AWS services or capabilities described in AWS Documentation may vary by region/location. Click Getting Started with Amazon AWS to see specific differences applicable to the China (Beijing) Region.
Replicates a multi-Region key into the specified Region. This operation creates a multi-Region replica key based on a multi-Region primary key in a different Region of the same Amazon Web Services partition. You can create multiple replicas of a primary key, but each must be in a different Region. To create a multi-Region primary key, use the CreateKey operation.
This operation supports multi-Region keys, an KMS feature that lets you create multiple interoperable KMS keys in different Amazon Web Services Regions. Because these KMS keys have the same key ID, key material, and other metadata, you can use them interchangeably to encrypt data in one Amazon Web Services Region and decrypt it in a different Amazon Web Services Region without re-encrypting the data or making a cross-Region call. For more information about multi-Region keys, see Multi-Region keys in KMS in the Key Management Service Developer Guide.
A replica key is a fully-functional KMS key that can be used independently of its primary and peer replica keys. A primary key and its replica keys share properties that make them interoperable. They have the same key ID and key material. They also have the same key spec, key usage, key material origin, and automatic key rotation status. KMS automatically synchronizes these shared properties among related multi-Region keys. All other properties of a replica key can differ, including its key policy, tags, aliases, and Key states of KMS keys. KMS pricing and quotas for KMS keys apply to each primary key and replica key.
When this operation completes, the new replica key has a transient key state of Creating
.
This key state changes to Enabled
(or PendingImport
) after a few seconds
when the process of creating the new replica key is complete. While the key state
is Creating
, you can manage key, but you cannot yet use it in cryptographic
operations. If you are creating and using the replica key programmatically, retry
on KMSInvalidStateException
or call DescribeKey
to check its KeyState
value before using it. For details about the Creating
key state, see Key
states of KMS keys in the Key Management Service Developer Guide.
You cannot create more than one replica of a primary key in any Region. If the Region
already includes a replica of the key you're trying to replicate, ReplicateKey
returns an AlreadyExistsException
error. If the key state of the existing replica
is PendingDeletion
, you can cancel the scheduled key deletion (CancelKeyDeletion)
or wait for the key to be deleted. The new replica key you create will have the same
shared
properties as the original replica key.
The CloudTrail log of a ReplicateKey
operation records a ReplicateKey
operation in the primary key's Region and a CreateKey operation in the replica
key's Region.
If you replicate a multi-Region primary key with imported key material, the replica key is created with no key material. You must import the same key material that you imported into the primary key. For details, see Importing key material into multi-Region keys in the Key Management Service Developer Guide.
To convert a replica key to a primary key, use the UpdatePrimaryRegion operation.
ReplicateKey
uses different default values for the KeyPolicy
and Tags
parameters than those used in the KMS console. For details, see the parameter descriptions.
Cross-account use: No. You cannot use this operation to create a replica key in a different Amazon Web Services account.
Required permissions:
kms:ReplicateKey
on the primary key (in the primary key's Region). Include
this permission in the primary key's key policy.
kms:CreateKey
in an IAM policy in the replica Region.
To use the Tags
parameter, kms:TagResource
in an IAM policy in the replica
Region.
Related operations
Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.
For .NET Core this operation is only available in asynchronous form. Please refer to ReplicateKeyAsync.
Namespace: Amazon.KeyManagementService
Assembly: AWSSDK.KeyManagementService.dll
Version: 3.x.y.z
public virtual ReplicateKeyResponse ReplicateKey( ReplicateKeyRequest request )
Container for the necessary parameters to execute the ReplicateKey service method.
Exception | Condition |
---|---|
AlreadyExistsException | The request was rejected because it attempted to create a resource that already exists. |
DisabledException | The request was rejected because the specified KMS key is not enabled. |
InvalidArnException | The request was rejected because a specified ARN, or an ARN in a key policy, is not valid. |
KMSInternalException | The request was rejected because an internal exception occurred. The request can be retried. |
KMSInvalidStateException | The request was rejected because the state of the specified resource is not valid for this request. This exceptions means one of the following: The key state of the KMS key is not compatible with the operation. To find the key state, use the DescribeKey operation. For more information about which key states are compatible with each KMS operation, see Key states of KMS keys in the Key Management Service Developer Guide. For cryptographic operations on KMS keys in custom key stores, this exception represents a general failure with many possible causes. To identify the cause, see the error message that accompanies the exception. |
LimitExceededException | The request was rejected because a quota was exceeded. For more information, see Quotas in the Key Management Service Developer Guide. |
MalformedPolicyDocumentException | The request was rejected because the specified policy is not syntactically or semantically correct. |
NotFoundException | The request was rejected because the specified entity or resource could not be found. |
TagException | The request was rejected because one or more tags are not valid. |
UnsupportedOperationException | The request was rejected because a specified parameter is not supported or a specified resource is not valid for this operation. |
This example creates a multi-Region replica key in us-west-2 of a multi-Region primary key in us-east-1.
var client = new AmazonKeyManagementServiceClient(); var response = client.ReplicateKey(new ReplicateKeyRequest { KeyId = "arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab", // The key ID or key ARN of the multi-Region primary key ReplicaRegion = "us-west-2" // The Region of the new replica. }); KeyMetadata replicaKeyMetadata = response.ReplicaKeyMetadata; // An object that displays detailed information about the replica key. string replicaPolicy = response.ReplicaPolicy; // The key policy of the replica key. If you don't specify a key policy, the replica key gets the default key policy for a KMS key. List<Tag> replicaTags = response.ReplicaTags; // The tags on the replica key, if any.
.NET Framework:
Supported in: 4.5 and newer, 3.5