UpdateCustomKeyStore
Changes the properties of a custom key store. Use the CustomKeyStoreId
parameter to identify the custom key store you want to edit. Use the remaining parameters to
change the properties of the custom key store.
You can only update a custom key store that is disconnected. To disconnect the custom key store, use DisconnectCustomKeyStore. To reconnect the custom key store after the update completes, use ConnectCustomKeyStore. To find the connection state of a custom key store, use the DescribeCustomKeyStores operation.
The CustomKeyStoreId
parameter is required in all commands. Use the other
parameters of UpdateCustomKeyStore
to edit your key store settings.
-
Use the
NewCustomKeyStoreName
parameter to change the friendly name of the custom key store to the value that you specify. -
Use the
KeyStorePassword
parameter tell AWS KMS the current password of thekmsuser
crypto user (CU) in the associated AWS CloudHSM cluster. You can use this parameter to fix connection failures that occur when AWS KMS cannot log into the associated cluster because thekmsuser
password has changed. This value does not change the password in the AWS CloudHSM cluster. -
Use the
CloudHsmClusterId
parameter to associate the custom key store with a different, but related, AWS CloudHSM cluster. You can use this parameter to repair a custom key store if its AWS CloudHSM cluster becomes corrupted or is deleted, or when you need to create or restore a cluster from a backup.
If the operation succeeds, it returns a JSON object with no properties.
This operation is part of the custom key store feature feature in AWS KMS, which combines the convenience and extensive integration of AWS KMS with the isolation and control of a single-tenant key store.
Cross-account use: No. You cannot perform this operation on a custom key store in a different AWS account.
Required permissions: kms:UpdateCustomKeyStore (IAM policy)
Related operations:
Request Syntax
{
"CloudHsmClusterId": "string
",
"CustomKeyStoreId": "string
",
"KeyStorePassword": "string
",
"NewCustomKeyStoreName": "string
"
}
Request Parameters
For information about the parameters that are common to all actions, see Common Parameters.
The request accepts the following data in JSON format.
In the following list, the required parameters are described first.
- CustomKeyStoreId
-
Identifies the custom key store that you want to update. Enter the ID of the custom key store. To find the ID of a custom key store, use the DescribeCustomKeyStores operation.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 64.
Required: Yes
- CloudHsmClusterId
-
Associates the custom key store with a related AWS CloudHSM cluster.
Enter the cluster ID of the cluster that you used to create the custom key store or a cluster that shares a backup history and has the same cluster certificate as the original cluster. You cannot use this parameter to associate a custom key store with an unrelated cluster. In addition, the replacement cluster must fulfill the requirements for a cluster associated with a custom key store. To view the cluster certificate of a cluster, use the DescribeClusters operation.
Type: String
Length Constraints: Minimum length of 19. Maximum length of 24.
Required: No
- KeyStorePassword
-
Enter the current password of the
kmsuser
crypto user (CU) in the AWS CloudHSM cluster that is associated with the custom key store.This parameter tells AWS KMS the current password of the
kmsuser
crypto user (CU). It does not set or change the password of any users in the AWS CloudHSM cluster.Type: String
Length Constraints: Minimum length of 7. Maximum length of 32.
Required: No
- NewCustomKeyStoreName
-
Changes the friendly name of the custom key store to the value that you specify. The custom key store name must be unique in the AWS account.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 256.
Required: No
Response Elements
If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.
Errors
For information about the errors that are common to all actions, see Common Errors.
- CloudHsmClusterInvalidConfigurationException
-
The request was rejected because the associated AWS CloudHSM cluster did not meet the configuration requirements for a custom key store.
-
The cluster must be configured with private subnets in at least two different Availability Zones in the Region.
-
The security group for the cluster (cloudhsm-cluster-<cluster-id>-sg) must include inbound rules and outbound rules that allow TCP traffic on ports 2223-2225. The Source in the inbound rules and the Destination in the outbound rules must match the security group ID. These rules are set by default when you create the cluster. Do not delete or change them. To get information about a particular security group, use the DescribeSecurityGroups operation.
-
The cluster must contain at least as many HSMs as the operation requires. To add HSMs, use the AWS CloudHSM CreateHsm operation.
For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey operations, the AWS CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone. For the ConnectCustomKeyStore operation, the AWS CloudHSM must contain at least one active HSM.
For information about the requirements for an AWS CloudHSM cluster that is associated with a custom key store, see Assemble the Prerequisites in the AWS Key Management Service Developer Guide. For information about creating a private subnet for an AWS CloudHSM cluster, see Create a Private Subnet in the AWS CloudHSM User Guide. For information about cluster security groups, see Configure a Default Security Group in the AWS CloudHSM User Guide .
HTTP Status Code: 400
-
- CloudHsmClusterNotActiveException
-
The request was rejected because the AWS CloudHSM cluster that is associated with the custom key store is not active. Initialize and activate the cluster and try the command again. For detailed instructions, see Getting Started in the AWS CloudHSM User Guide.
HTTP Status Code: 400
- CloudHsmClusterNotFoundException
-
The request was rejected because AWS KMS cannot find the AWS CloudHSM cluster with the specified cluster ID. Retry the request with a different cluster ID.
HTTP Status Code: 400
- CloudHsmClusterNotRelatedException
-
The request was rejected because the specified AWS CloudHSM cluster has a different cluster certificate than the original cluster. You cannot use the operation to specify an unrelated cluster.
Specify a cluster that shares a backup history with the original cluster. This includes clusters that were created from a backup of the current cluster, and clusters that were created from the same backup that produced the current cluster.
Clusters that share a backup history have the same cluster certificate. To view the cluster certificate of a cluster, use the DescribeClusters operation.
HTTP Status Code: 400
- CustomKeyStoreInvalidStateException
-
The request was rejected because of the
ConnectionState
of the custom key store. To get theConnectionState
of a custom key store, use the DescribeCustomKeyStores operation.This exception is thrown under the following conditions:
-
You requested the CreateKey or GenerateRandom operation in a custom key store that is not connected. These operations are valid only when the custom key store
ConnectionState
isCONNECTED
. -
You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation on a custom key store that is not disconnected. This operation is valid only when the custom key store
ConnectionState
isDISCONNECTED
. -
You requested the ConnectCustomKeyStore operation on a custom key store with a
ConnectionState
ofDISCONNECTING
orFAILED
. This operation is valid for all otherConnectionState
values.
HTTP Status Code: 400
-
- CustomKeyStoreNameInUseException
-
The request was rejected because the specified custom key store name is already assigned to another custom key store in the account. Try again with a custom key store name that is unique in the account.
HTTP Status Code: 400
- CustomKeyStoreNotFoundException
-
The request was rejected because AWS KMS cannot find a custom key store with the specified key store name or ID.
HTTP Status Code: 400
- KMSInternalException
-
The request was rejected because an internal exception occurred. The request can be retried.
HTTP Status Code: 500
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: