AWS Key Management Service
API Reference (API Version 2014-11-01)

CustomKeyStoresListEntry

Contains information about each custom key store in the custom key store list.

Contents

Note

In the following list, the required parameters are described first.

CloudHsmClusterId

A unique identifier for the AWS CloudHSM cluster that is associated with the custom key store.

Type: String

Length Constraints: Minimum length of 19. Maximum length of 24.

Required: No

ConnectionErrorCode

Describes the connection error. Valid values are:

  • CLUSTER_NOT_FOUND - AWS KMS cannot find the AWS CloudHSM cluster with the specified cluster ID.

  • INSUFFICIENT_CLOUDHSM_HSMS - The associated AWS CloudHSM cluster does not contain any active HSMs. To connect a custom key store to its AWS CloudHSM cluster, the cluster must contain at least one active HSM.

  • INTERNAL_ERROR - AWS KMS could not complete the request due to an internal error. Retry the request. For ConnectCustomKeyStore requests, disconnect the custom key store before trying to connect again.

  • INVALID_CREDENTIALS - AWS KMS does not have the correct password for the kmsuser crypto user in the AWS CloudHSM cluster.

  • NETWORK_ERRORS - Network errors are preventing AWS KMS from connecting to the custom key store.

  • USER_LOCKED_OUT - The kmsuser CU account is locked out of the associated AWS CloudHSM cluster due to too many failed password attempts. Before you can connect your custom key store to its AWS CloudHSM cluster, you must change the kmsuser account password and update the password value for the custom key store.

For help with connection failures, see Troubleshooting Custom Key Stores in the AWS Key Management Service Developer Guide.

Type: String

Valid Values: INVALID_CREDENTIALS | CLUSTER_NOT_FOUND | NETWORK_ERRORS | INTERNAL_ERROR | INSUFFICIENT_CLOUDHSM_HSMS | USER_LOCKED_OUT

Required: No

ConnectionState

Indicates whether the custom key store is connected to its AWS CloudHSM cluster.

You can create and use CMKs in your custom key stores only when its connection state is CONNECTED.

The value is DISCONNECTED if the key store has never been connected or you use the DisconnectCustomKeyStore operation to disconnect it. If the value is CONNECTED but you are having trouble using the custom key store, make sure that its associated AWS CloudHSM cluster is active and contains at least one active HSM.

A value of FAILED indicates that an attempt to connect was unsuccessful. For help resolving a connection failure, see Troubleshooting a Custom Key Store in the AWS Key Management Service Developer Guide.

Type: String

Valid Values: CONNECTED | CONNECTING | FAILED | DISCONNECTED | DISCONNECTING

Required: No

CreationDate

The date and time when the custom key store was created.

Type: Timestamp

Required: No

CustomKeyStoreId

A unique identifier for the custom key store.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 64.

Required: No

CustomKeyStoreName

The user-specified friendly name for the custom key store.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Required: No

TrustAnchorCertificate

The trust anchor certificate of the associated AWS CloudHSM cluster. When you initialize the cluster, you create this certificate and save it in the customerCA.crt file.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 5000.

Required: No

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

On this page: