob' => <string || resource || Psr\Http\Message\StreamInterface>,
    'KeyId' => '<string>',
    'KeyMaterialId' => '<string>',
]

Result Details

Errors

NotFoundException:

The request was rejected because the specified entity or resource could not be found.

DisabledException:

The request was rejected because the specified KMS key is not enabled.

KeyUnavailableException:

The request was rejected because the specified KMS key was not available. You can retry the request.

DependencyTimeoutException:

The system timed out while trying to fulfill the request. You can retry the request.

InvalidKeyUsageException:

The request was rejected for one of the following reasons:

• The KeyUsage value of the KMS key is incompatible with the API operation.

• The encryption algorithm or signing algorithm specified for the operation is incompatible with the type of key material in the KMS key (KeySpec).

For encrypting, decrypting, re-encrypting, and generating data keys, the KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage of a KMS key, use the DescribeKey operation.

To find the encryption or signing algorithms supported for a particular KMS key, use the DescribeKey operation.

InvalidGrantTokenException:

The request was rejected because the specified grant token is not valid.

KMSInternalException:

The request was rejected because an internal exception occurred. The request can be retried.

KMSInvalidStateException:

The request was rejected because the state of the specified resource is not valid for this request.

This exceptions means one of the following:

• The key state of the KMS key is not compatible with the operation.

  To find the key state, use the DescribeKey operation. For more information about which key states are compatible with each KMS operation, see Key states of KMS keys in the Key Management Service Developer Guide .

• For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.

DryRunOperationException:

The request was rejected because the DryRun parameter was specified.

Examples

Example 1: To generate an encrypted data key

The following example generates an encrypted copy of a 256-bit symmetric data encryption key (data key). The data key is encrypted with the specified KMS key.

$result = $client->generateDataKeyWithoutPlaintext([
    'KeyId' => 'alias/ExampleAlias', // The identifier of the KMS key to use to encrypt the data key. You can use the key ID or Amazon Resource Name (ARN) of the KMS key, or the name or ARN of an alias that refers to the KMS key.
    'KeySpec' => 'AES_256', // Specifies the type of data key to return.
]);

Result syntax:

[
    'CiphertextBlob' => <BLOB>, // The encrypted data key.
    'KeyId' => 'arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab', // The ARN of the KMS key that was used to encrypt the data key.
    'KeyMaterialId' => '0b7fd7ddbac6eef27907413567cad8c810e2883dc8a7534067a82ee1142fc1e6', // The identifier of the key material used to encrypt the data key.
]

GenerateMac

$result = $client->generateMac([/* ... */]);
$promise = $client->generateMacAsync([/* ... */]);

Generates a hash-based message authentication code (HMAC) for a message using an HMAC KMS key and a MAC algorithm that the key supports. HMAC KMS keys and the HMAC algorithms that KMS uses conform to industry standards defined in RFC 2104.

You can use value that GenerateMac returns in the VerifyMac operation to demonstrate that the original message has not changed. Also, because a secret key is used to create the hash, you can verify that the party that generated the hash has the required secret key. You can also use the raw result to implement HMAC-based algorithms such as key derivation functions. This operation is part of KMS support for HMAC KMS keys. For details, see HMAC keys in KMS in the Key Management Service Developer Guide .

The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide.

Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN in the value of the KeyId parameter.

Required permissions: kms:GenerateMac (key policy)

Related operations: VerifyMac

Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.

Parameter Syntax

$result = $client->generateMac([
    'DryRun' => true || false,
    'GrantTokens' => ['<string>', ...],
    'KeyId' => '<string>', // REQUIRED
    'MacAlgorithm' => 'HMAC_SHA_224|HMAC_SHA_256|HMAC_SHA_384|HMAC_SHA_512', // REQUIRED
    'Message' => <string || resource || Psr\Http\Message\StreamInterface>, // REQUIRED
]);

Parameter Details

Result Syntax

[
    'KeyId' => '<string>',
    'Mac' => <string || resource || Psr\Http\Message\StreamInterface>,
    'MacAlgorithm' => 'HMAC_SHA_224|HMAC_SHA_256|HMAC_SHA_384|HMAC_SHA_512',
]

Result Details

Errors

NotFoundException:

The request was rejected because the specified entity or resource could not be found.

DisabledException:

The request was rejected because the specified KMS key is not enabled.

KeyUnavailableException:

The request was rejected because the specified KMS key was not available. You can retry the request.

InvalidKeyUsageException:

The request was rejected for one of the following reasons:

• The KeyUsage value of the KMS key is incompatible with the API operation.

• The encryption algorithm or signing algorithm specified for the operation is incompatible with the type of key material in the KMS key (KeySpec).

For encrypting, decrypting, re-encrypting, and generating data keys, the KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage of a KMS key, use the DescribeKey operation.

To find the encryption or signing algorithms supported for a particular KMS key, use the DescribeKey operation.

InvalidGrantTokenException:

The request was rejected because the specified grant token is not valid.

KMSInternalException:

The request was rejected because an internal exception occurred. The request can be retried.

KMSInvalidStateException:

The request was rejected because the state of the specified resource is not valid for this request.

This exceptions means one of the following:

• The key state of the KMS key is not compatible with the operation.

  To find the key state, use the DescribeKey operation. For more information about which key states are compatible with each KMS operation, see Key states of KMS keys in the Key Management Service Developer Guide .

• For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.

DryRunOperationException:

The request was rejected because the DryRun parameter was specified.

Examples

Example 1: To generate an HMAC for a message

This example generates an HMAC for a message, an HMAC KMS key, and a MAC algorithm. The algorithm must be supported by the specified HMAC KMS key.

$result = $client->generateMac([
    'KeyId' => '1234abcd-12ab-34cd-56ef-1234567890ab', // The HMAC KMS key input to the HMAC algorithm.
    'MacAlgorithm' => 'HMAC_SHA_384', // The HMAC algorithm requested for the operation.
    'Message' => <BLOB>, // The message input to the HMAC algorithm.
]);

Result syntax:

[
    'KeyId' => 'arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab', // The key ARN of the HMAC KMS key used in the operation.
    'Mac' => <BLOB>, // The HMAC tag that results from this operation.
    'MacAlgorithm' => 'HMAC_SHA_384', // The HMAC algorithm used in the operation.
]

GenerateRandom

$result = $client->generateRandom([/* ... */]);
$promise = $client->generateRandomAsync([/* ... */]);

Returns a random byte string that is cryptographically secure.

You must use the NumberOfBytes parameter to specify the length of the random byte string. There is no default value for string length.

By default, the random byte string is generated in KMS. To generate the byte string in the CloudHSM cluster associated with an CloudHSM key store, use the CustomKeyStoreId parameter.

GenerateRandom also supports Amazon Web Services Nitro Enclaves, which provide an isolated compute environment in Amazon EC2. To call GenerateRandom for a Nitro enclave, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK. Use the Recipient parameter to provide the attestation document for the enclave. Instead of plaintext bytes, the response includes the plaintext bytes encrypted under the public key from the attestation document (CiphertextForRecipient).For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.

For more information about entropy and random number generation, see Entropy and random number generation in the Key Management Service Developer Guide.

Cross-account use: Not applicable. GenerateRandom does not use any account-specific resources, such as KMS keys.

Required permissions: kms:GenerateRandom (IAM policy)

Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.

Parameter Syntax

$result = $client->generateRandom([
    'CustomKeyStoreId' => '<string>',
    'NumberOfBytes' => <integer>,
    'Recipient' => [
        'AttestationDocument' => <string || resource || Psr\Http\Message\StreamInterface>,
        'KeyEncryptionAlgorithm' => 'RSAES_OAEP_SHA_256',
    ],
]);

Parameter Details

Result Syntax

[
    'CiphertextForRecipient' => <string || resource || Psr\Http\Message\StreamInterface>,
    'Plaintext' => <string || resource || Psr\Http\Message\StreamInterface>,
]

Result Details

Errors

DependencyTimeoutException:

The system timed out while trying to fulfill the request. You can retry the request.

KMSInternalException:

The request was rejected because an internal exception occurred. The request can be retried.

UnsupportedOperationException:

The request was rejected because a specified parameter is not supported or a specified resource is not valid for this operation.

CustomKeyStoreNotFoundException:

The request was rejected because KMS cannot find a custom key store with the specified key store name or ID.

CustomKeyStoreInvalidStateException:

The request was rejected because of the ConnectionState of the custom key store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores operation.

This exception is thrown under the following conditions:

• You requested the ConnectCustomKeyStore operation on a custom key store with a ConnectionState of DISCONNECTING or FAILED. This operation is valid for all other ConnectionState values. To reconnect a custom key store in a FAILED state, disconnect it (DisconnectCustomKeyStore), then connect it (ConnectCustomKeyStore).

• You requested the CreateKey operation in a custom key store that is not connected. This operations is valid only when the custom key store ConnectionState is CONNECTED.

• You requested the DisconnectCustomKeyStore operation on a custom key store with a ConnectionState of DISCONNECTING or DISCONNECTED. This operation is valid for all other ConnectionState values.

• You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation on a custom key store that is not disconnected. This operation is valid only when the custom key store ConnectionState is DISCONNECTED.

• You requested the GenerateRandom operation in an CloudHSM key store that is not connected. This operation is valid only when the CloudHSM key store ConnectionState is CONNECTED.

Examples

Example 1: To generate random data

The following example generates 32 bytes of random data.

$result = $client->generateRandom([
    'NumberOfBytes' => 32, // The length of the random data, specified in number of bytes.
]);

Result syntax:

[
    'Plaintext' => <BLOB>, // The random data.
]

Example 2: To generate random data

The following example includes the Recipient parameter with a signed attestation document from an AWS Nitro enclave. Instead of returning a plaintext (unencrypted) byte string, GenerateRandom returns the byte string encrypted by the public key from the enclave's attestation document.

$result = $client->generateRandom([
    'NumberOfBytes' => 1024, // The length of the random byte string
    'Recipient' => [
        'AttestationDocument' => <BLOB>,
        'KeyEncryptionAlgorithm' => 'RSAES_OAEP_SHA_256',
    ], // Specifies the attestation document from the Nitro enclave and the encryption algorithm to use with the public key from the attestation document
]);

Result syntax:

[
    'CiphertextForRecipient' => <BLOB>, // The random data encrypted under the public key from the attestation document
    'Plaintext' => <BLOB>, // This field is null or empty
]

GetKeyPolicy

$result = $client->getKeyPolicy([/* ... */]);
$promise = $client->getKeyPolicyAsync([/* ... */]);

Gets a key policy attached to the specified KMS key.

Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.

Required permissions: kms:GetKeyPolicy (key policy)

Related operations: PutKeyPolicy

Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.

Parameter Syntax

$result = $client->getKeyPolicy([
    'KeyId' => '<string>', // REQUIRED
    'PolicyName' => '<string>',
]);

Parameter Details

Result Syntax

[
    'Policy' => '<string>',
    'PolicyName' => '<string>',
]

Result Details

Errors

NotFoundException:

The request was rejected because the specified entity or resource could not be found.

InvalidArnException:

The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.

DependencyTimeoutException:

The system timed out while trying to fulfill the request. You can retry the request.

KMSInternalException:

The request was rejected because an internal exception occurred. The request can be retried.

KMSInvalidStateException:

The request was rejected because the state of the specified resource is not valid for this request.

This exceptions means one of the following:

• The key state of the KMS key is not compatible with the operation.

  To find the key state, use the DescribeKey operation. For more information about which key states are compatible with each KMS operation, see Key states of KMS keys in the Key Management Service Developer Guide .

• For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.

Examples

Example 1: To retrieve a key policy

The following example retrieves the key policy for the specified KMS key.

$result = $client->getKeyPolicy([
    'KeyId' => '1234abcd-12ab-34cd-56ef-1234567890ab', // The identifier of the KMS key whose key policy you want to retrieve. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
    'PolicyName' => 'default', // The name of the key policy to retrieve.
]);

Result syntax:

[
    'Policy' => '{ "Version" : "2012-10-17", "Id" : "key-default-1", "Statement" : [ { "Sid" : "Enable IAM User Permissions", "Effect" : "Allow", "Principal" : { "AWS" : "arn:aws:iam::111122223333:root" }, "Action" : "kms:*", "Resource" : "*" } ]}', // The key policy document.
]

GetKeyRotationStatus

$result = $client->getKeyRotationStatus([/* ... */]);
$promise = $client->getKeyRotationStatusAsync([/* ... */]);

Provides detailed information about the rotation status for a KMS key, including whether automatic rotation of the key material is enabled for the specified KMS key, the rotation period, and the next scheduled rotation date.

Automatic key rotation is supported only on symmetric encryption KMS keys. You cannot enable automatic rotation of asymmetric KMS keys, HMAC KMS keys, KMS keys with imported key material, or KMS keys in a custom key store. To enable or disable automatic rotation of a set of related multi-Region keys, set the property on the primary key.

You can enable (EnableKeyRotation) and disable automatic rotation (DisableKeyRotation) of the key material in customer managed KMS keys. Key material rotation of Amazon Web Services managed KMS keys is not configurable. KMS always rotates the key material in Amazon Web Services managed KMS keys every year. The key rotation status for Amazon Web Services managed KMS keys is always true.

You can perform on-demand (RotateKeyOnDemand) rotation of the key material in customer managed KMS keys, regardless of whether or not automatic key rotation is enabled. You can use GetKeyRotationStatus to identify the date and time that an in progress on-demand rotation was initiated. You can use ListKeyRotations to view the details of completed rotations.

The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide.

• Disabled: The key rotation status does not change when you disable a KMS key. However, while the KMS key is disabled, KMS does not rotate the key material. When you re-enable the KMS key, rotation resumes. If the key material in the re-enabled KMS key hasn't been rotated in one year, KMS rotates it immediately, and every year thereafter. If it's been less than a year since the key material in the re-enabled KMS key was rotated, the KMS key resumes its prior rotation schedule.

• Pending deletion: While a KMS key is pending deletion, its key rotation status is false and KMS does not rotate the key material. If you cancel the deletion, the original key rotation status returns to true.

Cross-account use: Yes. To perform this operation on a KMS key in a different Amazon Web Services account, specify the key ARN in the value of the KeyId parameter.

Required permissions: kms:GetKeyRotationStatus (key policy)

Related operations:

• DisableKeyRotation

• EnableKeyRotation

• ListKeyRotations

• RotateKeyOnDemand

Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.

Parameter Syntax

$result = $client->getKeyRotationStatus([
    'KeyId' => '<string>', // REQUIRED
]);

Parameter Details

Result Syntax

[
    'KeyId' => '<string>',
    'KeyRotationEnabled' => true || false,
    'NextRotationDate' => <DateTime>,
    'OnDemandRotationStartDate' => <DateTime>,
    'RotationPeriodInDays' => <integer>,
]

Result Details

Errors

NotFoundException:

The request was rejected because the specified entity or resource could not be found.

InvalidArnException:

The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.

DependencyTimeoutException:

The system timed out while trying to fulfill the request. You can retry the request.

KMSInternalException:

The request was rejected because an internal exception occurred. The request can be retried.

KMSInvalidStateException:

The request was rejected because the state of the specified resource is not valid for this request.

This exceptions means one of the following:

• The key state of the KMS key is not compatible with the operation.

  To find the key state, use the DescribeKey operation. For more information about which key states are compatible with each KMS operation, see Key states of KMS keys in the Key Management Service Developer Guide .

• For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.

UnsupportedOperationException:

The request was rejected because a specified parameter is not supported or a specified resource is not valid for this operation.

Examples

Example 1: To retrieve the rotation status for a KMS key

The following example retrieves detailed information about the rotation status for a KMS key, including whether automatic key rotation is enabled for the specified KMS key, the rotation period, and the next scheduled rotation date.

$result = $client->getKeyRotationStatus([
    'KeyId' => '1234abcd-12ab-34cd-56ef-1234567890ab', // The identifier of the KMS key whose key material rotation status you want to retrieve. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
]);

Result syntax:

[
    'KeyId' => '1234abcd-12ab-34cd-56ef-1234567890ab', // Identifies the specified symmetric encryption KMS key.
    'KeyRotationEnabled' => 1, // A boolean that indicates the key material rotation status. Returns true when automatic rotation of the key material is enabled, or false when it is not.
    'NextRotationDate' => , // The next date that the key material will be automatically rotated.
    'OnDemandRotationStartDate' => , // Identifies the date and time that an in progress on-demand rotation was initiated.
    'RotationPeriodInDays' => 365, // The number of days between each automatic rotation. The default value is 365 days.
]

GetParametersForImport

$result = $client->getParametersForImport([/* ... */]);
$promise = $client->getParametersForImportAsync([/* ... */]);

Returns the public key and an import token you need to import or reimport key material for a KMS key.

By default, KMS keys are created with key material that KMS generates. This operation supports Importing key material, an advanced feature that lets you generate and import the cryptographic key material for a KMS key.

Before calling GetParametersForImport, use the CreateKey operation with an Origin value of EXTERNAL to create a KMS key with no key material. You can import key material for a symmetric encryption KMS key, HMAC KMS key, asymmetric encryption KMS key, or asymmetric signing KMS key. You can also import key material into a multi-Region key of any supported type. However, you can't import key material into a KMS key in a custom key store. You can also use GetParametersForImport to get a public key and import token to reimport the original key material into a KMS key whose key material expired or was deleted.

GetParametersForImport returns the items that you need to import your key material.

• The public key (or "wrapping key") of an RSA key pair that KMS generates.

  You will use this public key to encrypt ("wrap") your key material while it's in transit to KMS.

• A import token that ensures that KMS can decrypt your key material and associate it with the correct KMS key.

The public key and its import token are permanently linked and must be used together. Each public key and import token set is valid for 24 hours. The expiration date and time appear in the ParametersValidTo field in the GetParametersForImport response. You cannot use an expired public key or import token in an ImportKeyMaterial request. If your key and token expire, send another GetParametersForImport request.

GetParametersForImport requires the following information:

• The key ID of the KMS key for which you are importing the key material.

• The key spec of the public key ("wrapping key") that you will use to encrypt your key material during import.

• The wrapping algorithm that you will use with the public key to encrypt your key material.

You can use the same or a different public key spec and wrapping algorithm each time you import or reimport the same key material.

The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide.

Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.

Required permissions: kms:GetParametersForImport (key policy)

Related operations:

• ImportKeyMaterial

• DeleteImportedKeyMaterial

Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.

Parameter Syntax

$result = $client->getParametersForImport([
    'KeyId' => '<string>', // REQUIRED
    'WrappingAlgorithm' => 'RSAES_PKCS1_V1_5|RSAES_OAEP_SHA_1|RSAES_OAEP_SHA_256|RSA_AES_KEY_WRAP_SHA_1|RSA_AES_KEY_WRAP_SHA_256|SM2PKE', // REQUIRED
    'WrappingKeySpec' => 'RSA_2048|RSA_3072|RSA_4096|SM2', // REQUIRED
]);

Parameter Details

Result Syntax

[
    'ImportToken' => <string || resource || Psr\Http\Message\StreamInterface>,
    'KeyId' => '<string>',
    'ParametersValidTo' => <DateTime>,
    'PublicKey' => <string || resource || Psr\Http\Message\StreamInterface>,
]

Result Details

Errors

InvalidArnException:

The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.

UnsupportedOperationException:

The request was rejected because a specified parameter is not supported or a specified resource is not valid for this operation.

DependencyTimeoutException:

The system timed out while trying to fulfill the request. You can retry the request.

NotFoundException:

The request was rejected because the specified entity or resource could not be found.

KMSInternalException:

The request was rejected because an internal exception occurred. The request can be retried.

KMSInvalidStateException:

The request was rejected because the state of the specified resource is not valid for this request.

This exceptions means one of the following:

• The key state of the KMS key is not compatible with the operation.

  To find the key state, use the DescribeKey operation. For more information about which key states are compatible with each KMS operation, see Key states of KMS keys in the Key Management Service Developer Guide .

• For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.

Examples

Example 1: To download the public key and import token for a symmetric encryption KMS key

The following example downloads a public key and import token to import symmetric encryption key material. It uses the default wrapping key spec and the RSAES_OAEP_SHA_256 wrapping algorithm.

$result = $client->getParametersForImport([
    'KeyId' => '1234abcd-12ab-34cd-56ef-1234567890ab', // The identifier of the KMS key that will be associated with the imported key material. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
    'WrappingAlgorithm' => 'RSAES_OAEP_SHA_1', // The algorithm that you will use to encrypt the key material before importing it.
    'WrappingKeySpec' => 'RSA_2048', // The type of wrapping key (public key) to return in the response.
]);

Result syntax:

[
    'ImportToken' => <BLOB>, // The import token to send with a subsequent ImportKeyMaterial request.
    'KeyId' => 'arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab', // The ARN of the KMS key that will be associated with the imported key material.
    'ParametersValidTo' => , // The date and time when the import token and public key expire. After this time, call GetParametersForImport again.
    'PublicKey' => <BLOB>, // The public key to use to encrypt the key material before importing it.
]

Example 2: To download the public key and import token for an RSA asymmetric KMS key

The following example downloads a public key and import token to import an RSA private key. It uses a required RSA_AES wrapping algorithm and the largest supported private key.

$result = $client->getParametersForImport([
    'KeyId' => 'arn:aws:kms:us-east-2:111122223333:key/8888abcd-12ab-34cd-56ef-1234567890ab', // The identifier of the KMS key that will be associated with the imported key material. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
    'WrappingAlgorithm' => 'RSA_AES_KEY_WRAP_SHA_256', // The algorithm that you will use to encrypt the key material before importing it.
    'WrappingKeySpec' => 'RSA_4096', // The type of wrapping key (public key) to return in the response.
]);

Result syntax:

[
    'ImportToken' => <BLOB>, // The import token to send with a subsequent ImportKeyMaterial request.
    'KeyId' => 'arn:aws:kms:us-east-2:111122223333:key/8888abcd-12ab-34cd-56ef-1234567890ab', // The ARN of the KMS key that will be associated with the imported key material.
    'ParametersValidTo' => , // The date and time when the import token and public key expire. After this time, call GetParametersForImport again.
    'PublicKey' => <BLOB>, // The public key to use to encrypt the key material before importing it.
]

Example 3: To download the public key and import token for an elliptic curve (ECC) asymmetric KMS key

The following example downloads a public key and import token to import an ECC_NIST_P521 (secp521r1) private key. You cannot directly wrap this ECC key under an RSA_2048 public key, although you can use an RSA_2048 public key with an RSA_AES wrapping algorithm to wrap any supported key material. This example requests an RSA_3072 public key for use with the RSAES_OAEP_SHA_256.

$result = $client->getParametersForImport([
    'KeyId' => 'arn:aws:kms:us-east-2:111122223333:key/9876abcd-12ab-34cd-56ef-1234567890ab', // The identifier of the KMS key that will be associated with the imported key material. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
    'WrappingAlgorithm' => 'RSAES_OAEP_SHA_256', // The algorithm that you will use to encrypt the key material before importing it.
    'WrappingKeySpec' => 'RSA_3072', // The type of wrapping key (public key) to return in the response.
]);

Result syntax:

[
    'ImportToken' => <BLOB>, // The import token to send with a subsequent ImportKeyMaterial request.
    'KeyId' => 'arn:aws:kms:us-east-2:111122223333:key/9876abcd-12ab-34cd-56ef-1234567890ab', // The ARN of the KMS key that will be associated with the imported key material.
    'ParametersValidTo' => , // The date and time when the import token and public key expire. After this time, call GetParametersForImport again.
    'PublicKey' => <BLOB>, // The public key to use to encrypt the key material before importing it.
]

Example 4: To download the public key and import token for an HMAC KMS key

The following example downloads a public key and import token to import an HMAC key. It uses the RSAES_OAEP_SHA_256 wrapping algorithm and an RSA_4096 private key.

$result = $client->getParametersForImport([
    'KeyId' => '2468abcd-12ab-34cd-56ef-1234567890ab', // The identifier of the KMS key that will be associated with the imported key material. You can use the key ID or the Amazon Resource Name (ARN) of the KMS key.
    'WrappingAlgorithm' => 'RSAES_OAEP_SHA_256', // The algorithm that you will use to encrypt the key material before importing it.
    'WrappingKeySpec' => 'RSA_4096', // The type of wrapping key (public key) to return in the response.
]);

Result syntax:

[
    'ImportToken' => <BLOB>, // The import token to send with a subsequent ImportKeyMaterial request.
    'KeyId' => 'arn:aws:kms:us-east-2:111122223333:key/2468abcd-12ab-34cd-56ef-1234567890ab', // The ARN of the KMS key that will be associated with the imported key material.
    'ParametersValidTo' => , // The date and time when the import token and public key expire. After this time, call GetParametersForImport again.
    'PublicKey' => <BLOB>, // The public key to use to encrypt the key material before importing it.
]

GetPublicKey

$result = $client->getPublicKey([/* ... */]);
$promise = $client->getPublicKeyAsync([/* ... */]);

Returns the public key of an asymmetric KMS key. Unlike the private key of a asymmetric KMS key, which never leaves KMS unencrypted, callers with kms:GetPublicKey permission can download the public key of an asymmetric KMS key. You can share the public key to allow others to encrypt messages and verify signatures outside of KMS. For information about asymmetric KMS keys, see Asymmetric KMS keys in the Key Management Service Developer Guide.

You do not need to download the public key. Instead, you can use the public key within KMS by calling the Encrypt, ReEncrypt, or Verify operations with the identifier of an asymmetric KMS key. When you use the public key within KMS, you benefit from the authentication, authorization, and logging that are part of every KMS operation. You also reduce of risk of encrypting data that cannot be decrypted. These features are not effective outside of KMS.

To help you use the public key safely outside of KMS, GetPublicKey returns important information about the public key in the response, including:

• KeySpec: The type of key material in the public key, such as RSA_4096 or ECC_NIST_P521.

• KeyUsage: Whether the key is used for encryption, signing, or deriving a shared secret.

• EncryptionAlgorithms, KeyAgreementAlgorithms, or SigningAlgorithms: A list of the encryption algorithms, key agreement algorithms, or signing algorithms for the key.

Although KMS cannot enforce these restrictions on external operations, it is crucial that you use this information to prevent the public key from being used improperly. For example, you can prevent a public signing key from being used encrypt data, or prevent a public key from being used with an encryption algorithm that is not supported by KMS. You can also avoid errors, such as using the wrong signing algorithm in a verification operation.

To verify a signature outside of KMS with an SM2 public key (China Regions only), you must specify the distinguishing ID. By default, KMS uses 1234567812345678 as the distinguishing ID. For more information, see Offline verification with SM2 key pairs.

The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide.

Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN in the value of the KeyId parameter.

Required permissions: kms:GetPublicKey (key policy)

Related operations: CreateKey

Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.

Parameter Syntax

$result = $client->getPublicKey([
    'GrantTokens' => ['<string>', ...],
    'KeyId' => '<string>', // REQUIRED
]);

Parameter Details

Result Syntax

[
    'CustomerMasterKeySpec' => 'RSA_2048|RSA_3072|RSA_4096|ECC_NIST_P256|ECC_NIST_P384|ECC_NIST_P521|ECC_SECG_P256K1|SYMMETRIC_DEFAULT|HMAC_224|HMAC_256|HMAC_384|HMAC_512|SM2',
    'EncryptionAlgorithms' => ['<string>', ...],
    'KeyAgreementAlgorithms' => ['<string>', ...],
    'KeyId' => '<string>',
    'KeySpec' => 'RSA_2048|RSA_3072|RSA_4096|ECC_NIST_P256|ECC_NIST_P384|ECC_NIST_P521|ECC_SECG_P256K1|SYMMETRIC_DEFAULT|HMAC_224|HMAC_256|HMAC_384|HMAC_512|SM2|ML_DSA_44|ML_DSA_65|ML_DSA_87',
    'KeyUsage' => 'SIGN_VERIFY|ENCRYPT_DECRYPT|GENERATE_VERIFY_MAC|KEY_AGREEMENT',
    'PublicKey' => <string || resource || Psr\Http\Message\StreamInterface>,
    'SigningAlgorithms' => ['<string>', ...],
]

Result Details

Errors

NotFoundException:

The request was rejected because the specified entity or resource could not be found.

DisabledException:

The request was rejected because the specified KMS key is not enabled.

KeyUnavailableException:

The request was rejected because the specified KMS key was not available. You can retry the request.

DependencyTimeoutException:

The system timed out while trying to fulfill the request. You can retry the request.

UnsupportedOperationException:

The request was rejected because a specified parameter is not supported or a specified resource is not valid for this operation.

InvalidArnException:

The request was rejected because a specified ARN, or an ARN in a key policy, is not valid.

InvalidGrantTokenException:

The request was rejected because the specified grant token is not valid.

InvalidKeyUsageException:

The request was rejected for one of the following reasons:

• The KeyUsage value of the KMS key is incompatible with the API operation.

• The encryption algorithm or signing algorithm specified for the operation is incompatible with the type of key material in the KMS key (KeySpec).

For encrypting, decrypting, re-encrypting, and generating data keys, the KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage of a KMS key, use the DescribeKey operation.

To find the encryption or signing algorithms supported for a particular KMS key, use the DescribeKey operation.

KMSInternalException:

The request was rejected because an internal exception occurred. The request can be retried.

KMSInvalidStateException:

The request was rejected because the state of the specified resource is not valid for this request.

This exceptions means one of the following:

• The key state of the KMS key is not compatible with the operation.

  To find the key state, use the DescribeKey operation. For more information about which key states are compatible with each KMS operation, see Key states of KMS keys in the Key Management Service Developer Guide .

• For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception.

Examples

Example 1: To download the public key of an asymmetric KMS key

This example gets the public key of an asymmetric RSA KMS key used for encryption and decryption. The operation returns the key spec, key usage, and encryption or signing algorithms to help you use the public key correctly outside of AWS KMS.

$result = $client->getPublicKey([
    'KeyId' => 'arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321', // The key ARN of the asymmetric KMS key.
]);

Result syntax:

[
    'CustomerMasterKeySpec' => 'RSA_4096', // The key spec of the asymmetric KMS key from which the public key was downloaded.
    'EncryptionAlgorithms' => [
        'RSAES_OAEP_SHA_1',
        'RSAES_OAEP_SHA_256',
    ], // The encryption algorithms supported by the asymmetric KMS key that was downloaded.
    'KeyId' => 'arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321', // The key ARN of the asymmetric KMS key from which the public key was downloaded.
    'KeyUsage' => 'ENCRYPT_DECRYPT', // The key usage of the asymmetric KMS key from which the public key was downloaded.
    'PublicKey' => <BLOB>, // The public key (plaintext) of the asymmetric KMS key.
]

ImportKeyMaterial

$result = $client->importKeyMaterial([/* ... */]);
$promise = $client->importKeyMaterialAsync([/* ... */]);

Imports or reimports key material into an existing KMS key that was created without key material. You can also use this operation to set or update the expiration model and expiration date of the imported key material.

By default, KMS creates KMS keys with key material that it generates. You can also generate and import your own key material. For more information about importing key material, see Importing key material.

For asymmetric, HMAC and multi-Region keys, you cannot change the key material after the initial import. You can import multiple key materials into single-Region, symmetric encryption keys and rotate the key material on demand using RotateKeyOnDemand.

After you import key material, you can reimport the same key material into that KMS key or, if the key supports on-demand rotation, import new key material. You can use the ImportType parameter to indicate whether you are importing new key material or re-importing previously imported key material. You might reimport key material to replace key material that expired or key material that you deleted. You might also reimport key material to change the expiration model or expiration date of the key material.

Each time you import key material into KMS, you can determine whether (ExpirationModel) and when (ValidTo) the key material expires. To change the expiration of your key material, you must import it again, either by calling ImportKeyMaterial or using the import features of the KMS console.

Before you call ImportKeyMaterial, complete these steps:

• Create or identify a KMS key with EXTERNAL origin, which indicates that the KMS key is designed for imported key material.

  To create a new KMS key for imported key material, call the CreateKey operation with an Origin value of EXTERNAL. You can create a symmetric encryption KMS key, HMAC KMS key, asymmetric encryption KMS key, asymmetric key agreement key, or asymmetric signing KMS key. You can also import key material into a multi-Region key of any supported type. However, you can't import key material into a KMS key in a custom key store.

• Call the GetParametersForImport operation to get a public key and import token set for importing key material.

• Use the public key in the GetParametersForImport response to encrypt your key material.

Then, in an ImportKeyMaterial request, you submit your encrypted key material and import token. When calling this operation, you must specify the following values:

• The key ID or key ARN of the KMS key to associate with the imported key material. Its Origin must be EXTERNAL and its KeyState must be PendingImport. You cannot perform this operation on a KMS key in a custom key store, or on a KMS key in a different Amazon Web Services account. To get the Origin and KeyState of a KMS key, call DescribeKey.

• The encrypted key material.

• The import token that GetParametersForImport returned. You must use a public key and token from the same GetParametersForImport response.

• Whether the key material expires (ExpirationModel) and, if so, when (ValidTo). For help with this choice, see Setting an expiration time in the Key Management Service Developer Guide.

  If you set an expiration date, KMS deletes the key material from the KMS key on the specified date, making the KMS key unusable. To use the KMS key in cryptographic operations again, you must reimport the same key material. However, you can delete and reimport the key material at any time, including before the key material expires. Each time you reimport, you can eliminate or reset the expiration time.