AWS SDK Version 3 for .NET
API Reference

AWS services or capabilities described in AWS Documentation may vary by region/location. Click Getting Started with Amazon AWS to see specific differences applicable to the China (Beijing) Region.

Creates a custom key store backed by a key store that you own and manage. When you use a KMS key in a custom key store for a cryptographic operation, the cryptographic operation is actually performed in your key store using your keys. KMS supports CloudHSM key stores backed by an CloudHSM cluster and external key stores backed by an external key store proxy and external key manager outside of Amazon Web Services.

This operation is part of the custom key stores feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of a key store that you own and manage.

Before you create the custom key store, the required elements must be in place and operational. We recommend that you use the test tools that KMS provides to verify the configuration your external key store proxy. For details about the required elements and verification tests, see Assemble the prerequisites (for CloudHSM key stores) or Assemble the prerequisites (for external key stores) in the Key Management Service Developer Guide.

To create a custom key store, use the following parameters.

For external key stores:

Some external key managers provide a simpler method for creating an external key store. For details, see your external key manager documentation.

When creating an external key store in the KMS console, you can upload a JSON-based proxy configuration file with the desired values. You cannot use a proxy configuration with the CreateCustomKeyStore operation. However, you can use the values in the file to help you determine the correct values for the CreateCustomKeyStore parameters.

When the operation completes successfully, it returns the ID of the new custom key store. Before you can use your new custom key store, you need to use the ConnectCustomKeyStore operation to connect a new CloudHSM key store to its CloudHSM cluster, or to connect a new external key store to the external key store proxy for your external key manager. Even if you are not going to use your custom key store immediately, you might want to connect it to verify that all settings are correct and then disconnect it until you are ready to use it.

For help with failures, see Troubleshooting a custom key store in the Key Management Service Developer Guide.

Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account.

Required permissions: kms:CreateCustomKeyStore (IAM policy).

Related operations:

Note:

For .NET Core this operation is only available in asynchronous form. Please refer to CreateCustomKeyStoreAsync.

Namespace: Amazon.KeyManagementService
Assembly: AWSSDK.KeyManagementService.dll
Version: 3.x.y.z

Syntax

C#
public virtual CreateCustomKeyStoreResponse CreateCustomKeyStore(
         CreateCustomKeyStoreRequest request
)
Parameters
request
Type: Amazon.KeyManagementService.Model.CreateCustomKeyStoreRequest

Container for the necessary parameters to execute the CreateCustomKeyStore service method.

Return Value
The response from the CreateCustomKeyStore service method, as returned by KeyManagementService.

Exceptions

ExceptionCondition
CloudHsmClusterInUseException The request was rejected because the specified CloudHSM cluster is already associated with an CloudHSM key store in the account, or it shares a backup history with an CloudHSM key store in the account. Each CloudHSM key store in the account must be associated with a different CloudHSM cluster. CloudHSM clusters that share a backup history have the same cluster certificate. To view the cluster certificate of an CloudHSM cluster, use the DescribeClusters operation.
CloudHsmClusterInvalidConfigurationException The request was rejected because the associated CloudHSM cluster did not meet the configuration requirements for an CloudHSM key store. The CloudHSM cluster must be configured with private subnets in at least two different Availability Zones in the Region. The security group for the cluster (cloudhsm-cluster--sg) must include inbound rules and outbound rules that allow TCP traffic on ports 2223-2225. The Source in the inbound rules and the Destination in the outbound rules must match the security group ID. These rules are set by default when you create the CloudHSM cluster. Do not delete or change them. To get information about a particular security group, use the DescribeSecurityGroups operation. The CloudHSM cluster must contain at least as many HSMs as the operation requires. To add HSMs, use the CloudHSM CreateHsm operation. For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey operations, the CloudHSM cluster must have at least two active HSMs, each in a different Availability Zone. For the ConnectCustomKeyStore operation, the CloudHSM must contain at least one active HSM. For information about the requirements for an CloudHSM cluster that is associated with an CloudHSM key store, see Assemble the Prerequisites in the Key Management Service Developer Guide. For information about creating a private subnet for an CloudHSM cluster, see Create a Private Subnet in the CloudHSM User Guide. For information about cluster security groups, see Configure a Default Security Group in the CloudHSM User Guide.
CloudHsmClusterNotActiveException The request was rejected because the CloudHSM cluster associated with the CloudHSM key store is not active. Initialize and activate the cluster and try the command again. For detailed instructions, see Getting Started in the CloudHSM User Guide.
CloudHsmClusterNotFoundException The request was rejected because KMS cannot find the CloudHSM cluster with the specified cluster ID. Retry the request with a different cluster ID.
CustomKeyStoreNameInUseException The request was rejected because the specified custom key store name is already assigned to another custom key store in the account. Try again with a custom key store name that is unique in the account.
IncorrectTrustAnchorException The request was rejected because the trust anchor certificate in the request to create an CloudHSM key store is not the trust anchor certificate for the specified CloudHSM cluster. When you initialize the CloudHSM cluster, you create the trust anchor certificate and save it in the customerCA.crt file.
KMSInternalException The request was rejected because an internal exception occurred. The request can be retried.
LimitExceededException The request was rejected because a quota was exceeded. For more information, see Quotas in the Key Management Service Developer Guide.
XksProxyIncorrectAuthenticationCredentialException The request was rejected because the proxy credentials failed to authenticate to the specified external key store proxy. The specified external key store proxy rejected a status request from KMS due to invalid credentials. This can indicate an error in the credentials or in the identification of the external key store proxy.
XksProxyInvalidConfigurationException The request was rejected because the Amazon VPC endpoint service configuration does not fulfill the requirements for an external key store proxy. For details, see the exception message.
XksProxyInvalidResponseException KMS cannot interpret the response it received from the external key store proxy. The problem might be a poorly constructed response, but it could also be a transient network issue. If you see this error repeatedly, report it to the proxy vendor.
XksProxyUriEndpointInUseException The request was rejected because the concatenation of the XksProxyUriEndpoint is already associated with an external key store in the Amazon Web Services account and Region. Each external key store in an account and Region must use a unique external key store proxy address.
XksProxyUriInUseException The request was rejected because the concatenation of the XksProxyUriEndpoint and XksProxyUriPath is already associated with an external key store in the Amazon Web Services account and Region. Each external key store in an account and Region must use a unique external key store proxy API address.
XksProxyUriUnreachableException KMS was unable to reach the specified XksProxyUriPath. The path must be reachable before you create the external key store or update its settings. This exception is also thrown when the external key store proxy response to a GetHealthStatus request indicates that all external key manager instances are unavailable.
XksProxyVpcEndpointServiceInUseException The request was rejected because the specified Amazon VPC endpoint service is already associated with an external key store in the Amazon Web Services account and Region. Each external key store in an Amazon Web Services account and Region must use a different Amazon VPC endpoint service.
XksProxyVpcEndpointServiceInvalidConfigurationException The request was rejected because the Amazon VPC endpoint service configuration does not fulfill the requirements for an external key store proxy. For details, see the exception message and review the requirements for Amazon VPC endpoint service connectivity for an external key store.
XksProxyVpcEndpointServiceNotFoundException The request was rejected because KMS could not find the specified VPC endpoint service. Use DescribeCustomKeyStores to verify the VPC endpoint service name for the external key store. Also, confirm that the Allow principals list for the VPC endpoint service includes the KMS service principal for the Region, such as cks.kms.us-east-1.amazonaws.com.

Examples

This example creates a custom key store that is associated with an AWS CloudHSM cluster.

To create an AWS CloudHSM key store


var client = new AmazonKeyManagementServiceClient();
var response = client.CreateCustomKeyStore(new CreateCustomKeyStoreRequest 
{
    CloudHsmClusterId = "cluster-1a23b4cdefg", // The ID of the CloudHSM cluster.
    CustomKeyStoreName = "ExampleKeyStore", // A friendly name for the custom key store.
    KeyStorePassword = "kmsPswd", // The password for the kmsuser CU account in the specified cluster.
    TrustAnchorCertificate = "<certificate-goes-here>" // The content of the customerCA.crt file that you created when you initialized the cluster.
});

string customKeyStoreId = response.CustomKeyStoreId; // The ID of the new custom key store.

            

This example creates an external key store that uses an Amazon VPC endpoint service to communicate with AWS KMS.

To create an external key store with VPC endpoint service connectivity


var client = new AmazonKeyManagementServiceClient();
var response = client.CreateCustomKeyStore(new CreateCustomKeyStoreRequest 
{
    CustomKeyStoreName = "ExampleVPCEndpointKeyStore", // A friendly name for the custom key store
    CustomKeyStoreType = "EXTERNAL_KEY_STORE", // For external key stores, the value must be EXTERNAL_KEY_STORE
    XksProxyAuthenticationCredential = new XksProxyAuthenticationCredentialType {
        AccessKeyId = "ABCDE12345670EXAMPLE",
        RawSecretAccessKey = "DXjSUawnel2fr6SKC7G25CNxTyWKE5PF9XX6H/u9pSo="
    }, // The access key ID and secret access key that KMS uses to authenticate to your external key store proxy
    XksProxyConnectivity = "VPC_ENDPOINT_SERVICE", // Indicates how AWS KMS communicates with the external key store proxy
    XksProxyUriEndpoint = "https://myproxy-private.xks.example.com", // The URI that AWS KMS uses to connect to the external key store proxy
    XksProxyUriPath = "/example-prefix/kms/xks/v1", // The URI path to the external key store proxy APIs
    XksProxyVpcEndpointServiceName = "com.amazonaws.vpce.us-east-1.vpce-svc-example1" // The VPC endpoint service that KMS uses to communicate with the external key store proxy
});

string customKeyStoreId = response.CustomKeyStoreId; // The ID of the new custom key store.

            

This example creates an external key store with public endpoint connectivity.

To create an external key store with public endpoint connectivity


var client = new AmazonKeyManagementServiceClient();
var response = client.CreateCustomKeyStore(new CreateCustomKeyStoreRequest 
{
    CustomKeyStoreName = "ExamplePublicEndpointKeyStore", // A friendly name for the custom key store
    CustomKeyStoreType = "EXTERNAL_KEY_STORE", // For external key stores, the value must be EXTERNAL_KEY_STORE
    XksProxyAuthenticationCredential = new XksProxyAuthenticationCredentialType {
        AccessKeyId = "ABCDE12345670EXAMPLE",
        RawSecretAccessKey = "DXjSUawnel2fr6SKC7G25CNxTyWKE5PF9XX6H/u9pSo="
    }, // The access key ID and secret access key that KMS uses to authenticate to your external key store proxy
    XksProxyConnectivity = "PUBLIC_ENDPOINT", // Indicates how AWS KMS communicates with the external key store proxy
    XksProxyUriEndpoint = "https://myproxy.xks.example.com", // The URI that AWS KMS uses to connect to the external key store proxy
    XksProxyUriPath = "/kms/xks/v1" // The URI path to your external key store proxy API
});

string customKeyStoreId = response.CustomKeyStoreId; // The ID of the new custom key store.

            

Version Information

.NET Framework:
Supported in: 4.5, 4.0, 3.5

See Also