CreateCustomKeyStore

Creates a custom key store that is associated with an AWS CloudHSM cluster that you own and manage.

This operation is part of the custom key store feature feature in AWS KMS, which combines the convenience and extensive integration of AWS KMS with the isolation and control of a single-tenant key store.

Before you create the custom key store, you must assemble the required elements, including an AWS CloudHSM cluster that fulfills the requirements for a custom key store. For details about the required elements, see Assemble the Prerequisites in the AWS Key Management Service Developer Guide.

All of the parameters of this operation are required. If you omit any of them, AWS KMS returns a ValidationException. After you create the custom key store, you can change its custom key store name and key store password by using the UpdateCustomKeyStore operation. You can also use UpdateCustomKeyStore to change the AWS CloudHSM cluster, but only to a related cluster.

When the operation completes successfully, it returns the ID of the new custom key store. Before you can use your new custom key store, you need to use the ConnectCustomKeyStore operation to connect the new key store to its AWS CloudHSM cluster. Even if you are not going to use your custom key store immediately, you might want to connect it to verify that all settings are correct and then disconnect it until you are ready to use it.

For help with failures, see Troubleshooting a Custom Key Store in the AWS Key Management Service Developer Guide.

Cross-account use: No. You cannot perform this operation on a custom key store in a different AWS account.

Required permissions: kms:CreateCustomKeyStore (IAM policy).

Related operations:

• ConnectCustomKeyStore

• DeleteCustomKeyStore

• DescribeCustomKeyStores

• DisconnectCustomKeyStore

• UpdateCustomKeyStore

Request Syntax

{
   "CloudHsmClusterId": "string",
   "CustomKeyStoreName": "string",
   "KeyStorePassword": "string",
   "TrustAnchorCertificate": "string"
}

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.

The request accepts the following data in JSON format.

Note

In the following list, the required parameters are described first.

CustomKeyStoreName

Specifies a friendly name for the custom key store. The name must be unique in your AWS account.

This parameter is required.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Required: Yes

CloudHsmClusterId

Identifies the AWS CloudHSM cluster for the custom key store. Enter the cluster ID of any active AWS CloudHSM cluster that is not already associated with a custom key store. To find the cluster ID, use the DescribeClusters operation.

This parameter is required.

Type: String

Length Constraints: Minimum length of 19. Maximum length of 24.

Required: No

KeyStorePassword

Enter the password of the kmsuser crypto user (CU) account in the specified AWS CloudHSM cluster. AWS KMS logs into the cluster as this user to manage key material on your behalf.

The password must be a string of 7 to 32 characters. Its value is case sensitive.

This parameter tells AWS KMS the kmsuser account password; it does not change the password in the AWS CloudHSM cluster.

This parameter is required.

Type: String

Length Constraints: Minimum length of 7. Maximum length of 32.

Required: No

TrustAnchorCertificate

Enter the content of the trust anchor certificate for the cluster. This is the content of the customerCA.crt file that you created when you initialized the cluster.

This parameter is required.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 5000.

Required: No

Response Syntax

{
   "CustomKeyStoreId": "string"
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

CustomKeyStoreId

A unique identifier for the new custom key store.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 64.

Errors

For information about the errors that are common to all actions, see Common Errors.

CloudHsmClusterInUseException

The request was rejected because the specified AWS CloudHSM cluster is already associated with a custom key store or it shares a backup history with a cluster that is associated with a custom key store. Each custom key store must be associated with a different AWS CloudHSM cluster.

Clusters that share a backup history have the same cluster certificate. To view the cluster certificate of a cluster, use the DescribeClusters operation.

HTTP Status Code: 400

CloudHsmClusterInvalidConfigurationException

The request was rejected because the associated AWS CloudHSM cluster did not meet the configuration requirements for a custom key store.

• The cluster must be configured with private subnets in at least two different Availability Zones in the Region.

• The security group for the cluster (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound rules that allow TCP traffic on ports 2223-2225. The Source in the inbound rules and the Destination in the outbound rules must match the security group ID. These rules are set by default when you create the cluster. Do not delete or change them. To get information about a particular security group, use the DescribeSecurityGroups operation.

• The cluster must contain at least as many HSMs as the operation requires. To add HSMs, use the AWS CloudHSM CreateHsm operation.

  For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey operations, the AWS CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone. For the ConnectCustomKeyStore operation, the AWS CloudHSM must contain at least one active HSM.

For information about the requirements for an AWS CloudHSM cluster that is associated with a custom key store, see Assemble the Prerequisites in the AWS Key Management Service Developer Guide. For information about creating a private subnet for an AWS CloudHSM cluster, see Create a Private Subnet in the AWS CloudHSM User Guide. For information about cluster security groups, see Configure a Default Security Group in the AWS CloudHSM User Guide .

HTTP Status Code: 400

CloudHsmClusterNotActiveException

The request was rejected because the AWS CloudHSM cluster that is associated with the custom key store is not active. Initialize and activate the cluster and try the command again. For detailed instructions, see Getting Started in the AWS CloudHSM User Guide.

HTTP Status Code: 400

CloudHsmClusterNotFoundException

The request was rejected because AWS KMS cannot find the AWS CloudHSM cluster with the specified cluster ID. Retry the request with a different cluster ID.

HTTP Status Code: 400

CustomKeyStoreNameInUseException

The request was rejected because the specified custom key store name is already assigned to another custom key store in the account. Try again with a custom key store name that is unique in the account.

HTTP Status Code: 400

IncorrectTrustAnchorException

The request was rejected because the trust anchor certificate in the request is not the trust anchor certificate for the specified AWS CloudHSM cluster.

When you initialize the cluster, you create the trust anchor certificate and save it in the customerCA.crt file.

HTTP Status Code: 400

KMSInternalException

The request was rejected because an internal exception occurred. The request can be retried.

HTTP Status Code: 500

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface

• AWS SDK for .NET

• AWS SDK for C++

• AWS SDK for Go

• AWS SDK for Java V2

• AWS SDK for JavaScript

• AWS SDK for PHP V3

• AWS SDK for Python

• AWS SDK for Ruby V3