AWS services or capabilities described in AWS Documentation may vary by region/location. Click Getting Started with Amazon AWS to see specific differences applicable to the China (Beijing) Region.
Changes the properties of a custom key store. You can use this operation to change the properties of an CloudHSM key store or an external key store.
Use the required CustomKeyStoreId parameter to identify the custom key store.
Use the remaining optional parameters to change its properties. This operation does
not return any property values. To verify the updated property values, use the DescribeCustomKeyStores
operation.
This operation is part of the custom key stores feature in KMS, which combines the convenience and extensive integration of KMS with the isolation and control of a key store that you own and manage.
When updating the properties of an external key store, verify that the updated settings connect your key store, via the external key store proxy, to the same external key manager as the previous settings, or to a backup or snapshot of the external key manager with the same cryptographic keys. If the updated connection settings fail, you can fix them and retry, although an extended delay might disrupt Amazon Web Services services. However, if KMS permanently loses its access to cryptographic keys, ciphertext encrypted under those keys is unrecoverable.
For external key stores:
Some external key managers provide a simpler method for updating an external key store. For details, see your external key manager documentation.
When updating an external key store in the KMS console, you can upload a JSON-based
proxy configuration file with the desired values. You cannot upload the proxy configuration
file to the UpdateCustomKeyStore operation. However, you can use the file to
help you determine the correct values for the UpdateCustomKeyStore parameters.
For an CloudHSM key store, you can use this operation to change the custom key store
friendly name (NewCustomKeyStoreName), to tell KMS about a change to the kmsuser
crypto user password (KeyStorePassword), or to associate the custom key store
with a different, but related, CloudHSM cluster (CloudHsmClusterId). To update
any property of an CloudHSM key store, the ConnectionState of the CloudHSM
key store must be DISCONNECTED.
For an external key store, you can use this operation to change the custom key store
friendly name (NewCustomKeyStoreName), or to tell KMS about a change to the
external key store proxy authentication credentials (XksProxyAuthenticationCredential),
connection method (XksProxyConnectivity), external proxy endpoint (XksProxyUriEndpoint)
and path (XksProxyUriPath). For external key stores with an XksProxyConnectivity
of VPC_ENDPOINT_SERVICE, you can also update the Amazon VPC endpoint service
name (XksProxyVpcEndpointServiceName). To update most properties of an external
key store, the ConnectionState of the external key store must be DISCONNECTED.
However, you can update the CustomKeyStoreName, XksProxyAuthenticationCredential,
and XksProxyUriPath of an external key store when it is in the CONNECTED or
DISCONNECTED state.
If your update requires a DISCONNECTED state, before using UpdateCustomKeyStore,
use the DisconnectCustomKeyStore operation to disconnect the custom key store.
After the UpdateCustomKeyStore operation completes, use the ConnectCustomKeyStore
to reconnect the custom key store. To find the ConnectionState of the custom
key store, use the DescribeCustomKeyStores operation.
Before updating the custom key store, verify that the new values allow KMS to connect
the custom key store to its backing key store. For example, before you change the
XksProxyUriPath value, verify that the external key store proxy is reachable
at the new path.
If the operation succeeds, it returns a JSON object with no properties.
Cross-account use: No. You cannot perform this operation on a custom key store in a different Amazon Web Services account.
Required permissions: kms:UpdateCustomKeyStore (IAM policy)
Related operations:
Eventual consistency: The KMS API follows an eventual consistency model. For more information, see KMS eventual consistency.
This is an asynchronous operation using the standard naming convention for .NET 4.5 or higher. For .NET 3.5 the operation is implemented as a pair of methods using the standard naming convention of BeginUpdateCustomKeyStore and EndUpdateCustomKeyStore.
Namespace: Amazon.KeyManagementService
Assembly: AWSSDK.KeyManagementService.dll
Version: 3.x.y.z
public virtual Task<UpdateCustomKeyStoreResponse> UpdateCustomKeyStoreAsync( UpdateCustomKeyStoreRequest request, CancellationToken cancellationToken )
Container for the necessary parameters to execute the UpdateCustomKeyStore service method.
A cancellation token that can be used by other objects or threads to receive notice of cancellation.
| Exception | Condition |
|---|---|
| CloudHsmClusterInvalidConfigurationException |
The request was rejected because the associated CloudHSM cluster did not meet the
configuration requirements for an CloudHSM key store.
The CloudHSM cluster must be configured with private subnets in at least two different
Availability Zones in the Region.
The security
group for the cluster (cloudhsm-cluster- |
| CloudHsmClusterNotActiveException | The request was rejected because the CloudHSM cluster associated with the CloudHSM key store is not active. Initialize and activate the cluster and try the command again. For detailed instructions, see Getting Started in the CloudHSM User Guide. |
| CloudHsmClusterNotFoundException | The request was rejected because KMS cannot find the CloudHSM cluster with the specified cluster ID. Retry the request with a different cluster ID. |
| CloudHsmClusterNotRelatedException | The request was rejected because the specified CloudHSM cluster has a different cluster certificate than the original cluster. You cannot use the operation to specify an unrelated cluster for an CloudHSM key store. Specify an CloudHSM cluster that shares a backup history with the original cluster. This includes clusters that were created from a backup of the current cluster, and clusters that were created from the same backup that produced the current cluster. CloudHSM clusters that share a backup history have the same cluster certificate. To view the cluster certificate of an CloudHSM cluster, use the DescribeClusters operation. |
| CustomKeyStoreInvalidStateException | The request was rejected because of the ConnectionState of the custom key store. To get the ConnectionState of a custom key store, use the DescribeCustomKeyStores operation. This exception is thrown under the following conditions: You requested the ConnectCustomKeyStore operation on a custom key store with a ConnectionState of DISCONNECTING or FAILED. This operation is valid for all other ConnectionState values. To reconnect a custom key store in a FAILED state, disconnect it (DisconnectCustomKeyStore), then connect it (ConnectCustomKeyStore). You requested the CreateKey operation in a custom key store that is not connected. This operations is valid only when the custom key store ConnectionState is CONNECTED. You requested the DisconnectCustomKeyStore operation on a custom key store with a ConnectionState of DISCONNECTING or DISCONNECTED. This operation is valid for all other ConnectionState values. You requested the UpdateCustomKeyStore or DeleteCustomKeyStore operation on a custom key store that is not disconnected. This operation is valid only when the custom key store ConnectionState is DISCONNECTED. You requested the GenerateRandom operation in an CloudHSM key store that is not connected. This operation is valid only when the CloudHSM key store ConnectionState is CONNECTED. |
| CustomKeyStoreNameInUseException | The request was rejected because the specified custom key store name is already assigned to another custom key store in the account. Try again with a custom key store name that is unique in the account. |
| CustomKeyStoreNotFoundException | The request was rejected because KMS cannot find a custom key store with the specified key store name or ID. |
| KMSInternalException | The request was rejected because an internal exception occurred. The request can be retried. |
| XksProxyIncorrectAuthenticationCredentialException | The request was rejected because the proxy credentials failed to authenticate to the specified external key store proxy. The specified external key store proxy rejected a status request from KMS due to invalid credentials. This can indicate an error in the credentials or in the identification of the external key store proxy. |
| XksProxyInvalidConfigurationException | The request was rejected because the external key store proxy is not configured correctly. To identify the cause, see the error message that accompanies the exception. |
| XksProxyInvalidResponseException | KMS cannot interpret the response it received from the external key store proxy. The problem might be a poorly constructed response, but it could also be a transient network issue. If you see this error repeatedly, report it to the proxy vendor. |
| XksProxyUriEndpointInUseException | The request was rejected because the XksProxyUriEndpoint is already associated with another external key store in this Amazon Web Services Region. To identify the cause, see the error message that accompanies the exception. |
| XksProxyUriInUseException | The request was rejected because the concatenation of the XksProxyUriEndpoint and XksProxyUriPath is already associated with another external key store in this Amazon Web Services Region. Each external key store in a Region must use a unique external key store proxy API address. |
| XksProxyUriUnreachableException | KMS was unable to reach the specified XksProxyUriPath. The path must be reachable before you create the external key store or update its settings. This exception is also thrown when the external key store proxy response to a GetHealthStatus request indicates that all external key manager instances are unavailable. |
| XksProxyVpcEndpointServiceInUseException | The request was rejected because the specified Amazon VPC endpoint service is already associated with another external key store in this Amazon Web Services Region. Each external key store in a Region must use a different Amazon VPC endpoint service. |
| XksProxyVpcEndpointServiceInvalidConfigurationException | The request was rejected because the Amazon VPC endpoint service configuration does not fulfill the requirements for an external key store. To identify the cause, see the error message that accompanies the exception and review the requirements for Amazon VPC endpoint service connectivity for an external key store. |
| XksProxyVpcEndpointServiceNotFoundException | The request was rejected because KMS could not find the specified VPC endpoint service. Use DescribeCustomKeyStores to verify the VPC endpoint service name for the external key store. Also, confirm that the Allow principals list for the VPC endpoint service includes the KMS service principal for the Region, such as cks.kms.us-east-1.amazonaws.com. |
.NET Core App:
Supported in: 3.1
.NET Standard:
Supported in: 2.0
.NET Framework:
Supported in: 4.5