AWS Key Management Service
API Reference (API Version 2014-11-01)

CustomKeyStoresListEntry

Contains information about each custom key store in the custom key store list.

Contents

Note

In the following list, the required parameters are described first.

CloudHsmClusterId

A unique identifier for the AWS CloudHSM cluster that is associated with the custom key store.

Type: String

Length Constraints: Minimum length of 19. Maximum length of 24.

Required: No

ConnectionErrorCode

Describes the connection error. This field appears in the response only when the ConnectionState is FAILED. For help resolving these errors, see How to Fix a Connection Failure in AWS Key Management Service Developer Guide.

Valid values are:

  • CLUSTER_NOT_FOUND - AWS KMS cannot find the AWS CloudHSM cluster with the specified cluster ID.

  • INSUFFICIENT_CLOUDHSM_HSMS - The associated AWS CloudHSM cluster does not contain any active HSMs. To connect a custom key store to its AWS CloudHSM cluster, the cluster must contain at least one active HSM.

  • INTERNAL_ERROR - AWS KMS could not complete the request due to an internal error. Retry the request. For ConnectCustomKeyStore requests, disconnect the custom key store before trying to connect again.

  • INVALID_CREDENTIALS - AWS KMS does not have the correct password for the kmsuser crypto user in the AWS CloudHSM cluster. Before you can connect your custom key store to its AWS CloudHSM cluster, you must change the kmsuser account password and update the key store password value for the custom key store.

  • NETWORK_ERRORS - Network errors are preventing AWS KMS from connecting to the custom key store.

  • USER_LOCKED_OUT - The kmsuser CU account is locked out of the associated AWS CloudHSM cluster due to too many failed password attempts. Before you can connect your custom key store to its AWS CloudHSM cluster, you must change the kmsuser account password and update the key store password value for the custom key store.

  • USER_LOGGED_IN - The kmsuser CU account is logged into the the associated AWS CloudHSM cluster. This prevents AWS KMS from rotating the kmsuser account password and logging into the cluster. Before you can connect your custom key store to its AWS CloudHSM cluster, you must log the kmsuser CU out of the cluster. If you changed the kmsuser password to log into the cluster, you must also and update the key store password value for the custom key store. For help, see How to Log Out and Reconnect in the AWS Key Management Service Developer Guide.

  • USER_NOT_FOUND - AWS KMS cannot find a kmsuser CU account in the associated AWS CloudHSM cluster. Before you can connect your custom key store to its AWS CloudHSM cluster, you must create a kmsuser CU account in the cluster, and then update the key store password value for the custom key store.

Type: String

Valid Values: INVALID_CREDENTIALS | CLUSTER_NOT_FOUND | NETWORK_ERRORS | INTERNAL_ERROR | INSUFFICIENT_CLOUDHSM_HSMS | USER_LOCKED_OUT | USER_NOT_FOUND | USER_LOGGED_IN

Required: No

ConnectionState

Indicates whether the custom key store is connected to its AWS CloudHSM cluster.

You can create and use CMKs in your custom key stores only when its connection state is CONNECTED.

The value is DISCONNECTED if the key store has never been connected or you use the DisconnectCustomKeyStore operation to disconnect it. If the value is CONNECTED but you are having trouble using the custom key store, make sure that its associated AWS CloudHSM cluster is active and contains at least one active HSM.

A value of FAILED indicates that an attempt to connect was unsuccessful. The ConnectionErrorCode field in the response indicates the cause of the failure. For help resolving a connection failure, see Troubleshooting a Custom Key Store in the AWS Key Management Service Developer Guide.

Type: String

Valid Values: CONNECTED | CONNECTING | FAILED | DISCONNECTED | DISCONNECTING

Required: No

CreationDate

The date and time when the custom key store was created.

Type: Timestamp

Required: No

CustomKeyStoreId

A unique identifier for the custom key store.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 64.

Required: No

CustomKeyStoreName

The user-specified friendly name for the custom key store.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Required: No

TrustAnchorCertificate

The trust anchor certificate of the associated AWS CloudHSM cluster. When you initialize the cluster, you create this certificate and save it in the customerCA.crt file.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 5000.

Required: No

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

On this page: